From d98da5d2d058ed3fccdf1344bd6e7642bbc10bb4 Mon Sep 17 00:00:00 2001
From: Yangmin Zhu
Date: Mon, 18 May 2020 17:58:11 -0700
Subject: [PATCH] authz: remove alpha RBAC API (#1427)

* authz: remove alpha RBAC API
* update
---
 Makefile.core.mk | 28 -
 cue.yaml | 2 -
 kubernetes/customresourcedefinitions.gen.yaml | 500 ---
 proto.lock | 366 +-
 prototool.yaml | 1 -
 python/istio_api/rbac/v1alpha1/rbac_pb2.py | 674 ---
 rbac/v1alpha1/istio.rbac.v1alpha1.gen.json | 321 -
 rbac/v1alpha1/istio.rbac.v1alpha1.pb.html | 81 -
 rbac/v1alpha1/rbac.pb.go | 3874 -----------------
 rbac/v1alpha1/rbac.proto | 458 --
 rbac/v1alpha1/rbac_deepcopy.gen.go | 102 -
 rbac/v1alpha1/rbac_json.gen.go | 179 -
 releaselocks/release-1.0/proto.lock.status | 44 +
 releaselocks/release-1.1/proto.lock.status | 74 +
 releaselocks/release-1.2/proto.lock.status | 78 +
 releaselocks/release-1.3/proto.lock.status | 78 +
 releaselocks/release-1.4/proto.lock.status | 78 +
 releaselocks/release-1.5/proto.lock.status | 78 +
 releaselocks/release-1.6/proto.lock.status | 78 +
 19 files changed, 513 insertions(+), 6581 deletions(-)
 delete mode 100644 python/istio_api/rbac/v1alpha1/rbac_pb2.py
 delete mode 100644 rbac/v1alpha1/istio.rbac.v1alpha1.gen.json
 delete mode 100644 rbac/v1alpha1/istio.rbac.v1alpha1.pb.html
 delete mode 100644 rbac/v1alpha1/rbac.pb.go
 delete mode 100644 rbac/v1alpha1/rbac.proto
 delete mode 100644 rbac/v1alpha1/rbac_deepcopy.gen.go
 delete mode 100644 rbac/v1alpha1/rbac_json.gen.go

diff --git a/Makefile.core.mk b/Makefile.core.mk
index 10b96194..b85915d7 100644
--- a/Makefile.core.mk
+++ b/Makefile.core.mk
@@ -98,7 +98,6 @@ gen: \
 generate-operator \
 generate-mixer \
 generate-networking \
- generate-rbac \
 generate-authn \
 generate-security \
 generate-envoy \
@@ -353,30 +352,6 @@ clean-networking: @rm -fr $(networking_v1alpha3_pb_gos) $(networking_v1alpha3_pb_docs) $(networking_v1alpha3_pb_pythons) $(networking_v1alpha3_k8s_gos) \ $(networking_v1beta1_pb_gos) $(networking_v1beta1_pb_docs) $(networking_v1beta1_pb_pythons) $(networking_v1beta1_k8s_gos) -##################### -# rbac/... -##################### - -rbac_v1alpha1_path := rbac/v1alpha1 -rbac_v1alpha1_protos := $(wildcard $(rbac_v1alpha1_path)/*.proto) -rbac_v1alpha1_pb_gos := $(rbac_v1alpha1_protos:.proto=.pb.go) -rbac_v1alpha1_pb_pythons := $(patsubst $(rbac_v1alpha1_path)/%.proto,$(python_output_path)/$(rbac_v1alpha1_path)/%_pb2.py,$(rbac_v1alpha1_protos)) -rbac_v1alpha1_pb_doc := $(rbac_v1alpha1_path)/istio.rbac.v1alpha1.pb.html -rbac_v1alpha1_openapi := $(rbac_v1alpha1_path)/istio.rbac.v1alpha1.gen.json -rbac_v1alpha1_k8s_gos := \ - $(patsubst $(rbac_v1alpha1_path)/%.proto,$(rbac_v1alpha1_path)/%_json.gen.go,$(shell grep -l "^ *oneof " $(rbac_v1alpha1_protos))) \ - $(patsubst $(rbac_v1alpha1_path)/%.proto,$(rbac_v1alpha1_path)/%_deepcopy.gen.go,$(shell grep -l "+kubetype-gen" $(rbac_v1alpha1_protos))) - -$(rbac_v1alpha1_pb_gos) $(rbac_v1alpha1_pb_doc) $(rbac_v1alpha1_pb_pythons) $(rbac_v1alpha1_k8s_gos): $(rbac_v1alpha1_protos) - @$(protolock) status - @$(protoc) $(gogofast_plugin) $(protoc_gen_k8s_support_plugins) $(protoc_gen_docs_plugin)$(rbac_v1alpha1_path) $(protoc_gen_python_plugin) $^ - @cp -r /tmp/istio.io/api/rbac/* rbac - -generate-rbac: $(rbac_v1alpha1_pb_gos) $(rbac_v1alpha1_pb_doc) $(rbac_v1alpha1_protos) $(rbac_v1alpha1_k8s_gos) - -clean-rbac: - @rm -fr $(rbac_v1alpha1_pb_gos) $(rbac_v1alpha1_pb_doc) $(rbac_v1alpha1_pb_pythons) $(rbac_v1alpha1_k8s_gos) - ##################### # authentication/... ##################### 
@@ -499,7 +474,6 @@ all_protos := \ $(mixer_adapter_model_v1beta1_protos) \ $(networking_v1alpha3_protos) \ $(networking_v1beta1_protos) \ - $(rbac_v1alpha1_protos) \ $(authn_v1alpha1_protos) \ $(security_v1beta1_protos) \ $(type_v1beta1_protos) @@ -515,7 +489,6 @@ all_openapi := \ $(mixer_adapter_model_v1beta1_openapi) \ $(networking_v1alpha3_openapi) \ $(networking_v1beta1_openapi) \ - $(rbac_v1alpha1_openapi) \ $(authn_v1alpha1_openapi) \ $(security_v1beta1_openapi) \ $(type_v1beta1_openapi) @@ -550,7 +523,6 @@ clean: \ clean-operator \ clean-mixer \ clean-networking \ - clean-rbac \ clean-authn \ clean-envoy \ clean-policy \ diff --git a/cue.yaml b/cue.yaml index a38086e2..0fc34966 100644 --- a/cue.yaml +++ b/cue.yaml @@ -29,8 +29,6 @@ directories: - mode: perFile policy/v1beta1: - mode: all - rbac/v1alpha1: - - mode: all security/v1beta1: - mode: perFile diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml index b2ccf4a5..c48b137d 100644 --- a/kubernetes/customresourcedefinitions.gen.yaml +++ b/kubernetes/customresourcedefinitions.gen.yaml 
@@ -4010,506 +4010,6 @@ spec: served: true storage: true ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: istio-pilot - chart: istio - heritage: Tiller - istio: rbac - release: istio - name: clusterrbacconfigs.rbac.istio.io -spec: - group: rbac.istio.io - names: - categories: - - istio-io - - rbac-istio-io - kind: ClusterRbacConfig - listKind: ClusterRbacConfigList - plural: clusterrbacconfigs - singular: clusterrbacconfig - preserveUnknownFields: false - scope: Cluster - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'See more details at:' - properties: - enforcementMode: - enum: - - ENFORCED - - PERMISSIVE - type: string - exclusion: - description: A list of services or namespaces that should not be enforced - by Istio RBAC policies. - properties: - namespaces: - description: A list of namespaces. - items: - format: string - type: string - type: array - services: - description: A list of services. - items: - format: string - type: string - type: array - type: object - inclusion: - description: A list of services or namespaces that should be enforced - by Istio RBAC policies. - properties: - namespaces: - description: A list of namespaces. - items: - format: string - type: string - type: array - services: - description: A list of services. - items: - format: string - type: string - type: array - type: object - mode: - description: Istio RBAC mode. 
- enum: - - "OFF" - - "ON" - - ON_WITH_INCLUSION - - ON_WITH_EXCLUSION - type: string - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha1 - served: true - storage: true - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: mixer - chart: istio - heritage: Tiller - istio: rbac - package: istio.io.mixer - release: istio - name: rbacconfigs.rbac.istio.io -spec: - group: rbac.istio.io - names: - categories: - - istio-io - - rbac-istio-io - kind: RbacConfig - listKind: RbacConfigList - plural: rbacconfigs - singular: rbacconfig - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'See more details at:' - properties: - enforcementMode: - enum: - - ENFORCED - - PERMISSIVE - type: string - exclusion: - description: A list of services or namespaces that should not be enforced - by Istio RBAC policies. - properties: - namespaces: - description: A list of namespaces. - items: - format: string - type: string - type: array - services: - description: A list of services. - items: - format: string - type: string - type: array - type: object - inclusion: - description: A list of services or namespaces that should be enforced - by Istio RBAC policies. - properties: - namespaces: - description: A list of namespaces. - items: - format: string - type: string - type: array - services: - description: A list of services. - items: - format: string - type: string - type: array - type: object - mode: - description: Istio RBAC mode. 
- enum: - - "OFF" - - "ON" - - ON_WITH_INCLUSION - - ON_WITH_EXCLUSION - type: string - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha1 - served: true - storage: true - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: mixer - chart: istio - heritage: Tiller - istio: rbac - package: istio.io.mixer - release: istio - name: serviceroles.rbac.istio.io -spec: - group: rbac.istio.io - names: - categories: - - istio-io - - rbac-istio-io - kind: ServiceRole - listKind: ServiceRoleList - plural: serviceroles - singular: servicerole - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'See more details at:' - properties: - rules: - description: The set of access rules (permissions) that the role has. - items: - properties: - constraints: - description: Optional. - items: - properties: - key: - description: Key of the constraint. - format: string - type: string - values: - description: List of valid values for the constraint. - items: - format: string - type: string - type: array - type: object - type: array - hosts: - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - notHosts: - items: - format: string - type: string - type: array - notMethods: - items: - format: string - type: string - type: array - notPaths: - items: - format: string - type: string - type: array - notPorts: - items: - format: int32 - type: integer - type: array - paths: - description: Optional. - items: - format: string - type: string - type: array - ports: - items: - format: int32 - type: integer - type: array - services: - description: A list of service names. 
- items: - format: string - type: string - type: array - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha1 - served: true - storage: true - ---- -apiVersion: apiextensions.k8s.io/v1beta1 -kind: CustomResourceDefinition -metadata: - annotations: - "helm.sh/resource-policy": keep - labels: - app: mixer - chart: istio - heritage: Tiller - istio: rbac - package: istio.io.mixer - release: istio - name: servicerolebindings.rbac.istio.io -spec: - additionalPrinterColumns: - - JSONPath: .spec.roleRef.name - description: The name of the ServiceRole object being referenced - name: Reference - type: string - - JSONPath: .metadata.creationTimestamp - description: 'CreationTimestamp is a timestamp representing the server time when - this object was created. It is not guaranteed to be set in happens-before order - across separate operations. Clients may not set this value. It is represented - in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for - lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' - name: Age - type: date - group: rbac.istio.io - names: - categories: - - istio-io - - rbac-istio-io - kind: ServiceRoleBinding - listKind: ServiceRoleBindingList - plural: servicerolebindings - singular: servicerolebinding - preserveUnknownFields: false - scope: Namespaced - subresources: - status: {} - validation: - openAPIV3Schema: - properties: - spec: - description: 'See more details at:' - properties: - actions: - items: - properties: - constraints: - description: Optional. - items: - properties: - key: - description: Key of the constraint. - format: string - type: string - values: - description: List of valid values for the constraint. 
- items: - format: string - type: string - type: array - type: object - type: array - hosts: - items: - format: string - type: string - type: array - methods: - description: Optional. - items: - format: string - type: string - type: array - notHosts: - items: - format: string - type: string - type: array - notMethods: - items: - format: string - type: string - type: array - notPaths: - items: - format: string - type: string - type: array - notPorts: - items: - format: int32 - type: integer - type: array - paths: - description: Optional. - items: - format: string - type: string - type: array - ports: - items: - format: int32 - type: integer - type: array - services: - description: A list of service names. - items: - format: string - type: string - type: array - type: object - type: array - mode: - enum: - - ENFORCED - - PERMISSIVE - type: string - role: - format: string - type: string - roleRef: - description: Reference to the ServiceRole object. - properties: - kind: - description: The type of the role being referenced. - format: string - type: string - name: - description: The name of the ServiceRole object being referenced. - format: string - type: string - type: object - subjects: - description: List of subjects that are assigned the ServiceRole object. - items: - properties: - group: - format: string - type: string - groups: - items: - format: string - type: string - type: array - ips: - items: - format: string - type: string - type: array - names: - items: - format: string - type: string - type: array - namespaces: - items: - format: string - type: string - type: array - notGroups: - items: - format: string - type: string - type: array - notIps: - items: - format: string - type: string - type: array - notNames: - items: - format: string - type: string - type: array - notNamespaces: - items: - format: string - type: string - type: array - properties: - additionalProperties: - format: string - type: string - description: Optional. 
- type: object - user: - description: Optional. - format: string - type: string - type: object - type: array - type: object - status: - type: object - x-kubernetes-preserve-unknown-fields: true - type: object - versions: - - name: v1alpha1 - served: true - storage: true - --- apiVersion: apiextensions.k8s.io/v1beta1 kind: CustomResourceDefinition diff --git a/proto.lock b/proto.lock index 0e7d4982..e2c448ea 100644 --- a/proto.lock +++ b/proto.lock @@ -43188,6 +43188,11 @@ "name": "cni", "type": "ComponentSpec" }, + { + "id": 39, + "name": "istiod_remote", + "type": "ComponentSpec" + }, { "id": 40, "name": "ingress_gateways", 
@@ -45575,367 +45580,6 @@ ] } }, - { - "protopath": "rbac:/:v1alpha1:/:rbac.proto", - "def": { - "enums": [ - { - "name": "EnforcementMode", - "enum_fields": [ - { - "name": "ENFORCED" - }, - { - "name": "PERMISSIVE", - "integer": 1 - } - ] - }, - { - "name": "RbacConfig.Mode", - "enum_fields": [ - { - "name": "OFF" - }, - { - "name": "ON", - "integer": 1 - }, - { - "name": "ON_WITH_INCLUSION", - "integer": 2 - }, - { - "name": "ON_WITH_EXCLUSION", - "integer": 3 - } - ] - } - ], - "messages": [ - { - "name": "ServiceRole", - "fields": [ - { - "id": 1, - "name": "rules", - "type": "AccessRule", - "is_repeated": true, - "options": [ - { - "name": "(google.api.field_behavior)", - "value": "REQUIRED" - } - ] - } - ] - }, - { - "name": "AccessRule", - "fields": [ - { - "id": 1, - "name": "services", - "type": "string", - "is_repeated": true, - "options": [ - { - "name": "(google.api.field_behavior)", - "value": "REQUIRED" - } - ] - }, - { - "id": 5, - "name": "hosts", - "type": "string", - "is_repeated": true - }, - { - "id": 6, - "name": "not_hosts", - "type": "string", - "is_repeated": true - }, - { - "id": 2, - "name": "paths", - "type": "string", - "is_repeated": true - }, - { - "id": 7, - "name": "not_paths", - "type": "string", - "is_repeated": true - }, - { - "id": 3, - "name": "methods", - "type": "string", - "is_repeated": true - }, - { - "id": 8, - "name": "not_methods", - "type": "string", - "is_repeated": true - }, - { - "id": 9, - "name": "ports", - "type": "int32", - "is_repeated": true - }, - { - "id": 10, - "name": "not_ports", - "type": "int32", - "is_repeated": true - }, - { - "id": 4, - "name": "constraints", - "type": "Constraint", - "is_repeated": true - } - ], - "messages": [ - { - "name": "Constraint", - "fields": [ - { - "id": 1, - "name": "key", - "type": "string" - }, - { - "id": 2, - "name": "values", - "type": "string", - "is_repeated": true - } - ] - } - ] - }, - { - "name": "ServiceRoleBinding", - "fields": [ - { - "id": 1, - "name": 
"subjects", - "type": "Subject", - "is_repeated": true, - "options": [ - { - "name": "(google.api.field_behavior)", - "value": "REQUIRED" - } - ] - }, - { - "id": 2, - "name": "roleRef", - "type": "RoleRef", - "options": [ - { - "name": "(google.api.field_behavior)", - "value": "REQUIRED" - } - ] - }, - { - "id": 3, - "name": "mode", - "type": "EnforcementMode" - }, - { - "id": 4, - "name": "actions", - "type": "AccessRule", - "is_repeated": true, - "options": [ - { - "name": "(google.api.field_behavior)", - "value": "REQUIRED" - } - ] - }, - { - "id": 5, - "name": "role", - "type": "string" - } - ] - }, - { - "name": "Subject", - "fields": [ - { - "id": 1, - "name": "user", - "type": "string" - }, - { - "id": 4, - "name": "names", - "type": "string", - "is_repeated": true - }, - { - "id": 5, - "name": "not_names", - "type": "string", - "is_repeated": true - }, - { - "id": 2, - "name": "group", - "type": "string", - "options": [ - { - "name": "deprecated", - "value": "true" - } - ] - }, - { - "id": 6, - "name": "groups", - "type": "string", - "is_repeated": true - }, - { - "id": 7, - "name": "not_groups", - "type": "string", - "is_repeated": true - }, - { - "id": 8, - "name": "namespaces", - "type": "string", - "is_repeated": true - }, - { - "id": 9, - "name": "not_namespaces", - "type": "string", - "is_repeated": true - }, - { - "id": 10, - "name": "ips", - "type": "string", - "is_repeated": true - }, - { - "id": 11, - "name": "not_ips", - "type": "string", - "is_repeated": true - } - ], - "maps": [ - { - "key_type": "string", - "field": { - "id": 3, - "name": "properties", - "type": "string" - } - } - ] - }, - { - "name": "RoleRef", - "fields": [ - { - "id": 1, - "name": "kind", - "type": "string", - "options": [ - { - "name": "(google.api.field_behavior)", - "value": "REQUIRED" - } - ] - }, - { - "id": 2, - "name": "name", - "type": "string", - "options": [ - { - "name": "(google.api.field_behavior)", - "value": "REQUIRED" - } - ] - } - ] - }, - { - "name": 
"RbacConfig", - "fields": [ - { - "id": 1, - "name": "mode", - "type": "Mode" - }, - { - "id": 2, - "name": "inclusion", - "type": "Target" - }, - { - "id": 3, - "name": "exclusion", - "type": "Target" - }, - { - "id": 4, - "name": "enforcement_mode", - "type": "EnforcementMode" - } - ], - "messages": [ - { - "name": "Target", - "fields": [ - { - "id": 1, - "name": "services", - "type": "string", - "is_repeated": true - }, - { - "id": 2, - "name": "namespaces", - "type": "string", - "is_repeated": true - } - ] - } - ] - } - ], - "imports": [ - { - "path": "google/api/field_behavior.proto" - } - ], - "package": { - "name": "istio.rbac.v1alpha1" - }, - "options": [ - { - "name": "go_package", - "value": "istio.io/api/rbac/v1alpha1" - } - ] - } - }, { "protopath": "security:/:v1beta1:/:authorization.proto", "def": { diff --git a/prototool.yaml b/prototool.yaml index f8903407..f590e85d 100644 --- a/prototool.yaml +++ b/prototool.yaml @@ -15,7 +15,6 @@ lint: files: - operator/v1alpha1/component.proto - operator/v1alpha1/kubernetes.proto - - rbac/v1alpha1/rbac.proto - id: ENUM_FIELD_NAMES_UPPER_SNAKE_CASE files: - networking/v1alpha3/gateway.proto diff --git a/python/istio_api/rbac/v1alpha1/rbac_pb2.py b/python/istio_api/rbac/v1alpha1/rbac_pb2.py deleted file mode 100644 index 78f95ee1..00000000 --- a/python/istio_api/rbac/v1alpha1/rbac_pb2.py +++ /dev/null 
@@ -1,674 +0,0 @@ -# -*- coding: utf-8 -*- -# Generated by the protocol buffer compiler. DO NOT EDIT! -# source: rbac/v1alpha1/rbac.proto - -import sys -_b=sys.version_info[0]<3 and (lambda x:x) or (lambda x:x.encode('latin1')) -from google.protobuf.internal import enum_type_wrapper -from google.protobuf import descriptor as _descriptor -from google.protobuf import message as _message -from google.protobuf import reflection as _reflection -from google.protobuf import symbol_database as _symbol_database -# @@protoc_insertion_point(imports) - -_sym_db = _symbol_database.Default() - - -from google.api import field_behavior_pb2 as google_dot_api_dot_field__behavior__pb2 - - -DESCRIPTOR = _descriptor.FileDescriptor( - name='rbac/v1alpha1/rbac.proto', - package='istio.rbac.v1alpha1', - syntax='proto3', - serialized_options=_b('Z\032istio.io/api/rbac/v1alpha1'), - serialized_pb=_b('\n\x18rbac/v1alpha1/rbac.proto\x12\x13istio.rbac.v1alpha1\x1a\x1fgoogle/api/field_behavior.proto\"B\n\x0bServiceRole\x12\x33\n\x05rules\x18\x01 \x03(\x0b\x32\x1f.istio.rbac.v1alpha1.AccessRuleB\x03\xe0\x41\x02\"\x9b\x02\n\nAccessRule\x12\x15\n\x08services\x18\x01 \x03(\tB\x03\xe0\x41\x02\x12\r\n\x05hosts\x18\x05 \x03(\t\x12\x11\n\tnot_hosts\x18\x06 \x03(\t\x12\r\n\x05paths\x18\x02 \x03(\t\x12\x11\n\tnot_paths\x18\x07 \x03(\t\x12\x0f\n\x07methods\x18\x03 \x03(\t\x12\x13\n\x0bnot_methods\x18\x08 \x03(\t\x12\r\n\x05ports\x18\t \x03(\x05\x12\x11\n\tnot_ports\x18\n \x03(\x05\x12?\n\x0b\x63onstraints\x18\x04 \x03(\x0b\x32*.istio.rbac.v1alpha1.AccessRule.Constraint\x1a)\n\nConstraint\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\x0e\n\x06values\x18\x02 \x03(\t\"\xf6\x01\n\x12ServiceRoleBinding\x12\x33\n\x08subjects\x18\x01 \x03(\x0b\x32\x1c.istio.rbac.v1alpha1.SubjectB\x03\xe0\x41\x02\x12\x32\n\x07roleRef\x18\x02 \x01(\x0b\x32\x1c.istio.rbac.v1alpha1.RoleRefB\x03\xe0\x41\x02\x12\x32\n\x04mode\x18\x03 \x01(\x0e\x32$.istio.rbac.v1alpha1.EnforcementMode\x12\x35\n\x07\x61\x63tions\x18\x04 
\x03(\x0b\x32\x1f.istio.rbac.v1alpha1.AccessRuleB\x03\xe0\x41\x02\x12\x0c\n\x04role\x18\x05 \x01(\t\"\xaf\x02\n\x07Subject\x12\x0c\n\x04user\x18\x01 \x01(\t\x12\r\n\x05names\x18\x04 \x03(\t\x12\x11\n\tnot_names\x18\x05 \x03(\t\x12\x11\n\x05group\x18\x02 \x01(\tB\x02\x18\x01\x12\x0e\n\x06groups\x18\x06 \x03(\t\x12\x12\n\nnot_groups\x18\x07 \x03(\t\x12\x12\n\nnamespaces\x18\x08 \x03(\t\x12\x16\n\x0enot_namespaces\x18\t \x03(\t\x12\x0b\n\x03ips\x18\n \x03(\t\x12\x0f\n\x07not_ips\x18\x0b \x03(\t\x12@\n\nproperties\x18\x03 \x03(\x0b\x32,.istio.rbac.v1alpha1.Subject.PropertiesEntry\x1a\x31\n\x0fPropertiesEntry\x12\x0b\n\x03key\x18\x01 \x01(\t\x12\r\n\x05value\x18\x02 \x01(\t:\x02\x38\x01\"/\n\x07RoleRef\x12\x11\n\x04kind\x18\x01 \x01(\tB\x03\xe0\x41\x02\x12\x11\n\x04name\x18\x02 \x01(\tB\x03\xe0\x41\x02\"\xed\x02\n\nRbacConfig\x12\x32\n\x04mode\x18\x01 \x01(\x0e\x32$.istio.rbac.v1alpha1.RbacConfig.Mode\x12\x39\n\tinclusion\x18\x02 \x01(\x0b\x32&.istio.rbac.v1alpha1.RbacConfig.Target\x12\x39\n\texclusion\x18\x03 \x01(\x0b\x32&.istio.rbac.v1alpha1.RbacConfig.Target\x12>\n\x10\x65nforcement_mode\x18\x04 \x01(\x0e\x32$.istio.rbac.v1alpha1.EnforcementMode\x1a.\n\x06Target\x12\x10\n\x08services\x18\x01 \x03(\t\x12\x12\n\nnamespaces\x18\x02 \x03(\t\"E\n\x04Mode\x12\x07\n\x03OFF\x10\x00\x12\x06\n\x02ON\x10\x01\x12\x15\n\x11ON_WITH_INCLUSION\x10\x02\x12\x15\n\x11ON_WITH_EXCLUSION\x10\x03*/\n\x0f\x45nforcementMode\x12\x0c\n\x08\x45NFORCED\x10\x00\x12\x0e\n\nPERMISSIVE\x10\x01\x42\x1cZ\x1aistio.io/api/rbac/v1alpha1b\x06proto3') - , - dependencies=[google_dot_api_dot_field__behavior__pb2.DESCRIPTOR,]) - -_ENFORCEMENTMODE = _descriptor.EnumDescriptor( - name='EnforcementMode', - full_name='istio.rbac.v1alpha1.EnforcementMode', - filename=None, - file=DESCRIPTOR, - values=[ - _descriptor.EnumValueDescriptor( - name='ENFORCED', index=0, number=0, - serialized_options=None, - type=None), - _descriptor.EnumValueDescriptor( - name='PERMISSIVE', index=1, number=1, - 
serialized_options=None, - type=None), - ], - containing_type=None, - serialized_options=None, - serialized_start=1408, - serialized_end=1455, -) -_sym_db.RegisterEnumDescriptor(_ENFORCEMENTMODE) - -EnforcementMode = enum_type_wrapper.EnumTypeWrapper(_ENFORCEMENTMODE) -ENFORCED = 0 -PERMISSIVE = 1 - - -_RBACCONFIG_MODE = _descriptor.EnumDescriptor( - name='Mode', - full_name='istio.rbac.v1alpha1.RbacConfig.Mode', - filename=None, - file=DESCRIPTOR, - values=[ - _descriptor.EnumValueDescriptor( - name='OFF', index=0, number=0, - serialized_options=None, - type=None), - _descriptor.EnumValueDescriptor( - name='ON', index=1, number=1, - serialized_options=None, - type=None), - _descriptor.EnumValueDescriptor( - name='ON_WITH_INCLUSION', index=2, number=2, - serialized_options=None, - type=None), - _descriptor.EnumValueDescriptor( - name='ON_WITH_EXCLUSION', index=3, number=3, - serialized_options=None, - type=None), - ], - containing_type=None, - serialized_options=None, - serialized_start=1337, - serialized_end=1406, -) -_sym_db.RegisterEnumDescriptor(_RBACCONFIG_MODE) - - -_SERVICEROLE = _descriptor.Descriptor( - name='ServiceRole', - full_name='istio.rbac.v1alpha1.ServiceRole', - filename=None, - file=DESCRIPTOR, - containing_type=None, - fields=[ - _descriptor.FieldDescriptor( - name='rules', full_name='istio.rbac.v1alpha1.ServiceRole.rules', index=0, - number=1, type=11, cpp_type=10, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=_b('\340A\002'), file=DESCRIPTOR), - ], - extensions=[ - ], - nested_types=[], - enum_types=[ - ], - serialized_options=None, - is_extendable=False, - syntax='proto3', - extension_ranges=[], - oneofs=[ - ], - serialized_start=82, - serialized_end=148, -) - - -_ACCESSRULE_CONSTRAINT = _descriptor.Descriptor( - name='Constraint', - full_name='istio.rbac.v1alpha1.AccessRule.Constraint', - filename=None, - 
file=DESCRIPTOR, - containing_type=None, - fields=[ - _descriptor.FieldDescriptor( - name='key', full_name='istio.rbac.v1alpha1.AccessRule.Constraint.key', index=0, - number=1, type=9, cpp_type=9, label=1, - has_default_value=False, default_value=_b("").decode('utf-8'), - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='values', full_name='istio.rbac.v1alpha1.AccessRule.Constraint.values', index=1, - number=2, type=9, cpp_type=9, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - ], - extensions=[ - ], - nested_types=[], - enum_types=[ - ], - serialized_options=None, - is_extendable=False, - syntax='proto3', - extension_ranges=[], - oneofs=[ - ], - serialized_start=393, - serialized_end=434, -) - -_ACCESSRULE = _descriptor.Descriptor( - name='AccessRule', - full_name='istio.rbac.v1alpha1.AccessRule', - filename=None, - file=DESCRIPTOR, - containing_type=None, - fields=[ - _descriptor.FieldDescriptor( - name='services', full_name='istio.rbac.v1alpha1.AccessRule.services', index=0, - number=1, type=9, cpp_type=9, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=_b('\340A\002'), file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='hosts', full_name='istio.rbac.v1alpha1.AccessRule.hosts', index=1, - number=5, type=9, cpp_type=9, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='not_hosts', full_name='istio.rbac.v1alpha1.AccessRule.not_hosts', index=2, - number=6, 
type=9, cpp_type=9, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='paths', full_name='istio.rbac.v1alpha1.AccessRule.paths', index=3, - number=2, type=9, cpp_type=9, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='not_paths', full_name='istio.rbac.v1alpha1.AccessRule.not_paths', index=4, - number=7, type=9, cpp_type=9, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='methods', full_name='istio.rbac.v1alpha1.AccessRule.methods', index=5, - number=3, type=9, cpp_type=9, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='not_methods', full_name='istio.rbac.v1alpha1.AccessRule.not_methods', index=6, - number=8, type=9, cpp_type=9, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='ports', full_name='istio.rbac.v1alpha1.AccessRule.ports', index=7, - number=9, type=5, cpp_type=1, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='not_ports', 
full_name='istio.rbac.v1alpha1.AccessRule.not_ports', index=8, - number=10, type=5, cpp_type=1, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='constraints', full_name='istio.rbac.v1alpha1.AccessRule.constraints', index=9, - number=4, type=11, cpp_type=10, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - ], - extensions=[ - ], - nested_types=[_ACCESSRULE_CONSTRAINT, ], - enum_types=[ - ], - serialized_options=None, - is_extendable=False, - syntax='proto3', - extension_ranges=[], - oneofs=[ - ], - serialized_start=151, - serialized_end=434, -) - - -_SERVICEROLEBINDING = _descriptor.Descriptor( - name='ServiceRoleBinding', - full_name='istio.rbac.v1alpha1.ServiceRoleBinding', - filename=None, - file=DESCRIPTOR, - containing_type=None, - fields=[ - _descriptor.FieldDescriptor( - name='subjects', full_name='istio.rbac.v1alpha1.ServiceRoleBinding.subjects', index=0, - number=1, type=11, cpp_type=10, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=_b('\340A\002'), file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='roleRef', full_name='istio.rbac.v1alpha1.ServiceRoleBinding.roleRef', index=1, - number=2, type=11, cpp_type=10, label=1, - has_default_value=False, default_value=None, - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=_b('\340A\002'), file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='mode', full_name='istio.rbac.v1alpha1.ServiceRoleBinding.mode', index=2, - number=3, type=14, cpp_type=8, label=1, - 
has_default_value=False, default_value=0, - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='actions', full_name='istio.rbac.v1alpha1.ServiceRoleBinding.actions', index=3, - number=4, type=11, cpp_type=10, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=_b('\340A\002'), file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='role', full_name='istio.rbac.v1alpha1.ServiceRoleBinding.role', index=4, - number=5, type=9, cpp_type=9, label=1, - has_default_value=False, default_value=_b("").decode('utf-8'), - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - ], - extensions=[ - ], - nested_types=[], - enum_types=[ - ], - serialized_options=None, - is_extendable=False, - syntax='proto3', - extension_ranges=[], - oneofs=[ - ], - serialized_start=437, - serialized_end=683, -) - - -_SUBJECT_PROPERTIESENTRY = _descriptor.Descriptor( - name='PropertiesEntry', - full_name='istio.rbac.v1alpha1.Subject.PropertiesEntry', - filename=None, - file=DESCRIPTOR, - containing_type=None, - fields=[ - _descriptor.FieldDescriptor( - name='key', full_name='istio.rbac.v1alpha1.Subject.PropertiesEntry.key', index=0, - number=1, type=9, cpp_type=9, label=1, - has_default_value=False, default_value=_b("").decode('utf-8'), - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='value', full_name='istio.rbac.v1alpha1.Subject.PropertiesEntry.value', index=1, - number=2, type=9, cpp_type=9, label=1, - has_default_value=False, default_value=_b("").decode('utf-8'), - message_type=None, enum_type=None, 
containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - ], - extensions=[ - ], - nested_types=[], - enum_types=[ - ], - serialized_options=_b('8\001'), - is_extendable=False, - syntax='proto3', - extension_ranges=[], - oneofs=[ - ], - serialized_start=940, - serialized_end=989, -) - -_SUBJECT = _descriptor.Descriptor( - name='Subject', - full_name='istio.rbac.v1alpha1.Subject', - filename=None, - file=DESCRIPTOR, - containing_type=None, - fields=[ - _descriptor.FieldDescriptor( - name='user', full_name='istio.rbac.v1alpha1.Subject.user', index=0, - number=1, type=9, cpp_type=9, label=1, - has_default_value=False, default_value=_b("").decode('utf-8'), - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='names', full_name='istio.rbac.v1alpha1.Subject.names', index=1, - number=4, type=9, cpp_type=9, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='not_names', full_name='istio.rbac.v1alpha1.Subject.not_names', index=2, - number=5, type=9, cpp_type=9, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='group', full_name='istio.rbac.v1alpha1.Subject.group', index=3, - number=2, type=9, cpp_type=9, label=1, - has_default_value=False, default_value=_b("").decode('utf-8'), - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=_b('\030\001'), file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='groups', 
full_name='istio.rbac.v1alpha1.Subject.groups', index=4, - number=6, type=9, cpp_type=9, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='not_groups', full_name='istio.rbac.v1alpha1.Subject.not_groups', index=5, - number=7, type=9, cpp_type=9, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='namespaces', full_name='istio.rbac.v1alpha1.Subject.namespaces', index=6, - number=8, type=9, cpp_type=9, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='not_namespaces', full_name='istio.rbac.v1alpha1.Subject.not_namespaces', index=7, - number=9, type=9, cpp_type=9, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='ips', full_name='istio.rbac.v1alpha1.Subject.ips', index=8, - number=10, type=9, cpp_type=9, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='not_ips', full_name='istio.rbac.v1alpha1.Subject.not_ips', index=9, - number=11, type=9, cpp_type=9, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, 
file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='properties', full_name='istio.rbac.v1alpha1.Subject.properties', index=10, - number=3, type=11, cpp_type=10, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - ], - extensions=[ - ], - nested_types=[_SUBJECT_PROPERTIESENTRY, ], - enum_types=[ - ], - serialized_options=None, - is_extendable=False, - syntax='proto3', - extension_ranges=[], - oneofs=[ - ], - serialized_start=686, - serialized_end=989, -) - - -_ROLEREF = _descriptor.Descriptor( - name='RoleRef', - full_name='istio.rbac.v1alpha1.RoleRef', - filename=None, - file=DESCRIPTOR, - containing_type=None, - fields=[ - _descriptor.FieldDescriptor( - name='kind', full_name='istio.rbac.v1alpha1.RoleRef.kind', index=0, - number=1, type=9, cpp_type=9, label=1, - has_default_value=False, default_value=_b("").decode('utf-8'), - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=_b('\340A\002'), file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='name', full_name='istio.rbac.v1alpha1.RoleRef.name', index=1, - number=2, type=9, cpp_type=9, label=1, - has_default_value=False, default_value=_b("").decode('utf-8'), - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=_b('\340A\002'), file=DESCRIPTOR), - ], - extensions=[ - ], - nested_types=[], - enum_types=[ - ], - serialized_options=None, - is_extendable=False, - syntax='proto3', - extension_ranges=[], - oneofs=[ - ], - serialized_start=991, - serialized_end=1038, -) - - -_RBACCONFIG_TARGET = _descriptor.Descriptor( - name='Target', - full_name='istio.rbac.v1alpha1.RbacConfig.Target', - filename=None, - file=DESCRIPTOR, - containing_type=None, - fields=[ - _descriptor.FieldDescriptor( - name='services', 
full_name='istio.rbac.v1alpha1.RbacConfig.Target.services', index=0, - number=1, type=9, cpp_type=9, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='namespaces', full_name='istio.rbac.v1alpha1.RbacConfig.Target.namespaces', index=1, - number=2, type=9, cpp_type=9, label=3, - has_default_value=False, default_value=[], - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - ], - extensions=[ - ], - nested_types=[], - enum_types=[ - ], - serialized_options=None, - is_extendable=False, - syntax='proto3', - extension_ranges=[], - oneofs=[ - ], - serialized_start=1289, - serialized_end=1335, -) - -_RBACCONFIG = _descriptor.Descriptor( - name='RbacConfig', - full_name='istio.rbac.v1alpha1.RbacConfig', - filename=None, - file=DESCRIPTOR, - containing_type=None, - fields=[ - _descriptor.FieldDescriptor( - name='mode', full_name='istio.rbac.v1alpha1.RbacConfig.mode', index=0, - number=1, type=14, cpp_type=8, label=1, - has_default_value=False, default_value=0, - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='inclusion', full_name='istio.rbac.v1alpha1.RbacConfig.inclusion', index=1, - number=2, type=11, cpp_type=10, label=1, - has_default_value=False, default_value=None, - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='exclusion', full_name='istio.rbac.v1alpha1.RbacConfig.exclusion', index=2, - number=3, type=11, cpp_type=10, label=1, - has_default_value=False, default_value=None, - message_type=None, enum_type=None, 
containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - _descriptor.FieldDescriptor( - name='enforcement_mode', full_name='istio.rbac.v1alpha1.RbacConfig.enforcement_mode', index=3, - number=4, type=14, cpp_type=8, label=1, - has_default_value=False, default_value=0, - message_type=None, enum_type=None, containing_type=None, - is_extension=False, extension_scope=None, - serialized_options=None, file=DESCRIPTOR), - ], - extensions=[ - ], - nested_types=[_RBACCONFIG_TARGET, ], - enum_types=[ - _RBACCONFIG_MODE, - ], - serialized_options=None, - is_extendable=False, - syntax='proto3', - extension_ranges=[], - oneofs=[ - ], - serialized_start=1041, - serialized_end=1406, -) - -_SERVICEROLE.fields_by_name['rules'].message_type = _ACCESSRULE -_ACCESSRULE_CONSTRAINT.containing_type = _ACCESSRULE -_ACCESSRULE.fields_by_name['constraints'].message_type = _ACCESSRULE_CONSTRAINT -_SERVICEROLEBINDING.fields_by_name['subjects'].message_type = _SUBJECT -_SERVICEROLEBINDING.fields_by_name['roleRef'].message_type = _ROLEREF -_SERVICEROLEBINDING.fields_by_name['mode'].enum_type = _ENFORCEMENTMODE -_SERVICEROLEBINDING.fields_by_name['actions'].message_type = _ACCESSRULE -_SUBJECT_PROPERTIESENTRY.containing_type = _SUBJECT -_SUBJECT.fields_by_name['properties'].message_type = _SUBJECT_PROPERTIESENTRY -_RBACCONFIG_TARGET.containing_type = _RBACCONFIG -_RBACCONFIG.fields_by_name['mode'].enum_type = _RBACCONFIG_MODE -_RBACCONFIG.fields_by_name['inclusion'].message_type = _RBACCONFIG_TARGET -_RBACCONFIG.fields_by_name['exclusion'].message_type = _RBACCONFIG_TARGET -_RBACCONFIG.fields_by_name['enforcement_mode'].enum_type = _ENFORCEMENTMODE -_RBACCONFIG_MODE.containing_type = _RBACCONFIG -DESCRIPTOR.message_types_by_name['ServiceRole'] = _SERVICEROLE -DESCRIPTOR.message_types_by_name['AccessRule'] = _ACCESSRULE -DESCRIPTOR.message_types_by_name['ServiceRoleBinding'] = _SERVICEROLEBINDING -DESCRIPTOR.message_types_by_name['Subject'] 
= _SUBJECT -DESCRIPTOR.message_types_by_name['RoleRef'] = _ROLEREF -DESCRIPTOR.message_types_by_name['RbacConfig'] = _RBACCONFIG -DESCRIPTOR.enum_types_by_name['EnforcementMode'] = _ENFORCEMENTMODE -_sym_db.RegisterFileDescriptor(DESCRIPTOR) - -ServiceRole = _reflection.GeneratedProtocolMessageType('ServiceRole', (_message.Message,), { - 'DESCRIPTOR' : _SERVICEROLE, - '__module__' : 'rbac.v1alpha1.rbac_pb2' - # @@protoc_insertion_point(class_scope:istio.rbac.v1alpha1.ServiceRole) - }) -_sym_db.RegisterMessage(ServiceRole) - -AccessRule = _reflection.GeneratedProtocolMessageType('AccessRule', (_message.Message,), { - - 'Constraint' : _reflection.GeneratedProtocolMessageType('Constraint', (_message.Message,), { - 'DESCRIPTOR' : _ACCESSRULE_CONSTRAINT, - '__module__' : 'rbac.v1alpha1.rbac_pb2' - # @@protoc_insertion_point(class_scope:istio.rbac.v1alpha1.AccessRule.Constraint) - }) - , - 'DESCRIPTOR' : _ACCESSRULE, - '__module__' : 'rbac.v1alpha1.rbac_pb2' - # @@protoc_insertion_point(class_scope:istio.rbac.v1alpha1.AccessRule) - }) -_sym_db.RegisterMessage(AccessRule) -_sym_db.RegisterMessage(AccessRule.Constraint) - -ServiceRoleBinding = _reflection.GeneratedProtocolMessageType('ServiceRoleBinding', (_message.Message,), { - 'DESCRIPTOR' : _SERVICEROLEBINDING, - '__module__' : 'rbac.v1alpha1.rbac_pb2' - # @@protoc_insertion_point(class_scope:istio.rbac.v1alpha1.ServiceRoleBinding) - }) -_sym_db.RegisterMessage(ServiceRoleBinding) - -Subject = _reflection.GeneratedProtocolMessageType('Subject', (_message.Message,), { - - 'PropertiesEntry' : _reflection.GeneratedProtocolMessageType('PropertiesEntry', (_message.Message,), { - 'DESCRIPTOR' : _SUBJECT_PROPERTIESENTRY, - '__module__' : 'rbac.v1alpha1.rbac_pb2' - # @@protoc_insertion_point(class_scope:istio.rbac.v1alpha1.Subject.PropertiesEntry) - }) - , - 'DESCRIPTOR' : _SUBJECT, - '__module__' : 'rbac.v1alpha1.rbac_pb2' - # @@protoc_insertion_point(class_scope:istio.rbac.v1alpha1.Subject) - }) 
-_sym_db.RegisterMessage(Subject) -_sym_db.RegisterMessage(Subject.PropertiesEntry) - -RoleRef = _reflection.GeneratedProtocolMessageType('RoleRef', (_message.Message,), { - 'DESCRIPTOR' : _ROLEREF, - '__module__' : 'rbac.v1alpha1.rbac_pb2' - # @@protoc_insertion_point(class_scope:istio.rbac.v1alpha1.RoleRef) - }) -_sym_db.RegisterMessage(RoleRef) - -RbacConfig = _reflection.GeneratedProtocolMessageType('RbacConfig', (_message.Message,), { - - 'Target' : _reflection.GeneratedProtocolMessageType('Target', (_message.Message,), { - 'DESCRIPTOR' : _RBACCONFIG_TARGET, - '__module__' : 'rbac.v1alpha1.rbac_pb2' - # @@protoc_insertion_point(class_scope:istio.rbac.v1alpha1.RbacConfig.Target) - }) - , - 'DESCRIPTOR' : _RBACCONFIG, - '__module__' : 'rbac.v1alpha1.rbac_pb2' - # @@protoc_insertion_point(class_scope:istio.rbac.v1alpha1.RbacConfig) - }) -_sym_db.RegisterMessage(RbacConfig) -_sym_db.RegisterMessage(RbacConfig.Target) - - -DESCRIPTOR._options = None -_SERVICEROLE.fields_by_name['rules']._options = None -_ACCESSRULE.fields_by_name['services']._options = None -_SERVICEROLEBINDING.fields_by_name['subjects']._options = None -_SERVICEROLEBINDING.fields_by_name['roleRef']._options = None -_SERVICEROLEBINDING.fields_by_name['actions']._options = None -_SUBJECT_PROPERTIESENTRY._options = None -_SUBJECT.fields_by_name['group']._options = None -_ROLEREF.fields_by_name['kind']._options = None -_ROLEREF.fields_by_name['name']._options = None -# @@protoc_insertion_point(module_scope) diff --git a/rbac/v1alpha1/istio.rbac.v1alpha1.gen.json b/rbac/v1alpha1/istio.rbac.v1alpha1.gen.json deleted file mode 100644 index 92a25343..00000000 --- a/rbac/v1alpha1/istio.rbac.v1alpha1.gen.json +++ /dev/null 
@@ -1,321 +0,0 @@ -{ - "openapi": "3.0.0", - "info": { - "title": "", - "version": "v1alpha1" - }, - "components": { - "schemas": { - "istio.rbac.v1alpha1.ServiceRole": { - "description": "ServiceRole specification contains a list of access rules (permissions).", - "type": "object", - "properties": { - "rules": { - "description": "The set of access rules (permissions) that the role has.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.rbac.v1alpha1.AccessRule" - } - } - } - }, - "istio.rbac.v1alpha1.AccessRule": { - "description": "AccessRule defines a permission to access a list of services.", - "type": "object", - "properties": { - "services": { - "description": "A list of service names. Exact match, prefix match, and suffix match are supported for service names. For example, the service name \"bookstore.mtv.cluster.local\" matches \"bookstore.mtv.cluster.local\" (exact match), or \"bookstore\\*\" (prefix match), or \"\\*.mtv.cluster.local\" (suffix match). If set to [\"\\*\"], it refers to all services in the namespace.", - "type": "array", - "items": { - "type": "string", - "format": "string" - } - }, - "hosts": { - "description": "Optional. A list of HTTP hosts. This is matched against the HOST header in a HTTP request. Exact match, prefix match and suffix match are supported. For example, the host \"test.abc.com\" matches \"test.abc.com\" (exact match), or \"\\*.abc.com\" (prefix match), or \"test.abc.\\*\" (suffix match). If not specified, it matches to any host. This field should not be set for TCP services. The policy will be ignored.", - "type": "array", - "items": { - "type": "string", - "format": "string" - } - }, - "notHosts": { - "description": "Optional. A list of HTTP hosts that must not be matched.", - "type": "array", - "items": { - "type": "string", - "format": "string" - } - }, - "paths": { - "description": "Optional. A list of HTTP paths or gRPC methods. 
gRPC methods must be presented as fully-qualified name in the form of \"/packageName.serviceName/methodName\" and are case sensitive. Exact match, prefix match, and suffix match are supported. For example, the path \"/books/review\" matches \"/books/review\" (exact match), or \"/books/\\*\" (prefix match), or \"\\*/review\" (suffix match). If not specified, it matches to any path. This field should not be set for TCP services. The policy will be ignored.", - "type": "array", - "items": { - "type": "string", - "format": "string" - } - }, - "notPaths": { - "description": "Optional. A list of HTTP paths or gRPC methods that must not be matched.", - "type": "array", - "items": { - "type": "string", - "format": "string" - } - }, - "methods": { - "description": "Optional. A list of HTTP methods (e.g., \"GET\", \"POST\"). If not specified or specified as \"\\*\", it matches to any methods. This field should not be set for TCP services. The policy will be ignored. For gRPC services, only `POST` is allowed; other methods will result in denying services.", - "type": "array", - "items": { - "type": "string", - "format": "string" - } - }, - "notMethods": { - "description": "Optional. A list of HTTP methods that must not be matched. Note: It's an error to set methods and not_methods at the same time.", - "type": "array", - "items": { - "type": "string", - "format": "string" - } - }, - "ports": { - "description": "Optional. A list of port numbers of the request. If not specified, it matches to any port number. Note: It's an error to set ports and not_ports at the same time.", - "type": "array", - "items": { - "type": "integer", - "format": "int32" - } - }, - "notPorts": { - "description": "Optional. A list of port numbers that must not be matched. Note: It's an error to set ports and not_ports at the same time.", - "type": "array", - "items": { - "type": "integer", - "format": "int32" - } - }, - "constraints": { - "description": "Optional. 
Extra constraints in the ServiceRole specification.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.rbac.v1alpha1.AccessRule.Constraint" - } - } - } - }, - "istio.rbac.v1alpha1.AccessRule.Constraint": { - "description": "Definition of a custom constraint. The supported keys are listed in the \"constraint and properties\" page.", - "type": "object", - "properties": { - "key": { - "description": "Key of the constraint.", - "type": "string", - "format": "string" - }, - "values": { - "description": "List of valid values for the constraint. Exact match, prefix match, and suffix match are supported. For example, the value \"v1alpha2\" matches \"v1alpha2\" (exact match), or \"v1\\*\" (prefix match), or \"\\*alpha2\" (suffix match).", - "type": "array", - "items": { - "type": "string", - "format": "string" - } - } - } - }, - "istio.rbac.v1alpha1.EnforcementMode": { - "description": "RBAC ServiceRoleBinding enforcement mode, used to verify new ServiceRoleBinding configs work as expected before rolling to production. RBAC engine only logs results from configs that are in permissive mode, and discards result before returning to the user.", - "type": "string", - "enum": [ - "ENFORCED", - "PERMISSIVE" - ] - }, - "istio.rbac.v1alpha1.ServiceRoleBinding": { - "description": "ServiceRoleBinding assigns a ServiceRole to a list of subjects.", - "type": "object", - "properties": { - "subjects": { - "description": "List of subjects that are assigned the ServiceRole object.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.rbac.v1alpha1.Subject" - } - }, - "roleRef": { - "$ref": "#/components/schemas/istio.rbac.v1alpha1.RoleRef" - }, - "mode": { - "$ref": "#/components/schemas/istio.rbac.v1alpha1.EnforcementMode" - }, - "actions": { - "description": "Inline role definition. An inline role is a role that is defined inside an authorization policy, instead of explicitly defined in a ServiceRole object. 
Inline roles can be used for the role definitions that are not intended to be reused in other bindings, while explicit roles are reusable. Both inline roles (defined in \"actions\" field) and explicit roles (defined in ServiceRole) are supported. Users should use only one of them in a single binding. For example, the following \"product-frontend\" AuthorizationPolicy allows \"frontend\" service to view \"product\" service on \"/info\" path. ```yaml apiVersion: \"rbac.istio.io/v1alpha1\" kind: AuthorizationPolicy metadata: name: product-frontend namespace: ns1 spec: selector: labels: app: product allow: - subjects: - names: [\"cluster.local/ns/default/sa/frontend\"] actions: - paths: [\"/info\"] methods: [\"GET\"] The set of access rules (permissions) that the role has.", - "type": "array", - "items": { - "$ref": "#/components/schemas/istio.rbac.v1alpha1.AccessRule" - } - }, - "role": { - "description": "A `role` inside a ServiceRoleBinding refers to the ServiceRole that this ServiceRoleBinding binds to. A ServiceRoleBinding can bind to a ServiceRole in the same namespace or the root namespace. A ServiceRole in the root namespace represents a mesh global ServiceRole. The value of `role` is the name of the ServiceRole, and it can start with or without a forward slash (\"/\"). When a `role` starts with \"/\", e.g. \"/service-viewer\", it means that this ServiceRoleBinding refers to the ServiceRole in the configurable Istio root namespace. When a `role` starts without \"/\", this ServiceRoleBinding refers to the ServiceRole in the same namespace as the AuthorizationPolicy's, which contains said ServiceRoleBinding.", - "type": "string", - "format": "string" - } - } - }, - "istio.rbac.v1alpha1.Subject": { - "description": "Subject defines an identity. The identity is either a user or identified by a set of `properties`. 
The supported keys in `properties` are listed in \"constraint and properties\" page.", - "type": "object", - "properties": { - "user": { - "description": "Optional. The user name/ID that the subject represents.", - "type": "string", - "format": "string" - }, - "names": { - "description": "Optional. A list of subject names. This is matched to the `source.principal` attribute. If one of subject names is \"\\*\", it matches to a subject with any name. Prefix and suffix matches are supported.", - "type": "array", - "items": { - "type": "string", - "format": "string" - } - }, - "notNames": { - "description": "Optional. A list of subject names that must not be matched.", - "type": "array", - "items": { - "type": "string", - "format": "string" - } - }, - "group": { - "description": "Optional. The group that the subject belongs to. Deprecated. Use groups and not_groups instead.", - "type": "string", - "format": "string", - "deprecated": true - }, - "groups": { - "description": "Optional. A list of groups that the subject represents. This is matched to the `request.auth.claims[groups]` attribute. If not specified, it applies to any groups.", - "type": "array", - "items": { - "type": "string", - "format": "string" - } - }, - "notGroups": { - "description": "Optional. A list of groups that must not be matched.", - "type": "array", - "items": { - "type": "string", - "format": "string" - } - }, - "namespaces": { - "description": "Optional. A list of namespaces that the subject represents. This is matched to the `source.namespace` attribute. If not specified, it applies to any namespaces.", - "type": "array", - "items": { - "type": "string", - "format": "string" - } - }, - "notNamespaces": { - "description": "Optional. A list of namespaces that must not be matched.", - "type": "array", - "items": { - "type": "string", - "format": "string" - } - }, - "ips": { - "description": "Optional. A list of IP address or CIDR ranges that the subject represents. E.g. 
192.168.100.2 or 10.1.0.0/16. If not specified, it applies to any IP addresses.", - "type": "array", - "items": { - "type": "string", - "format": "string" - } - }, - "notIps": { - "description": "Optional. A list of IP addresses or CIDR ranges that must not be matched.", - "type": "array", - "items": { - "type": "string", - "format": "string" - } - }, - "properties": { - "description": "Optional. The set of properties that identify the subject.", - "type": "object", - "additionalProperties": { - "type": "string", - "format": "string" - } - } - } - }, - "istio.rbac.v1alpha1.RoleRef": { - "description": "RoleRef refers to a role object.", - "type": "object", - "properties": { - "name": { - "description": "The name of the ServiceRole object being referenced. The ServiceRole object must be in the same namespace as the ServiceRoleBinding object.", - "type": "string", - "format": "string" - }, - "kind": { - "description": "The type of the role being referenced. Currently, \"ServiceRole\" is the only supported value for \"kind\".", - "type": "string", - "format": "string" - } - } - }, - "istio.rbac.v1alpha1.RbacConfig": { - "description": "RbacConfig implements the ClusterRbacConfig Custom Resource Definition for controlling Istio RBAC behavior. 
The ClusterRbacConfig Custom Resource is a singleton where only one ClusterRbacConfig should be created globally in the mesh and the namespace should be the same to other Istio components, which usually is `istio-system`.", - "type": "object", - "properties": { - "mode": { - "$ref": "#/components/schemas/istio.rbac.v1alpha1.RbacConfig.Mode" - }, - "inclusion": { - "$ref": "#/components/schemas/istio.rbac.v1alpha1.RbacConfig.Target" - }, - "exclusion": { - "$ref": "#/components/schemas/istio.rbac.v1alpha1.RbacConfig.Target" - }, - "enforcementMode": { - "$ref": "#/components/schemas/istio.rbac.v1alpha1.EnforcementMode" - } - } - }, - "istio.rbac.v1alpha1.RbacConfig.Mode": { - "type": "string", - "enum": [ - "OFF", - "ON", - "ON_WITH_INCLUSION", - "ON_WITH_EXCLUSION" - ] - }, - "istio.rbac.v1alpha1.RbacConfig.Target": { - "description": "Target defines a list of services or namespaces.", - "type": "object", - "properties": { - "services": { - "description": "A list of services.", - "type": "array", - "items": { - "type": "string", - "format": "string" - } - }, - "namespaces": { - "description": "A list of namespaces.", - "type": "array", - "items": { - "type": "string", - "format": "string" - } - } - } - } - } - } -} \ No newline at end of file diff --git a/rbac/v1alpha1/istio.rbac.v1alpha1.pb.html b/rbac/v1alpha1/istio.rbac.v1alpha1.pb.html deleted file mode 100644 index 1fce2281..00000000 --- a/rbac/v1alpha1/istio.rbac.v1alpha1.pb.html +++ /dev/null @@ -1,81 +0,0 @@ ---- -title: istio.rbac.v1alpha1 -layout: protoc-gen-docs -generator: protoc-gen-docs -schema: istio.rbac.v1alpha1.RbacConfig -schema: istio.rbac.v1alpha1.ServiceRole -schema: istio.rbac.v1alpha1.ServiceRoleBinding -number_of_entries: 0 ---- -

Note: The v1alpha1 RBAC policy is deprecated by the v1beta1 Authorization policy. -This page is kept for migration purpose and will be removed in Istio 1.6.

- -

Istio RBAC (Role Based Access Control) defines ServiceRole and ServiceRoleBinding -objects.

- -

A ServiceRole specification includes a list of rules (permissions). Each rule has -the following standard fields:

- - - -

In addition to the standard fields, operators can also use custom keys in the constraints field, -the supported keys are listed in the “constraints and properties” page.

- -

Below is an example of ServiceRole object “product-viewer”, which has “read” (“GET” and “HEAD”) -access to “products.svc.cluster.local” service at versions “v1” and “v2”. “path” is not specified, -so it applies to any path in the service.

- -
apiVersion: "rbac.istio.io/v1alpha1"
-kind: ServiceRole
-metadata:
-  name: products-viewer
-  namespace: default
-spec:
-  rules:
-  - services: ["products.svc.cluster.local"]
-    methods: ["GET", "HEAD"]
-    constraints:
-    - key: "destination.labels[version]"
-      values: ["v1", "v2"]
-
- -

A ServiceRoleBinding specification includes two parts:

- - - -

In addition to a simple user field, operators can also use custom keys in the properties field, -the supported keys are listed in the “constraints and properties” page.

- -

Below is an example of ServiceRoleBinding object “test-binding-products”, which binds two subjects -to ServiceRole “product-viewer”:

- - - -
apiVersion: "rbac.istio.io/v1alpha1"
-kind: ServiceRoleBinding
-metadata:
-  name: test-binding-products
-  namespace: default
-spec:
-  subjects:
-  - user: alice@yahoo.com
-  - properties:
-      source.namespace: "abc"
-  roleRef:
-    kind: ServiceRole
-    name: "products-viewer"
-
- diff --git a/rbac/v1alpha1/rbac.pb.go b/rbac/v1alpha1/rbac.pb.go deleted file mode 100644 index e6fd9048..00000000 --- a/rbac/v1alpha1/rbac.pb.go +++ /dev/null 
@@ -1,3874 +0,0 @@ -// Code generated by protoc-gen-gogo. DO NOT EDIT. -// source: rbac/v1alpha1/rbac.proto - -// Note: The v1alpha1 RBAC policy is deprecated by the v1beta1 Authorization policy. -// This page is kept for migration purpose and will be removed in Istio 1.6. -// -// Istio RBAC (Role Based Access Control) defines ServiceRole and ServiceRoleBinding -// objects. -// -// A ServiceRole specification includes a list of rules (permissions). Each rule has -// the following standard fields: -// -// * services: a list of services. -// * methods: A list of HTTP methods. You can set the value to `["*"]` to include all HTTP methods. -// This field should not be set for TCP services. The policy will be ignored. -// For gRPC services, only `POST` is allowed; other methods will result in denying services. -// * paths: HTTP paths or gRPC methods. Note that gRPC methods should be -// presented in the form of "/packageName.serviceName/methodName" and are case sensitive. -// -// In addition to the standard fields, operators can also use custom keys in the `constraints` field, -// the supported keys are listed in the "constraints and properties" page. -// -// Below is an example of ServiceRole object "product-viewer", which has "read" ("GET" and "HEAD") -// access to "products.svc.cluster.local" service at versions "v1" and "v2". "path" is not specified, -// so it applies to any path in the service. -// -// ```yaml -// apiVersion: "rbac.istio.io/v1alpha1" -// kind: ServiceRole -// metadata: -// name: products-viewer -// namespace: default -// spec: -// rules: -// - services: ["products.svc.cluster.local"] -// methods: ["GET", "HEAD"] -// constraints: -// - key: "destination.labels[version]" -// values: ["v1", "v2"] -// ``` -// -// A ServiceRoleBinding specification includes two parts: -// -// * The `roleRef` field that refers to a ServiceRole object in the same namespace. -// * A list of `subjects` that are assigned the roles. 
-// -// In addition to a simple `user` field, operators can also use custom keys in the `properties` field, -// the supported keys are listed in the "constraints and properties" page. -// -// Below is an example of ServiceRoleBinding object "test-binding-products", which binds two subjects -// to ServiceRole "product-viewer": -// -// * User "alice@yahoo.com" -// * Services in "abc" namespace. -// -// ```yaml -// apiVersion: "rbac.istio.io/v1alpha1" -// kind: ServiceRoleBinding -// metadata: -// name: test-binding-products -// namespace: default -// spec: -// subjects: -// - user: alice@yahoo.com -// - properties: -// source.namespace: "abc" -// roleRef: -// kind: ServiceRole -// name: "products-viewer" -// ``` - -package v1alpha1 - -import ( - fmt "fmt" - proto "github.com/gogo/protobuf/proto" - io "io" - _ "istio.io/gogo-genproto/googleapis/google/api" - math "math" - math_bits "math/bits" -) - -// Reference imports to suppress errors if they are not otherwise used. -var _ = proto.Marshal -var _ = fmt.Errorf -var _ = math.Inf - -// This is a compile-time assertion to ensure that this generated file -// is compatible with the proto package it is being compiled against. -// A compilation error at this line likely means your copy of the -// proto package needs to be updated. -const _ = proto.GoGoProtoPackageIsVersion3 // please upgrade the proto package - -// $hide_from_docs -// RBAC ServiceRoleBinding enforcement mode, used to verify new ServiceRoleBinding -// configs work as expected before rolling to production. RBAC engine only logs results -// from configs that are in permissive mode, and discards result before returning -// to the user. -type EnforcementMode int32 - -const ( - // Policy in ENFORCED mode has impact on user experience. - // Policy is in ENFORCED mode by default. - EnforcementMode_ENFORCED EnforcementMode = 0 - // Policy in PERMISSIVE mode isn't enforced and has no impact on users. - // RBAC engine run policies in PERMISSIVE mode and logs stats. 
- EnforcementMode_PERMISSIVE EnforcementMode = 1 -) - -var EnforcementMode_name = map[int32]string{ - 0: "ENFORCED", - 1: "PERMISSIVE", -} - -var EnforcementMode_value = map[string]int32{ - "ENFORCED": 0, - "PERMISSIVE": 1, -} - -func (x EnforcementMode) String() string { - return proto.EnumName(EnforcementMode_name, int32(x)) -} - -func (EnforcementMode) EnumDescriptor() ([]byte, []int) { - return fileDescriptor_3462954d26c055c0, []int{0} -} - -// $hide_from_docs -type RbacConfig_Mode int32 - -const ( - // Disable Istio RBAC completely, Istio RBAC policies will not be enforced. - RbacConfig_OFF RbacConfig_Mode = 0 - // Enable Istio RBAC for all services and namespaces. Note Istio RBAC is deny-by-default - // which means all requests will be denied if it's not allowed by RBAC rules. - RbacConfig_ON RbacConfig_Mode = 1 - // Enable Istio RBAC only for services and namespaces specified in the inclusion field. Any other - // services and namespaces not in the inclusion field will not be enforced by Istio RBAC policies. - RbacConfig_ON_WITH_INCLUSION RbacConfig_Mode = 2 - // Enable Istio RBAC for all services and namespaces except those specified in the exclusion field. Any other - // services and namespaces not in the exclusion field will be enforced by Istio RBAC policies. - RbacConfig_ON_WITH_EXCLUSION RbacConfig_Mode = 3 -) - -var RbacConfig_Mode_name = map[int32]string{ - 0: "OFF", - 1: "ON", - 2: "ON_WITH_INCLUSION", - 3: "ON_WITH_EXCLUSION", -} - -var RbacConfig_Mode_value = map[string]int32{ - "OFF": 0, - "ON": 1, - "ON_WITH_INCLUSION": 2, - "ON_WITH_EXCLUSION": 3, -} - -func (x RbacConfig_Mode) String() string { - return proto.EnumName(RbacConfig_Mode_name, int32(x)) -} - -func (RbacConfig_Mode) EnumDescriptor() ([]byte, []int) { - return fileDescriptor_3462954d26c055c0, []int{5, 0} -} - -// $hide_from_docs -// ServiceRole specification contains a list of access rules (permissions). 
-// -// -// -// -type ServiceRole struct { - // The set of access rules (permissions) that the role has. - Rules []*AccessRule `protobuf:"bytes,1,rep,name=rules,proto3" json:"rules,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` -} - -func (m *ServiceRole) Reset() { *m = ServiceRole{} } -func (m *ServiceRole) String() string { return proto.CompactTextString(m) } -func (*ServiceRole) ProtoMessage() {} -func (*ServiceRole) Descriptor() ([]byte, []int) { - return fileDescriptor_3462954d26c055c0, []int{0} -} -func (m *ServiceRole) XXX_Unmarshal(b []byte) error { - return m.Unmarshal(b) -} -func (m *ServiceRole) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_ServiceRole.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalToSizedBuffer(b) - if err != nil { - return nil, err - } - return b[:n], nil - } -} -func (m *ServiceRole) XXX_Merge(src proto.Message) { - xxx_messageInfo_ServiceRole.Merge(m, src) -} -func (m *ServiceRole) XXX_Size() int { - return m.Size() -} -func (m *ServiceRole) XXX_DiscardUnknown() { - xxx_messageInfo_ServiceRole.DiscardUnknown(m) -} - -var xxx_messageInfo_ServiceRole proto.InternalMessageInfo - -func (m *ServiceRole) GetRules() []*AccessRule { - if m != nil { - return m.Rules - } - return nil -} - -// $hide_from_docs -// AccessRule defines a permission to access a list of services. -type AccessRule struct { - // A list of service names. - // Exact match, prefix match, and suffix match are supported for service names. - // For example, the service name "bookstore.mtv.cluster.local" matches - // "bookstore.mtv.cluster.local" (exact match), or "bookstore\*" (prefix match), - // or "\*.mtv.cluster.local" (suffix match). - // If set to ["\*"], it refers to all services in the namespace. 
- Services []string `protobuf:"bytes,1,rep,name=services,proto3" json:"services,omitempty"` - // $hide_from_docs - // Optional. A list of HTTP hosts. This is matched against the HOST header in - // a HTTP request. Exact match, prefix match and suffix match are supported. - // For example, the host "test.abc.com" matches "test.abc.com" (exact match), - // or "\*.abc.com" (prefix match), or "test.abc.\*" (suffix match). - // If not specified, it matches to any host. - // This field should not be set for TCP services. The policy will be ignored. - Hosts []string `protobuf:"bytes,5,rep,name=hosts,proto3" json:"hosts,omitempty"` - // $hide_from_docs - // Optional. A list of HTTP hosts that must not be matched. - NotHosts []string `protobuf:"bytes,6,rep,name=not_hosts,json=notHosts,proto3" json:"not_hosts,omitempty"` - // Optional. A list of HTTP paths or gRPC methods. - // gRPC methods must be presented as fully-qualified name in the form of - // "/packageName.serviceName/methodName" and are case sensitive. - // Exact match, prefix match, and suffix match are supported. For example, - // the path "/books/review" matches "/books/review" (exact match), - // or "/books/\*" (prefix match), or "\*/review" (suffix match). - // If not specified, it matches to any path. - // This field should not be set for TCP services. The policy will be ignored. - Paths []string `protobuf:"bytes,2,rep,name=paths,proto3" json:"paths,omitempty"` - // $hide_from_docs - // Optional. A list of HTTP paths or gRPC methods that must not be matched. - NotPaths []string `protobuf:"bytes,7,rep,name=not_paths,json=notPaths,proto3" json:"not_paths,omitempty"` - // Optional. A list of HTTP methods (e.g., "GET", "POST"). - // If not specified or specified as "\*", it matches to any methods. - // This field should not be set for TCP services. The policy will be ignored. - // For gRPC services, only `POST` is allowed; other methods will result in denying services. 
- Methods []string `protobuf:"bytes,3,rep,name=methods,proto3" json:"methods,omitempty"` - // $hide_from_docs - // Optional. A list of HTTP methods that must not be matched. - // Note: It's an error to set methods and not_methods at the same time. - NotMethods []string `protobuf:"bytes,8,rep,name=not_methods,json=notMethods,proto3" json:"not_methods,omitempty"` - // $hide_from_docs - // Optional. A list of port numbers of the request. If not specified, it matches - // to any port number. - // Note: It's an error to set ports and not_ports at the same time. - Ports []int32 `protobuf:"varint,9,rep,packed,name=ports,proto3" json:"ports,omitempty"` - // $hide_from_docs - // Optional. A list of port numbers that must not be matched. - // Note: It's an error to set ports and not_ports at the same time. - NotPorts []int32 `protobuf:"varint,10,rep,packed,name=not_ports,json=notPorts,proto3" json:"not_ports,omitempty"` - // Optional. Extra constraints in the ServiceRole specification. - Constraints []*AccessRule_Constraint `protobuf:"bytes,4,rep,name=constraints,proto3" json:"constraints,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` -} - -func (m *AccessRule) Reset() { *m = AccessRule{} } -func (m *AccessRule) String() string { return proto.CompactTextString(m) } -func (*AccessRule) ProtoMessage() {} -func (*AccessRule) Descriptor() ([]byte, []int) { - return fileDescriptor_3462954d26c055c0, []int{1} -} -func (m *AccessRule) XXX_Unmarshal(b []byte) error { - return m.Unmarshal(b) -} -func (m *AccessRule) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_AccessRule.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalToSizedBuffer(b) - if err != nil { - return nil, err - } - return b[:n], nil - } -} -func (m *AccessRule) XXX_Merge(src proto.Message) { - xxx_messageInfo_AccessRule.Merge(m, src) -} -func (m *AccessRule) 
XXX_Size() int { - return m.Size() -} -func (m *AccessRule) XXX_DiscardUnknown() { - xxx_messageInfo_AccessRule.DiscardUnknown(m) -} - -var xxx_messageInfo_AccessRule proto.InternalMessageInfo - -func (m *AccessRule) GetServices() []string { - if m != nil { - return m.Services - } - return nil -} - -func (m *AccessRule) GetHosts() []string { - if m != nil { - return m.Hosts - } - return nil -} - -func (m *AccessRule) GetNotHosts() []string { - if m != nil { - return m.NotHosts - } - return nil -} - -func (m *AccessRule) GetPaths() []string { - if m != nil { - return m.Paths - } - return nil -} - -func (m *AccessRule) GetNotPaths() []string { - if m != nil { - return m.NotPaths - } - return nil -} - -func (m *AccessRule) GetMethods() []string { - if m != nil { - return m.Methods - } - return nil -} - -func (m *AccessRule) GetNotMethods() []string { - if m != nil { - return m.NotMethods - } - return nil -} - -func (m *AccessRule) GetPorts() []int32 { - if m != nil { - return m.Ports - } - return nil -} - -func (m *AccessRule) GetNotPorts() []int32 { - if m != nil { - return m.NotPorts - } - return nil -} - -func (m *AccessRule) GetConstraints() []*AccessRule_Constraint { - if m != nil { - return m.Constraints - } - return nil -} - -// $hide_from_docs -// Definition of a custom constraint. The supported keys are listed in the "constraint and properties" page. -type AccessRule_Constraint struct { - // Key of the constraint. - Key string `protobuf:"bytes,1,opt,name=key,proto3" json:"key,omitempty"` - // List of valid values for the constraint. - // Exact match, prefix match, and suffix match are supported. - // For example, the value "v1alpha2" matches "v1alpha2" (exact match), - // or "v1\*" (prefix match), or "\*alpha2" (suffix match). 
- Values []string `protobuf:"bytes,2,rep,name=values,proto3" json:"values,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` -} - -func (m *AccessRule_Constraint) Reset() { *m = AccessRule_Constraint{} } -func (m *AccessRule_Constraint) String() string { return proto.CompactTextString(m) } -func (*AccessRule_Constraint) ProtoMessage() {} -func (*AccessRule_Constraint) Descriptor() ([]byte, []int) { - return fileDescriptor_3462954d26c055c0, []int{1, 0} -} -func (m *AccessRule_Constraint) XXX_Unmarshal(b []byte) error { - return m.Unmarshal(b) -} -func (m *AccessRule_Constraint) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_AccessRule_Constraint.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalToSizedBuffer(b) - if err != nil { - return nil, err - } - return b[:n], nil - } -} -func (m *AccessRule_Constraint) XXX_Merge(src proto.Message) { - xxx_messageInfo_AccessRule_Constraint.Merge(m, src) -} -func (m *AccessRule_Constraint) XXX_Size() int { - return m.Size() -} -func (m *AccessRule_Constraint) XXX_DiscardUnknown() { - xxx_messageInfo_AccessRule_Constraint.DiscardUnknown(m) -} - -var xxx_messageInfo_AccessRule_Constraint proto.InternalMessageInfo - -func (m *AccessRule_Constraint) GetKey() string { - if m != nil { - return m.Key - } - return "" -} - -func (m *AccessRule_Constraint) GetValues() []string { - if m != nil { - return m.Values - } - return nil -} - -// $hide_from_docs -// ServiceRoleBinding assigns a ServiceRole to a list of subjects. -// -// -// -// -type ServiceRoleBinding struct { - // List of subjects that are assigned the ServiceRole object. - Subjects []*Subject `protobuf:"bytes,1,rep,name=subjects,proto3" json:"subjects,omitempty"` - // Reference to the ServiceRole object. 
- RoleRef *RoleRef `protobuf:"bytes,2,opt,name=roleRef,proto3" json:"roleRef,omitempty"` - // $hide_from_docs - // Indicates enforcement mode of the ServiceRoleBinding. - Mode EnforcementMode `protobuf:"varint,3,opt,name=mode,proto3,enum=istio.rbac.v1alpha1.EnforcementMode" json:"mode,omitempty"` - // $hide_from_docs - // Inline role definition. An inline role is a role that is defined inside an - // authorization policy, instead of explicitly defined in a ServiceRole object. - // Inline roles can be used for the role definitions that are not intended to - // be reused in other bindings, while explicit roles are reusable. Both inline - // roles (defined in "actions" field) and explicit roles (defined in ServiceRole) - // are supported. Users should use only one of them in a single binding. - // For example, the following "product-frontend" AuthorizationPolicy allows "frontend" - // service to view "product" service on "/info" path. - // ```yaml - // apiVersion: "rbac.istio.io/v1alpha1" - // kind: AuthorizationPolicy - // metadata: - // name: product-frontend - // namespace: ns1 - // spec: - // selector: - // labels: - // app: product - // allow: - // - subjects: - // - names: ["cluster.local/ns/default/sa/frontend"] - // actions: - // - paths: ["/info"] - // methods: ["GET"] - // The set of access rules (permissions) that the role has. - Actions []*AccessRule `protobuf:"bytes,4,rep,name=actions,proto3" json:"actions,omitempty"` - // $hide_from_docs - // A `role` inside a ServiceRoleBinding refers to the ServiceRole that this - // ServiceRoleBinding binds to. A ServiceRoleBinding can bind to a ServiceRole - // in the same namespace or the root namespace. A ServiceRole in the root namespace - // represents a mesh global ServiceRole. - // The value of `role` is the name of the ServiceRole, and it can start with or without a forward slash ("/"). - // When a `role` starts with "/", e.g. 
"/service-viewer", it means that this ServiceRoleBinding - // refers to the ServiceRole in the configurable Istio root namespace. - // When a `role` starts without "/", this ServiceRoleBinding refers to the ServiceRole in the - // same namespace as the AuthorizationPolicy's, which contains said ServiceRoleBinding. - Role string `protobuf:"bytes,5,opt,name=role,proto3" json:"role,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` -} - -func (m *ServiceRoleBinding) Reset() { *m = ServiceRoleBinding{} } -func (m *ServiceRoleBinding) String() string { return proto.CompactTextString(m) } -func (*ServiceRoleBinding) ProtoMessage() {} -func (*ServiceRoleBinding) Descriptor() ([]byte, []int) { - return fileDescriptor_3462954d26c055c0, []int{2} -} -func (m *ServiceRoleBinding) XXX_Unmarshal(b []byte) error { - return m.Unmarshal(b) -} -func (m *ServiceRoleBinding) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_ServiceRoleBinding.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalToSizedBuffer(b) - if err != nil { - return nil, err - } - return b[:n], nil - } -} -func (m *ServiceRoleBinding) XXX_Merge(src proto.Message) { - xxx_messageInfo_ServiceRoleBinding.Merge(m, src) -} -func (m *ServiceRoleBinding) XXX_Size() int { - return m.Size() -} -func (m *ServiceRoleBinding) XXX_DiscardUnknown() { - xxx_messageInfo_ServiceRoleBinding.DiscardUnknown(m) -} - -var xxx_messageInfo_ServiceRoleBinding proto.InternalMessageInfo - -func (m *ServiceRoleBinding) GetSubjects() []*Subject { - if m != nil { - return m.Subjects - } - return nil -} - -func (m *ServiceRoleBinding) GetRoleRef() *RoleRef { - if m != nil { - return m.RoleRef - } - return nil -} - -func (m *ServiceRoleBinding) GetMode() EnforcementMode { - if m != nil { - return m.Mode - } - return EnforcementMode_ENFORCED -} - -func (m *ServiceRoleBinding) GetActions() 
[]*AccessRule { - if m != nil { - return m.Actions - } - return nil -} - -func (m *ServiceRoleBinding) GetRole() string { - if m != nil { - return m.Role - } - return "" -} - -// $hide_from_docs -// Subject defines an identity. The identity is either a user or identified by a set of `properties`. -// The supported keys in `properties` are listed in "constraint and properties" page. -type Subject struct { - // Optional. The user name/ID that the subject represents. - User string `protobuf:"bytes,1,opt,name=user,proto3" json:"user,omitempty"` - // $hide_from_docs - // Optional. A list of subject names. This is matched to the - // `source.principal` attribute. If one of subject names is "\*", it matches to a subject with any name. - // Prefix and suffix matches are supported. - Names []string `protobuf:"bytes,4,rep,name=names,proto3" json:"names,omitempty"` - // $hide_from_docs - // Optional. A list of subject names that must not be matched. - NotNames []string `protobuf:"bytes,5,rep,name=not_names,json=notNames,proto3" json:"not_names,omitempty"` - // $hide_from_docs - // Optional. The group that the subject belongs to. - // Deprecated. Use groups and not_groups instead. - Group string `protobuf:"bytes,2,opt,name=group,proto3" json:"group,omitempty"` // Deprecated: Do not use. - // $hide_from_docs - // Optional. A list of groups that the subject represents. This is matched to the - // `request.auth.claims[groups]` attribute. If not specified, it applies to any groups. - Groups []string `protobuf:"bytes,6,rep,name=groups,proto3" json:"groups,omitempty"` - // $hide_from_docs - // Optional. A list of groups that must not be matched. - NotGroups []string `protobuf:"bytes,7,rep,name=not_groups,json=notGroups,proto3" json:"not_groups,omitempty"` - // $hide_from_docs - // Optional. A list of namespaces that the subject represents. This is matched to - // the `source.namespace` attribute. If not specified, it applies to any namespaces. 
- Namespaces []string `protobuf:"bytes,8,rep,name=namespaces,proto3" json:"namespaces,omitempty"` - // $hide_from_docs - // Optional. A list of namespaces that must not be matched. - NotNamespaces []string `protobuf:"bytes,9,rep,name=not_namespaces,json=notNamespaces,proto3" json:"not_namespaces,omitempty"` - // $hide_from_docs - // Optional. A list of IP address or CIDR ranges that the subject represents. - // E.g. 192.168.100.2 or 10.1.0.0/16. If not specified, it applies to any IP addresses. - Ips []string `protobuf:"bytes,10,rep,name=ips,proto3" json:"ips,omitempty"` - // $hide_from_docs - // Optional. A list of IP addresses or CIDR ranges that must not be matched. - NotIps []string `protobuf:"bytes,11,rep,name=not_ips,json=notIps,proto3" json:"not_ips,omitempty"` - // Optional. The set of properties that identify the subject. - Properties map[string]string `protobuf:"bytes,3,rep,name=properties,proto3" json:"properties,omitempty" protobuf_key:"bytes,1,opt,name=key,proto3" protobuf_val:"bytes,2,opt,name=value,proto3"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` -} - -func (m *Subject) Reset() { *m = Subject{} } -func (m *Subject) String() string { return proto.CompactTextString(m) } -func (*Subject) ProtoMessage() {} -func (*Subject) Descriptor() ([]byte, []int) { - return fileDescriptor_3462954d26c055c0, []int{3} -} -func (m *Subject) XXX_Unmarshal(b []byte) error { - return m.Unmarshal(b) -} -func (m *Subject) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_Subject.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalToSizedBuffer(b) - if err != nil { - return nil, err - } - return b[:n], nil - } -} -func (m *Subject) XXX_Merge(src proto.Message) { - xxx_messageInfo_Subject.Merge(m, src) -} -func (m *Subject) XXX_Size() int { - return m.Size() -} -func (m *Subject) XXX_DiscardUnknown() { - 
xxx_messageInfo_Subject.DiscardUnknown(m) -} - -var xxx_messageInfo_Subject proto.InternalMessageInfo - -func (m *Subject) GetUser() string { - if m != nil { - return m.User - } - return "" -} - -func (m *Subject) GetNames() []string { - if m != nil { - return m.Names - } - return nil -} - -func (m *Subject) GetNotNames() []string { - if m != nil { - return m.NotNames - } - return nil -} - -// Deprecated: Do not use. -func (m *Subject) GetGroup() string { - if m != nil { - return m.Group - } - return "" -} - -func (m *Subject) GetGroups() []string { - if m != nil { - return m.Groups - } - return nil -} - -func (m *Subject) GetNotGroups() []string { - if m != nil { - return m.NotGroups - } - return nil -} - -func (m *Subject) GetNamespaces() []string { - if m != nil { - return m.Namespaces - } - return nil -} - -func (m *Subject) GetNotNamespaces() []string { - if m != nil { - return m.NotNamespaces - } - return nil -} - -func (m *Subject) GetIps() []string { - if m != nil { - return m.Ips - } - return nil -} - -func (m *Subject) GetNotIps() []string { - if m != nil { - return m.NotIps - } - return nil -} - -func (m *Subject) GetProperties() map[string]string { - if m != nil { - return m.Properties - } - return nil -} - -// $hide_from_docs -// RoleRef refers to a role object. -type RoleRef struct { - // The type of the role being referenced. - // Currently, "ServiceRole" is the only supported value for "kind". - Kind string `protobuf:"bytes,1,opt,name=kind,proto3" json:"kind,omitempty"` - // The name of the ServiceRole object being referenced. - // The ServiceRole object must be in the same namespace as the ServiceRoleBinding object. 
- Name string `protobuf:"bytes,2,opt,name=name,proto3" json:"name,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` -} - -func (m *RoleRef) Reset() { *m = RoleRef{} } -func (m *RoleRef) String() string { return proto.CompactTextString(m) } -func (*RoleRef) ProtoMessage() {} -func (*RoleRef) Descriptor() ([]byte, []int) { - return fileDescriptor_3462954d26c055c0, []int{4} -} -func (m *RoleRef) XXX_Unmarshal(b []byte) error { - return m.Unmarshal(b) -} -func (m *RoleRef) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_RoleRef.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalToSizedBuffer(b) - if err != nil { - return nil, err - } - return b[:n], nil - } -} -func (m *RoleRef) XXX_Merge(src proto.Message) { - xxx_messageInfo_RoleRef.Merge(m, src) -} -func (m *RoleRef) XXX_Size() int { - return m.Size() -} -func (m *RoleRef) XXX_DiscardUnknown() { - xxx_messageInfo_RoleRef.DiscardUnknown(m) -} - -var xxx_messageInfo_RoleRef proto.InternalMessageInfo - -func (m *RoleRef) GetKind() string { - if m != nil { - return m.Kind - } - return "" -} - -func (m *RoleRef) GetName() string { - if m != nil { - return m.Name - } - return "" -} - -// $hide_from_docs -// RbacConfig implements the ClusterRbacConfig Custom Resource Definition for controlling Istio RBAC behavior. -// The ClusterRbacConfig Custom Resource is a singleton where only one ClusterRbacConfig should be created -// globally in the mesh and the namespace should be the same to other Istio components, which usually is `istio-system`. -// -// Below is an example of an `ClusterRbacConfig` resource called `istio-rbac-config` which enables Istio RBAC for all -// services in the default namespace. 
-// -// ```yaml -// apiVersion: "rbac.istio.io/v1alpha1" -// kind: ClusterRbacConfig -// metadata: -// name: default -// namespace: istio-system -// spec: -// mode: ON_WITH_INCLUSION -// inclusion: -// namespaces: [ "default" ] -// ``` -// -// -// -// -// -// -type RbacConfig struct { - // Istio RBAC mode. - Mode RbacConfig_Mode `protobuf:"varint,1,opt,name=mode,proto3,enum=istio.rbac.v1alpha1.RbacConfig_Mode" json:"mode,omitempty"` - // A list of services or namespaces that should be enforced by Istio RBAC policies. Note: This field have - // effect only when mode is ON_WITH_INCLUSION and will be ignored for any other modes. - Inclusion *RbacConfig_Target `protobuf:"bytes,2,opt,name=inclusion,proto3" json:"inclusion,omitempty"` - // A list of services or namespaces that should not be enforced by Istio RBAC policies. Note: This field have - // effect only when mode is ON_WITH_EXCLUSION and will be ignored for any other modes. - Exclusion *RbacConfig_Target `protobuf:"bytes,3,opt,name=exclusion,proto3" json:"exclusion,omitempty"` - // $hide_from_docs - // Indicates enforcement mode of the RbacConfig, in ENFORCED mode by default. - // It's used to verify new RbacConfig work as expected before rolling to production. - // When setting as PERMISSIVE, RBAC isn't enforced and has no impact on users. - // RBAC engine run RbacConfig in PERMISSIVE mode and logs stats. - // Invalid to set RbacConfig in PERMISSIVE and ServiceRoleBinding in ENFORCED mode. 
- EnforcementMode EnforcementMode `protobuf:"varint,4,opt,name=enforcement_mode,json=enforcementMode,proto3,enum=istio.rbac.v1alpha1.EnforcementMode" json:"enforcement_mode,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` -} - -func (m *RbacConfig) Reset() { *m = RbacConfig{} } -func (m *RbacConfig) String() string { return proto.CompactTextString(m) } -func (*RbacConfig) ProtoMessage() {} -func (*RbacConfig) Descriptor() ([]byte, []int) { - return fileDescriptor_3462954d26c055c0, []int{5} -} -func (m *RbacConfig) XXX_Unmarshal(b []byte) error { - return m.Unmarshal(b) -} -func (m *RbacConfig) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_RbacConfig.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalToSizedBuffer(b) - if err != nil { - return nil, err - } - return b[:n], nil - } -} -func (m *RbacConfig) XXX_Merge(src proto.Message) { - xxx_messageInfo_RbacConfig.Merge(m, src) -} -func (m *RbacConfig) XXX_Size() int { - return m.Size() -} -func (m *RbacConfig) XXX_DiscardUnknown() { - xxx_messageInfo_RbacConfig.DiscardUnknown(m) -} - -var xxx_messageInfo_RbacConfig proto.InternalMessageInfo - -func (m *RbacConfig) GetMode() RbacConfig_Mode { - if m != nil { - return m.Mode - } - return RbacConfig_OFF -} - -func (m *RbacConfig) GetInclusion() *RbacConfig_Target { - if m != nil { - return m.Inclusion - } - return nil -} - -func (m *RbacConfig) GetExclusion() *RbacConfig_Target { - if m != nil { - return m.Exclusion - } - return nil -} - -func (m *RbacConfig) GetEnforcementMode() EnforcementMode { - if m != nil { - return m.EnforcementMode - } - return EnforcementMode_ENFORCED -} - -// $hide_from_docs -// Target defines a list of services or namespaces. -type RbacConfig_Target struct { - // A list of services. 
- Services []string `protobuf:"bytes,1,rep,name=services,proto3" json:"services,omitempty"` - // A list of namespaces. - Namespaces []string `protobuf:"bytes,2,rep,name=namespaces,proto3" json:"namespaces,omitempty"` - XXX_NoUnkeyedLiteral struct{} `json:"-"` - XXX_unrecognized []byte `json:"-"` - XXX_sizecache int32 `json:"-"` -} - -func (m *RbacConfig_Target) Reset() { *m = RbacConfig_Target{} } -func (m *RbacConfig_Target) String() string { return proto.CompactTextString(m) } -func (*RbacConfig_Target) ProtoMessage() {} -func (*RbacConfig_Target) Descriptor() ([]byte, []int) { - return fileDescriptor_3462954d26c055c0, []int{5, 0} -} -func (m *RbacConfig_Target) XXX_Unmarshal(b []byte) error { - return m.Unmarshal(b) -} -func (m *RbacConfig_Target) XXX_Marshal(b []byte, deterministic bool) ([]byte, error) { - if deterministic { - return xxx_messageInfo_RbacConfig_Target.Marshal(b, m, deterministic) - } else { - b = b[:cap(b)] - n, err := m.MarshalToSizedBuffer(b) - if err != nil { - return nil, err - } - return b[:n], nil - } -} -func (m *RbacConfig_Target) XXX_Merge(src proto.Message) { - xxx_messageInfo_RbacConfig_Target.Merge(m, src) -} -func (m *RbacConfig_Target) XXX_Size() int { - return m.Size() -} -func (m *RbacConfig_Target) XXX_DiscardUnknown() { - xxx_messageInfo_RbacConfig_Target.DiscardUnknown(m) -} - -var xxx_messageInfo_RbacConfig_Target proto.InternalMessageInfo - -func (m *RbacConfig_Target) GetServices() []string { - if m != nil { - return m.Services - } - return nil -} - -func (m *RbacConfig_Target) GetNamespaces() []string { - if m != nil { - return m.Namespaces - } - return nil -} - -func init() { - proto.RegisterEnum("istio.rbac.v1alpha1.EnforcementMode", EnforcementMode_name, EnforcementMode_value) - proto.RegisterEnum("istio.rbac.v1alpha1.RbacConfig_Mode", RbacConfig_Mode_name, RbacConfig_Mode_value) - proto.RegisterType((*ServiceRole)(nil), "istio.rbac.v1alpha1.ServiceRole") - proto.RegisterType((*AccessRule)(nil), 
"istio.rbac.v1alpha1.AccessRule") - proto.RegisterType((*AccessRule_Constraint)(nil), "istio.rbac.v1alpha1.AccessRule.Constraint") - proto.RegisterType((*ServiceRoleBinding)(nil), "istio.rbac.v1alpha1.ServiceRoleBinding") - proto.RegisterType((*Subject)(nil), "istio.rbac.v1alpha1.Subject") - proto.RegisterMapType((map[string]string)(nil), "istio.rbac.v1alpha1.Subject.PropertiesEntry") - proto.RegisterType((*RoleRef)(nil), "istio.rbac.v1alpha1.RoleRef") - proto.RegisterType((*RbacConfig)(nil), "istio.rbac.v1alpha1.RbacConfig") - proto.RegisterType((*RbacConfig_Target)(nil), "istio.rbac.v1alpha1.RbacConfig.Target") -} - -func init() { proto.RegisterFile("rbac/v1alpha1/rbac.proto", fileDescriptor_3462954d26c055c0) } - -var fileDescriptor_3462954d26c055c0 = []byte{ - // 838 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x94, 0x55, 0xef, 0x6e, 0xdb, 0x36, - 0x10, 0xaf, 0x24, 0xcb, 0xb2, 0xce, 0x5b, 0xa2, 0x71, 0xd9, 0x2a, 0x78, 0x5b, 0x62, 0x18, 0xdb, - 0x60, 0x14, 0x83, 0x8d, 0x66, 0xc0, 0x50, 0xb4, 0xe8, 0x80, 0x26, 0x51, 0x56, 0x03, 0x8d, 0x1d, - 0xd0, 0xdd, 0x1f, 0xec, 0x8b, 0x21, 0xcb, 0x8c, 0xcd, 0x55, 0x21, 0x05, 0x89, 0x36, 0xd6, 0x27, - 0xd8, 0x5b, 0x0c, 0x7b, 0x84, 0x3d, 0xc6, 0x3e, 0xee, 0x11, 0x8a, 0x3c, 0xc9, 0x40, 0x52, 0x94, - 0x1d, 0xc3, 0x6b, 0x9b, 0x6f, 0xbc, 0xfb, 0xdd, 0xef, 0xee, 0x74, 0xf7, 0xa3, 0x08, 0x61, 0x3e, - 0x8d, 0x93, 0xfe, 0xea, 0x61, 0x9c, 0x66, 0x8b, 0xf8, 0x61, 0x5f, 0x5a, 0xbd, 0x2c, 0xe7, 0x82, - 0xa3, 0x8f, 0x69, 0x21, 0x28, 0xef, 0x29, 0x8f, 0xc1, 0x5b, 0x47, 0x73, 0xce, 0xe7, 0x29, 0xe9, - 0xc7, 0x19, 0xed, 0x5f, 0x51, 0x92, 0xce, 0x26, 0x53, 0xb2, 0x88, 0x57, 0x94, 0xe7, 0x9a, 0xd5, - 0x19, 0x40, 0x73, 0x4c, 0xf2, 0x15, 0x4d, 0x08, 0xe6, 0x29, 0x41, 0x8f, 0xc1, 0xcd, 0x97, 0x29, - 0x29, 0x42, 0xab, 0xed, 0x74, 0x9b, 0xc7, 0x47, 0xbd, 0x1d, 0x49, 0x7b, 0xcf, 0x92, 0x84, 0x14, - 0x05, 0x5e, 0xa6, 0xe4, 0xc4, 0x79, 0xf3, 0xcc, 0xc6, 0x9a, 0xd2, 0xf9, 0xc3, 0x01, 0x58, 0x43, - 
0xe8, 0x08, 0x1a, 0x85, 0xce, 0xac, 0xb3, 0xf9, 0x3a, 0xb8, 0x72, 0xa2, 0x03, 0x70, 0x17, 0xbc, - 0x10, 0x45, 0xe8, 0x4a, 0x14, 0x6b, 0x03, 0x7d, 0x06, 0x3e, 0xe3, 0x62, 0xa2, 0x91, 0xba, 0x42, - 0x1a, 0x8c, 0x8b, 0xe7, 0x0a, 0x3c, 0x00, 0x37, 0x8b, 0xc5, 0xa2, 0x08, 0x6d, 0x4d, 0x51, 0x86, - 0xa1, 0x68, 0xc4, 0xab, 0x28, 0x97, 0x0a, 0x0c, 0xc1, 0xbb, 0x26, 0x62, 0xc1, 0x67, 0x45, 0xe8, - 0x28, 0xc8, 0x98, 0xe8, 0x08, 0x9a, 0x92, 0x66, 0xd0, 0x86, 0x42, 0x81, 0x71, 0x71, 0x51, 0x06, - 0xc8, 0x6a, 0x3c, 0x17, 0x45, 0xe8, 0xb7, 0x9d, 0xae, 0x8b, 0xb5, 0x51, 0x55, 0x53, 0x08, 0x28, - 0x44, 0x55, 0x53, 0xe0, 0x0b, 0x68, 0x26, 0x9c, 0x15, 0x22, 0x8f, 0x29, 0x13, 0x45, 0x58, 0x53, - 0x53, 0x7c, 0xf0, 0x8e, 0x29, 0xf6, 0x4e, 0x2b, 0x0a, 0xde, 0xa4, 0xb7, 0xbe, 0x03, 0x58, 0x43, - 0x28, 0x00, 0xe7, 0x15, 0x79, 0x1d, 0x5a, 0x6d, 0xab, 0xeb, 0x63, 0x79, 0x44, 0x9f, 0x42, 0x7d, - 0x15, 0xa7, 0x4b, 0x62, 0xe6, 0x51, 0x5a, 0x9d, 0x3f, 0x6d, 0x40, 0x1b, 0x5b, 0x3d, 0xa1, 0x6c, - 0x46, 0xd9, 0x1c, 0x3d, 0x85, 0x46, 0xb1, 0x9c, 0xfe, 0x46, 0x12, 0x61, 0xf6, 0xfb, 0xf9, 0xce, - 0xce, 0xc6, 0x3a, 0xc8, 0xec, 0xab, 0xa4, 0xa0, 0x27, 0xe0, 0xe5, 0x3c, 0x25, 0x98, 0x5c, 0x85, - 0x76, 0xdb, 0xfa, 0x5f, 0x36, 0xd6, 0x31, 0x9a, 0x6d, 0x18, 0xe8, 0x11, 0xd4, 0xae, 0xf9, 0x8c, - 0x84, 0x4e, 0xdb, 0xea, 0xee, 0x1d, 0x7f, 0xb9, 0x93, 0x19, 0xb1, 0x2b, 0x9e, 0x27, 0xe4, 0x9a, - 0x30, 0x71, 0xc1, 0x67, 0x04, 0x2b, 0x06, 0xfa, 0x1e, 0xbc, 0x38, 0x11, 0x94, 0x33, 0x33, 0xce, - 0xf7, 0x13, 0xa5, 0x21, 0x21, 0x04, 0x35, 0xd9, 0x44, 0xe8, 0xaa, 0xb9, 0xa9, 0x73, 0xe7, 0x2f, - 0x07, 0xbc, 0xf2, 0x2b, 0x25, 0xbe, 0x2c, 0x48, 0x5e, 0xce, 0x55, 0x9d, 0xe5, 0xe6, 0x59, 0x7c, - 0x4d, 0x74, 0x45, 0x1f, 0x6b, 0xc3, 0x6c, 0x5e, 0x23, 0x6e, 0xa5, 0xb3, 0xa1, 0x02, 0x43, 0x70, - 0xe7, 0x39, 0x5f, 0x66, 0x6a, 0x36, 0xfe, 0x89, 0x1d, 0x5a, 0x58, 0x3b, 0xe4, 0x96, 0xd4, 0xc1, - 0xc8, 0xb9, 0xb4, 0xd0, 0x17, 0x20, 0xc5, 0x36, 0x29, 0x31, 0xad, 0x5b, 0x59, 0xe0, 0x07, 0x0d, - 0x1f, 0x02, 0xa8, 0x4a, 0x59, 0x2c, 
0x6f, 0x90, 0x51, 0x67, 0xe5, 0x41, 0x5f, 0xc1, 0x5e, 0xd5, - 0x8d, 0x8e, 0xf1, 0x55, 0xcc, 0x87, 0xa6, 0x25, 0x1d, 0x16, 0x80, 0x43, 0x33, 0x2d, 0x54, 0x1f, - 0xcb, 0x23, 0xba, 0x0f, 0x9e, 0x24, 0x4a, 0x6f, 0x53, 0x37, 0xc4, 0xb8, 0x18, 0x64, 0x52, 0xbc, - 0x90, 0xe5, 0x3c, 0x23, 0xb9, 0xa0, 0x44, 0xdf, 0x96, 0xe6, 0xf1, 0x37, 0x6f, 0x53, 0x48, 0xef, - 0xb2, 0x0a, 0x8f, 0x98, 0xc8, 0x5f, 0xe3, 0x0d, 0x7e, 0xeb, 0x29, 0xec, 0x6f, 0xc1, 0x3b, 0x14, - 0x7c, 0x00, 0xae, 0xd2, 0xac, 0x9e, 0x1a, 0xd6, 0xc6, 0x63, 0xfb, 0x91, 0xd5, 0x79, 0x02, 0x5e, - 0xa9, 0x24, 0x74, 0x1f, 0x6a, 0xaf, 0x28, 0x9b, 0x69, 0x9e, 0xde, 0xae, 0x72, 0x48, 0x40, 0x7e, - 0x7e, 0x39, 0x72, 0x0d, 0x48, 0x47, 0xe7, 0x6f, 0x07, 0x00, 0x4f, 0xe3, 0xe4, 0x94, 0xb3, 0x2b, - 0x3a, 0xaf, 0xc4, 0x67, 0xbd, 0x45, 0x7c, 0xeb, 0xf0, 0xde, 0x86, 0xf8, 0xce, 0xc0, 0xa7, 0x2c, - 0x49, 0x97, 0x05, 0xe5, 0xac, 0x54, 0xfd, 0xd7, 0xef, 0xa2, 0xbf, 0x8c, 0xf3, 0x39, 0x11, 0x78, - 0x4d, 0x94, 0x59, 0xc8, 0xef, 0x26, 0x8b, 0x73, 0xb7, 0x2c, 0x15, 0x11, 0x8d, 0x20, 0x20, 0xeb, - 0x1b, 0x32, 0x51, 0x5f, 0x54, 0xbb, 0xc3, 0x75, 0xda, 0x27, 0xb7, 0x1d, 0xad, 0x33, 0xa8, 0xeb, - 0x2a, 0xa8, 0xb5, 0xfd, 0xaf, 0xde, 0xf8, 0x4d, 0xdf, 0xd6, 0xa1, 0xbd, 0xad, 0xc3, 0x4e, 0x04, - 0x35, 0x99, 0x0d, 0x79, 0xe0, 0x8c, 0xce, 0xcf, 0x83, 0x7b, 0xa8, 0x0e, 0xf6, 0x68, 0x18, 0x58, - 0xe8, 0x13, 0xf8, 0x68, 0x34, 0x9c, 0xfc, 0x3c, 0x78, 0xf9, 0x7c, 0x32, 0x18, 0x9e, 0xbe, 0xf8, - 0x71, 0x3c, 0x18, 0x0d, 0x03, 0x7b, 0xd3, 0x1d, 0xfd, 0x62, 0xdc, 0xce, 0x83, 0x3e, 0xec, 0x6f, - 0x35, 0x8c, 0x3e, 0x80, 0x46, 0x34, 0x3c, 0x1f, 0xe1, 0xd3, 0xe8, 0x2c, 0xb8, 0x87, 0xf6, 0x00, - 0x2e, 0x23, 0x7c, 0x31, 0x18, 0x8f, 0x07, 0x3f, 0x45, 0x81, 0x75, 0xd2, 0xfd, 0xe7, 0xe6, 0xd0, - 0xfa, 0xf7, 0xe6, 0xd0, 0x7a, 0x73, 0x73, 0x68, 0xfd, 0xda, 0xd2, 0x13, 0xa0, 0x5c, 0x3d, 0x75, - 0xb7, 0x1e, 0xc9, 0x69, 0x5d, 0x3d, 0x75, 0xdf, 0xfe, 0x17, 0x00, 0x00, 0xff, 0xff, 0x0a, 0xb5, - 0x43, 0x55, 0x3c, 0x07, 0x00, 0x00, -} - -func (m *ServiceRole) Marshal() 
(dAtA []byte, err error) { - size := m.Size() - dAtA = make([]byte, size) - n, err := m.MarshalToSizedBuffer(dAtA[:size]) - if err != nil { - return nil, err - } - return dAtA[:n], nil -} - -func (m *ServiceRole) MarshalTo(dAtA []byte) (int, error) { - size := m.Size() - return m.MarshalToSizedBuffer(dAtA[:size]) -} - -func (m *ServiceRole) MarshalToSizedBuffer(dAtA []byte) (int, error) { - i := len(dAtA) - _ = i - var l int - _ = l - if m.XXX_unrecognized != nil { - i -= len(m.XXX_unrecognized) - copy(dAtA[i:], m.XXX_unrecognized) - } - if len(m.Rules) > 0 { - for iNdEx := len(m.Rules) - 1; iNdEx >= 0; iNdEx-- { - { - size, err := m.Rules[iNdEx].MarshalToSizedBuffer(dAtA[:i]) - if err != nil { - return 0, err - } - i -= size - i = encodeVarintRbac(dAtA, i, uint64(size)) - } - i-- - dAtA[i] = 0xa - } - } - return len(dAtA) - i, nil -} - -func (m *AccessRule) Marshal() (dAtA []byte, err error) { - size := m.Size() - dAtA = make([]byte, size) - n, err := m.MarshalToSizedBuffer(dAtA[:size]) - if err != nil { - return nil, err - } - return dAtA[:n], nil -} - -func (m *AccessRule) MarshalTo(dAtA []byte) (int, error) { - size := m.Size() - return m.MarshalToSizedBuffer(dAtA[:size]) -} - -func (m *AccessRule) MarshalToSizedBuffer(dAtA []byte) (int, error) { - i := len(dAtA) - _ = i - var l int - _ = l - if m.XXX_unrecognized != nil { - i -= len(m.XXX_unrecognized) - copy(dAtA[i:], m.XXX_unrecognized) - } - if len(m.NotPorts) > 0 { - dAtA2 := make([]byte, len(m.NotPorts)*10) - var j1 int - for _, num1 := range m.NotPorts { - num := uint64(num1) - for num >= 1<<7 { - dAtA2[j1] = uint8(uint64(num)&0x7f | 0x80) - num >>= 7 - j1++ - } - dAtA2[j1] = uint8(num) - j1++ - } - i -= j1 - copy(dAtA[i:], dAtA2[:j1]) - i = encodeVarintRbac(dAtA, i, uint64(j1)) - i-- - dAtA[i] = 0x52 - } - if len(m.Ports) > 0 { - dAtA4 := make([]byte, len(m.Ports)*10) - var j3 int - for _, num1 := range m.Ports { - num := uint64(num1) - for num >= 1<<7 { - dAtA4[j3] = uint8(uint64(num)&0x7f | 0x80) - 
num >>= 7 - j3++ - } - dAtA4[j3] = uint8(num) - j3++ - } - i -= j3 - copy(dAtA[i:], dAtA4[:j3]) - i = encodeVarintRbac(dAtA, i, uint64(j3)) - i-- - dAtA[i] = 0x4a - } - if len(m.NotMethods) > 0 { - for iNdEx := len(m.NotMethods) - 1; iNdEx >= 0; iNdEx-- { - i -= len(m.NotMethods[iNdEx]) - copy(dAtA[i:], m.NotMethods[iNdEx]) - i = encodeVarintRbac(dAtA, i, uint64(len(m.NotMethods[iNdEx]))) - i-- - dAtA[i] = 0x42 - } - } - if len(m.NotPaths) > 0 { - for iNdEx := len(m.NotPaths) - 1; iNdEx >= 0; iNdEx-- { - i -= len(m.NotPaths[iNdEx]) - copy(dAtA[i:], m.NotPaths[iNdEx]) - i = encodeVarintRbac(dAtA, i, uint64(len(m.NotPaths[iNdEx]))) - i-- - dAtA[i] = 0x3a - } - } - if len(m.NotHosts) > 0 { - for iNdEx := len(m.NotHosts) - 1; iNdEx >= 0; iNdEx-- { - i -= len(m.NotHosts[iNdEx]) - copy(dAtA[i:], m.NotHosts[iNdEx]) - i = encodeVarintRbac(dAtA, i, uint64(len(m.NotHosts[iNdEx]))) - i-- - dAtA[i] = 0x32 - } - } - if len(m.Hosts) > 0 { - for iNdEx := len(m.Hosts) - 1; iNdEx >= 0; iNdEx-- { - i -= len(m.Hosts[iNdEx]) - copy(dAtA[i:], m.Hosts[iNdEx]) - i = encodeVarintRbac(dAtA, i, uint64(len(m.Hosts[iNdEx]))) - i-- - dAtA[i] = 0x2a - } - } - if len(m.Constraints) > 0 { - for iNdEx := len(m.Constraints) - 1; iNdEx >= 0; iNdEx-- { - { - size, err := m.Constraints[iNdEx].MarshalToSizedBuffer(dAtA[:i]) - if err != nil { - return 0, err - } - i -= size - i = encodeVarintRbac(dAtA, i, uint64(size)) - } - i-- - dAtA[i] = 0x22 - } - } - if len(m.Methods) > 0 { - for iNdEx := len(m.Methods) - 1; iNdEx >= 0; iNdEx-- { - i -= len(m.Methods[iNdEx]) - copy(dAtA[i:], m.Methods[iNdEx]) - i = encodeVarintRbac(dAtA, i, uint64(len(m.Methods[iNdEx]))) - i-- - dAtA[i] = 0x1a - } - } - if len(m.Paths) > 0 { - for iNdEx := len(m.Paths) - 1; iNdEx >= 0; iNdEx-- { - i -= len(m.Paths[iNdEx]) - copy(dAtA[i:], m.Paths[iNdEx]) - i = encodeVarintRbac(dAtA, i, uint64(len(m.Paths[iNdEx]))) - i-- - dAtA[i] = 0x12 - } - } - if len(m.Services) > 0 { - for iNdEx := len(m.Services) - 1; iNdEx >= 0; iNdEx-- { - i 
-= len(m.Services[iNdEx]) - copy(dAtA[i:], m.Services[iNdEx]) - i = encodeVarintRbac(dAtA, i, uint64(len(m.Services[iNdEx]))) - i-- - dAtA[i] = 0xa - } - } - return len(dAtA) - i, nil -} - -func (m *AccessRule_Constraint) Marshal() (dAtA []byte, err error) { - size := m.Size() - dAtA = make([]byte, size) - n, err := m.MarshalToSizedBuffer(dAtA[:size]) - if err != nil { - return nil, err - } - return dAtA[:n], nil -} - -func (m *AccessRule_Constraint) MarshalTo(dAtA []byte) (int, error) { - size := m.Size() - return m.MarshalToSizedBuffer(dAtA[:size]) -} - -func (m *AccessRule_Constraint) MarshalToSizedBuffer(dAtA []byte) (int, error) { - i := len(dAtA) - _ = i - var l int - _ = l - if m.XXX_unrecognized != nil { - i -= len(m.XXX_unrecognized) - copy(dAtA[i:], m.XXX_unrecognized) - } - if len(m.Values) > 0 { - for iNdEx := len(m.Values) - 1; iNdEx >= 0; iNdEx-- { - i -= len(m.Values[iNdEx]) - copy(dAtA[i:], m.Values[iNdEx]) - i = encodeVarintRbac(dAtA, i, uint64(len(m.Values[iNdEx]))) - i-- - dAtA[i] = 0x12 - } - } - if len(m.Key) > 0 { - i -= len(m.Key) - copy(dAtA[i:], m.Key) - i = encodeVarintRbac(dAtA, i, uint64(len(m.Key))) - i-- - dAtA[i] = 0xa - } - return len(dAtA) - i, nil -} - -func (m *ServiceRoleBinding) Marshal() (dAtA []byte, err error) { - size := m.Size() - dAtA = make([]byte, size) - n, err := m.MarshalToSizedBuffer(dAtA[:size]) - if err != nil { - return nil, err - } - return dAtA[:n], nil -} - -func (m *ServiceRoleBinding) MarshalTo(dAtA []byte) (int, error) { - size := m.Size() - return m.MarshalToSizedBuffer(dAtA[:size]) -} - -func (m *ServiceRoleBinding) MarshalToSizedBuffer(dAtA []byte) (int, error) { - i := len(dAtA) - _ = i - var l int - _ = l - if m.XXX_unrecognized != nil { - i -= len(m.XXX_unrecognized) - copy(dAtA[i:], m.XXX_unrecognized) - } - if len(m.Role) > 0 { - i -= len(m.Role) - copy(dAtA[i:], m.Role) - i = encodeVarintRbac(dAtA, i, uint64(len(m.Role))) - i-- - dAtA[i] = 0x2a - } - if len(m.Actions) > 0 { - for iNdEx := 
len(m.Actions) - 1; iNdEx >= 0; iNdEx-- { - { - size, err := m.Actions[iNdEx].MarshalToSizedBuffer(dAtA[:i]) - if err != nil { - return 0, err - } - i -= size - i = encodeVarintRbac(dAtA, i, uint64(size)) - } - i-- - dAtA[i] = 0x22 - } - } - if m.Mode != 0 { - i = encodeVarintRbac(dAtA, i, uint64(m.Mode)) - i-- - dAtA[i] = 0x18 - } - if m.RoleRef != nil { - { - size, err := m.RoleRef.MarshalToSizedBuffer(dAtA[:i]) - if err != nil { - return 0, err - } - i -= size - i = encodeVarintRbac(dAtA, i, uint64(size)) - } - i-- - dAtA[i] = 0x12 - } - if len(m.Subjects) > 0 { - for iNdEx := len(m.Subjects) - 1; iNdEx >= 0; iNdEx-- { - { - size, err := m.Subjects[iNdEx].MarshalToSizedBuffer(dAtA[:i]) - if err != nil { - return 0, err - } - i -= size - i = encodeVarintRbac(dAtA, i, uint64(size)) - } - i-- - dAtA[i] = 0xa - } - } - return len(dAtA) - i, nil -} - -func (m *Subject) Marshal() (dAtA []byte, err error) { - size := m.Size() - dAtA = make([]byte, size) - n, err := m.MarshalToSizedBuffer(dAtA[:size]) - if err != nil { - return nil, err - } - return dAtA[:n], nil -} - -func (m *Subject) MarshalTo(dAtA []byte) (int, error) { - size := m.Size() - return m.MarshalToSizedBuffer(dAtA[:size]) -} - -func (m *Subject) MarshalToSizedBuffer(dAtA []byte) (int, error) { - i := len(dAtA) - _ = i - var l int - _ = l - if m.XXX_unrecognized != nil { - i -= len(m.XXX_unrecognized) - copy(dAtA[i:], m.XXX_unrecognized) - } - if len(m.NotIps) > 0 { - for iNdEx := len(m.NotIps) - 1; iNdEx >= 0; iNdEx-- { - i -= len(m.NotIps[iNdEx]) - copy(dAtA[i:], m.NotIps[iNdEx]) - i = encodeVarintRbac(dAtA, i, uint64(len(m.NotIps[iNdEx]))) - i-- - dAtA[i] = 0x5a - } - } - if len(m.Ips) > 0 { - for iNdEx := len(m.Ips) - 1; iNdEx >= 0; iNdEx-- { - i -= len(m.Ips[iNdEx]) - copy(dAtA[i:], m.Ips[iNdEx]) - i = encodeVarintRbac(dAtA, i, uint64(len(m.Ips[iNdEx]))) - i-- - dAtA[i] = 0x52 - } - } - if len(m.NotNamespaces) > 0 { - for iNdEx := len(m.NotNamespaces) - 1; iNdEx >= 0; iNdEx-- { - i -= 
len(m.NotNamespaces[iNdEx]) - copy(dAtA[i:], m.NotNamespaces[iNdEx]) - i = encodeVarintRbac(dAtA, i, uint64(len(m.NotNamespaces[iNdEx]))) - i-- - dAtA[i] = 0x4a - } - } - if len(m.Namespaces) > 0 { - for iNdEx := len(m.Namespaces) - 1; iNdEx >= 0; iNdEx-- { - i -= len(m.Namespaces[iNdEx]) - copy(dAtA[i:], m.Namespaces[iNdEx]) - i = encodeVarintRbac(dAtA, i, uint64(len(m.Namespaces[iNdEx]))) - i-- - dAtA[i] = 0x42 - } - } - if len(m.NotGroups) > 0 { - for iNdEx := len(m.NotGroups) - 1; iNdEx >= 0; iNdEx-- { - i -= len(m.NotGroups[iNdEx]) - copy(dAtA[i:], m.NotGroups[iNdEx]) - i = encodeVarintRbac(dAtA, i, uint64(len(m.NotGroups[iNdEx]))) - i-- - dAtA[i] = 0x3a - } - } - if len(m.Groups) > 0 { - for iNdEx := len(m.Groups) - 1; iNdEx >= 0; iNdEx-- { - i -= len(m.Groups[iNdEx]) - copy(dAtA[i:], m.Groups[iNdEx]) - i = encodeVarintRbac(dAtA, i, uint64(len(m.Groups[iNdEx]))) - i-- - dAtA[i] = 0x32 - } - } - if len(m.NotNames) > 0 { - for iNdEx := len(m.NotNames) - 1; iNdEx >= 0; iNdEx-- { - i -= len(m.NotNames[iNdEx]) - copy(dAtA[i:], m.NotNames[iNdEx]) - i = encodeVarintRbac(dAtA, i, uint64(len(m.NotNames[iNdEx]))) - i-- - dAtA[i] = 0x2a - } - } - if len(m.Names) > 0 { - for iNdEx := len(m.Names) - 1; iNdEx >= 0; iNdEx-- { - i -= len(m.Names[iNdEx]) - copy(dAtA[i:], m.Names[iNdEx]) - i = encodeVarintRbac(dAtA, i, uint64(len(m.Names[iNdEx]))) - i-- - dAtA[i] = 0x22 - } - } - if len(m.Properties) > 0 { - for k := range m.Properties { - v := m.Properties[k] - baseI := i - i -= len(v) - copy(dAtA[i:], v) - i = encodeVarintRbac(dAtA, i, uint64(len(v))) - i-- - dAtA[i] = 0x12 - i -= len(k) - copy(dAtA[i:], k) - i = encodeVarintRbac(dAtA, i, uint64(len(k))) - i-- - dAtA[i] = 0xa - i = encodeVarintRbac(dAtA, i, uint64(baseI-i)) - i-- - dAtA[i] = 0x1a - } - } - if len(m.Group) > 0 { - i -= len(m.Group) - copy(dAtA[i:], m.Group) - i = encodeVarintRbac(dAtA, i, uint64(len(m.Group))) - i-- - dAtA[i] = 0x12 - } - if len(m.User) > 0 { - i -= len(m.User) - copy(dAtA[i:], m.User) - i = 
encodeVarintRbac(dAtA, i, uint64(len(m.User))) - i-- - dAtA[i] = 0xa - } - return len(dAtA) - i, nil -} - -func (m *RoleRef) Marshal() (dAtA []byte, err error) { - size := m.Size() - dAtA = make([]byte, size) - n, err := m.MarshalToSizedBuffer(dAtA[:size]) - if err != nil { - return nil, err - } - return dAtA[:n], nil -} - -func (m *RoleRef) MarshalTo(dAtA []byte) (int, error) { - size := m.Size() - return m.MarshalToSizedBuffer(dAtA[:size]) -} - -func (m *RoleRef) MarshalToSizedBuffer(dAtA []byte) (int, error) { - i := len(dAtA) - _ = i - var l int - _ = l - if m.XXX_unrecognized != nil { - i -= len(m.XXX_unrecognized) - copy(dAtA[i:], m.XXX_unrecognized) - } - if len(m.Name) > 0 { - i -= len(m.Name) - copy(dAtA[i:], m.Name) - i = encodeVarintRbac(dAtA, i, uint64(len(m.Name))) - i-- - dAtA[i] = 0x12 - } - if len(m.Kind) > 0 { - i -= len(m.Kind) - copy(dAtA[i:], m.Kind) - i = encodeVarintRbac(dAtA, i, uint64(len(m.Kind))) - i-- - dAtA[i] = 0xa - } - return len(dAtA) - i, nil -} - -func (m *RbacConfig) Marshal() (dAtA []byte, err error) { - size := m.Size() - dAtA = make([]byte, size) - n, err := m.MarshalToSizedBuffer(dAtA[:size]) - if err != nil { - return nil, err - } - return dAtA[:n], nil -} - -func (m *RbacConfig) MarshalTo(dAtA []byte) (int, error) { - size := m.Size() - return m.MarshalToSizedBuffer(dAtA[:size]) -} - -func (m *RbacConfig) MarshalToSizedBuffer(dAtA []byte) (int, error) { - i := len(dAtA) - _ = i - var l int - _ = l - if m.XXX_unrecognized != nil { - i -= len(m.XXX_unrecognized) - copy(dAtA[i:], m.XXX_unrecognized) - } - if m.EnforcementMode != 0 { - i = encodeVarintRbac(dAtA, i, uint64(m.EnforcementMode)) - i-- - dAtA[i] = 0x20 - } - if m.Exclusion != nil { - { - size, err := m.Exclusion.MarshalToSizedBuffer(dAtA[:i]) - if err != nil { - return 0, err - } - i -= size - i = encodeVarintRbac(dAtA, i, uint64(size)) - } - i-- - dAtA[i] = 0x1a - } - if m.Inclusion != nil { - { - size, err := m.Inclusion.MarshalToSizedBuffer(dAtA[:i]) - if err != 
nil { - return 0, err - } - i -= size - i = encodeVarintRbac(dAtA, i, uint64(size)) - } - i-- - dAtA[i] = 0x12 - } - if m.Mode != 0 { - i = encodeVarintRbac(dAtA, i, uint64(m.Mode)) - i-- - dAtA[i] = 0x8 - } - return len(dAtA) - i, nil -} - -func (m *RbacConfig_Target) Marshal() (dAtA []byte, err error) { - size := m.Size() - dAtA = make([]byte, size) - n, err := m.MarshalToSizedBuffer(dAtA[:size]) - if err != nil { - return nil, err - } - return dAtA[:n], nil -} - -func (m *RbacConfig_Target) MarshalTo(dAtA []byte) (int, error) { - size := m.Size() - return m.MarshalToSizedBuffer(dAtA[:size]) -} - -func (m *RbacConfig_Target) MarshalToSizedBuffer(dAtA []byte) (int, error) { - i := len(dAtA) - _ = i - var l int - _ = l - if m.XXX_unrecognized != nil { - i -= len(m.XXX_unrecognized) - copy(dAtA[i:], m.XXX_unrecognized) - } - if len(m.Namespaces) > 0 { - for iNdEx := len(m.Namespaces) - 1; iNdEx >= 0; iNdEx-- { - i -= len(m.Namespaces[iNdEx]) - copy(dAtA[i:], m.Namespaces[iNdEx]) - i = encodeVarintRbac(dAtA, i, uint64(len(m.Namespaces[iNdEx]))) - i-- - dAtA[i] = 0x12 - } - } - if len(m.Services) > 0 { - for iNdEx := len(m.Services) - 1; iNdEx >= 0; iNdEx-- { - i -= len(m.Services[iNdEx]) - copy(dAtA[i:], m.Services[iNdEx]) - i = encodeVarintRbac(dAtA, i, uint64(len(m.Services[iNdEx]))) - i-- - dAtA[i] = 0xa - } - } - return len(dAtA) - i, nil -} - -func encodeVarintRbac(dAtA []byte, offset int, v uint64) int { - offset -= sovRbac(v) - base := offset - for v >= 1<<7 { - dAtA[offset] = uint8(v&0x7f | 0x80) - v >>= 7 - offset++ - } - dAtA[offset] = uint8(v) - return base -} -func (m *ServiceRole) Size() (n int) { - if m == nil { - return 0 - } - var l int - _ = l - if len(m.Rules) > 0 { - for _, e := range m.Rules { - l = e.Size() - n += 1 + l + sovRbac(uint64(l)) - } - } - if m.XXX_unrecognized != nil { - n += len(m.XXX_unrecognized) - } - return n -} - -func (m *AccessRule) Size() (n int) { - if m == nil { - return 0 - } - var l int - _ = l - if len(m.Services) > 0 { 
- for _, s := range m.Services { - l = len(s) - n += 1 + l + sovRbac(uint64(l)) - } - } - if len(m.Paths) > 0 { - for _, s := range m.Paths { - l = len(s) - n += 1 + l + sovRbac(uint64(l)) - } - } - if len(m.Methods) > 0 { - for _, s := range m.Methods { - l = len(s) - n += 1 + l + sovRbac(uint64(l)) - } - } - if len(m.Constraints) > 0 { - for _, e := range m.Constraints { - l = e.Size() - n += 1 + l + sovRbac(uint64(l)) - } - } - if len(m.Hosts) > 0 { - for _, s := range m.Hosts { - l = len(s) - n += 1 + l + sovRbac(uint64(l)) - } - } - if len(m.NotHosts) > 0 { - for _, s := range m.NotHosts { - l = len(s) - n += 1 + l + sovRbac(uint64(l)) - } - } - if len(m.NotPaths) > 0 { - for _, s := range m.NotPaths { - l = len(s) - n += 1 + l + sovRbac(uint64(l)) - } - } - if len(m.NotMethods) > 0 { - for _, s := range m.NotMethods { - l = len(s) - n += 1 + l + sovRbac(uint64(l)) - } - } - if len(m.Ports) > 0 { - l = 0 - for _, e := range m.Ports { - l += sovRbac(uint64(e)) - } - n += 1 + sovRbac(uint64(l)) + l - } - if len(m.NotPorts) > 0 { - l = 0 - for _, e := range m.NotPorts { - l += sovRbac(uint64(e)) - } - n += 1 + sovRbac(uint64(l)) + l - } - if m.XXX_unrecognized != nil { - n += len(m.XXX_unrecognized) - } - return n -} - -func (m *AccessRule_Constraint) Size() (n int) { - if m == nil { - return 0 - } - var l int - _ = l - l = len(m.Key) - if l > 0 { - n += 1 + l + sovRbac(uint64(l)) - } - if len(m.Values) > 0 { - for _, s := range m.Values { - l = len(s) - n += 1 + l + sovRbac(uint64(l)) - } - } - if m.XXX_unrecognized != nil { - n += len(m.XXX_unrecognized) - } - return n -} - -func (m *ServiceRoleBinding) Size() (n int) { - if m == nil { - return 0 - } - var l int - _ = l - if len(m.Subjects) > 0 { - for _, e := range m.Subjects { - l = e.Size() - n += 1 + l + sovRbac(uint64(l)) - } - } - if m.RoleRef != nil { - l = m.RoleRef.Size() - n += 1 + l + sovRbac(uint64(l)) - } - if m.Mode != 0 { - n += 1 + sovRbac(uint64(m.Mode)) - } - if len(m.Actions) > 0 { - for _, e 
:= range m.Actions { - l = e.Size() - n += 1 + l + sovRbac(uint64(l)) - } - } - l = len(m.Role) - if l > 0 { - n += 1 + l + sovRbac(uint64(l)) - } - if m.XXX_unrecognized != nil { - n += len(m.XXX_unrecognized) - } - return n -} - -func (m *Subject) Size() (n int) { - if m == nil { - return 0 - } - var l int - _ = l - l = len(m.User) - if l > 0 { - n += 1 + l + sovRbac(uint64(l)) - } - l = len(m.Group) - if l > 0 { - n += 1 + l + sovRbac(uint64(l)) - } - if len(m.Properties) > 0 { - for k, v := range m.Properties { - _ = k - _ = v - mapEntrySize := 1 + len(k) + sovRbac(uint64(len(k))) + 1 + len(v) + sovRbac(uint64(len(v))) - n += mapEntrySize + 1 + sovRbac(uint64(mapEntrySize)) - } - } - if len(m.Names) > 0 { - for _, s := range m.Names { - l = len(s) - n += 1 + l + sovRbac(uint64(l)) - } - } - if len(m.NotNames) > 0 { - for _, s := range m.NotNames { - l = len(s) - n += 1 + l + sovRbac(uint64(l)) - } - } - if len(m.Groups) > 0 { - for _, s := range m.Groups { - l = len(s) - n += 1 + l + sovRbac(uint64(l)) - } - } - if len(m.NotGroups) > 0 { - for _, s := range m.NotGroups { - l = len(s) - n += 1 + l + sovRbac(uint64(l)) - } - } - if len(m.Namespaces) > 0 { - for _, s := range m.Namespaces { - l = len(s) - n += 1 + l + sovRbac(uint64(l)) - } - } - if len(m.NotNamespaces) > 0 { - for _, s := range m.NotNamespaces { - l = len(s) - n += 1 + l + sovRbac(uint64(l)) - } - } - if len(m.Ips) > 0 { - for _, s := range m.Ips { - l = len(s) - n += 1 + l + sovRbac(uint64(l)) - } - } - if len(m.NotIps) > 0 { - for _, s := range m.NotIps { - l = len(s) - n += 1 + l + sovRbac(uint64(l)) - } - } - if m.XXX_unrecognized != nil { - n += len(m.XXX_unrecognized) - } - return n -} - -func (m *RoleRef) Size() (n int) { - if m == nil { - return 0 - } - var l int - _ = l - l = len(m.Kind) - if l > 0 { - n += 1 + l + sovRbac(uint64(l)) - } - l = len(m.Name) - if l > 0 { - n += 1 + l + sovRbac(uint64(l)) - } - if m.XXX_unrecognized != nil { - n += len(m.XXX_unrecognized) - } - return n -} - 
-func (m *RbacConfig) Size() (n int) { - if m == nil { - return 0 - } - var l int - _ = l - if m.Mode != 0 { - n += 1 + sovRbac(uint64(m.Mode)) - } - if m.Inclusion != nil { - l = m.Inclusion.Size() - n += 1 + l + sovRbac(uint64(l)) - } - if m.Exclusion != nil { - l = m.Exclusion.Size() - n += 1 + l + sovRbac(uint64(l)) - } - if m.EnforcementMode != 0 { - n += 1 + sovRbac(uint64(m.EnforcementMode)) - } - if m.XXX_unrecognized != nil { - n += len(m.XXX_unrecognized) - } - return n -} - -func (m *RbacConfig_Target) Size() (n int) { - if m == nil { - return 0 - } - var l int - _ = l - if len(m.Services) > 0 { - for _, s := range m.Services { - l = len(s) - n += 1 + l + sovRbac(uint64(l)) - } - } - if len(m.Namespaces) > 0 { - for _, s := range m.Namespaces { - l = len(s) - n += 1 + l + sovRbac(uint64(l)) - } - } - if m.XXX_unrecognized != nil { - n += len(m.XXX_unrecognized) - } - return n -} - -func sovRbac(x uint64) (n int) { - return (math_bits.Len64(x|1) + 6) / 7 -} -func sozRbac(x uint64) (n int) { - return sovRbac(uint64((x << 1) ^ uint64((int64(x) >> 63)))) -} -func (m *ServiceRole) Unmarshal(dAtA []byte) error { - l := len(dAtA) - iNdEx := 0 - for iNdEx < l { - preIndex := iNdEx - var wire uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - wire |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - fieldNum := int32(wire >> 3) - wireType := int(wire & 0x7) - if wireType == 4 { - return fmt.Errorf("proto: ServiceRole: wiretype end group for non-group") - } - if fieldNum <= 0 { - return fmt.Errorf("proto: ServiceRole: illegal tag %d (wire type %d)", fieldNum, wire) - } - switch fieldNum { - case 1: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Rules", wireType) - } - var msglen int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return 
io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - msglen |= int(b&0x7F) << shift - if b < 0x80 { - break - } - } - if msglen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + msglen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Rules = append(m.Rules, &AccessRule{}) - if err := m.Rules[len(m.Rules)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { - return err - } - iNdEx = postIndex - default: - iNdEx = preIndex - skippy, err := skipRbac(dAtA[iNdEx:]) - if err != nil { - return err - } - if skippy < 0 { - return ErrInvalidLengthRbac - } - if (iNdEx + skippy) < 0 { - return ErrInvalidLengthRbac - } - if (iNdEx + skippy) > l { - return io.ErrUnexpectedEOF - } - m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) - iNdEx += skippy - } - } - - if iNdEx > l { - return io.ErrUnexpectedEOF - } - return nil -} -func (m *AccessRule) Unmarshal(dAtA []byte) error { - l := len(dAtA) - iNdEx := 0 - for iNdEx < l { - preIndex := iNdEx - var wire uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - wire |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - fieldNum := int32(wire >> 3) - wireType := int(wire & 0x7) - if wireType == 4 { - return fmt.Errorf("proto: AccessRule: wiretype end group for non-group") - } - if fieldNum <= 0 { - return fmt.Errorf("proto: AccessRule: illegal tag %d (wire type %d)", fieldNum, wire) - } - switch fieldNum { - case 1: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Services", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := 
int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Services = append(m.Services, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - case 2: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Paths", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Paths = append(m.Paths, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - case 3: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Methods", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Methods = append(m.Methods, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - case 4: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Constraints", wireType) - } - var msglen int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - 
msglen |= int(b&0x7F) << shift - if b < 0x80 { - break - } - } - if msglen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + msglen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Constraints = append(m.Constraints, &AccessRule_Constraint{}) - if err := m.Constraints[len(m.Constraints)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { - return err - } - iNdEx = postIndex - case 5: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Hosts", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Hosts = append(m.Hosts, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - case 6: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field NotHosts", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.NotHosts = append(m.NotHosts, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - case 7: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field NotPaths", wireType) - } - var stringLen uint64 - for shift := 
uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.NotPaths = append(m.NotPaths, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - case 8: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field NotMethods", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.NotMethods = append(m.NotMethods, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - case 9: - if wireType == 0 { - var v int32 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - v |= int32(b&0x7F) << shift - if b < 0x80 { - break - } - } - m.Ports = append(m.Ports, v) - } else if wireType == 2 { - var packedLen int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - packedLen |= int(b&0x7F) << shift - if b < 0x80 { - break - } - } - if packedLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + packedLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if 
postIndex > l { - return io.ErrUnexpectedEOF - } - var elementCount int - var count int - for _, integer := range dAtA[iNdEx:postIndex] { - if integer < 128 { - count++ - } - } - elementCount = count - if elementCount != 0 && len(m.Ports) == 0 { - m.Ports = make([]int32, 0, elementCount) - } - for iNdEx < postIndex { - var v int32 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - v |= int32(b&0x7F) << shift - if b < 0x80 { - break - } - } - m.Ports = append(m.Ports, v) - } - } else { - return fmt.Errorf("proto: wrong wireType = %d for field Ports", wireType) - } - case 10: - if wireType == 0 { - var v int32 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - v |= int32(b&0x7F) << shift - if b < 0x80 { - break - } - } - m.NotPorts = append(m.NotPorts, v) - } else if wireType == 2 { - var packedLen int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - packedLen |= int(b&0x7F) << shift - if b < 0x80 { - break - } - } - if packedLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + packedLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - var elementCount int - var count int - for _, integer := range dAtA[iNdEx:postIndex] { - if integer < 128 { - count++ - } - } - elementCount = count - if elementCount != 0 && len(m.NotPorts) == 0 { - m.NotPorts = make([]int32, 0, elementCount) - } - for iNdEx < postIndex { - var v int32 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - v |= int32(b&0x7F) << shift - if b < 0x80 { - 
break - } - } - m.NotPorts = append(m.NotPorts, v) - } - } else { - return fmt.Errorf("proto: wrong wireType = %d for field NotPorts", wireType) - } - default: - iNdEx = preIndex - skippy, err := skipRbac(dAtA[iNdEx:]) - if err != nil { - return err - } - if skippy < 0 { - return ErrInvalidLengthRbac - } - if (iNdEx + skippy) < 0 { - return ErrInvalidLengthRbac - } - if (iNdEx + skippy) > l { - return io.ErrUnexpectedEOF - } - m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) - iNdEx += skippy - } - } - - if iNdEx > l { - return io.ErrUnexpectedEOF - } - return nil -} -func (m *AccessRule_Constraint) Unmarshal(dAtA []byte) error { - l := len(dAtA) - iNdEx := 0 - for iNdEx < l { - preIndex := iNdEx - var wire uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - wire |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - fieldNum := int32(wire >> 3) - wireType := int(wire & 0x7) - if wireType == 4 { - return fmt.Errorf("proto: Constraint: wiretype end group for non-group") - } - if fieldNum <= 0 { - return fmt.Errorf("proto: Constraint: illegal tag %d (wire type %d)", fieldNum, wire) - } - switch fieldNum { - case 1: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Key", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Key = string(dAtA[iNdEx:postIndex]) - iNdEx = postIndex - case 2: - if wireType != 2 { - return 
fmt.Errorf("proto: wrong wireType = %d for field Values", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Values = append(m.Values, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - default: - iNdEx = preIndex - skippy, err := skipRbac(dAtA[iNdEx:]) - if err != nil { - return err - } - if skippy < 0 { - return ErrInvalidLengthRbac - } - if (iNdEx + skippy) < 0 { - return ErrInvalidLengthRbac - } - if (iNdEx + skippy) > l { - return io.ErrUnexpectedEOF - } - m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) 
- iNdEx += skippy - } - } - - if iNdEx > l { - return io.ErrUnexpectedEOF - } - return nil -} -func (m *ServiceRoleBinding) Unmarshal(dAtA []byte) error { - l := len(dAtA) - iNdEx := 0 - for iNdEx < l { - preIndex := iNdEx - var wire uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - wire |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - fieldNum := int32(wire >> 3) - wireType := int(wire & 0x7) - if wireType == 4 { - return fmt.Errorf("proto: ServiceRoleBinding: wiretype end group for non-group") - } - if fieldNum <= 0 { - return fmt.Errorf("proto: ServiceRoleBinding: illegal tag %d (wire type %d)", fieldNum, wire) - } - switch fieldNum { - case 1: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Subjects", wireType) - } - var msglen int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - msglen |= int(b&0x7F) << shift - if b < 0x80 { - break - } - } - if msglen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + msglen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Subjects = append(m.Subjects, &Subject{}) - if err := m.Subjects[len(m.Subjects)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { - return err - } - iNdEx = postIndex - case 2: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field RoleRef", wireType) - } - var msglen int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - msglen |= int(b&0x7F) << shift - if b < 0x80 { - break - } - } - if msglen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + msglen - if postIndex < 0 { - return 
ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - if m.RoleRef == nil { - m.RoleRef = &RoleRef{} - } - if err := m.RoleRef.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { - return err - } - iNdEx = postIndex - case 3: - if wireType != 0 { - return fmt.Errorf("proto: wrong wireType = %d for field Mode", wireType) - } - m.Mode = 0 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - m.Mode |= EnforcementMode(b&0x7F) << shift - if b < 0x80 { - break - } - } - case 4: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Actions", wireType) - } - var msglen int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - msglen |= int(b&0x7F) << shift - if b < 0x80 { - break - } - } - if msglen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + msglen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Actions = append(m.Actions, &AccessRule{}) - if err := m.Actions[len(m.Actions)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil { - return err - } - iNdEx = postIndex - case 5: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Role", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Role = string(dAtA[iNdEx:postIndex]) - iNdEx = 
postIndex - default: - iNdEx = preIndex - skippy, err := skipRbac(dAtA[iNdEx:]) - if err != nil { - return err - } - if skippy < 0 { - return ErrInvalidLengthRbac - } - if (iNdEx + skippy) < 0 { - return ErrInvalidLengthRbac - } - if (iNdEx + skippy) > l { - return io.ErrUnexpectedEOF - } - m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) - iNdEx += skippy - } - } - - if iNdEx > l { - return io.ErrUnexpectedEOF - } - return nil -} -func (m *Subject) Unmarshal(dAtA []byte) error { - l := len(dAtA) - iNdEx := 0 - for iNdEx < l { - preIndex := iNdEx - var wire uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - wire |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - fieldNum := int32(wire >> 3) - wireType := int(wire & 0x7) - if wireType == 4 { - return fmt.Errorf("proto: Subject: wiretype end group for non-group") - } - if fieldNum <= 0 { - return fmt.Errorf("proto: Subject: illegal tag %d (wire type %d)", fieldNum, wire) - } - switch fieldNum { - case 1: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field User", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.User = string(dAtA[iNdEx:postIndex]) - iNdEx = postIndex - case 2: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Group", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return 
ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Group = string(dAtA[iNdEx:postIndex]) - iNdEx = postIndex - case 3: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Properties", wireType) - } - var msglen int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - msglen |= int(b&0x7F) << shift - if b < 0x80 { - break - } - } - if msglen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + msglen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - if m.Properties == nil { - m.Properties = make(map[string]string) - } - var mapkey string - var mapvalue string - for iNdEx < postIndex { - entryPreIndex := iNdEx - var wire uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - wire |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - fieldNum := int32(wire >> 3) - if fieldNum == 1 { - var stringLenmapkey uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLenmapkey |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLenmapkey := int(stringLenmapkey) - if intStringLenmapkey < 0 { - return ErrInvalidLengthRbac - } - postStringIndexmapkey := iNdEx + intStringLenmapkey - if postStringIndexmapkey < 0 { - return 
ErrInvalidLengthRbac - } - if postStringIndexmapkey > l { - return io.ErrUnexpectedEOF - } - mapkey = string(dAtA[iNdEx:postStringIndexmapkey]) - iNdEx = postStringIndexmapkey - } else if fieldNum == 2 { - var stringLenmapvalue uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLenmapvalue |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLenmapvalue := int(stringLenmapvalue) - if intStringLenmapvalue < 0 { - return ErrInvalidLengthRbac - } - postStringIndexmapvalue := iNdEx + intStringLenmapvalue - if postStringIndexmapvalue < 0 { - return ErrInvalidLengthRbac - } - if postStringIndexmapvalue > l { - return io.ErrUnexpectedEOF - } - mapvalue = string(dAtA[iNdEx:postStringIndexmapvalue]) - iNdEx = postStringIndexmapvalue - } else { - iNdEx = entryPreIndex - skippy, err := skipRbac(dAtA[iNdEx:]) - if err != nil { - return err - } - if skippy < 0 { - return ErrInvalidLengthRbac - } - if (iNdEx + skippy) > postIndex { - return io.ErrUnexpectedEOF - } - iNdEx += skippy - } - } - m.Properties[mapkey] = mapvalue - iNdEx = postIndex - case 4: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Names", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Names = append(m.Names, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - case 5: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field NotNames", wireType) - } 
- var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.NotNames = append(m.NotNames, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - case 6: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Groups", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Groups = append(m.Groups, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - case 7: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field NotGroups", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.NotGroups = append(m.NotGroups, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - case 8: - if 
wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Namespaces", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Namespaces = append(m.Namespaces, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - case 9: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field NotNamespaces", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.NotNamespaces = append(m.NotNamespaces, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - case 10: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Ips", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return 
io.ErrUnexpectedEOF - } - m.Ips = append(m.Ips, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - case 11: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field NotIps", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.NotIps = append(m.NotIps, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - default: - iNdEx = preIndex - skippy, err := skipRbac(dAtA[iNdEx:]) - if err != nil { - return err - } - if skippy < 0 { - return ErrInvalidLengthRbac - } - if (iNdEx + skippy) < 0 { - return ErrInvalidLengthRbac - } - if (iNdEx + skippy) > l { - return io.ErrUnexpectedEOF - } - m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) 
- iNdEx += skippy - } - } - - if iNdEx > l { - return io.ErrUnexpectedEOF - } - return nil -} -func (m *RoleRef) Unmarshal(dAtA []byte) error { - l := len(dAtA) - iNdEx := 0 - for iNdEx < l { - preIndex := iNdEx - var wire uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - wire |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - fieldNum := int32(wire >> 3) - wireType := int(wire & 0x7) - if wireType == 4 { - return fmt.Errorf("proto: RoleRef: wiretype end group for non-group") - } - if fieldNum <= 0 { - return fmt.Errorf("proto: RoleRef: illegal tag %d (wire type %d)", fieldNum, wire) - } - switch fieldNum { - case 1: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Kind", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Kind = string(dAtA[iNdEx:postIndex]) - iNdEx = postIndex - case 2: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Name", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l 
{ - return io.ErrUnexpectedEOF - } - m.Name = string(dAtA[iNdEx:postIndex]) - iNdEx = postIndex - default: - iNdEx = preIndex - skippy, err := skipRbac(dAtA[iNdEx:]) - if err != nil { - return err - } - if skippy < 0 { - return ErrInvalidLengthRbac - } - if (iNdEx + skippy) < 0 { - return ErrInvalidLengthRbac - } - if (iNdEx + skippy) > l { - return io.ErrUnexpectedEOF - } - m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) - iNdEx += skippy - } - } - - if iNdEx > l { - return io.ErrUnexpectedEOF - } - return nil -} -func (m *RbacConfig) Unmarshal(dAtA []byte) error { - l := len(dAtA) - iNdEx := 0 - for iNdEx < l { - preIndex := iNdEx - var wire uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - wire |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - fieldNum := int32(wire >> 3) - wireType := int(wire & 0x7) - if wireType == 4 { - return fmt.Errorf("proto: RbacConfig: wiretype end group for non-group") - } - if fieldNum <= 0 { - return fmt.Errorf("proto: RbacConfig: illegal tag %d (wire type %d)", fieldNum, wire) - } - switch fieldNum { - case 1: - if wireType != 0 { - return fmt.Errorf("proto: wrong wireType = %d for field Mode", wireType) - } - m.Mode = 0 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - m.Mode |= RbacConfig_Mode(b&0x7F) << shift - if b < 0x80 { - break - } - } - case 2: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Inclusion", wireType) - } - var msglen int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - msglen |= int(b&0x7F) << shift - if b < 0x80 { - break - } - } - if msglen < 0 { - return 
ErrInvalidLengthRbac - } - postIndex := iNdEx + msglen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - if m.Inclusion == nil { - m.Inclusion = &RbacConfig_Target{} - } - if err := m.Inclusion.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { - return err - } - iNdEx = postIndex - case 3: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Exclusion", wireType) - } - var msglen int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - msglen |= int(b&0x7F) << shift - if b < 0x80 { - break - } - } - if msglen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + msglen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - if m.Exclusion == nil { - m.Exclusion = &RbacConfig_Target{} - } - if err := m.Exclusion.Unmarshal(dAtA[iNdEx:postIndex]); err != nil { - return err - } - iNdEx = postIndex - case 4: - if wireType != 0 { - return fmt.Errorf("proto: wrong wireType = %d for field EnforcementMode", wireType) - } - m.EnforcementMode = 0 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - m.EnforcementMode |= EnforcementMode(b&0x7F) << shift - if b < 0x80 { - break - } - } - default: - iNdEx = preIndex - skippy, err := skipRbac(dAtA[iNdEx:]) - if err != nil { - return err - } - if skippy < 0 { - return ErrInvalidLengthRbac - } - if (iNdEx + skippy) < 0 { - return ErrInvalidLengthRbac - } - if (iNdEx + skippy) > l { - return io.ErrUnexpectedEOF - } - m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) 
- iNdEx += skippy - } - } - - if iNdEx > l { - return io.ErrUnexpectedEOF - } - return nil -} -func (m *RbacConfig_Target) Unmarshal(dAtA []byte) error { - l := len(dAtA) - iNdEx := 0 - for iNdEx < l { - preIndex := iNdEx - var wire uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - wire |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - fieldNum := int32(wire >> 3) - wireType := int(wire & 0x7) - if wireType == 4 { - return fmt.Errorf("proto: Target: wiretype end group for non-group") - } - if fieldNum <= 0 { - return fmt.Errorf("proto: Target: illegal tag %d (wire type %d)", fieldNum, wire) - } - switch fieldNum { - case 1: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Services", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Services = append(m.Services, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - case 2: - if wireType != 2 { - return fmt.Errorf("proto: wrong wireType = %d for field Namespaces", wireType) - } - var stringLen uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return ErrIntOverflowRbac - } - if iNdEx >= l { - return io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - stringLen |= uint64(b&0x7F) << shift - if b < 0x80 { - break - } - } - intStringLen := int(stringLen) - if intStringLen < 0 { - return ErrInvalidLengthRbac - } - postIndex := iNdEx + intStringLen - if postIndex < 0 { - return 
ErrInvalidLengthRbac - } - if postIndex > l { - return io.ErrUnexpectedEOF - } - m.Namespaces = append(m.Namespaces, string(dAtA[iNdEx:postIndex])) - iNdEx = postIndex - default: - iNdEx = preIndex - skippy, err := skipRbac(dAtA[iNdEx:]) - if err != nil { - return err - } - if skippy < 0 { - return ErrInvalidLengthRbac - } - if (iNdEx + skippy) < 0 { - return ErrInvalidLengthRbac - } - if (iNdEx + skippy) > l { - return io.ErrUnexpectedEOF - } - m.XXX_unrecognized = append(m.XXX_unrecognized, dAtA[iNdEx:iNdEx+skippy]...) - iNdEx += skippy - } - } - - if iNdEx > l { - return io.ErrUnexpectedEOF - } - return nil -} -func skipRbac(dAtA []byte) (n int, err error) { - l := len(dAtA) - iNdEx := 0 - for iNdEx < l { - var wire uint64 - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return 0, ErrIntOverflowRbac - } - if iNdEx >= l { - return 0, io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - wire |= (uint64(b) & 0x7F) << shift - if b < 0x80 { - break - } - } - wireType := int(wire & 0x7) - switch wireType { - case 0: - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return 0, ErrIntOverflowRbac - } - if iNdEx >= l { - return 0, io.ErrUnexpectedEOF - } - iNdEx++ - if dAtA[iNdEx-1] < 0x80 { - break - } - } - return iNdEx, nil - case 1: - iNdEx += 8 - return iNdEx, nil - case 2: - var length int - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return 0, ErrIntOverflowRbac - } - if iNdEx >= l { - return 0, io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - length |= (int(b) & 0x7F) << shift - if b < 0x80 { - break - } - } - if length < 0 { - return 0, ErrInvalidLengthRbac - } - iNdEx += length - if iNdEx < 0 { - return 0, ErrInvalidLengthRbac - } - return iNdEx, nil - case 3: - for { - var innerWire uint64 - var start int = iNdEx - for shift := uint(0); ; shift += 7 { - if shift >= 64 { - return 0, ErrIntOverflowRbac - } - if iNdEx >= l { - return 0, io.ErrUnexpectedEOF - } - b := dAtA[iNdEx] - iNdEx++ - innerWire |= (uint64(b) & 0x7F) 
<< shift - if b < 0x80 { - break - } - } - innerWireType := int(innerWire & 0x7) - if innerWireType == 4 { - break - } - next, err := skipRbac(dAtA[start:]) - if err != nil { - return 0, err - } - iNdEx = start + next - if iNdEx < 0 { - return 0, ErrInvalidLengthRbac - } - } - return iNdEx, nil - case 4: - return iNdEx, nil - case 5: - iNdEx += 4 - return iNdEx, nil - default: - return 0, fmt.Errorf("proto: illegal wireType %d", wireType) - } - } - panic("unreachable") -} - -var ( - ErrInvalidLengthRbac = fmt.Errorf("proto: negative length found during unmarshaling") - ErrIntOverflowRbac = fmt.Errorf("proto: integer overflow") -) diff --git a/rbac/v1alpha1/rbac.proto b/rbac/v1alpha1/rbac.proto deleted file mode 100644 index 58c46d2f..00000000 --- a/rbac/v1alpha1/rbac.proto +++ /dev/null 
@@ -1,458 +0,0 @@ -// Copyright 2019 Istio Authors -// -// Licensed under the Apache License, Version 2.0 (the "License"); -// you may not use this file except in compliance with the License. -// You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -// distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. - -syntax = "proto3"; - -import "google/api/field_behavior.proto"; - -// $schema: istio.rbac.v1alpha1.RbacConfig -// $schema: istio.rbac.v1alpha1.ServiceRole -// $schema: istio.rbac.v1alpha1.ServiceRoleBinding - -// Note: The v1alpha1 RBAC policy is deprecated by the v1beta1 Authorization policy. -// This page is kept for migration purpose and will be removed in Istio 1.6. -// -// Istio RBAC (Role Based Access Control) defines ServiceRole and ServiceRoleBinding -// objects. -// -// A ServiceRole specification includes a list of rules (permissions). Each rule has -// the following standard fields: -// -// * services: a list of services. -// * methods: A list of HTTP methods. You can set the value to `["*"]` to include all HTTP methods. -// This field should not be set for TCP services. The policy will be ignored. -// For gRPC services, only `POST` is allowed; other methods will result in denying services. -// * paths: HTTP paths or gRPC methods. Note that gRPC methods should be -// presented in the form of "/packageName.serviceName/methodName" and are case sensitive. -// -// In addition to the standard fields, operators can also use custom keys in the `constraints` field, -// the supported keys are listed in the "constraints and properties" page. 
-// -// Below is an example of ServiceRole object "product-viewer", which has "read" ("GET" and "HEAD") -// access to "products.svc.cluster.local" service at versions "v1" and "v2". "path" is not specified, -// so it applies to any path in the service. -// -// ```yaml -// apiVersion: "rbac.istio.io/v1alpha1" -// kind: ServiceRole -// metadata: -// name: products-viewer -// namespace: default -// spec: -// rules: -// - services: ["products.svc.cluster.local"] -// methods: ["GET", "HEAD"] -// constraints: -// - key: "destination.labels[version]" -// values: ["v1", "v2"] -// ``` -// -// A ServiceRoleBinding specification includes two parts: -// -// * The `roleRef` field that refers to a ServiceRole object in the same namespace. -// * A list of `subjects` that are assigned the roles. -// -// In addition to a simple `user` field, operators can also use custom keys in the `properties` field, -// the supported keys are listed in the "constraints and properties" page. -// -// Below is an example of ServiceRoleBinding object "test-binding-products", which binds two subjects -// to ServiceRole "product-viewer": -// -// * User "alice@yahoo.com" -// * Services in "abc" namespace. -// -// ```yaml -// apiVersion: "rbac.istio.io/v1alpha1" -// kind: ServiceRoleBinding -// metadata: -// name: test-binding-products -// namespace: default -// spec: -// subjects: -// - user: alice@yahoo.com -// - properties: -// source.namespace: "abc" -// roleRef: -// kind: ServiceRole -// name: "products-viewer" -// ``` -package istio.rbac.v1alpha1; - -option go_package="istio.io/api/rbac/v1alpha1"; - -// $hide_from_docs -// ServiceRole specification contains a list of access rules (permissions). -// -// -// -// -message ServiceRole { - // The set of access rules (permissions) that the role has. - repeated AccessRule rules = 1 [(google.api.field_behavior) = REQUIRED]; -} - -// $hide_from_docs -// AccessRule defines a permission to access a list of services. 
-message AccessRule { - // A list of service names. - // Exact match, prefix match, and suffix match are supported for service names. - // For example, the service name "bookstore.mtv.cluster.local" matches - // "bookstore.mtv.cluster.local" (exact match), or "bookstore\*" (prefix match), - // or "\*.mtv.cluster.local" (suffix match). - // If set to ["\*"], it refers to all services in the namespace. - repeated string services = 1 [(google.api.field_behavior) = REQUIRED]; - - // $hide_from_docs - // Optional. A list of HTTP hosts. This is matched against the HOST header in - // a HTTP request. Exact match, prefix match and suffix match are supported. - // For example, the host "test.abc.com" matches "test.abc.com" (exact match), - // or "\*.abc.com" (prefix match), or "test.abc.\*" (suffix match). - // If not specified, it matches to any host. - // This field should not be set for TCP services. The policy will be ignored. - repeated string hosts = 5; - - // $hide_from_docs - // Optional. A list of HTTP hosts that must not be matched. - repeated string not_hosts = 6; - - // Optional. A list of HTTP paths or gRPC methods. - // gRPC methods must be presented as fully-qualified name in the form of - // "/packageName.serviceName/methodName" and are case sensitive. - // Exact match, prefix match, and suffix match are supported. For example, - // the path "/books/review" matches "/books/review" (exact match), - // or "/books/\*" (prefix match), or "\*/review" (suffix match). - // If not specified, it matches to any path. - // This field should not be set for TCP services. The policy will be ignored. - repeated string paths = 2; - - // $hide_from_docs - // Optional. A list of HTTP paths or gRPC methods that must not be matched. - repeated string not_paths = 7; - - // Optional. A list of HTTP methods (e.g., "GET", "POST"). - // If not specified or specified as "\*", it matches to any methods. - // This field should not be set for TCP services. The policy will be ignored. 
- // For gRPC services, only `POST` is allowed; other methods will result in denying services. - repeated string methods = 3; - - // $hide_from_docs - // Optional. A list of HTTP methods that must not be matched. - // Note: It's an error to set methods and not_methods at the same time. - repeated string not_methods = 8; - - // $hide_from_docs - // Optional. A list of port numbers of the request. If not specified, it matches - // to any port number. - // Note: It's an error to set ports and not_ports at the same time. - repeated int32 ports = 9; - - // $hide_from_docs - // Optional. A list of port numbers that must not be matched. - // Note: It's an error to set ports and not_ports at the same time. - repeated int32 not_ports = 10; - - // $hide_from_docs - // Definition of a custom constraint. The supported keys are listed in the "constraint and properties" page. - message Constraint { - // Key of the constraint. - string key = 1; - - // List of valid values for the constraint. - // Exact match, prefix match, and suffix match are supported. - // For example, the value "v1alpha2" matches "v1alpha2" (exact match), - // or "v1\*" (prefix match), or "\*alpha2" (suffix match). - repeated string values = 2; - } - - // Optional. Extra constraints in the ServiceRole specification. - repeated Constraint constraints = 4; - - // $hide_from_docs - // Next available field number: 11 -} - -// $hide_from_docs -// RBAC ServiceRoleBinding enforcement mode, used to verify new ServiceRoleBinding -// configs work as expected before rolling to production. RBAC engine only logs results -// from configs that are in permissive mode, and discards result before returning -// to the user. -enum EnforcementMode { - // Policy in ENFORCED mode has impact on user experience. - // Policy is in ENFORCED mode by default. - ENFORCED = 0; - - // Policy in PERMISSIVE mode isn't enforced and has no impact on users. - // RBAC engine run policies in PERMISSIVE mode and logs stats. 
- PERMISSIVE = 1; -} - -// $hide_from_docs -// ServiceRoleBinding assigns a ServiceRole to a list of subjects. -// -// -// -// -message ServiceRoleBinding { - // List of subjects that are assigned the ServiceRole object. - repeated Subject subjects = 1 [(google.api.field_behavior) = REQUIRED]; - - // Reference to the ServiceRole object. - RoleRef roleRef = 2 [(google.api.field_behavior) = REQUIRED]; - - // $hide_from_docs - // Indicates enforcement mode of the ServiceRoleBinding. - EnforcementMode mode = 3; - - // $hide_from_docs - // Inline role definition. An inline role is a role that is defined inside an - // authorization policy, instead of explicitly defined in a ServiceRole object. - // Inline roles can be used for the role definitions that are not intended to - // be reused in other bindings, while explicit roles are reusable. Both inline - // roles (defined in "actions" field) and explicit roles (defined in ServiceRole) - // are supported. Users should use only one of them in a single binding. - // For example, the following "product-frontend" AuthorizationPolicy allows "frontend" - // service to view "product" service on "/info" path. - // ```yaml - // apiVersion: "rbac.istio.io/v1alpha1" - // kind: AuthorizationPolicy - // metadata: - // name: product-frontend - // namespace: ns1 - // spec: - // selector: - // labels: - // app: product - // allow: - // - subjects: - // - names: ["cluster.local/ns/default/sa/frontend"] - // actions: - // - paths: ["/info"] - // methods: ["GET"] - // The set of access rules (permissions) that the role has. - repeated AccessRule actions = 4 [(google.api.field_behavior) = REQUIRED]; - - // $hide_from_docs - // A `role` inside a ServiceRoleBinding refers to the ServiceRole that this - // ServiceRoleBinding binds to. A ServiceRoleBinding can bind to a ServiceRole - // in the same namespace or the root namespace. A ServiceRole in the root namespace - // represents a mesh global ServiceRole. 
- // The value of `role` is the name of the ServiceRole, and it can start with or without a forward slash ("/"). - // When a `role` starts with "/", e.g. "/service-viewer", it means that this ServiceRoleBinding - // refers to the ServiceRole in the configurable Istio root namespace. - // When a `role` starts without "/", this ServiceRoleBinding refers to the ServiceRole in the - // same namespace as the AuthorizationPolicy's, which contains said ServiceRoleBinding. - string role = 5; -} - -// $hide_from_docs -// Subject defines an identity. The identity is either a user or identified by a set of `properties`. -// The supported keys in `properties` are listed in "constraint and properties" page. -message Subject { - // Optional. The user name/ID that the subject represents. - string user = 1; - - // $hide_from_docs - // Optional. A list of subject names. This is matched to the - // `source.principal` attribute. If one of subject names is "\*", it matches to a subject with any name. - // Prefix and suffix matches are supported. - repeated string names = 4; - - // $hide_from_docs - // Optional. A list of subject names that must not be matched. - repeated string not_names = 5; - - // $hide_from_docs - // Optional. The group that the subject belongs to. - // Deprecated. Use groups and not_groups instead. - string group = 2 [deprecated = true]; - - // $hide_from_docs - // Optional. A list of groups that the subject represents. This is matched to the - // `request.auth.claims[groups]` attribute. If not specified, it applies to any groups. - repeated string groups = 6; - - // $hide_from_docs - // Optional. A list of groups that must not be matched. - repeated string not_groups = 7; - - // $hide_from_docs - // Optional. A list of namespaces that the subject represents. This is matched to - // the `source.namespace` attribute. If not specified, it applies to any namespaces. - repeated string namespaces = 8; - - // $hide_from_docs - // Optional. 
A list of namespaces that must not be matched. - repeated string not_namespaces = 9; - - // $hide_from_docs - // Optional. A list of IP address or CIDR ranges that the subject represents. - // E.g. 192.168.100.2 or 10.1.0.0/16. If not specified, it applies to any IP addresses. - repeated string ips = 10; - - // $hide_from_docs - // Optional. A list of IP addresses or CIDR ranges that must not be matched. - repeated string not_ips = 11; - - // Optional. The set of properties that identify the subject. - map properties = 3; - - // $hide_from_docs - // Next available field number: 12 -} - -// $hide_from_docs -// RoleRef refers to a role object. -message RoleRef { - // The type of the role being referenced. - // Currently, "ServiceRole" is the only supported value for "kind". - string kind = 1 [(google.api.field_behavior) = REQUIRED]; - - // The name of the ServiceRole object being referenced. - // The ServiceRole object must be in the same namespace as the ServiceRoleBinding object. - string name = 2 [(google.api.field_behavior) = REQUIRED]; -} - -// $hide_from_docs -// RbacConfig implements the ClusterRbacConfig Custom Resource Definition for controlling Istio RBAC behavior. -// The ClusterRbacConfig Custom Resource is a singleton where only one ClusterRbacConfig should be created -// globally in the mesh and the namespace should be the same to other Istio components, which usually is `istio-system`. -// -// Below is an example of an `ClusterRbacConfig` resource called `istio-rbac-config` which enables Istio RBAC for all -// services in the default namespace. -// -// ```yaml -// apiVersion: "rbac.istio.io/v1alpha1" -// kind: ClusterRbacConfig -// metadata: -// name: default -// namespace: istio-system -// spec: -// mode: ON_WITH_INCLUSION -// inclusion: -// namespaces: [ "default" ] -// ``` -// -// -// -// -// -// -message RbacConfig { - // $hide_from_docs - enum Mode { - // Disable Istio RBAC completely, Istio RBAC policies will not be enforced. 
- OFF = 0; - // Enable Istio RBAC for all services and namespaces. Note Istio RBAC is deny-by-default - // which means all requests will be denied if it's not allowed by RBAC rules. - ON = 1; - // Enable Istio RBAC only for services and namespaces specified in the inclusion field. Any other - // services and namespaces not in the inclusion field will not be enforced by Istio RBAC policies. - ON_WITH_INCLUSION = 2; - // Enable Istio RBAC for all services and namespaces except those specified in the exclusion field. Any other - // services and namespaces not in the exclusion field will be enforced by Istio RBAC policies. - ON_WITH_EXCLUSION = 3; - } - - // Istio RBAC mode. - Mode mode = 1; - - // $hide_from_docs - // Target defines a list of services or namespaces. - message Target { - // A list of services. - repeated string services = 1; - - // A list of namespaces. - repeated string namespaces = 2; - } - - // A list of services or namespaces that should be enforced by Istio RBAC policies. Note: This field have - // effect only when mode is ON_WITH_INCLUSION and will be ignored for any other modes. - Target inclusion = 2; - - // A list of services or namespaces that should not be enforced by Istio RBAC policies. Note: This field have - // effect only when mode is ON_WITH_EXCLUSION and will be ignored for any other modes. - Target exclusion = 3; - - // $hide_from_docs - // Indicates enforcement mode of the RbacConfig, in ENFORCED mode by default. - // It's used to verify new RbacConfig work as expected before rolling to production. - // When setting as PERMISSIVE, RBAC isn't enforced and has no impact on users. - // RBAC engine run RbacConfig in PERMISSIVE mode and logs stats. - // Invalid to set RbacConfig in PERMISSIVE and ServiceRoleBinding in ENFORCED mode. - EnforcementMode enforcement_mode = 4; -} diff --git a/rbac/v1alpha1/rbac_deepcopy.gen.go b/rbac/v1alpha1/rbac_deepcopy.gen.go deleted file mode 100644 index f4d27834..00000000 
--- a/rbac/v1alpha1/rbac_deepcopy.gen.go +++ /dev/null 
@@ -1,102 +0,0 @@ -// Code generated by protoc-gen-gogo. DO NOT EDIT. -// source: rbac/v1alpha1/rbac.proto - -// Note: The v1alpha1 RBAC policy is deprecated by the v1beta1 Authorization policy. -// This page is kept for migration purpose and will be removed in Istio 1.6. -// -// Istio RBAC (Role Based Access Control) defines ServiceRole and ServiceRoleBinding -// objects. -// -// A ServiceRole specification includes a list of rules (permissions). Each rule has -// the following standard fields: -// -// * services: a list of services. -// * methods: A list of HTTP methods. You can set the value to `["*"]` to include all HTTP methods. -// This field should not be set for TCP services. The policy will be ignored. -// For gRPC services, only `POST` is allowed; other methods will result in denying services. -// * paths: HTTP paths or gRPC methods. Note that gRPC methods should be -// presented in the form of "/packageName.serviceName/methodName" and are case sensitive. -// -// In addition to the standard fields, operators can also use custom keys in the `constraints` field, -// the supported keys are listed in the "constraints and properties" page. -// -// Below is an example of ServiceRole object "product-viewer", which has "read" ("GET" and "HEAD") -// access to "products.svc.cluster.local" service at versions "v1" and "v2". "path" is not specified, -// so it applies to any path in the service. -// -// ```yaml -// apiVersion: "rbac.istio.io/v1alpha1" -// kind: ServiceRole -// metadata: -// name: products-viewer -// namespace: default -// spec: -// rules: -// - services: ["products.svc.cluster.local"] -// methods: ["GET", "HEAD"] -// constraints: -// - key: "destination.labels[version]" -// values: ["v1", "v2"] -// ``` -// -// A ServiceRoleBinding specification includes two parts: -// -// * The `roleRef` field that refers to a ServiceRole object in the same namespace. -// * A list of `subjects` that are assigned the roles. 
-// -// In addition to a simple `user` field, operators can also use custom keys in the `properties` field, -// the supported keys are listed in the "constraints and properties" page. -// -// Below is an example of ServiceRoleBinding object "test-binding-products", which binds two subjects -// to ServiceRole "product-viewer": -// -// * User "alice@yahoo.com" -// * Services in "abc" namespace. -// -// ```yaml -// apiVersion: "rbac.istio.io/v1alpha1" -// kind: ServiceRoleBinding -// metadata: -// name: test-binding-products -// namespace: default -// spec: -// subjects: -// - user: alice@yahoo.com -// - properties: -// source.namespace: "abc" -// roleRef: -// kind: ServiceRole -// name: "products-viewer" -// ``` - -package v1alpha1 - -import ( - fmt "fmt" - proto "github.com/gogo/protobuf/proto" - _ "istio.io/gogo-genproto/googleapis/google/api" - math "math" -) - -// Reference imports to suppress errors if they are not otherwise used. -var _ = proto.Marshal -var _ = fmt.Errorf -var _ = math.Inf - -// DeepCopyInto supports using ServiceRole within kubernetes types, where deepcopy-gen is used. -func (in *ServiceRole) DeepCopyInto(out *ServiceRole) { - p := proto.Clone(in).(*ServiceRole) - *out = *p -} - -// DeepCopyInto supports using ServiceRoleBinding within kubernetes types, where deepcopy-gen is used. -func (in *ServiceRoleBinding) DeepCopyInto(out *ServiceRoleBinding) { - p := proto.Clone(in).(*ServiceRoleBinding) - *out = *p -} - -// DeepCopyInto supports using RbacConfig within kubernetes types, where deepcopy-gen is used. -func (in *RbacConfig) DeepCopyInto(out *RbacConfig) { - p := proto.Clone(in).(*RbacConfig) - *out = *p -} diff --git a/rbac/v1alpha1/rbac_json.gen.go b/rbac/v1alpha1/rbac_json.gen.go deleted file mode 100644 index 769b9fab..00000000 --- a/rbac/v1alpha1/rbac_json.gen.go +++ /dev/null 
@@ -1,179 +0,0 @@ -// Code generated by protoc-gen-gogo. DO NOT EDIT. -// source: rbac/v1alpha1/rbac.proto - -// Note: The v1alpha1 RBAC policy is deprecated by the v1beta1 Authorization policy. -// This page is kept for migration purpose and will be removed in Istio 1.6. -// -// Istio RBAC (Role Based Access Control) defines ServiceRole and ServiceRoleBinding -// objects. -// -// A ServiceRole specification includes a list of rules (permissions). Each rule has -// the following standard fields: -// -// * services: a list of services. -// * methods: A list of HTTP methods. You can set the value to `["*"]` to include all HTTP methods. -// This field should not be set for TCP services. The policy will be ignored. -// For gRPC services, only `POST` is allowed; other methods will result in denying services. -// * paths: HTTP paths or gRPC methods. Note that gRPC methods should be -// presented in the form of "/packageName.serviceName/methodName" and are case sensitive. -// -// In addition to the standard fields, operators can also use custom keys in the `constraints` field, -// the supported keys are listed in the "constraints and properties" page. -// -// Below is an example of ServiceRole object "product-viewer", which has "read" ("GET" and "HEAD") -// access to "products.svc.cluster.local" service at versions "v1" and "v2". "path" is not specified, -// so it applies to any path in the service. -// -// ```yaml -// apiVersion: "rbac.istio.io/v1alpha1" -// kind: ServiceRole -// metadata: -// name: products-viewer -// namespace: default -// spec: -// rules: -// - services: ["products.svc.cluster.local"] -// methods: ["GET", "HEAD"] -// constraints: -// - key: "destination.labels[version]" -// values: ["v1", "v2"] -// ``` -// -// A ServiceRoleBinding specification includes two parts: -// -// * The `roleRef` field that refers to a ServiceRole object in the same namespace. -// * A list of `subjects` that are assigned the roles. 
-// -// In addition to a simple `user` field, operators can also use custom keys in the `properties` field, -// the supported keys are listed in the "constraints and properties" page. -// -// Below is an example of ServiceRoleBinding object "test-binding-products", which binds two subjects -// to ServiceRole "product-viewer": -// -// * User "alice@yahoo.com" -// * Services in "abc" namespace. -// -// ```yaml -// apiVersion: "rbac.istio.io/v1alpha1" -// kind: ServiceRoleBinding -// metadata: -// name: test-binding-products -// namespace: default -// spec: -// subjects: -// - user: alice@yahoo.com -// - properties: -// source.namespace: "abc" -// roleRef: -// kind: ServiceRole -// name: "products-viewer" -// ``` - -package v1alpha1 - -import ( - bytes "bytes" - fmt "fmt" - github_com_gogo_protobuf_jsonpb "github.com/gogo/protobuf/jsonpb" - proto "github.com/gogo/protobuf/proto" - _ "istio.io/gogo-genproto/googleapis/google/api" - math "math" -) - -// Reference imports to suppress errors if they are not otherwise used. 
-var _ = proto.Marshal -var _ = fmt.Errorf -var _ = math.Inf - -// MarshalJSON is a custom marshaler for ServiceRole -func (this *ServiceRole) MarshalJSON() ([]byte, error) { - str, err := RbacMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for ServiceRole -func (this *ServiceRole) UnmarshalJSON(b []byte) error { - return RbacUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for AccessRule -func (this *AccessRule) MarshalJSON() ([]byte, error) { - str, err := RbacMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for AccessRule -func (this *AccessRule) UnmarshalJSON(b []byte) error { - return RbacUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for AccessRule_Constraint -func (this *AccessRule_Constraint) MarshalJSON() ([]byte, error) { - str, err := RbacMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for AccessRule_Constraint -func (this *AccessRule_Constraint) UnmarshalJSON(b []byte) error { - return RbacUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for ServiceRoleBinding -func (this *ServiceRoleBinding) MarshalJSON() ([]byte, error) { - str, err := RbacMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for ServiceRoleBinding -func (this *ServiceRoleBinding) UnmarshalJSON(b []byte) error { - return RbacUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for Subject -func (this *Subject) MarshalJSON() ([]byte, error) { - str, err := RbacMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for Subject -func (this *Subject) UnmarshalJSON(b []byte) error { - return RbacUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// 
MarshalJSON is a custom marshaler for RoleRef -func (this *RoleRef) MarshalJSON() ([]byte, error) { - str, err := RbacMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for RoleRef -func (this *RoleRef) UnmarshalJSON(b []byte) error { - return RbacUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for RbacConfig -func (this *RbacConfig) MarshalJSON() ([]byte, error) { - str, err := RbacMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for RbacConfig -func (this *RbacConfig) UnmarshalJSON(b []byte) error { - return RbacUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -// MarshalJSON is a custom marshaler for RbacConfig_Target -func (this *RbacConfig_Target) MarshalJSON() ([]byte, error) { - str, err := RbacMarshaler.MarshalToString(this) - return []byte(str), err -} - -// UnmarshalJSON is a custom unmarshaler for RbacConfig_Target -func (this *RbacConfig_Target) UnmarshalJSON(b []byte) error { - return RbacUnmarshaler.Unmarshal(bytes.NewReader(b), this) -} - -var ( - RbacMarshaler = &github_com_gogo_protobuf_jsonpb.Marshaler{} - RbacUnmarshaler = &github_com_gogo_protobuf_jsonpb.Unmarshaler{} -) diff --git a/releaselocks/release-1.0/proto.lock.status b/releaselocks/release-1.0/proto.lock.status index 0d06e249..5405808b 100644 --- a/releaselocks/release-1.0/proto.lock.status +++ b/releaselocks/release-1.0/proto.lock.status 
@@ -1,3 +1,11 @@
+CONFLICT: "AccessRule" field: "constraints" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "AccessRule" field: "methods" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "AccessRule" field: "paths" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "AccessRule" field: "services" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "AccessRule" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "AccessRule" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "AccessRule" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "AccessRule" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
 CONFLICT: "AuthenticationPolicy" field: "INHERIT" has been removed, but is not reserved [mesh/v1alpha1/config.proto]
 CONFLICT: "AuthenticationPolicy" field: "MUTUAL_TLS" has been removed, but is not reserved [mesh/v1alpha1/config.proto]
 CONFLICT: "AuthenticationPolicy" field: "NONE" has been removed, but is not reserved [mesh/v1alpha1/config.proto]
@@ -25,6 +33,10 @@ CONFLICT: "DestinationWeight" field: "destination" has been removed, but is not
 CONFLICT: "DestinationWeight" field: "weight" has been removed, but is not reserved [networking/v1alpha3/virtual_service.proto]
 CONFLICT: "DestinationWeight" ID: "1" has been removed, but is not reserved [networking/v1alpha3/virtual_service.proto]
 CONFLICT: "DestinationWeight" ID: "2" has been removed, but is not reserved [networking/v1alpha3/virtual_service.proto]
+CONFLICT: "EnforcementMode" field: "ENFORCED" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "EnforcementMode" field: "PERMISSIVE" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "EnforcementMode" integer: "0" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "EnforcementMode" integer: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
 CONFLICT: "Envelope" field: "metadata" has been removed, but is not reserved [mcp/v1alpha1/envelope.proto]
 CONFLICT: "Envelope" field: "resource" has been removed, but is not reserved [mcp/v1alpha1/envelope.proto]
 CONFLICT: "Envelope" ID: "1" has been removed, but is not reserved [mcp/v1alpha1/envelope.proto]
@@ -123,6 +135,20 @@ CONFLICT: "ProxyConfig.InboundInterceptionMode" field: "TPROXY" has been removed
 CONFLICT: "ProxyConfig.InboundInterceptionMode" integer: "0" has been removed, but is not reserved [mesh/v1alpha1/config.proto]
 CONFLICT: "ProxyConfig.InboundInterceptionMode" integer: "1" has been removed, but is not reserved [mesh/v1alpha1/config.proto]
 CONFLICT: "Quota" field: "charge" has a different type: int32, previously int64 [mixer/v1/config/client/quota.proto]
+CONFLICT: "RbacConfig" field: "exclusion" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "RbacConfig" field: "inclusion" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "RbacConfig" field: "mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "RbacConfig" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "RbacConfig" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "RbacConfig" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "RbacConfig.Mode" field: "OFF" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "RbacConfig.Mode" field: "ON" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "RbacConfig.Mode" field: "ON_WITH_EXCLUSION" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "RbacConfig.Mode" field: "ON_WITH_INCLUSION" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "RbacConfig.Mode" integer: "0" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "RbacConfig.Mode" integer: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "RbacConfig.Mode" integer: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "RbacConfig.Mode" integer: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
 CONFLICT: "ReferencedAttributes" field: "attribute_matches" has been removed, but is not reserved [mixer/v1/check.proto]
 CONFLICT: "ReferencedAttributes" field: "words" has been removed, but is not reserved [mixer/v1/check.proto]
 CONFLICT: "ReferencedAttributes" ID: "1" has been removed, but is not reserved [mixer/v1/check.proto]
@@ -141,6 +167,10 @@ CONFLICT: "ReportRequest" field: "global_word_count" has been removed, but is no
 CONFLICT: "ReportRequest" ID: "1" has been removed, but is not reserved [mixer/v1/report.proto]
 CONFLICT: "ReportRequest" ID: "2" has been removed, but is not reserved [mixer/v1/report.proto]
 CONFLICT: "ReportRequest" ID: "3" has been removed, but is not reserved [mixer/v1/report.proto]
+CONFLICT: "RoleRef" field: "kind" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "RoleRef" field: "name" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "RoleRef" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
+CONFLICT: "RoleRef" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]
 CONFLICT: "RouteDirective" field: "direct_response_body" has been removed, but is not reserved [mixer/v1/check.proto]
 CONFLICT: "RouteDirective" field: "direct_response_code" has been removed, but is not reserved [mixer/v1/check.proto]
 CONFLICT: "RouteDirective" field: "request_header_operations" has been removed, but is not reserved [mixer/v1/check.proto]
@@ -151,6 +181,20 @@ CONFLICT: "RouteDirective" ID: "3" has been removed, but is not reserved [mixer/ CONFLICT: "RouteDirective" ID: "4" has been removed, but is not reserved [mixer/v1/check.proto] CONFLICT: "Server" field: "tls" has a different type: ServerTLSSettings, previously TLSOptions [networking/v1alpha3/gateway.proto] CONFLICT: "ServiceEntry" field: "endpoints" has a different type: WorkloadEntry, previously Endpoint [networking/v1alpha3/service_entry.proto] +CONFLICT: "ServiceRole" field: "rules" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRole" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "roleRef" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "subjects" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "group" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "properties" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "user" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "TCPRoute" field: "route" has a different type: RouteDestination, 
previously DestinationWeight [networking/v1alpha3/virtual_service.proto] CONFLICT: "TLSOptions.TLSmode" field: "MUTUAL" has been removed, but is not reserved [networking/v1alpha3/gateway.proto] CONFLICT: "TLSOptions.TLSmode" field: "PASSTHROUGH" has been removed, but is not reserved [networking/v1alpha3/gateway.proto] diff --git a/releaselocks/release-1.1/proto.lock.status b/releaselocks/release-1.1/proto.lock.status index 451f2d63..17103395 100644 --- a/releaselocks/release-1.1/proto.lock.status +++ b/releaselocks/release-1.1/proto.lock.status 
@@ -1,8 +1,32 @@ +CONFLICT: "AccessRule" field: "constraints" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "hosts" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "methods" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_hosts" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_methods" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_paths" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_ports" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "paths" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "ports" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "services" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "10" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "5" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "6" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "7" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "8" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "9" has 
been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "AuthorizationPolicy" field: "allow" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "AuthorizationPolicy" field: "workload_selector" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "AuthorizationPolicy" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "AuthorizationPolicy" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "ConfigSource" field: "tls_settings" has a different type: istio.networking.v1alpha3.ClientTLSSettings, previously istio.networking.v1alpha3.TLSSettings [mesh/v1alpha1/config.proto] +CONFLICT: "EnforcementMode" field: "ENFORCED" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "EnforcementMode" field: "PERMISSIVE" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "EnforcementMode" integer: "0" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "EnforcementMode" integer: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "Filter.FilterType" field: "HTTP" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] CONFLICT: "Filter.FilterType" field: "INVALID" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] CONFLICT: "Filter.FilterType" field: "NETWORK" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] 
@@ -44,8 +68,58 @@ CONFLICT: "MeshConfig.IngressControllerMode" field: "STRICT" has a different int CONFLICT: "MeshConfig.IngressControllerMode" field: "UNSPECIFIED" integer: 0 has an updated name, previously "OFF" [mesh/v1alpha1/config.proto] CONFLICT: "ProxyConfig" field: "concurrency" has a different type: google.protobuf.Int32Value, previously int32 [mesh/v1alpha1/proxy.proto] CONFLICT: "Quota" field: "charge" has a different type: int32, previously int64 [mixer/v1/config/client/quota.proto] +CONFLICT: "RbacConfig" field: "enforcement_mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" field: "exclusion" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" field: "inclusion" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" field: "mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "OFF" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "ON" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "ON_WITH_EXCLUSION" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "ON_WITH_INCLUSION" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "0" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] 
+CONFLICT: "RbacConfig.Mode" integer: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" field: "kind" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" field: "name" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "Server" field: "tls" has a different type: ServerTLSSettings, previously TLSOptions [networking/v1alpha3/gateway.proto] CONFLICT: "ServiceEntry" field: "endpoints" has a different type: WorkloadEntry, previously Endpoint [networking/v1alpha3/service_entry.proto] +CONFLICT: "ServiceRole" field: "rules" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRole" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "roleRef" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "subjects" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "group" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "groups" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "ips" has been removed, but is not 
reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "names" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "namespaces" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_groups" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_ips" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_names" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_namespaces" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "properties" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "user" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "10" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "11" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "5" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "6" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "7" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "8" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "9" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "TLSOptions.TLSmode" field: "AUTO_PASSTHROUGH" has been removed, but is not 
reserved [networking/v1alpha3/gateway.proto] CONFLICT: "TLSOptions.TLSmode" field: "MUTUAL" has been removed, but is not reserved [networking/v1alpha3/gateway.proto] CONFLICT: "TLSOptions.TLSmode" field: "PASSTHROUGH" has been removed, but is not reserved [networking/v1alpha3/gateway.proto] diff --git a/releaselocks/release-1.2/proto.lock.status b/releaselocks/release-1.2/proto.lock.status index 451f2d63..1d8009f9 100644 --- a/releaselocks/release-1.2/proto.lock.status +++ b/releaselocks/release-1.2/proto.lock.status 
@@ -1,8 +1,32 @@ +CONFLICT: "AccessRule" field: "constraints" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "hosts" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "methods" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_hosts" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_methods" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_paths" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_ports" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "paths" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "ports" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "services" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "10" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "5" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "6" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "7" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "8" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "9" has 
been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "AuthorizationPolicy" field: "allow" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "AuthorizationPolicy" field: "workload_selector" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "AuthorizationPolicy" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "AuthorizationPolicy" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "ConfigSource" field: "tls_settings" has a different type: istio.networking.v1alpha3.ClientTLSSettings, previously istio.networking.v1alpha3.TLSSettings [mesh/v1alpha1/config.proto] +CONFLICT: "EnforcementMode" field: "ENFORCED" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "EnforcementMode" field: "PERMISSIVE" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "EnforcementMode" integer: "0" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "EnforcementMode" integer: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "Filter.FilterType" field: "HTTP" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] CONFLICT: "Filter.FilterType" field: "INVALID" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] CONFLICT: "Filter.FilterType" field: "NETWORK" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] 
@@ -44,8 +68,62 @@ CONFLICT: "MeshConfig.IngressControllerMode" field: "STRICT" has a different int CONFLICT: "MeshConfig.IngressControllerMode" field: "UNSPECIFIED" integer: 0 has an updated name, previously "OFF" [mesh/v1alpha1/config.proto] CONFLICT: "ProxyConfig" field: "concurrency" has a different type: google.protobuf.Int32Value, previously int32 [mesh/v1alpha1/proxy.proto] CONFLICT: "Quota" field: "charge" has a different type: int32, previously int64 [mixer/v1/config/client/quota.proto] +CONFLICT: "RbacConfig" field: "enforcement_mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" field: "exclusion" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" field: "inclusion" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" field: "mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "OFF" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "ON" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "ON_WITH_EXCLUSION" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "ON_WITH_INCLUSION" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "0" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] 
+CONFLICT: "RbacConfig.Mode" integer: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" field: "kind" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" field: "name" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "Server" field: "tls" has a different type: ServerTLSSettings, previously TLSOptions [networking/v1alpha3/gateway.proto] CONFLICT: "ServiceEntry" field: "endpoints" has a different type: WorkloadEntry, previously Endpoint [networking/v1alpha3/service_entry.proto] +CONFLICT: "ServiceRole" field: "rules" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRole" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "actions" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "role" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "roleRef" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "subjects" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "4" 
has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "5" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "group" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "groups" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "ips" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "names" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "namespaces" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_groups" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_ips" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_names" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_namespaces" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "properties" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "user" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "10" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "11" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "5" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "6" 
has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "7" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "8" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "9" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "TLSOptions.TLSmode" field: "AUTO_PASSTHROUGH" has been removed, but is not reserved [networking/v1alpha3/gateway.proto] CONFLICT: "TLSOptions.TLSmode" field: "MUTUAL" has been removed, but is not reserved [networking/v1alpha3/gateway.proto] CONFLICT: "TLSOptions.TLSmode" field: "PASSTHROUGH" has been removed, but is not reserved [networking/v1alpha3/gateway.proto] diff --git a/releaselocks/release-1.3/proto.lock.status b/releaselocks/release-1.3/proto.lock.status index dd3a48f9..8f0da745 100644 --- a/releaselocks/release-1.3/proto.lock.status +++ b/releaselocks/release-1.3/proto.lock.status 
@@ -1,3 +1,23 @@ +CONFLICT: "AccessRule" field: "constraints" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "hosts" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "methods" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_hosts" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_methods" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_paths" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_ports" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "paths" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "ports" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "services" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "10" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "5" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "6" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "7" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "8" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "9" has 
been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "AuthorizationPolicy" field: "selector" has a different type: istio.type.v1beta1.WorkloadSelector, previously istio.networking.v1alpha3.WorkloadSelector [security/v1beta1/authorization.proto] CONFLICT: "ConfigSource" field: "tls_settings" has a different type: istio.networking.v1alpha3.ClientTLSSettings, previously istio.networking.v1alpha3.TLSSettings [mesh/v1alpha1/config.proto] CONFLICT: "DeprecatedListenerMatch.ListenerProtocol" field: "ALL" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] @@ -14,6 +34,10 @@ CONFLICT: "DeprecatedListenerMatch.ListenerType" integer: "0" has been removed, CONFLICT: "DeprecatedListenerMatch.ListenerType" integer: "1" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] CONFLICT: "DeprecatedListenerMatch.ListenerType" integer: "2" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] CONFLICT: "DeprecatedListenerMatch.ListenerType" integer: "3" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] +CONFLICT: "EnforcementMode" field: "ENFORCED" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "EnforcementMode" field: "PERMISSIVE" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "EnforcementMode" integer: "0" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "EnforcementMode" integer: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "Filter.FilterType" field: "HTTP" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] CONFLICT: "Filter.FilterType" field: "INVALID" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] CONFLICT: "Filter.FilterType" field: "NETWORK" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] 
@@ -41,9 +65,63 @@ CONFLICT: "MeshConfig.IngressControllerMode" field: "STRICT" has a different int CONFLICT: "MeshConfig.IngressControllerMode" field: "UNSPECIFIED" integer: 0 has an updated name, previously "OFF" [mesh/v1alpha1/config.proto] CONFLICT: "ProxyConfig" field: "concurrency" has a different type: google.protobuf.Int32Value, previously int32 [mesh/v1alpha1/proxy.proto] CONFLICT: "Quota" field: "charge" has a different type: int32, previously int64 [mixer/v1/config/client/quota.proto] +CONFLICT: "RbacConfig" field: "enforcement_mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" field: "exclusion" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" field: "inclusion" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" field: "mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "OFF" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "ON" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "ON_WITH_EXCLUSION" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "ON_WITH_INCLUSION" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "0" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] 
+CONFLICT: "RbacConfig.Mode" integer: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "RemoteService" field: "tls_settings" has a different type: istio.networking.v1alpha3.ClientTLSSettings, previously istio.networking.v1alpha3.TLSSettings [mesh/v1alpha1/proxy.proto] +CONFLICT: "RoleRef" field: "kind" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" field: "name" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "Server" field: "tls" has a different type: ServerTLSSettings, previously TLSOptions [networking/v1alpha3/gateway.proto] CONFLICT: "ServiceEntry" field: "endpoints" has a different type: WorkloadEntry, previously Endpoint [networking/v1alpha3/service_entry.proto] +CONFLICT: "ServiceRole" field: "rules" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRole" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "actions" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "role" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "roleRef" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "subjects" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "2" has been removed, 
but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "5" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "group" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "groups" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "ips" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "names" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "namespaces" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_groups" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_ips" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_names" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_namespaces" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "properties" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "user" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "10" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "11" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: 
"4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "5" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "6" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "7" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "8" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "9" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "TLSOptions.TLSmode" field: "AUTO_PASSTHROUGH" has been removed, but is not reserved [networking/v1alpha3/gateway.proto] CONFLICT: "TLSOptions.TLSmode" field: "ISTIO_MUTUAL" has been removed, but is not reserved [networking/v1alpha3/gateway.proto] CONFLICT: "TLSOptions.TLSmode" field: "MUTUAL" has been removed, but is not reserved [networking/v1alpha3/gateway.proto] diff --git a/releaselocks/release-1.4/proto.lock.status b/releaselocks/release-1.4/proto.lock.status index 6028930b..7e14bf3a 100644 --- a/releaselocks/release-1.4/proto.lock.status +++ b/releaselocks/release-1.4/proto.lock.status 
@@ -1,3 +1,23 @@ +CONFLICT: "AccessRule" field: "constraints" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "hosts" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "methods" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_hosts" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_methods" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_paths" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_ports" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "paths" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "ports" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "services" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "10" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "5" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "6" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "7" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "8" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "9" has 
been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "ConfigSource" field: "tls_settings" has a different type: istio.networking.v1alpha3.ClientTLSSettings, previously istio.networking.v1alpha3.TLSSettings [mesh/v1alpha1/config.proto] CONFLICT: "DeprecatedListenerMatch.ListenerProtocol" field: "ALL" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] CONFLICT: "DeprecatedListenerMatch.ListenerProtocol" field: "HTTP" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] @@ -13,6 +33,10 @@ CONFLICT: "DeprecatedListenerMatch.ListenerType" integer: "0" has been removed, CONFLICT: "DeprecatedListenerMatch.ListenerType" integer: "1" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] CONFLICT: "DeprecatedListenerMatch.ListenerType" integer: "2" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] CONFLICT: "DeprecatedListenerMatch.ListenerType" integer: "3" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] +CONFLICT: "EnforcementMode" field: "ENFORCED" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "EnforcementMode" field: "PERMISSIVE" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "EnforcementMode" integer: "0" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "EnforcementMode" integer: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "Filter.FilterType" field: "HTTP" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] CONFLICT: "Filter.FilterType" field: "INVALID" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] CONFLICT: "Filter.FilterType" field: "NETWORK" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] 
@@ -39,9 +63,63 @@ CONFLICT: "MeshConfig.IngressControllerMode" field: "OFF" integer: 1 has an upda CONFLICT: "MeshConfig.IngressControllerMode" field: "STRICT" has a different integer: 3, previously 2 [mesh/v1alpha1/config.proto] CONFLICT: "MeshConfig.IngressControllerMode" field: "UNSPECIFIED" integer: 0 has an updated name, previously "OFF" [mesh/v1alpha1/config.proto] CONFLICT: "ProxyConfig" field: "concurrency" has a different type: google.protobuf.Int32Value, previously int32 [mesh/v1alpha1/proxy.proto] +CONFLICT: "RbacConfig" field: "enforcement_mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" field: "exclusion" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" field: "inclusion" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" field: "mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "OFF" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "ON" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "ON_WITH_EXCLUSION" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "ON_WITH_INCLUSION" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "0" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "1" has been removed, but is not reserved 
[rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "RemoteService" field: "tls_settings" has a different type: istio.networking.v1alpha3.ClientTLSSettings, previously istio.networking.v1alpha3.TLSSettings [mesh/v1alpha1/proxy.proto] +CONFLICT: "RoleRef" field: "kind" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" field: "name" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "Server" field: "tls" has a different type: ServerTLSSettings, previously TLSOptions [networking/v1alpha3/gateway.proto] CONFLICT: "ServiceEntry" field: "endpoints" has a different type: WorkloadEntry, previously Endpoint [networking/v1alpha3/service_entry.proto] +CONFLICT: "ServiceRole" field: "rules" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRole" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "actions" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "role" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "roleRef" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "subjects" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" 
ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "5" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "group" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "groups" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "ips" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "names" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "namespaces" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_groups" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_ips" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_names" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_namespaces" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "properties" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "user" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "10" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "11" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] 
+CONFLICT: "Subject" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "5" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "6" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "7" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "8" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "9" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "TLSOptions.TLSmode" field: "AUTO_PASSTHROUGH" has been removed, but is not reserved [networking/v1alpha3/gateway.proto] CONFLICT: "TLSOptions.TLSmode" field: "ISTIO_MUTUAL" has been removed, but is not reserved [networking/v1alpha3/gateway.proto] CONFLICT: "TLSOptions.TLSmode" field: "MUTUAL" has been removed, but is not reserved [networking/v1alpha3/gateway.proto] diff --git a/releaselocks/release-1.5/proto.lock.status b/releaselocks/release-1.5/proto.lock.status index d53a32b2..a5bb8e34 100644 --- a/releaselocks/release-1.5/proto.lock.status +++ b/releaselocks/release-1.5/proto.lock.status 
@@ -1,3 +1,23 @@ +CONFLICT: "AccessRule" field: "constraints" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "hosts" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "methods" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_hosts" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_methods" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_paths" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_ports" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "paths" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "ports" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "services" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "10" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "5" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "6" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "7" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "8" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "9" has 
been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "ConfigSource" field: "tls_settings" has a different type: istio.networking.v1alpha3.ClientTLSSettings, previously istio.networking.v1alpha3.TLSSettings [mesh/v1alpha1/config.proto] CONFLICT: "DeprecatedListenerMatch.ListenerProtocol" field: "ALL" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] CONFLICT: "DeprecatedListenerMatch.ListenerProtocol" field: "HTTP" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] @@ -13,6 +33,10 @@ CONFLICT: "DeprecatedListenerMatch.ListenerType" integer: "0" has been removed, CONFLICT: "DeprecatedListenerMatch.ListenerType" integer: "1" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] CONFLICT: "DeprecatedListenerMatch.ListenerType" integer: "2" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] CONFLICT: "DeprecatedListenerMatch.ListenerType" integer: "3" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] +CONFLICT: "EnforcementMode" field: "ENFORCED" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "EnforcementMode" field: "PERMISSIVE" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "EnforcementMode" integer: "0" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "EnforcementMode" integer: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "Filter.FilterType" field: "HTTP" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] CONFLICT: "Filter.FilterType" field: "INVALID" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] CONFLICT: "Filter.FilterType" field: "NETWORK" has been removed, but is not reserved [networking/v1alpha3/envoy_filter.proto] 
@@ -37,7 +61,27 @@ CONFLICT: "MeshConfig.IngressControllerMode" field: "OFF" integer: 1 has an upda CONFLICT: "MeshConfig.IngressControllerMode" field: "STRICT" has a different integer: 3, previously 2 [mesh/v1alpha1/config.proto] CONFLICT: "MeshConfig.IngressControllerMode" field: "UNSPECIFIED" integer: 0 has an updated name, previously "OFF" [mesh/v1alpha1/config.proto] CONFLICT: "ProxyConfig" field: "concurrency" has a different type: google.protobuf.Int32Value, previously int32 [mesh/v1alpha1/proxy.proto] +CONFLICT: "RbacConfig" field: "enforcement_mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" field: "exclusion" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" field: "inclusion" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" field: "mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "OFF" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "ON" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "ON_WITH_EXCLUSION" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "ON_WITH_INCLUSION" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "0" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "1" has been removed, but is not reserved 
[rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "RemoteService" field: "tls_settings" has a different type: istio.networking.v1alpha3.ClientTLSSettings, previously istio.networking.v1alpha3.TLSSettings [mesh/v1alpha1/proxy.proto] +CONFLICT: "RoleRef" field: "kind" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" field: "name" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "RollingUpdateDeployment" field: "maxSurge" has a different type: TypeInterface_kubernetes, previously TypeIntOrStringForPB [operator/v1alpha1/kubernetes.proto] CONFLICT: "RollingUpdateDeployment" field: "maxUnavailable" has a different type: TypeInterface_kubernetes, previously TypeIntOrStringForPB [operator/v1alpha1/kubernetes.proto] CONFLICT: "Server" field: "tls" has a different type: ServerTLSSettings, previously TLSOptions [networking/v1alpha3/gateway.proto] 
@@ -45,6 +89,40 @@ CONFLICT: "Server" field: "tls" has a different type: ServerTLSSettings, previou CONFLICT: "ServiceEntry" field: "endpoints" has a different type: WorkloadEntry, previously Endpoint [networking/v1alpha3/service_entry.proto] CONFLICT: "ServiceEntry" field: "endpoints" has a different type: WorkloadEntry, previously Endpoint [networking/v1beta1/service_entry.proto] CONFLICT: "ServicePort" field: "targetPort" has a different type: TypeInterface_kubernetes, previously TypeIntOrStringForPB [operator/v1alpha1/kubernetes.proto] +CONFLICT: "ServiceRole" field: "rules" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRole" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "actions" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "role" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "roleRef" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "subjects" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "5" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "group" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "groups" has been removed, but 
is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "ips" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "names" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "namespaces" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_groups" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_ips" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_names" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_namespaces" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "properties" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "user" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "10" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "11" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "5" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "6" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "7" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "8" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "9" has been removed, but is not reserved 
[rbac/v1alpha1/rbac.proto] CONFLICT: "TCPSocketAction" field: "port" has a different type: TypeInterface_kubernetes, previously TypeIntOrStringForPB [operator/v1alpha1/kubernetes.proto] CONFLICT: "TLSOptions.TLSmode" field: "AUTO_PASSTHROUGH" has been removed, but is not reserved [networking/v1alpha3/gateway.proto] CONFLICT: "TLSOptions.TLSmode" field: "AUTO_PASSTHROUGH" has been removed, but is not reserved [networking/v1beta1/gateway.proto] diff --git a/releaselocks/release-1.6/proto.lock.status b/releaselocks/release-1.6/proto.lock.status index c0e58194..7dcb38b0 100644 --- a/releaselocks/release-1.6/proto.lock.status +++ b/releaselocks/release-1.6/proto.lock.status 
@@ -1 +1,79 @@ +CONFLICT: "AccessRule" field: "constraints" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "hosts" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "methods" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_hosts" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_methods" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_paths" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "not_ports" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "paths" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "ports" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" field: "services" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "10" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "5" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "6" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "7" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "8" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "AccessRule" ID: "9" has been 
removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "EnforcementMode" field: "ENFORCED" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "EnforcementMode" field: "PERMISSIVE" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "EnforcementMode" integer: "0" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "EnforcementMode" integer: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] CONFLICT: "ProxyConfig" field: "concurrency" has a different type: google.protobuf.Int32Value, previously int32 [mesh/v1alpha1/proxy.proto] +CONFLICT: "RbacConfig" field: "enforcement_mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" field: "exclusion" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" field: "inclusion" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" field: "mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "OFF" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "ON" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "ON_WITH_EXCLUSION" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" field: "ON_WITH_INCLUSION" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "0" has been removed, but is not reserved 
[rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RbacConfig.Mode" integer: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" field: "kind" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" field: "name" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "RoleRef" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRole" field: "rules" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRole" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "actions" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "mode" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "role" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "roleRef" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" field: "subjects" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "ServiceRoleBinding" ID: "5" has been removed, but is not 
reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "group" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "groups" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "ips" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "names" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "namespaces" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_groups" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_ips" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_names" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "not_namespaces" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "properties" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" field: "user" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "1" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "10" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "11" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "2" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "3" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "4" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "5" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "6" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "7" has been removed, but is not reserved 
[rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "8" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto] +CONFLICT: "Subject" ID: "9" has been removed, but is not reserved [rbac/v1alpha1/rbac.proto]