replace quotes with backticks when referring to values (#2707)

Co-authored-by: Peter Jausovec <peter.jausovec@solo.io>
Istio Automation 2023-03-02 06:41:06 -08:00 committed by GitHub
parent 5386d7e392
commit ef3fe4fa15
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 126 additions and 136 deletions


@ -48,20 +48,20 @@
//
// Here is an example of Istio Authorization Policy:
//
// It sets the `action` to "ALLOW" to create an allow policy. The default action is "ALLOW"
// It sets the `action` to `ALLOW` to create an allow policy. The default action is `ALLOW`
// but it is useful to be explicit in the policy.
//
// It allows requests from:
//
// - service account "cluster.local/ns/default/sa/sleep" or
// - namespace "test"
// - service account `cluster.local/ns/default/sa/sleep` or
// - namespace `test`
//
// to access the workload with:
//
// - "GET" method at paths of prefix "/info" or,
// - "POST" method at path "/data".
// - `GET` method at paths of prefix `/info` or,
// - `POST` method at path `/data`.
//
// when the request has a valid JWT token issued by "https://accounts.google.com".
// when the request has a valid JWT token issued by `https://accounts.google.com`.
//
// Any other requests will be denied.
//
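Review bot: this hunk mirrors, line for line, the same comment change in the `.proto` hunk further down (the one carrying `import "type/v1beta1/selector.proto";` as context); if this file is produced from that proto by a generator, confirm it was regenerated rather than edited by hand, otherwise the two copies will drift the next time the generator runs.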
@ -91,9 +91,9 @@
// values: ["https://accounts.google.com"]
// ```
//
// The following is another example that sets `action` to "DENY" to create a deny policy.
// It denies requests from the "dev" namespace to the "POST" method on all workloads
// in the "foo" namespace.
// The following is another example that sets `action` to `DENY` to create a deny policy.
// It denies requests from the `dev` namespace to the `POST` method on all workloads
// in the `foo` namespace.
//
// ```yaml
// apiVersion: security.istio.io/v1
@ -113,7 +113,7 @@
// ```
//
// The following is another example that sets `action` to `DENY` to create a deny policy.
// It denies all the requests with "POST" method on port "8080" on all workloads
// It denies all the requests with `POST` method on port `8080` on all workloads
// in the `foo` namespace.
//
// ```yaml
@ -132,12 +132,12 @@
// ```
//
// When this rule is applied to TCP traffic, the `method` field (as will all HTTP based attributes) cannot be processed.
// For a `DENY` rule, missing attributes are treated as matches. This means all TCP traffic on port 8080 would be denied in the example above.
// For a `DENY` rule, missing attributes are treated as matches. This means all TCP traffic on port `8080` would be denied in the example above.
// If we were to remove the `ports` match, all TCP traffic would be denied. As a result, it is recommended to always scope `DENY` policies to a specific port,
// especially when using HTTP attributes [Authorization Policy for TCP Ports](https://istio.io/latest/docs/tasks/security/authorization/authz-tcp/).
//
// The following authorization policy sets the `action` to "AUDIT". It will audit any GET requests to the path with the
// prefix "/user/profile".
// The following authorization policy sets the `action` to `AUDIT`. It will audit any GET requests to the path with the
// prefix `/user/profile`.
//
// ```yaml
// apiVersion: security.istio.io/v1
@ -158,16 +158,14 @@
// ```
//
// Authorization Policy scope (target) is determined by "metadata/namespace" and
// an optional "selector".
// an optional `selector`.
//
// - "metadata/namespace" tells which namespace the policy applies. If set to root
// namespace, the policy applies to all namespaces in a mesh.
// - workload "selector" can be used to further restrict where a policy applies.
// - workload `selector` can be used to further restrict where a policy applies.
//
// For example,
//
// The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies
// all requests to workloads in namespace foo.
// For example, the following authorization policy applies to all workloads in namespace `foo`. It allows nothing and effectively denies
// all requests to workloads in namespace `foo`.
//
// ```yaml
// apiVersion: security.istio.io/v1
@ -179,7 +177,7 @@
// {}
// ```
//
// The following authorization policy allows all requests to workloads in namespace foo.
// The following authorization policy allows all requests to workloads in namespace `foo`.
//
// ```yaml
// apiVersion: security.istio.io/v1
@ -192,7 +190,7 @@
// - {}
// ```
//
// The following authorization policy applies to workloads containing label "app: httpbin" in namespace bar. It allows
// The following authorization policy applies to workloads containing label `app: httpbin` in namespace `bar`. It allows
// nothing and effectively denies all requests to the selected workloads.
//
// ```yaml
@ -207,8 +205,8 @@
// app: httpbin
// ```
//
// The following authorization policy applies to workloads containing label "version: v1" in all namespaces in the mesh.
// (Assuming the root namespace is configured to "istio-system").
// The following authorization policy applies to workloads containing label `version: v1` in all namespaces in the mesh.
// (Assuming the root namespace is configured to `istio-system`).
//
// ```yaml
// apiVersion: security.istio.io/v1


@ -28,19 +28,19 @@ A separate plugin must be configured and enabled to actually fulfill the audit d
The request will not be audited if there are no such supporting plugins enabled.
Currently, the only supported plugin is the <a href="https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/">Stackdriver</a> plugin.</p>
<p>Here is an example of Istio Authorization Policy:</p>
<p>It sets the <code>action</code> to &ldquo;ALLOW&rdquo; to create an allow policy. The default action is &ldquo;ALLOW&rdquo;
<p>It sets the <code>action</code> to <code>ALLOW</code> to create an allow policy. The default action is <code>ALLOW</code>
but it is useful to be explicit in the policy.</p>
<p>It allows requests from:</p>
<ul>
<li>service account &ldquo;cluster.local/ns/default/sa/sleep&rdquo; or</li>
<li>namespace &ldquo;test&rdquo;</li>
<li>service account <code>cluster.local/ns/default/sa/sleep</code> or</li>
<li>namespace <code>test</code></li>
</ul>
<p>to access the workload with:</p>
<ul>
<li>&ldquo;GET&rdquo; method at paths of prefix &ldquo;/info&rdquo; or,</li>
<li>&ldquo;POST&rdquo; method at path &ldquo;/data&rdquo;.</li>
<li><code>GET</code> method at paths of prefix <code>/info</code> or,</li>
<li><code>POST</code> method at path <code>/data</code>.</li>
</ul>
<p>when the request has a valid JWT token issued by &ldquo;<a href="https://accounts.google.com">https://accounts.google.com</a>&rdquo;.</p>
<p>when the request has a valid JWT token issued by <code>https://accounts.google.com</code>.</p>
<p>Any other requests will be denied.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
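Review bot: the replaced line `<p>when the request has a valid JWT token issued by <code>https://accounts.google.com</code>.</p>` drops the `<a href="https://accounts.google.com">` hyperlink the previous rendering had, because a backticked URL renders as inline code instead of an autolink. That is fine if plain code is the intent, but if the link is wanted the proto comment should use an explicit markdown link, as the `Authorization Policy for TCP Ports` link later in this file does.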
@ -66,9 +66,9 @@ spec:
- key: request.auth.claims[iss]
values: [&quot;https://accounts.google.com&quot;]
</code></pre>
<p>The following is another example that sets <code>action</code> to &ldquo;DENY&rdquo; to create a deny policy.
It denies requests from the &ldquo;dev&rdquo; namespace to the &ldquo;POST&rdquo; method on all workloads
in the &ldquo;foo&rdquo; namespace.</p>
<p>The following is another example that sets <code>action</code> to <code>DENY</code> to create a deny policy.
It denies requests from the <code>dev</code> namespace to the <code>POST</code> method on all workloads
in the <code>foo</code> namespace.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
@ -85,7 +85,7 @@ spec:
methods: [&quot;POST&quot;]
</code></pre>
<p>The following is another example that sets <code>action</code> to <code>DENY</code> to create a deny policy.
It denies all the requests with &ldquo;POST&rdquo; method on port &ldquo;8080&rdquo; on all workloads
It denies all the requests with <code>POST</code> method on port <code>8080</code> on all workloads
in the <code>foo</code> namespace.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
kind: AuthorizaionPolicy
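Review bot: the context line `kind: AuthorizaionPolicy` in this example is misspelled and should be `AuthorizationPolicy`, as in every other example in this file. This HTML appears to be rendered from the proto comment, so fix the YAML example in the proto and regenerate; it is worth doing in this pass since the surrounding paragraph is already being touched.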
@ -101,11 +101,11 @@ spec:
ports: [&quot;8080&quot;]
</code></pre>
<p>When this rule is applied to TCP traffic, the <code>method</code> field (as will all HTTP based attributes) cannot be processed.
For a <code>DENY</code> rule, missing attributes are treated as matches. This means all TCP traffic on port 8080 would be denied in the example above.
For a <code>DENY</code> rule, missing attributes are treated as matches. This means all TCP traffic on port <code>8080</code> would be denied in the example above.
If we were to remove the <code>ports</code> match, all TCP traffic would be denied. As a result, it is recommended to always scope <code>DENY</code> policies to a specific port,
especially when using HTTP attributes <a href="https://istio.io/latest/docs/tasks/security/authorization/authz-tcp/">Authorization Policy for TCP Ports</a>.</p>
<p>The following authorization policy sets the <code>action</code> to &ldquo;AUDIT&rdquo;. It will audit any GET requests to the path with the
prefix &ldquo;/user/profile&rdquo;.</p>
<p>The following authorization policy sets the <code>action</code> to <code>AUDIT</code>. It will audit any GET requests to the path with the
prefix <code>/user/profile</code>.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
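Review bot: `GET` in `It will audit any GET requests` stays bare in this v1 rendering while the v1beta1 rendering later in this commit backticks it (`any <code>GET</code> requests`), so the two API versions now document the same paragraph differently; make them match. On the unchanged context lines, `(as will all HTTP based attributes)` reads as a typo for `(as with all HTTP-based attributes)`, and `especially when using HTTP attributes <a ...>Authorization Policy for TCP Ports</a>` wants a `see` before the link; both matter here because this is the paragraph that carries the deny-semantics caveat (missing attributes match, so an unscoped `DENY` rule denies all TCP traffic).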
@ -123,15 +123,14 @@ spec:
paths: [&quot;/user/profile/*&quot;]
</code></pre>
<p>Authorization Policy scope (target) is determined by &ldquo;metadata/namespace&rdquo; and
an optional &ldquo;selector&rdquo;.</p>
an optional <code>selector</code>.</p>
<ul>
<li>&ldquo;metadata/namespace&rdquo; tells which namespace the policy applies. If set to root
namespace, the policy applies to all namespaces in a mesh.</li>
<li>workload &ldquo;selector&rdquo; can be used to further restrict where a policy applies.</li>
<li>workload <code>selector</code> can be used to further restrict where a policy applies.</li>
</ul>
<p>For example,</p>
<p>The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies
all requests to workloads in namespace foo.</p>
<p>For example, the following authorization policy applies to all workloads in namespace <code>foo</code>. It allows nothing and effectively denies
all requests to workloads in namespace <code>foo</code>.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
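Review bot: `&ldquo;metadata/namespace&rdquo;` on the two unchanged lines (the `scope (target) is determined by` sentence and the first `<li>`) is still in curly quotes while `selector` right beside it became `<code>`, which leaves this paragraph half-converted; backtick `metadata/namespace` in the proto comment as well. The same list item reads `tells which namespace the policy applies`, which is missing its `to`.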
@ -140,7 +139,7 @@ metadata:
spec:
{}
</code></pre>
<p>The following authorization policy allows all requests to workloads in namespace foo.</p>
<p>The following authorization policy allows all requests to workloads in namespace <code>foo</code>.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
@ -150,7 +149,7 @@ spec:
rules:
- {}
</code></pre>
<p>The following authorization policy applies to workloads containing label &ldquo;app: httpbin&rdquo; in namespace bar. It allows
<p>The following authorization policy applies to workloads containing label <code>app: httpbin</code> in namespace <code>bar</code>. It allows
nothing and effectively denies all requests to the selected workloads.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
@ -162,8 +161,8 @@ spec:
matchLabels:
app: httpbin
</code></pre>
<p>The following authorization policy applies to workloads containing label &ldquo;version: v1&rdquo; in all namespaces in the mesh.
(Assuming the root namespace is configured to &ldquo;istio-system&rdquo;).</p>
<p>The following authorization policy applies to workloads containing label <code>version: v1</code> in all namespaces in the mesh.
(Assuming the root namespace is configured to <code>istio-system</code>).</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:


@ -46,20 +46,20 @@ import "type/v1beta1/selector.proto";
//
// Here is an example of Istio Authorization Policy:
//
// It sets the `action` to "ALLOW" to create an allow policy. The default action is "ALLOW"
// It sets the `action` to `ALLOW` to create an allow policy. The default action is `ALLOW`
// but it is useful to be explicit in the policy.
//
// It allows requests from:
//
// - service account "cluster.local/ns/default/sa/sleep" or
// - namespace "test"
// - service account `cluster.local/ns/default/sa/sleep` or
// - namespace `test`
//
// to access the workload with:
//
// - "GET" method at paths of prefix "/info" or,
// - "POST" method at path "/data".
// - `GET` method at paths of prefix `/info` or,
// - `POST` method at path `/data`.
//
// when the request has a valid JWT token issued by "https://accounts.google.com".
// when the request has a valid JWT token issued by `https://accounts.google.com`.
//
// Any other requests will be denied.
//
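Review bot: `valid JWT token` on the changed line is redundant (the T already stands for token) and could be `valid JWT`. Separately, backticking `https://accounts.google.com` turns it from an autolinked URL into inline code in the rendered HTML (the rendered file in this commit loses its `<a href>`); that is fine if intentional, but it differs from the TCP-ports task link further down, which is written as an explicit markdown link.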
@ -89,9 +89,9 @@ import "type/v1beta1/selector.proto";
// values: ["https://accounts.google.com"]
// ```
//
// The following is another example that sets `action` to "DENY" to create a deny policy.
// It denies requests from the "dev" namespace to the "POST" method on all workloads
// in the "foo" namespace.
// The following is another example that sets `action` to `DENY` to create a deny policy.
// It denies requests from the `dev` namespace to the `POST` method on all workloads
// in the `foo` namespace.
//
// ```yaml
// apiVersion: security.istio.io/v1
@ -111,7 +111,7 @@ import "type/v1beta1/selector.proto";
// ```
//
// The following is another example that sets `action` to `DENY` to create a deny policy.
// It denies all the requests with "POST" method on port "8080" on all workloads
// It denies all the requests with `POST` method on port `8080` on all workloads
// in the `foo` namespace.
//
// ```yaml
@ -130,12 +130,12 @@ import "type/v1beta1/selector.proto";
// ```
//
// When this rule is applied to TCP traffic, the `method` field (as will all HTTP based attributes) cannot be processed.
// For a `DENY` rule, missing attributes are treated as matches. This means all TCP traffic on port 8080 would be denied in the example above.
// For a `DENY` rule, missing attributes are treated as matches. This means all TCP traffic on port `8080` would be denied in the example above.
// If we were to remove the `ports` match, all TCP traffic would be denied. As a result, it is recommended to always scope `DENY` policies to a specific port,
// especially when using HTTP attributes [Authorization Policy for TCP Ports](https://istio.io/latest/docs/tasks/security/authorization/authz-tcp/).
//
// The following authorization policy sets the `action` to "AUDIT". It will audit any GET requests to the path with the
// prefix "/user/profile".
// The following authorization policy sets the `action` to `AUDIT`. It will audit any GET requests to the path with the
// prefix `/user/profile`.
//
// ```yaml
// apiVersion: security.istio.io/v1
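Review bot: this hunk backticks `AUDIT` and `/user/profile` but leaves `GET` bare on `It will audit any GET requests`, whereas the v1beta1 proto's version of the same line in this commit reads `any `GET` requests`; align the two. On the unchanged context lines, `(as will all HTTP based attributes)` should be `(as with all HTTP-based attributes)`, and `especially when using HTTP attributes [Authorization Policy for TCP Ports](...)` needs a `see` before the link, since this is the paragraph that tells readers an unscoped `DENY` rule with HTTP attributes denies all TCP traffic.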
@ -156,16 +156,14 @@ import "type/v1beta1/selector.proto";
// ```
//
// Authorization Policy scope (target) is determined by "metadata/namespace" and
// an optional "selector".
// an optional `selector`.
//
// - "metadata/namespace" tells which namespace the policy applies. If set to root
// namespace, the policy applies to all namespaces in a mesh.
// - workload "selector" can be used to further restrict where a policy applies.
// - workload `selector` can be used to further restrict where a policy applies.
//
// For example,
//
// The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies
// all requests to workloads in namespace foo.
// For example, the following authorization policy applies to all workloads in namespace `foo`. It allows nothing and effectively denies
// all requests to workloads in namespace `foo`.
//
// ```yaml
// apiVersion: security.istio.io/v1
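Review bot: `"metadata/namespace"` on the two unchanged lines keeps the straight quotes this commit is removing everywhere else, while `selector` on the adjacent lines is backticked; convert it too so the scope paragraph is consistent. The bullet `tells which namespace the policy applies` should read `applies to`.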
@ -177,7 +175,7 @@ import "type/v1beta1/selector.proto";
// {}
// ```
//
// The following authorization policy allows all requests to workloads in namespace foo.
// The following authorization policy allows all requests to workloads in namespace `foo`.
//
// ```yaml
// apiVersion: security.istio.io/v1
@ -190,7 +188,7 @@ import "type/v1beta1/selector.proto";
// - {}
// ```
//
// The following authorization policy applies to workloads containing label "app: httpbin" in namespace bar. It allows
// The following authorization policy applies to workloads containing label `app: httpbin` in namespace `bar`. It allows
// nothing and effectively denies all requests to the selected workloads.
//
// ```yaml
@ -205,8 +203,8 @@ import "type/v1beta1/selector.proto";
// app: httpbin
// ```
//
// The following authorization policy applies to workloads containing label "version: v1" in all namespaces in the mesh.
// (Assuming the root namespace is configured to "istio-system").
// The following authorization policy applies to workloads containing label `version: v1` in all namespaces in the mesh.
// (Assuming the root namespace is configured to `istio-system`).
//
// ```yaml
// apiVersion: security.istio.io/v1
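Review bot: `configured to `istio-system`` on the changed line reads better as `configured as`, and the parenthetical is a sentence fragment; it could be folded into the preceding sentence, e.g. `... in all namespaces in the mesh, assuming the root namespace is configured as `istio-system`.`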


@ -48,20 +48,20 @@
//
// Here is an example of Istio Authorization Policy:
//
// It sets the `action` to "ALLOW" to create an allow policy. The default action is "ALLOW"
// It sets the `action` to `ALLOW` to create an allow policy. The default action is `ALLOW`
// but it is useful to be explicit in the policy.
//
// It allows requests from:
//
// - service account "cluster.local/ns/default/sa/sleep" or
// - namespace "test"
// - service account `cluster.local/ns/default/sa/sleep` or
// - namespace `test`
//
// to access the workload with:
//
// - "GET" method at paths of prefix "/info" or,
// - "POST" method at path "/data".
// - `GET` method at paths of prefix `/info` or,
// - `POST` method at path `/data`.
//
// when the request has a valid JWT token issued by "https://accounts.google.com".
// when the request has a valid JWT token issued by `https://accounts.google.com`.
//
// Any other requests will be denied.
//
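Review bot: as with the v1 copy earlier in this commit, this hunk mirrors the v1beta1 `.proto` hunk below it line for line; if this file is generated from the proto, confirm it was regenerated rather than hand-edited so the copies stay in sync.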
@ -91,9 +91,9 @@
// values: ["https://accounts.google.com"]
// ```
//
// The following is another example that sets `action` to "DENY" to create a deny policy.
// It denies requests from the "dev" namespace to the "POST" method on all workloads
// in the "foo" namespace.
// The following is another example that sets `action` to `DENY` to create a deny policy.
// It denies requests from the `dev` namespace to the `POST` method on all workloads
// in the `foo` namespace.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
@ -113,7 +113,7 @@
// ```
//
// The following is another example that sets `action` to `DENY` to create a deny policy.
// It denies all the requests with "POST" method on port "8080" on all workloads
// It denies all the requests with `POST` method on port `8080` on all workloads
// in the `foo` namespace.
//
// ```yaml
@ -132,12 +132,12 @@
// ```
//
// When this rule is applied to TCP traffic, the `method` field (as will all HTTP based attributes) cannot be processed.
// For a `DENY` rule, missing attributes are treated as matches. This means all TCP traffic on port 8080 would be denied in the example above.
// For a `DENY` rule, missing attributes are treated as matches. This means all TCP traffic on port `8080` would be denied in the example above.
// If we were to remove the `ports` match, all TCP traffic would be denied. As a result, it is recommended to always scope `DENY` policies to a specific port,
// especially when using HTTP attributes [Authorization Policy for TCP Ports](https://istio.io/latest/docs/tasks/security/authorization/authz-tcp/).
//
// The following authorization policy sets the `action` to "AUDIT". It will audit any GET requests to the path with the
// prefix "/user/profile".
// The following authorization policy sets the `action` to `AUDIT`. It will audit any `GET` requests to the path with the
// prefix `/user/profile`.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
@ -158,16 +158,14 @@
// ```
//
// Authorization Policy scope (target) is determined by "metadata/namespace" and
// an optional "selector".
// an optional `selector`.
//
// - "metadata/namespace" tells which namespace the policy applies. If set to root
// namespace, the policy applies to all namespaces in a mesh.
// - workload "selector" can be used to further restrict where a policy applies.
// - workload `selector` can be used to further restrict where a policy applies.
//
// For example,
//
// The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies
// all requests to workloads in namespace foo.
// For example, the following authorization policy applies to all workloads in namespace `foo`. It allows nothing and effectively denies
// all requests to workloads in namespace `foo`.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
@ -179,7 +177,7 @@
// {}
// ```
//
// The following authorization policy allows all requests to workloads in namespace foo.
// The following authorization policy allows all requests to workloads in namespace `foo`.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
@ -192,7 +190,7 @@
// - {}
// ```
//
// The following authorization policy applies to workloads containing label "app: httpbin" in namespace bar. It allows
// The following authorization policy applies to workloads containing label `app: httpbin` in namespace `bar`. It allows
// nothing and effectively denies all requests to the selected workloads.
//
// ```yaml
@ -207,8 +205,8 @@
// app: httpbin
// ```
//
// The following authorization policy applies to workloads containing label "version: v1" in all namespaces in the mesh.
// (Assuming the root namespace is configured to "istio-system").
// The following authorization policy applies to workloads containing label `version: v1` in all namespaces in the mesh.
// (Assuming the root namespace is configured to `istio-system`).
//
// ```yaml
// apiVersion: security.istio.io/v1beta1


@ -28,19 +28,19 @@ A separate plugin must be configured and enabled to actually fulfill the audit d
The request will not be audited if there are no such supporting plugins enabled.
Currently, the only supported plugin is the <a href="https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/">Stackdriver</a> plugin.</p>
<p>Here is an example of Istio Authorization Policy:</p>
<p>It sets the <code>action</code> to &ldquo;ALLOW&rdquo; to create an allow policy. The default action is &ldquo;ALLOW&rdquo;
<p>It sets the <code>action</code> to <code>ALLOW</code> to create an allow policy. The default action is <code>ALLOW</code>
but it is useful to be explicit in the policy.</p>
<p>It allows requests from:</p>
<ul>
<li>service account &ldquo;cluster.local/ns/default/sa/sleep&rdquo; or</li>
<li>namespace &ldquo;test&rdquo;</li>
<li>service account <code>cluster.local/ns/default/sa/sleep</code> or</li>
<li>namespace <code>test</code></li>
</ul>
<p>to access the workload with:</p>
<ul>
<li>&ldquo;GET&rdquo; method at paths of prefix &ldquo;/info&rdquo; or,</li>
<li>&ldquo;POST&rdquo; method at path &ldquo;/data&rdquo;.</li>
<li><code>GET</code> method at paths of prefix <code>/info</code> or,</li>
<li><code>POST</code> method at path <code>/data</code>.</li>
</ul>
<p>when the request has a valid JWT token issued by &ldquo;<a href="https://accounts.google.com">https://accounts.google.com</a>&rdquo;.</p>
<p>when the request has a valid JWT token issued by <code>https://accounts.google.com</code>.</p>
<p>Any other requests will be denied.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
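Review bot: same point as in the v1 rendering: the replaced line `<p>when the request has a valid JWT token issued by <code>https://accounts.google.com</code>.</p>` loses the `<a href>` hyperlink because the backticked URL now renders as inline code; keep it if plain code is intended, otherwise use an explicit markdown link in the proto comment.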
@ -66,9 +66,9 @@ spec:
- key: request.auth.claims[iss]
values: [&quot;https://accounts.google.com&quot;]
</code></pre>
<p>The following is another example that sets <code>action</code> to &ldquo;DENY&rdquo; to create a deny policy.
It denies requests from the &ldquo;dev&rdquo; namespace to the &ldquo;POST&rdquo; method on all workloads
in the &ldquo;foo&rdquo; namespace.</p>
<p>The following is another example that sets <code>action</code> to <code>DENY</code> to create a deny policy.
It denies requests from the <code>dev</code> namespace to the <code>POST</code> method on all workloads
in the <code>foo</code> namespace.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
@ -85,7 +85,7 @@ spec:
methods: [&quot;POST&quot;]
</code></pre>
<p>The following is another example that sets <code>action</code> to <code>DENY</code> to create a deny policy.
It denies all the requests with &ldquo;POST&rdquo; method on port &ldquo;8080&rdquo; on all workloads
It denies all the requests with <code>POST</code> method on port <code>8080</code> on all workloads
in the <code>foo</code> namespace.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizaionPolicy
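Review bot: the context line `kind: AuthorizaionPolicy` is misspelled here as well and should be `AuthorizationPolicy`; fix the YAML example in the v1beta1 proto and regenerate this file.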
@ -101,11 +101,11 @@ spec:
ports: [&quot;8080&quot;]
</code></pre>
<p>When this rule is applied to TCP traffic, the <code>method</code> field (as will all HTTP based attributes) cannot be processed.
For a <code>DENY</code> rule, missing attributes are treated as matches. This means all TCP traffic on port 8080 would be denied in the example above.
For a <code>DENY</code> rule, missing attributes are treated as matches. This means all TCP traffic on port <code>8080</code> would be denied in the example above.
If we were to remove the <code>ports</code> match, all TCP traffic would be denied. As a result, it is recommended to always scope <code>DENY</code> policies to a specific port,
especially when using HTTP attributes <a href="https://istio.io/latest/docs/tasks/security/authorization/authz-tcp/">Authorization Policy for TCP Ports</a>.</p>
<p>The following authorization policy sets the <code>action</code> to &ldquo;AUDIT&rdquo;. It will audit any GET requests to the path with the
prefix &ldquo;/user/profile&rdquo;.</p>
<p>The following authorization policy sets the <code>action</code> to <code>AUDIT</code>. It will audit any <code>GET</code> requests to the path with the
prefix <code>/user/profile</code>.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
@ -123,15 +123,14 @@ spec:
paths: [&quot;/user/profile/*&quot;]
</code></pre>
<p>Authorization Policy scope (target) is determined by &ldquo;metadata/namespace&rdquo; and
an optional &ldquo;selector&rdquo;.</p>
an optional <code>selector</code>.</p>
<ul>
<li>&ldquo;metadata/namespace&rdquo; tells which namespace the policy applies. If set to root
namespace, the policy applies to all namespaces in a mesh.</li>
<li>workload &ldquo;selector&rdquo; can be used to further restrict where a policy applies.</li>
<li>workload <code>selector</code> can be used to further restrict where a policy applies.</li>
</ul>
<p>For example,</p>
<p>The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies
all requests to workloads in namespace foo.</p>
<p>For example, the following authorization policy applies to all workloads in namespace <code>foo</code>. It allows nothing and effectively denies
all requests to workloads in namespace <code>foo</code>.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
@ -140,7 +139,7 @@ metadata:
spec:
{}
</code></pre>
<p>The following authorization policy allows all requests to workloads in namespace foo.</p>
<p>The following authorization policy allows all requests to workloads in namespace <code>foo</code>.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
@ -150,7 +149,7 @@ spec:
rules:
- {}
</code></pre>
<p>The following authorization policy applies to workloads containing label &ldquo;app: httpbin&rdquo; in namespace bar. It allows
<p>The following authorization policy applies to workloads containing label <code>app: httpbin</code> in namespace <code>bar</code>. It allows
nothing and effectively denies all requests to the selected workloads.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
@ -162,8 +161,8 @@ spec:
matchLabels:
app: httpbin
</code></pre>
<p>The following authorization policy applies to workloads containing label &ldquo;version: v1&rdquo; in all namespaces in the mesh.
(Assuming the root namespace is configured to &ldquo;istio-system&rdquo;).</p>
<p>The following authorization policy applies to workloads containing label <code>version: v1</code> in all namespaces in the mesh.
(Assuming the root namespace is configured to <code>istio-system</code>).</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:


@ -46,20 +46,20 @@ import "type/v1beta1/selector.proto";
//
// Here is an example of Istio Authorization Policy:
//
// It sets the `action` to "ALLOW" to create an allow policy. The default action is "ALLOW"
// It sets the `action` to `ALLOW` to create an allow policy. The default action is `ALLOW`
// but it is useful to be explicit in the policy.
//
// It allows requests from:
//
// - service account "cluster.local/ns/default/sa/sleep" or
// - namespace "test"
// - service account `cluster.local/ns/default/sa/sleep` or
// - namespace `test`
//
// to access the workload with:
//
// - "GET" method at paths of prefix "/info" or,
// - "POST" method at path "/data".
// - `GET` method at paths of prefix `/info` or,
// - `POST` method at path `/data`.
//
// when the request has a valid JWT token issued by "https://accounts.google.com".
// when the request has a valid JWT token issued by `https://accounts.google.com`.
//
// Any other requests will be denied.
//
@ -89,9 +89,9 @@ import "type/v1beta1/selector.proto";
// values: ["https://accounts.google.com"]
// ```
//
// The following is another example that sets `action` to "DENY" to create a deny policy.
// It denies requests from the "dev" namespace to the "POST" method on all workloads
// in the "foo" namespace.
// The following is another example that sets `action` to `DENY` to create a deny policy.
// It denies requests from the `dev` namespace to the `POST` method on all workloads
// in the `foo` namespace.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
@ -111,7 +111,7 @@ import "type/v1beta1/selector.proto";
// ```
//
// The following is another example that sets `action` to `DENY` to create a deny policy.
// It denies all the requests with "POST" method on port "8080" on all workloads
// It denies all the requests with `POST` method on port `8080` on all workloads
// in the `foo` namespace.
//
// ```yaml
@ -130,12 +130,12 @@ import "type/v1beta1/selector.proto";
// ```
//
// When this rule is applied to TCP traffic, the `method` field (as will all HTTP based attributes) cannot be processed.
// For a `DENY` rule, missing attributes are treated as matches. This means all TCP traffic on port 8080 would be denied in the example above.
// For a `DENY` rule, missing attributes are treated as matches. This means all TCP traffic on port `8080` would be denied in the example above.
// If we were to remove the `ports` match, all TCP traffic would be denied. As a result, it is recommended to always scope `DENY` policies to a specific port,
// especially when using HTTP attributes [Authorization Policy for TCP Ports](https://istio.io/latest/docs/tasks/security/authorization/authz-tcp/).
//
// The following authorization policy sets the `action` to "AUDIT". It will audit any GET requests to the path with the
// prefix "/user/profile".
// The following authorization policy sets the `action` to `AUDIT`. It will audit any `GET` requests to the path with the
// prefix `/user/profile`.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
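Review bot: `GET` is backticked on the changed line here (`any `GET` requests`) but not in the v1 proto's copy of the same line in this commit; the v1 copy should be brought into line. On the unchanged context lines, `(as will all HTTP based attributes)` should be `(as with all HTTP-based attributes)`, and the closing sentence `especially when using HTTP attributes [Authorization Policy for TCP Ports](...)` needs a `see` before the link.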
@ -156,16 +156,14 @@ import "type/v1beta1/selector.proto";
// ```
//
// Authorization Policy scope (target) is determined by "metadata/namespace" and
// an optional "selector".
// an optional `selector`.
//
// - "metadata/namespace" tells which namespace the policy applies. If set to root
// namespace, the policy applies to all namespaces in a mesh.
// - workload "selector" can be used to further restrict where a policy applies.
// - workload `selector` can be used to further restrict where a policy applies.
//
// For example,
//
// The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies
// all requests to workloads in namespace foo.
// For example, the following authorization policy applies to all workloads in namespace `foo`. It allows nothing and effectively denies
// all requests to workloads in namespace `foo`.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
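Review bot: `"metadata/namespace"` on the two unchanged lines is still in straight quotes while `selector` beside it is backticked; convert it as well, and change `tells which namespace the policy applies` to `applies to`.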
@ -177,7 +175,7 @@ import "type/v1beta1/selector.proto";
// {}
// ```
//
// The following authorization policy allows all requests to workloads in namespace foo.
// The following authorization policy allows all requests to workloads in namespace `foo`.
//
// ```yaml
// apiVersion: security.istio.io/v1beta1
@ -190,7 +188,7 @@ import "type/v1beta1/selector.proto";
// - {}
// ```
//
// The following authorization policy applies to workloads containing label "app: httpbin" in namespace bar. It allows
// The following authorization policy applies to workloads containing label `app: httpbin` in namespace `bar`. It allows
// nothing and effectively denies all requests to the selected workloads.
//
// ```yaml
@ -205,8 +203,8 @@ import "type/v1beta1/selector.proto";
// app: httpbin
// ```
//
// The following authorization policy applies to workloads containing label "version: v1" in all namespaces in the mesh.
// (Assuming the root namespace is configured to "istio-system").
// The following authorization policy applies to workloads containing label `version: v1` in all namespaces in the mesh.
// (Assuming the root namespace is configured to `istio-system`).
//
// ```yaml
// apiVersion: security.istio.io/v1beta1