// Copyright 2020 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";

// Provides istio.type.v1beta1.WorkloadSelector, used by the `selector` field
// of PeerAuthentication below.
import "type/v1beta1/selector.proto";

// $schema: istio.security.v1beta1.PeerAuthentication
// $title: PeerAuthentication
// $description: Peer authentication configuration for workloads.
// $location: https://istio.io/docs/reference/config/security/peer_authentication.html
// $aliases: [/docs/reference/config/security/v1beta1/peer_authentication]

package istio.security.v1beta1;

option go_package = "istio.io/api/security/v1beta1";
// PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
//
// Examples:
//
// Policy to allow mTLS traffic for all workloads under namespace `foo`:
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
//   name: default
//   namespace: foo
// spec:
//   mtls:
//     mode: STRICT
// ```
// For mesh level, put the policy in root-namespace according to your Istio installation.
//
// Policies to allow both mTLS & plaintext traffic for all workloads under namespace `foo`, but
// require mTLS for workload `finance`.
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
//   name: default
//   namespace: foo
// spec:
//   mtls:
//     mode: PERMISSIVE
// ---
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
//   name: default
//   namespace: foo
// spec:
//   selector:
//     matchLabels:
//       app: finance
//   mtls:
//     mode: STRICT
// ```
// Policy to allow mTLS strict for all workloads, but leave port 8080 to
// plaintext:
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
//   name: default
//   namespace: foo
// spec:
//   selector:
//     matchLabels:
//       app: finance
//   mtls:
//     mode: STRICT
//   portLevelMtls:
//     8080:
//       mode: DISABLE
// ```
// Policy to inherit mTLS mode from namespace (or mesh) settings, and overwrite
// settings for port 8080:
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
//   name: default
//   namespace: foo
// spec:
//   selector:
//     matchLabels:
//       app: finance
//   mtls:
//     mode: UNSET
//   portLevelMtls:
//     8080:
//       mode: DISABLE
// ```
//
// <!-- crd generation tags
// +cue-gen:PeerAuthentication:groupName:security.istio.io
// +cue-gen:PeerAuthentication:version:v1beta1
// +cue-gen:PeerAuthentication:storageVersion
// +cue-gen:PeerAuthentication:annotations:helm.sh/resource-policy=keep
// +cue-gen:PeerAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio
// +cue-gen:PeerAuthentication:subresource:status
// +cue-gen:PeerAuthentication:scope:Namespaced
// +cue-gen:PeerAuthentication:resource:categories=istio-io,security-istio-io,shortNames=pa
// +cue-gen:PeerAuthentication:preserveUnknownFields:false
// +cue-gen:PeerAuthentication:printerColumn:name=Mode,type=string,JSONPath=.spec.mtls.mode,description="Defines the mTLS mode used for peer authentication."
// +cue-gen:PeerAuthentication:printerColumn:name=Age,type=date,JSONPath=.metadata.creationTimestamp,description="CreationTimestamp is a timestamp
// representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations.
// Clients may not set this value. It is represented in RFC3339 form and is in UTC.
// Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata"
// -->
//
// <!-- go code generation tags
// +kubetype-gen
// +kubetype-gen:groupVersion=security.istio.io/v1beta1
// +genclient
// +k8s:deepcopy-gen=true
// -->
message PeerAuthentication {
  // The selector determines the workloads to apply the PeerAuthentication on.
  // If not set, the policy will be applied to all workloads in the same namespace as the policy.
  // Note that `port_level_mtls` is honored only when a selector is present.
  istio.type.v1beta1.WorkloadSelector selector = 1;

  // Mutual TLS settings.
  message MutualTLS {
    // The mutual TLS mode applied to traffic reaching the sidecar.
    // Value names appear verbatim in YAML policies (e.g. `mode: STRICT`), so
    // renaming them would be a breaking change for existing configuration.
    enum Mode {
      // Inherit from parent, if has one. Otherwise treated as PERMISSIVE.
      // This is the zero value, so an unset `mode` field decodes to it.
      UNSET = 0;

      // Connection is not tunneled: plaintext only, so no client certificate
      // is presented and no peer identity is established.
      DISABLE = 1;

      // Connection can be either plaintext or mTLS tunnel. Plaintext clients
      // are still accepted, so a peer identity is not guaranteed.
      PERMISSIVE = 2;

      // Connection is an mTLS tunnel (TLS with client cert must be presented).
      // This is the only mode that rejects plaintext connections.
      STRICT = 3;
    }

    // Defines the mTLS mode used for peer authentication.
    Mode mode = 1;
  }

  // Mutual TLS settings for workload. If not defined, inherit from parent.
  MutualTLS mtls = 2;

  // Port specific mutual TLS settings, keyed by port number. These only apply
  // when a workload selector is specified; without one they are ignored.
  // An entry overrides the workload-level `mtls` mode for that port in either
  // direction, e.g. `DISABLE` here leaves that port open to plaintext even
  // when `mtls.mode` is `STRICT`.
  map<uint32, MutualTLS> port_level_mtls = 3;
}