mirror of https://github.com/istio/istio.io.git
update the security documentation (#8541)
This commit is contained in:
parent
2a17b0863e
commit
0c6f5fc11c
@ -18,17 +18,17 @@ For more information, refer to the [authorization concept page](/docs/concepts/s
| Name | Description | Supported Protocols | Example |
|------|-------------|--------------------|---------|
| `request.headers` | HTTP request headers. The actual header name is surrounded by brackets | HTTP only | `key: request.headers[User-Agent]`<br/>`values: ["Mozilla/*"]` |
| `source.ip` | Source workload instance IP address, supports single IP or CIDR | HTTP and TCP | `key: source.ip`<br/>`values: ["10.1.2.3"]` |
| `remote.ip` | Original client IP address as determined by X-Forwarded-For header or Proxy Protocol, supports single IP or CIDR | HTTP and TCP | `key: remote.ip`<br />`values: ["10.1.2.3"]` |
| `request.headers` | HTTP request headers. The header name is surrounded by `[]` without any quotes | HTTP only | `key: request.headers[User-Agent]`<br/>`values: ["Mozilla/*"]` |
| `source.ip` | Source workload instance IP address, supports single IP or CIDR | HTTP and TCP | `key: source.ip`<br/>`values: ["10.1.2.3", "10.2.0.0/16"]` |
| `remote.ip` | Original client IP address as determined by X-Forwarded-For header or Proxy Protocol, supports single IP or CIDR | HTTP and TCP | `key: remote.ip`<br />`values: ["10.1.2.3", "10.2.0.0/16"]` |
| `source.namespace` | Source workload instance namespace, requires mutual TLS enabled | HTTP and TCP | `key: source.namespace`<br/>`values: ["default"]` |
| `source.principal` | The identity of the source workload, requires mutual TLS enabled | HTTP and TCP | `key: source.principal`<br/>`values: ["cluster.local/ns/default/sa/productpage"]` |
| `request.auth.principal` | The authenticated principal of the request. | HTTP only | `key: request.auth.principal`<br/>`values: ["accounts.my-svc.com/104958560606"]` |
| `request.auth.audiences` | The intended audience(s) for this authentication information | HTTP only | `key: request.auth.audiences`<br/>`values: ["my-svc.com"]` |
| `request.auth.presenter` | The authorized presenter of the credential | HTTP only | `key: request.auth.presenter`<br/>`values: ["123456789012.my-svc.com"]` |
| `request.auth.claims` | Claims from the origin JWT. The actual claim name is surrounded by brackets | HTTP only | `key: request.auth.claims[iss]`<br/>`values: ["*@foo.com"]` |
| `request.auth.principal` | The principal of the authenticated JWT token, constructed from the JWT claims in the format of `<iss>/<sub>`, requires request authentication policy applied | HTTP only | `key: request.auth.principal`<br/>`values: ["issuer.example.com/subject-admin"]` |
| `request.auth.audiences` | The intended audiences of the authenticated JWT token, constructed from the JWT claim `<aud>`, requires request authentication policy applied | HTTP only | `key: request.auth.audiences`<br/>`values: ["example.com"]` |
| `request.auth.presenter` | The authorized presenter of the authenticated JWT token, constructed from the JWT claim `<azp>`, requires request authentication policy applied | HTTP only | `key: request.auth.presenter`<br/>`values: ["123456789012.example.com"]` |
| `request.auth.claims` | Raw claims of the authenticated JWT token. The claim name is surrounded by `[]` without any quotes, nested claim can also be used, requires request authentication policy applied. Note only support claim of type string or list of string | HTTP only | `key: request.auth.claims[iss]`<br/>`values: ["*@foo.com"]`<br/>---<br/>`key: request.auth.claims[nested1][nested2]`<br/>`values: ["some-value"]` |
| `destination.ip` | Destination workload instance IP address, supports single IP or CIDR | HTTP and TCP | `key: destination.ip`<br/>`values: ["10.1.2.3", "10.2.0.0/16"]` |
| `destination.port` | The recipient port on the server IP address, must be in the range [0, 65535] | HTTP and TCP | `key: destination.port`<br/>`values: ["80", "443"]` |
| `destination.port` | Destination workload instance port, must be in the range [0, 65535]. Note this is not the service port | HTTP and TCP | `key: destination.port`<br/>`values: ["80", "443"]` |
| `connection.sni` | The server name indication, requires mutual TLS enabled | HTTP and TCP | `key: connection.sni`<br/>`values: ["www.example.com"]` |
| `experimental.envoy.filters.*` | Experimental metadata matching for filters, values wrapped in `[]` are matched as a list | HTTP and TCP | `key: experimental.envoy.filters.network.mysql_proxy[db.table]`<br/>`values: ["[update]"]` |
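Review bot: the modified `remote.ip` row should state its trust boundary: the value is derived from the X-Forwarded-For header or Proxy Protocol, so it is only reliable when the gateway has been configured with the number of upstream proxies it trusts; without that, the header is whatever the client sends, and a rule keyed on `remote.ip` does not identify the real client. Suggest adding a qualifier in the style the table already uses for other rows, e.g. "requires the gateway to be configured with trusted proxies". In the same hunk, the new `request.auth.claims` cell reads awkwardly; suggest "Nested claims can also be used. Only claims of type string or list of strings are supported."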
@ -0,0 +1,6 @@
---
title: Common Types
description: Describes common types in Istio API.
weight: 50
test: n/a
---
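Review bot: this new page consists of front matter only, with no body after the closing `---`; either add the content describing the common types or say in the commit where the body is generated from, since an empty page with `test: n/a` will publish as a blank entry. Minor: `description: Describes common types in Istio API.` should read "in the Istio API".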