Automator: update istio.io@ reference docs (#12325)

content/en/docs/reference/config/security/authorization-policy/index.html

@@ -6,7 +6,7 @@ description: Configuration for access control on workloads.
 location: https://istio.io/docs/reference/config/security/authorization-policy.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
-schema: istio.security.v1.AuthorizationPolicy
+schema: istio.security.v1beta1.AuthorizationPolicy
 weight: 20
 aliases: [/docs/reference/config/authorization/authorization-policy]
 number_of_entries: 9
@@ -44,7 +44,7 @@ but it is useful to be explicit in the policy.</p>
 </ul>
 <p>when the request has a valid JWT token issued by &ldquo;<a href="https://accounts.google.com">https://accounts.google.com</a>&rdquo;.</p>
 <p>Any other requests will be denied.</p>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: httpbin
@@ -71,7 +71,7 @@ spec:
 <p>The following is another example that sets <code>action</code> to &ldquo;DENY&rdquo; to create a deny policy.
 It denies requests from the &ldquo;dev&rdquo; namespace to the &ldquo;POST&rdquo; method on all workloads
 in the &ldquo;foo&rdquo; namespace.</p>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: httpbin
@@ -86,9 +86,32 @@ spec:
     - operation:
         methods: [&quot;POST&quot;]
 </code></pre>
-<p>The following authorization policy sets the <code>action</code> to &ldquo;AUDIT&rdquo;. It will audit any GET requests to the path with the
-prefix &ldquo;/user/profile&rdquo;.</p>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<p>The following is another example that sets <code>action</code> to <code>DENY</code> to create a deny policy.
+It denies all the requests with &ldquo;POST&rdquo; method on port &ldquo;8080&rdquo; on all workloads
+in the <code>foo</code> namespace.</p>
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
+kind: AuthorizaionPolicy
+metadata:
+  name: httpbin
+  namespace: foo
+spec:
+  action: DENY
+  rules:
+  - to:
+    - operation:
+        methods: [&quot;POST&quot;]
+        ports: [&quot;8080&quot;]
+
+When this rule is applied to TCP traffic, the `method` field (as will all HTTP based attributes) cannot be processed. 
+For a `DENY` rule, missing attributes are treated as matches. This means all TCP traffic on port 8080 would be denied in the example above.
+If we were to remove the `ports` match, all TCP traffic would be denied. As a result, it is recommended to always scope `DENY` policies to a specific port, 
+especially when using HTTP attributes [Authorization Policy for TCP Ports] (https://istio.io/latest/docs/tasks/security/authorization/authz-tcp/).
+
+The following authorization policy sets the `action` to &quot;AUDIT&quot;. It will audit any GET requests to the path with the
+prefix &quot;/user/profile&quot;.
+
+```yaml
+apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   namespace: ns1
@@ -114,7 +137,7 @@ namespace, the policy applies to all namespaces in a mesh.</li>
 <p>For example,</p>
 <p>The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies
 all requests to workloads in namespace foo.</p>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
  name: allow-nothing
@@ -123,7 +146,7 @@ spec:
   {}
 </code></pre>
 <p>The following authorization policy allows all requests to workloads in namespace foo.</p>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
  name: allow-all
@@ -134,7 +157,7 @@ spec:
 </code></pre>
 <p>The following authorization policy applies to workloads containing label &ldquo;app: httpbin&rdquo; in namespace bar. It allows
 nothing and effectively denies all requests to the selected workloads.</p>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: allow-nothing
@@ -146,7 +169,7 @@ spec:
 </code></pre>
 <p>The following authorization policy applies to workloads containing label &ldquo;version: v1&rdquo; in all namespaces in the mesh.
 (Assuming the root namespace is configured to &ldquo;istio-system&rdquo;).</p>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
  name: allow-nothing

content/en/docs/reference/config/security/jwt/index.html

@@ -6,8 +6,8 @@ description: Configuration to validate JWT.
 location: https://istio.io/docs/reference/config/security/jwt.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
-schema: istio.security.v1.JWTRule
-aliases: [/docs/reference/config/security/v1/jwt]
+schema: istio.security.v1beta1.JWTRule
+aliases: [/docs/reference/config/security/v1beta1/jwt]
 number_of_entries: 3
 ---
 <h2 id="JWTRule">JWTRule</h2>

content/en/docs/reference/config/security/request_authentication/index.html

@@ -6,8 +6,8 @@ description: Request authentication configuration for workloads.
 location: https://istio.io/docs/reference/config/security/request_authentication.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
-schema: istio.security.v1.RequestAuthentication
-aliases: [/docs/reference/config/security/v1/request_authentication]
+schema: istio.security.v1beta1.RequestAuthentication
+aliases: [/docs/reference/config/security/v1beta1/request_authentication]
 number_of_entries: 1
 ---
 <h2 id="RequestAuthentication">RequestAuthentication</h2>
@@ -21,7 +21,7 @@ Examples:</p>
 <ul>
 <li>Require JWT for all request for workloads that have label <code>app:httpbin</code></li>
 </ul>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: RequestAuthentication
 metadata:
   name: httpbin
@@ -34,7 +34,7 @@ spec:
   - issuer: &quot;issuer-foo&quot;
     jwksUri: https://example.com/.well-known/jwks.json
 ---
-apiVersion: security.istio.io/v1
+apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: httpbin
@@ -53,7 +53,7 @@ spec:
 in a mesh. The following policy makes all workloads only accept requests that contain a
 valid JWT token.</li>
 </ul>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: RequestAuthentication
 metadata:
   name: req-authn-for-all
@@ -63,7 +63,7 @@ spec:
   - issuer: &quot;issuer-foo&quot;
     jwksUri: https://example.com/.well-known/jwks.json
 ---
-apiVersion: security.istio.io/v1
+apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: require-jwt-for-all
@@ -79,7 +79,7 @@ spec:
 declares it can accept JWTs issued by either <code>issuer-foo</code> or <code>issuer-bar</code> (the public key set is implicitly
 set from the OpenID Connect spec).</li>
 </ul>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: RequestAuthentication
 metadata:
   name: httpbin
@@ -92,7 +92,7 @@ spec:
   - issuer: &quot;issuer-foo&quot;
   - issuer: &quot;issuer-bar&quot;
 ---
-apiVersion: security.istio.io/v1
+apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: httpbin
@@ -120,7 +120,7 @@ spec:
 to require JWT on all paths, except /healthz, the same <code>RequestAuthentication</code> can be used, but the
 authorization policy could be:</li>
 </ul>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: httpbin
@@ -150,7 +150,7 @@ currently does not support the <code>.</code> character. Examples: <code>request
 <li>AuthorizationPolicy to check for valid principals in the request. This makes the JWT required for the request.</li>
 <li>VirtualService to route the request based on the &ldquo;sub&rdquo; claim.</li>
 </ul>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: RequestAuthentication
 metadata:
   name: jwt-on-ingress
@@ -163,7 +163,7 @@ spec:
   - issuer: &quot;example.com&quot;
     jwksUri: https://example.com/.well-known/jwks.json
 ---
-apiVersion: security.istio.io/v1
+apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: require-jwt

content/zh/docs/reference/config/security/authorization-policy/index.html

@@ -6,7 +6,7 @@ description: Configuration for access control on workloads.
 location: https://istio.io/docs/reference/config/security/authorization-policy.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
-schema: istio.security.v1.AuthorizationPolicy
+schema: istio.security.v1beta1.AuthorizationPolicy
 weight: 20
 aliases: [/zh/docs/reference/config/authorization/authorization-policy]
 number_of_entries: 9
@@ -44,7 +44,7 @@ but it is useful to be explicit in the policy.</p>
 </ul>
 <p>when the request has a valid JWT token issued by &ldquo;<a href="https://accounts.google.com">https://accounts.google.com</a>&rdquo;.</p>
 <p>Any other requests will be denied.</p>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: httpbin
@@ -71,7 +71,7 @@ spec:
 <p>The following is another example that sets <code>action</code> to &ldquo;DENY&rdquo; to create a deny policy.
 It denies requests from the &ldquo;dev&rdquo; namespace to the &ldquo;POST&rdquo; method on all workloads
 in the &ldquo;foo&rdquo; namespace.</p>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: httpbin
@@ -86,9 +86,32 @@ spec:
     - operation:
         methods: [&quot;POST&quot;]
 </code></pre>
-<p>The following authorization policy sets the <code>action</code> to &ldquo;AUDIT&rdquo;. It will audit any GET requests to the path with the
-prefix &ldquo;/user/profile&rdquo;.</p>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<p>The following is another example that sets <code>action</code> to <code>DENY</code> to create a deny policy.
+It denies all the requests with &ldquo;POST&rdquo; method on port &ldquo;8080&rdquo; on all workloads
+in the <code>foo</code> namespace.</p>
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
+kind: AuthorizaionPolicy
+metadata:
+  name: httpbin
+  namespace: foo
+spec:
+  action: DENY
+  rules:
+  - to:
+    - operation:
+        methods: [&quot;POST&quot;]
+        ports: [&quot;8080&quot;]
+
+When this rule is applied to TCP traffic, the `method` field (as will all HTTP based attributes) cannot be processed. 
+For a `DENY` rule, missing attributes are treated as matches. This means all TCP traffic on port 8080 would be denied in the example above.
+If we were to remove the `ports` match, all TCP traffic would be denied. As a result, it is recommended to always scope `DENY` policies to a specific port, 
+especially when using HTTP attributes [Authorization Policy for TCP Ports] (https://istio.io/latest/docs/tasks/security/authorization/authz-tcp/).
+
+The following authorization policy sets the `action` to &quot;AUDIT&quot;. It will audit any GET requests to the path with the
+prefix &quot;/user/profile&quot;.
+
+```yaml
+apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   namespace: ns1
@@ -114,7 +137,7 @@ namespace, the policy applies to all namespaces in a mesh.</li>
 <p>For example,</p>
 <p>The following authorization policy applies to all workloads in namespace foo. It allows nothing and effectively denies
 all requests to workloads in namespace foo.</p>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
  name: allow-nothing
@@ -123,7 +146,7 @@ spec:
   {}
 </code></pre>
 <p>The following authorization policy allows all requests to workloads in namespace foo.</p>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
  name: allow-all
@@ -134,7 +157,7 @@ spec:
 </code></pre>
 <p>The following authorization policy applies to workloads containing label &ldquo;app: httpbin&rdquo; in namespace bar. It allows
 nothing and effectively denies all requests to the selected workloads.</p>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: allow-nothing
@@ -146,7 +169,7 @@ spec:
 </code></pre>
 <p>The following authorization policy applies to workloads containing label &ldquo;version: v1&rdquo; in all namespaces in the mesh.
 (Assuming the root namespace is configured to &ldquo;istio-system&rdquo;).</p>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
  name: allow-nothing

content/zh/docs/reference/config/security/jwt/index.html

@@ -6,8 +6,8 @@ description: Configuration to validate JWT.
 location: https://istio.io/docs/reference/config/security/jwt.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
-schema: istio.security.v1.JWTRule
-aliases: [/zh/docs/reference/config/security/v1/jwt]
+schema: istio.security.v1beta1.JWTRule
+aliases: [/zh/docs/reference/config/security/v1beta1/jwt]
 number_of_entries: 3
 ---
 <h2 id="JWTRule">JWTRule</h2>

content/zh/docs/reference/config/security/request_authentication/index.html

@@ -6,8 +6,8 @@ description: Request authentication configuration for workloads.
 location: https://istio.io/docs/reference/config/security/request_authentication.html
 layout: protoc-gen-docs
 generator: protoc-gen-docs
-schema: istio.security.v1.RequestAuthentication
-aliases: [/zh/docs/reference/config/security/v1/request_authentication]
+schema: istio.security.v1beta1.RequestAuthentication
+aliases: [/zh/docs/reference/config/security/v1beta1/request_authentication]
 number_of_entries: 1
 ---
 <h2 id="RequestAuthentication">RequestAuthentication</h2>
@@ -21,7 +21,7 @@ Examples:</p>
 <ul>
 <li>Require JWT for all request for workloads that have label <code>app:httpbin</code></li>
 </ul>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: RequestAuthentication
 metadata:
   name: httpbin
@@ -34,7 +34,7 @@ spec:
   - issuer: &quot;issuer-foo&quot;
     jwksUri: https://example.com/.well-known/jwks.json
 ---
-apiVersion: security.istio.io/v1
+apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: httpbin
@@ -53,7 +53,7 @@ spec:
 in a mesh. The following policy makes all workloads only accept requests that contain a
 valid JWT token.</li>
 </ul>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: RequestAuthentication
 metadata:
   name: req-authn-for-all
@@ -63,7 +63,7 @@ spec:
   - issuer: &quot;issuer-foo&quot;
     jwksUri: https://example.com/.well-known/jwks.json
 ---
-apiVersion: security.istio.io/v1
+apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: require-jwt-for-all
@@ -79,7 +79,7 @@ spec:
 declares it can accept JWTs issued by either <code>issuer-foo</code> or <code>issuer-bar</code> (the public key set is implicitly
 set from the OpenID Connect spec).</li>
 </ul>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: RequestAuthentication
 metadata:
   name: httpbin
@@ -92,7 +92,7 @@ spec:
   - issuer: &quot;issuer-foo&quot;
   - issuer: &quot;issuer-bar&quot;
 ---
-apiVersion: security.istio.io/v1
+apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: httpbin
@@ -120,7 +120,7 @@ spec:
 to require JWT on all paths, except /healthz, the same <code>RequestAuthentication</code> can be used, but the
 authorization policy could be:</li>
 </ul>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: httpbin
@@ -150,7 +150,7 @@ currently does not support the <code>.</code> character. Examples: <code>request
 <li>AuthorizationPolicy to check for valid principals in the request. This makes the JWT required for the request.</li>
 <li>VirtualService to route the request based on the &ldquo;sub&rdquo; claim.</li>
 </ul>
-<pre><code class="language-yaml">apiVersion: security.istio.io/v1
+<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
 kind: RequestAuthentication
 metadata:
   name: jwt-on-ingress
@@ -163,7 +163,7 @@ spec:
   - issuer: &quot;example.com&quot;
     jwksUri: https://example.com/.well-known/jwks.json
 ---
-apiVersion: security.istio.io/v1
+apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
   name: require-jwt