mirror of https://github.com/istio/istio.io.git
Update reference docs. (#3692)
parent
3727332ea5
commit
ad1949f84c
|
|
@ -6,7 +6,7 @@ description: Configuration for Role Based Access Control.
|
|||
location: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html
|
||||
layout: protoc-gen-docs
|
||||
generator: protoc-gen-docs
|
||||
number_of_entries: 9
|
||||
number_of_entries: 8
|
||||
---
|
||||
<p>Istio RBAC (Role Based Access Control) defines ServiceRole and ServiceRoleBinding
|
||||
objects.</p>
|
||||
|
|
@ -39,7 +39,7 @@ spec:
|
|||
methods: ["GET", "HEAD"]
|
||||
constraints:
|
||||
- key: "destination.labels[version]"
|
||||
value: ["v1", "v2"]
|
||||
values: ["v1", "v2"]
|
||||
</code></pre>
|
||||
|
||||
<p>A ServiceRoleBinding specification includes two parts:</p>
|
||||
|
|
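Review bot: The constraint key in the example is now `values: ["v1", "v2"]` where it used to read `value:`, and nothing in the visible context shows which spelling the field table on this page documents. Please confirm that the Constraint field reference and the other examples on the page use `values` as well, so a reader who copies this ServiceRole does not end up with a key the schema does not define.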
@ -166,66 +166,6 @@ Exact match, prefix match, and suffix match are supported.
|
|||
For example, the value “v1alpha2” matches “v1alpha2” (exact match),
|
||||
or “v1<em>” (prefix match), or “</em>alpha2” (suffix match).</p>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
</table>
|
||||
</section>
|
||||
<h2 id="RbacConfig">RbacConfig</h2>
|
||||
<section>
|
||||
<p>RbacConfig defines the global config to control Istio RBAC behavior.
|
||||
This Custom Resource is a singleton where only one Custom Resource should be created globally in
|
||||
the mesh and the namespace should be the same to other Istio components, which usually is <code>istio-system</code>.
|
||||
Note: This is enforced in both <code>istioctl</code> and server side, new Custom Resource will be rejected if found any
|
||||
existing one, the user should either delete the existing one or change the existing one directly.</p>
|
||||
|
||||
<p>Below is an example of an <code>RbacConfig</code> resource called <code>istio-rbac-config</code> which enables Istio RBAC for all
|
||||
services in the default namespace.</p>
|
||||
|
||||
<pre><code class="language-yaml">apiVersion: "rbac.istio.io/v1alpha1"
|
||||
kind: RbacConfig
|
||||
metadata:
|
||||
name: default
|
||||
namespace: istio-system
|
||||
spec:
|
||||
mode: ON_WITH_INCLUSION
|
||||
inclusion:
|
||||
namespaces: [ "default" ]
|
||||
</code></pre>
|
||||
|
||||
<table class="message-fields">
|
||||
<thead>
|
||||
<tr>
|
||||
<th>Field</th>
|
||||
<th>Type</th>
|
||||
<th>Description</th>
|
||||
</tr>
|
||||
</thead>
|
||||
<tbody>
|
||||
<tr id="RbacConfig-mode">
|
||||
<td><code>mode</code></td>
|
||||
<td><code><a href="#RbacConfig-Mode">RbacConfig.Mode</a></code></td>
|
||||
<td>
|
||||
<p>Istio RBAC mode.</p>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="RbacConfig-inclusion">
|
||||
<td><code>inclusion</code></td>
|
||||
<td><code><a href="#RbacConfig-Target">RbacConfig.Target</a></code></td>
|
||||
<td>
|
||||
<p>A list of services or namespaces that should be enforced by Istio RBAC policies. Note: This field have
|
||||
effect only when mode is ON<em>WITH</em>INCLUSION and will be ignored for any other modes.</p>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
<tr id="RbacConfig-exclusion">
|
||||
<td><code>exclusion</code></td>
|
||||
<td><code><a href="#RbacConfig-Target">RbacConfig.Target</a></code></td>
|
||||
<td>
|
||||
<p>A list of services or namespaces that should not be enforced by Istio RBAC policies. Note: This field have
|
||||
effect only when mode is ON<em>WITH</em>EXCLUSION and will be ignored for any other modes.</p>
|
||||
|
||||
</td>
|
||||
</tr>
|
||||
</tbody>
|
||||
|
|
|
|||
|
|
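Review bot: The whole `RbacConfig` section (the `<h2 id="RbacConfig">` heading, the YAML example and the `mode`/`inclusion`/`exclusion` field table) is dropped here, and the commit message gives neither a reason nor a new location. The removed rows link to `#RbacConfig-Mode` and `#RbacConfig-Target`, so please check whether those sections are removed as well, and say where the setting that turns RBAC enforcement on for a namespace is documented now. Separately, the retained context line renders the wildcard examples as “v1<em>” and “</em>alpha2”: the `*` characters were consumed as emphasis markers, which matters on a page that defines prefix and suffix matching. Escaping them in the source comment would fix the generated output.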
@ -355,7 +355,7 @@ spec:
|
|||
<pre><code class="language-yaml">apiVersion: authentication.istio.io/v1alpha1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: productpage_mTLS_disable
|
||||
name: productpage-mTLS-disable
|
||||
namespace: frod
|
||||
spec:
|
||||
targets:
|
||||
|
|
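Review bot: `name: productpage-mTLS-disable` still contains uppercase letters, so replacing the underscores is only half of the fix: Kubernetes object names must be lowercase DNS-1123 names. Suggest `productpage-mtls-disable` so the example can be applied as written.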
@ -368,7 +368,7 @@ for productpage:9000 except the path ‘/health_check’ . Principal is
|
|||
<pre><code class="language-yaml">apiVersion: authentication.istio.io/v1alpha1
|
||||
kind: Policy
|
||||
metadata:
|
||||
name: productpage_mTLS_with_JWT
|
||||
name: productpage-mTLS-with-JWT
|
||||
namespace: frod
|
||||
spec:
|
||||
target:
|
||||
|
|
|
|||
|
|
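Review bot: The context line `target:` under `spec:` does not match the `targets:` key used in the preceding Policy example, and this regeneration leaves it untouched. One of the two spellings needs correcting at the source so both examples use the same key. The renamed `name: productpage-mTLS-with-JWT` also keeps uppercase letters, which Kubernetes rejects in object names; `productpage-mtls-with-jwt` would be valid.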
@ -41,7 +41,7 @@ spec:
|
|||
httpsRedirect: true # sends 301 redirect for http requests
|
||||
- port:
|
||||
number: 443
|
||||
name: https
|
||||
name: https-443
|
||||
protocol: HTTPS
|
||||
hosts:
|
||||
- uk.bookinfo.com
|
||||
|
|
@ -52,7 +52,7 @@ spec:
|
|||
privateKey: /etc/certs/privatekey.pem
|
||||
- port:
|
||||
number: 9443
|
||||
name: https
|
||||
name: https-9443
|
||||
protocol: HTTPS
|
||||
hosts:
|
||||
- "bookinfo-namespace/*.bookinfo.com"
|
||||
|
|
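Review bot: Both HTTPS servers were previously named `https` and are now `https-443` and `https-9443`, but the example gives no hint why the names differ. If the reason is that port names have to be distinct within one Gateway, a short inline comment on `name: https-9443`, in the style of the existing `# sends 301 redirect for http requests`, would keep readers from copying one name onto both servers.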
@ -105,19 +105,19 @@ spec:
|
|||
- match:
|
||||
- headers:
|
||||
cookie:
|
||||
user: dev-123
|
||||
exact: "user=dev-123"
|
||||
route:
|
||||
- destination:
|
||||
port:
|
||||
number: 7777
|
||||
host: reviews.qa.svc.cluster.local
|
||||
- match:
|
||||
uri:
|
||||
- uri:
|
||||
prefix: /reviews/
|
||||
route:
|
||||
- destination:
|
||||
port:
|
||||
number: 9080 # can be omitted if its the only port for reviews
|
||||
number: 9080 # can be omitted if it's the only port for reviews
|
||||
host: reviews.prod.svc.cluster.local
|
||||
weight: 80
|
||||
- destination:
|
||||
|
|
|
|||
|
|
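Review bot: The new `exact: "user=dev-123"` under `cookie:` matches only when the entire Cookie header equals that string, and the example does not say so. A browser that sends any other cookie alongside `user` will not match and falls through to the `/reviews/` prefix route, so please add a comment to that effect or use a pattern that tolerates other cookies. It is also worth stating next to the example that the cookie is client-supplied, so this match selects a route and is not a check on who may reach `reviews.qa.svc.cluster.local`.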
@ -125,7 +125,7 @@ spec:
|
|||
allowCredentials: false
|
||||
allowHeaders:
|
||||
- X-Foo-Bar
|
||||
maxAge: "1d"
|
||||
maxAge: "24h"
|
||||
</code></pre>
|
||||
|
||||
<table class="message-fields">
|
||||
|
|
|
|||
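Review bot: `maxAge: "24h"` replaces `"1d"` without any note on which duration units the field accepts. Please state the accepted units in the `maxAge` field description in the table that follows, so the day suffix is not reintroduced in later examples.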