istio
/
istio.io
mirror of https://github.com/istio/istio.io.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
istio.io/content/en/docs/reference/config/security/peer_authentication/index.html

212 lines
4.7 KiB
HTML
Raw Blame History

---
WARNING: THIS IS AN AUTO-GENERATED FILE, DO NOT EDIT. PLEASE MODIFY THE ORIGINAL SOURCE IN THE 'https://github.com/istio/api' REPO
source_repo: https://github.com/istio/api
title: PeerAuthentication
description: Peer authentication configuration for workloads.
location: https://istio.io/docs/reference/config/security/peer_authentication.html
layout: protoc-gen-docs
generator: protoc-gen-docs
schema: istio.security.v1beta1.PeerAuthentication
aliases: [/docs/reference/config/security/v1beta1/peer_authentication]
number_of_entries: 3
---
<h2 id="PeerAuthentication">PeerAuthentication</h2>
<section>
<p>PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.</p>
<p>Examples:</p>
<p>Policy to allow mTLS traffic for all workloads under namespace <code>foo</code>:</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: foo
spec:
mtls:
mode: STRICT
</code></pre>
<p>For mesh level, put the policy in root-namespace according to your Istio installation.</p>
<p>Policies to allow both mTLS &amp; plaintext traffic for all workloads under namespace <code>foo</code>, but
require mTLS for workload <code>finance</code>.</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: foo
spec:
mtls:
mode: PERMISSIVE
---
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: foo
spec:
selector:
matchLabels:
app: finance
mtls:
mode: STRICT
</code></pre>
<p>Policy to allow mTLS strict for all workloads, but leave port 8080 to
plaintext:</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: foo
spec:
selector:
matchLabels:
app: finance
mtls:
mode: STRICT
portLevelMtls:
8080:
mode: DISABLE
</code></pre>
<p>Policy to inherite mTLS mode from namespace (or mesh) settings, and overwrite
settings for port 8080</p>
<pre><code class="language-yaml">apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: default
namespace: foo
spec:
selector:
matchLabels:
app: finance
mtls:
mode: UNSET
portLevelMtls:
8080:
mode: DISABLE
</code></pre>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="PeerAuthentication-selector">
<td><code>selector</code></td>
<td><code><a href="/docs/reference/config/networking/sidecar/#WorkloadSelector#WorkloadSelector">WorkloadSelector</a></code></td>
<td>
<p>The selector determines the workloads to apply the ChannelAuthentication on.
If not set, the policy will be applied to all workloads in the same namespace as the policy.</p>
</td>
<td>
No
</td>
</tr>
<tr id="PeerAuthentication-mtls">
<td><code>mtls</code></td>
<td><code><a href="#PeerAuthentication-MutualTLS">MutualTLS</a></code></td>
<td>
<p>Mutual TLS settings for workload. If not defined, inherit from parent.</p>
</td>
<td>
No
</td>
</tr>
<tr id="PeerAuthentication-port_level_mtls">
<td><code>portLevelMtls</code></td>
<td><code>map&lt;uint32,&nbsp;<a href="#PeerAuthentication-MutualTLS">MutualTLS</a>&gt;</code></td>
<td>
<p>Port specific mutual TLS settings.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="PeerAuthentication-MutualTLS">PeerAuthentication.MutualTLS</h2>
<section>
<p>Mutual TLS settings.</p>
<table class="message-fields">
<thead>
<tr>
<th>Field</th>
<th>Type</th>
<th>Description</th>
<th>Required</th>
</tr>
</thead>
<tbody>
<tr id="PeerAuthentication-MutualTLS-mode">
<td><code>mode</code></td>
<td><code><a href="#PeerAuthentication-MutualTLS-Mode">Mode</a></code></td>
<td>
<p>Defines the mTLS mode used for peer authentication.</p>
</td>
<td>
No
</td>
</tr>
</tbody>
</table>
</section>
<h2 id="PeerAuthentication-MutualTLS-Mode">PeerAuthentication.MutualTLS.Mode</h2>
<section>
<table class="enum-values">
<thead>
<tr>
<th>Name</th>
<th>Description</th>
</tr>
</thead>
<tbody>
<tr id="PeerAuthentication-MutualTLS-Mode-UNSET">
<td><code>UNSET</code></td>
<td>
<p>Inherit from parent, if has one. Otherwise treated as PERMISSIVE.</p>
</td>
</tr>
<tr id="PeerAuthentication-MutualTLS-Mode-DISABLE">
<td><code>DISABLE</code></td>
<td>
<p>Connection is not tunneled.</p>
</td>
</tr>
<tr id="PeerAuthentication-MutualTLS-Mode-PERMISSIVE">
<td><code>PERMISSIVE</code></td>
<td>
<p>Connection can be either plaintext or mTLS tunnel.</p>
</td>
</tr>
<tr id="PeerAuthentication-MutualTLS-Mode-STRICT">
<td><code>STRICT</code></td>
<td>
<p>Connection is an mTLS tunnel (TLS with client cert must be presented).</p>
</td>
</tr>
</tbody>
</table>
</section>
Reference in New Issue View Git Blame Copy Permalink