v1alpha1

Version: v0.6.0

Warning: This package is not in the latest version of its module.
Published: Dec 17, 2019 License: Apache-2.0 Imports: 4 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var (
	SchemeBuilder = runtime.NewSchemeBuilder(addKnownTypes)
	AddToScheme   = SchemeBuilder.AddToScheme
)
var SchemeGroupVersion = schema.GroupVersion{Group: authentication.GroupName, Version: "v1alpha1"}

SchemeGroupVersion is the group version used to register these objects.

Functions

func Kind

func Kind(kind string) schema.GroupKind

Kind takes an unqualified kind and returns a Group-qualified GroupKind.

func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group-qualified GroupResource.

Types

type Jwt

type Jwt struct {
	// Identifies the issuer that issued the JWT. See
	// [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1)
	// Usually a URL or an email address.
	//
	// Example: https://securetoken.google.com
	// Example: 1234567-compute@developer.gserviceaccount.com
	Issuer string `json:"issuer,omitempty"`
	// The list of JWT
	// [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3)
	// that are allowed to access. A JWT containing any of these
	// audiences will be accepted.
	//
	// The service name will be accepted if audiences is empty.
	//
	// Example:
	//
	// ```yaml
	// audiences:
	// - bookstore_android.apps.googleusercontent.com
	// - bookstore_web.apps.googleusercontent.com
	// ```
	Audiences []string `json:"audiences,omitempty"`
	// URL of the provider's public key set to validate signature of the
	// JWT. See [OpenID
	// Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
	//
	// Optional if the key set document can either (a) be retrieved from
	// [OpenID
	// Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of
	// the issuer or (b) inferred from the email domain of the issuer (e.g. a
	// Google service account).
	//
	// Example: https://www.googleapis.com/oauth2/v1/certs
	JwksUri string `json:"jwksUri,omitempty"`
	// JWT is sent in a request header. `header` represents the
	// header name.
	//
	// For example, if `header=x-goog-iap-jwt-assertion`, the header
	// format will be x-goog-iap-jwt-assertion: <JWT>.
	JwtHeaders []string `json:"jwtHeaders,omitempty"`
	// JWT is sent in a query parameter. `query` represents the
	// query parameter name.
	//
	// For example, `query=jwt_token`.
	JwtParams []string `json:"jwtParams,omitempty"`
}

JSON Web Token (JWT) token format for authentication as defined by https://tools.ietf.org/html/rfc7519. See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and [OIDC 1.0](http://openid.net/connect) for how this is used in the whole authentication flow.

Example:

```yaml
issuer: https://example.com
audiences:
- bookstore_android.apps.googleusercontent.com
- bookstore_web.apps.googleusercontent.com
jwksUri: https://example.com/.well-known/jwks.json
```

func (*Jwt) DeepCopy

func (in *Jwt) DeepCopy() *Jwt

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Jwt.

func (*Jwt) DeepCopyInto

func (in *Jwt) DeepCopyInto(out *Jwt)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type OriginAuthenticationMethod

type OriginAuthenticationMethod struct {
	// Jwt params for the method.
	Jwt *Jwt `json:"jwt,omitempty"`
}

OriginAuthenticationMethod defines authentication method/params for origin authentication. Origin could be end-user, device, delegate service etc. Currently, only JWT is supported for origin authentication.

func (*OriginAuthenticationMethod) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OriginAuthenticationMethod.

func (*OriginAuthenticationMethod) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PeerAuthenticationMethod

type PeerAuthenticationMethod struct {
	Mtls string `json:"mtls"`
}

func (*PeerAuthenticationMethod) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthenticationMethod.

func (*PeerAuthenticationMethod) DeepCopyInto

func (in *PeerAuthenticationMethod) DeepCopyInto(out *PeerAuthenticationMethod)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Policy

type Policy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec PolicySpec `json:"spec"`
}

func (*Policy) DeepCopy

func (in *Policy) DeepCopy() *Policy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.

func (*Policy) DeepCopyInto

func (in *Policy) DeepCopyInto(out *Policy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Policy) DeepCopyObject

func (in *Policy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PolicyList

type PolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`
	Items           []Policy `json:"items"`
}

func (*PolicyList) DeepCopy

func (in *PolicyList) DeepCopy() *PolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyList.

func (*PolicyList) DeepCopyInto

func (in *PolicyList) DeepCopyInto(out *PolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PolicyList) DeepCopyObject

func (in *PolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type PolicySpec

type PolicySpec struct {
	// List rules to select destinations that the policy should be applied on.
	// If empty, policy will be used on all destinations in the same namespace.
	Targets []*TargetSelector `json:"targets,omitempty"`
	// List of authentication methods that can be used for peer authentication.
	// They will be evaluated in order; the first valid one will be used to
	// set peer identity (source.user) and other peer attributes. If none of
	// these methods pass, and peer_is_optional flag is false (see below),
	// request will be rejected with authentication failed error (401).
	// Leave the list empty if peer authentication is not required.
	Peers []*PeerAuthenticationMethod `json:"peers,omitempty"`
	// Set this flag to true to accept request (from the peer authentication
	// perspective), even when none of the peer authentication methods defined
	// above are satisfied.
	// Typically, this is used to delay the rejection decision to next layer (e.g.,
	// authorization).
	// This flag is ignored if no authentication is defined for peer (peers field is empty).
	PeerIsOptional bool `json:"peerIsOptional,omitempty"`
	// List of authentication methods that can be used for origin authentication.
	// Similar to peers, these will be evaluated in order; the first valid one
	// will be used to set origin identity and attributes (i.e., request.auth.user,
	// request.auth.issuer etc). If none of these methods pass, and origin_is_optional
	// is false (see below), request will be rejected with authentication failed
	// error (401).
	// Leave the list empty if origin authentication is not required.
	Origins []*OriginAuthenticationMethod `json:"origins,omitempty"`
	// Set this flag to true to accept request (from the origin authentication
	// perspective), even when none of the origin authentication methods defined
	// above are satisfied.
	// Typically, this is used to delay the rejection decision to next layer (e.g.,
	// authorization).
	// This flag is ignored if no authentication is defined for origin (origins field is empty).
	OriginIsOptional bool `json:"originIsOptional,omitempty"`
	// Define whether peer or origin identity should be used for principal. Default
	// value is USE_PEER.
	// If peer (or origin) identity is not available, either because peer/origin
	// authentication is not defined or because it failed, principal will be left unset.
	// In other words, binding rule does not affect the decision to accept or
	// reject request.
	PrincipalBinding string `json:"principalBinding,omitempty"`
}
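
The accept/reject rules described in the PolicySpec field comments, modelled as an added example that is not part of this package. The names `method`, `spec`, `firstValid` and `decide` are hypothetical, and `USE_ORIGIN` is assumed as the alternative to the `USE_PEER` value the comments name.

```go
package main

import "fmt"

// method stands in for one configured peer or origin authentication method:
// it returns the identity it validated, or ok=false if validation failed.
type method func() (id string, ok bool)

// spec mirrors the PolicySpec decision fields (hypothetical, not the package's type).
type spec struct {
	Peers, Origins                   []method
	PeerIsOptional, OriginIsOptional bool
	PrincipalBinding                 string // "USE_PEER" (default); "USE_ORIGIN" is assumed
}

// firstValid tries methods in order and stops at the first that validates.
// rejected is true only if methods exist, none passed, and optional is false.
func firstValid(ms []method, optional bool) (id string, rejected bool) {
	for _, m := range ms {
		if v, ok := m(); ok {
			return v, false
		}
	}
	return "", len(ms) > 0 && !optional
}

// decide returns the HTTP status and the principal the policy would set.
func decide(s spec) (status int, principal string) {
	peer, rejected := firstValid(s.Peers, s.PeerIsOptional)
	if rejected {
		return 401, ""
	}
	origin, rejected := firstValid(s.Origins, s.OriginIsOptional)
	if rejected {
		return 401, ""
	}
	// Binding only picks which identity becomes the principal; it never changes
	// accept/reject, so a 200 can carry an empty principal.
	if s.PrincipalBinding == "USE_ORIGIN" {
		return 200, origin
	}
	return 200, peer
}

func main() {
	fail := func() (string, bool) { return "", false }
	// Failed peer method with peerIsOptional set: accepted, principal unset.
	fmt.Println(decide(spec{Peers: []method{fail}, PeerIsOptional: true}))
}
```

With an optional flag set, a failed method yields a 200 with no principal, so the next layer (e.g., authorization) has to deny requests whose principal is unset.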

func (*PolicySpec) DeepCopy

func (in *PolicySpec) DeepCopy() *PolicySpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicySpec.

func (*PolicySpec) DeepCopyInto

func (in *PolicySpec) DeepCopyInto(out *PolicySpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PortSelector

type PortSelector struct {
	Number int32 `json:"number,omitempty"`
}

func (*PortSelector) DeepCopy

func (in *PortSelector) DeepCopy() *PortSelector

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortSelector.

func (*PortSelector) DeepCopyInto

func (in *PortSelector) DeepCopyInto(out *PortSelector)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type TargetSelector

type TargetSelector struct {
	// REQUIRED. The name must be a short name from the service registry. The
	// fully qualified domain name will be resolved in a platform specific manner.
	Name string `json:"name,omitempty"`
	// Specifies the ports on the destination. Leave empty to match all ports
	// that are exposed.
	Ports []*PortSelector `json:"ports,omitempty"`
}

func (*TargetSelector) DeepCopy

func (in *TargetSelector) DeepCopy() *TargetSelector

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetSelector.

func (*TargetSelector) DeepCopyInto

func (in *TargetSelector) DeepCopyInto(out *TargetSelector)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
