authz

package

v0.0.0-...-062eff5 Latest Latest Go to latest Published: Jun 12, 2018 License: Apache-2.0 Imports: 18 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/signalfx/istio

Links

Open Source Insights

Documentation ¶

Overview ¶

Package authz converts Istio RBAC (role-based-access-control) policies (ServiceRole and ServiceRoleBinding) to corresponding filter config that is used by the envoy RBAC filter to enforce access control to the service co-located with envoy. Currently the config is only generated for sidecar node on inbound HTTP listener. The generation is controlled by RbacConfig (a singleton custom resource defined in istio-system namespace). User could disable this by either deleting the RbacConfig or set the RbacConfig.mode to OFF. Note: This is still working in progress and by default no RbacConfig is created in the deployment of Istio which means this plugin doesn't generate any RBAC config by default.

Constants ¶

View Source

const (
	// RbacFilterName is the name of the RBAC filter in envoy.
	RbacFilterName = "envoy.filters.http.rbac"

	// RbacConfigName is the name of the RbacConfig custom resource that controls the RBAC behavior.
	RbacConfigName = "rbac-config"
)

Variables ¶

This section is empty.

Functions ¶

func NewPlugin ¶

func NewPlugin() plugin.Plugin

NewPlugin returns an instance of the authz plugin

Types ¶

type Plugin ¶

type Plugin struct{}

Plugin implements Istio RBAC authz

func (Plugin) OnInboundCluster ¶

func (Plugin) OnInboundCluster(env model.Environment, node model.Proxy, service *model.Service,
	servicePort *model.Port, cluster *xdsapi.Cluster)

OnInboundCluster implements the Plugin interface method.

func (Plugin) OnInboundListener ¶

func (Plugin) OnInboundListener(in *plugin.InputParams, mutable *plugin.MutableObjects) error

OnInboundListener is called whenever a new listener is added to the LDS output for a given service Can be used to add additional filters (e.g., mixer filter) or add more stuff to the HTTP connection manager on the inbound path

func (Plugin) OnInboundRouteConfiguration ¶

func (Plugin) OnInboundRouteConfiguration(in *plugin.InputParams, route *xdsapi.RouteConfiguration)

OnInboundRouteConfiguration implements the Plugin interface method.

func (Plugin) OnOutboundCluster ¶

func (Plugin) OnOutboundCluster(env model.Environment, node model.Proxy, service *model.Service,
	servicePort *model.Port, cluster *xdsapi.Cluster)

OnOutboundCluster implements the Plugin interface method.

func (Plugin) OnOutboundListener ¶

func (Plugin) OnOutboundListener(in *plugin.InputParams, mutable *plugin.MutableObjects) error

OnOutboundListener is called whenever a new outbound listener is added to the LDS output for a given service Can be used to add additional filters on the outbound path

func (Plugin) OnOutboundRouteConfiguration ¶

func (Plugin) OnOutboundRouteConfiguration(in *plugin.InputParams, route *xdsapi.RouteConfiguration)

OnOutboundRouteConfiguration implements the Plugin interface method.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL