v1alpha1

package
v1.21.2 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Apr 4, 2024 License: Apache-2.0 Imports: 8 Imported by: 63

Documentation

Overview

Code generated by protoc-gen-deepcopy. DO NOT EDIT.

Code generated by protoc-gen-jsonshim. DO NOT EDIT.

Index

Constants

This section is empty.

Variables

View Source 
var (
	PrincipalBinding_name = map[int32]string{
		0: "USE_PEER",
		1: "USE_ORIGIN",
	}
	PrincipalBinding_value = map[string]int32{
		"USE_PEER":   0,
		"USE_ORIGIN": 1,
	}
)

Enum value maps for PrincipalBinding.

View Source 
var (
	MutualTls_Mode_name = map[int32]string{
		0: "STRICT",
		1: "PERMISSIVE",
	}
	MutualTls_Mode_value = map[string]int32{
		"STRICT":     0,
		"PERMISSIVE": 1,
	}
)

Enum value maps for MutualTls_Mode.

View Source 
var (
	PolicyMarshaler   = &jsonpb.Marshaler{}
	PolicyUnmarshaler = &jsonpb.Unmarshaler{AllowUnknownFields: true}
)
View Source 
var File_authentication_v1alpha1_policy_proto protoreflect.FileDescriptor

Functions

This section is empty.

Types

type Jwt 

type Jwt struct {

	// Identifies the issuer that issued the JWT. See
	// [issuer](https://tools.ietf.org/html/rfc7519#section-4.1.1)
	// Usually a URL or an email address.
	//
	// Example: https://securetoken.google.com
	// Example: 1234567-compute@developer.gserviceaccount.com
	Issuer string `protobuf:"bytes,1,opt,name=issuer,proto3" json:"issuer,omitempty"`
	// The list of JWT
	// [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3).
	// that are allowed to access. A JWT containing any of these
	// audiences will be accepted.
	//
	// The service name will be accepted if audiences is empty.
	//
	// Example:
	//
	// “`yaml
	// audiences:
	//   - bookstore_android.apps.googleusercontent.com
	//     bookstore_web.apps.googleusercontent.com
	//
	// “`
	Audiences []string `protobuf:"bytes,2,rep,name=audiences,proto3" json:"audiences,omitempty"`
	// URL of the provider's public key set to validate signature of the
	// JWT. See [OpenID Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata).
	//
	// Optional if the key set document can either (a) be retrieved from
	// [OpenID
	// Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html) of
	// the issuer or (b) inferred from the email domain of the issuer (e.g. a
	// Google service account).
	//
	// Example: `https://www.googleapis.com/oauth2/v1/certs`
	//
	// Note: Only one of jwks_uri and jwks should be used.
	JwksUri string `protobuf:"bytes,3,opt,name=jwks_uri,json=jwksUri,proto3" json:"jwks_uri,omitempty"`
	// JSON Web Key Set of public keys to validate signature of the JWT.
	// See https://auth0.com/docs/jwks.
	//
	// Note: Only one of jwks_uri and jwks should be used.
	Jwks string `protobuf:"bytes,10,opt,name=jwks,proto3" json:"jwks,omitempty"`
	// JWT is sent in a request header. `header` represents the
	// header name.
	//
	// For example, if `header=x-goog-iap-jwt-assertion`, the header
	// format will be `x-goog-iap-jwt-assertion: <JWT>`.
	JwtHeaders []string `protobuf:"bytes,6,rep,name=jwt_headers,json=jwtHeaders,proto3" json:"jwt_headers,omitempty"`
	// JWT is sent in a query parameter. `query` represents the
	// query parameter name.
	//
	// For example, `query=jwt_token`.
	JwtParams []string `protobuf:"bytes,7,rep,name=jwt_params,json=jwtParams,proto3" json:"jwt_params,omitempty"`
	// List of trigger rules to decide if this JWT should be used to validate the
	// request. The JWT validation happens if any one of the rules matched.
	// If the list is not empty and none of the rules matched, authentication will
	// skip the JWT validation.
	// Leave this empty to always trigger the JWT validation.
	TriggerRules []*Jwt_TriggerRule `protobuf:"bytes,9,rep,name=trigger_rules,json=triggerRules,proto3" json:"trigger_rules,omitempty"`
	// contains filtered or unexported fields
}

$hide_from_docs Deprecated. Please use security/v1beta1/RequestAuthentication instead. JSON Web Token (JWT) token format for authentication as defined by [RFC 7519](https://tools.ietf.org/html/rfc7519). See [OAuth 2.0](https://tools.ietf.org/html/rfc6749) and [OIDC 1.0](http://openid.net/connect) for how this is used in the whole authentication flow.

For example:

A JWT for any requests:

```yaml issuer: https://example.com audiences:

  • bookstore_android.apps.googleusercontent.com bookstore_web.apps.googleusercontent.com

jwksUri: https://example.com/.well-known/jwks.json ```

A JWT for all requests except request at path `/health_check` and path with prefix `/status/`. This is useful to expose some paths for public access but keep others JWT validated.

```yaml issuer: https://example.com jwksUri: https://example.com/.well-known/jwks.json triggerRules: - excludedPaths:

  • exact: /health_check
  • prefix: /status/

```

A JWT only for requests at path `/admin`. This is useful to only require JWT validation on a specific set of paths but keep others public accessible.

```yaml issuer: https://example.com jwksUri: https://example.com/.well-known/jwks.json triggerRules: - includedPaths:

  • prefix: /admin

```

A JWT only for requests at path of prefix `/status/` but except the path of `/status/version`. This means for any request path with prefix `/status/` except `/status/version` will require a valid JWT to proceed.

```yaml issuer: https://example.com jwksUri: https://example.com/.well-known/jwks.json triggerRules: - excludedPaths:

  • exact: /status/version includedPaths:
  • prefix: /status/

```

func (*Jwt) DeepCopy 

func (in *Jwt) DeepCopy() *Jwt

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Jwt. Required by controller-gen.

func (*Jwt) DeepCopyInterface 

func (in *Jwt) DeepCopyInterface() interface{}

DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Jwt. Required by controller-gen.

func (*Jwt) DeepCopyInto 

func (in *Jwt) DeepCopyInto(out *Jwt)

DeepCopyInto supports using Jwt within kubernetes types, where deepcopy-gen is used.

func (*Jwt) Descriptor deprecated 

func (*Jwt) Descriptor() ([]byte, []int)

Deprecated: Use Jwt.ProtoReflect.Descriptor instead.

func (*Jwt) GetAudiences 

func (x *Jwt) GetAudiences() []string

func (*Jwt) GetIssuer 

func (x *Jwt) GetIssuer() string

func (*Jwt) GetJwks 

func (x *Jwt) GetJwks() string

func (*Jwt) GetJwksUri 

func (x *Jwt) GetJwksUri() string

func (*Jwt) GetJwtHeaders 

func (x *Jwt) GetJwtHeaders() []string

func (*Jwt) GetJwtParams 

func (x *Jwt) GetJwtParams() []string

func (*Jwt) GetTriggerRules 

func (x *Jwt) GetTriggerRules() []*Jwt_TriggerRule

func (*Jwt) MarshalJSON 

func (this *Jwt) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for Jwt

func (*Jwt) ProtoMessage 

func (*Jwt) ProtoMessage()

func (*Jwt) ProtoReflect 

func (x *Jwt) ProtoReflect() protoreflect.Message

func (*Jwt) Reset 

func (x *Jwt) Reset()

func (*Jwt) String 

func (x *Jwt) String() string

func (*Jwt) UnmarshalJSON 

func (this *Jwt) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for Jwt

type Jwt_TriggerRule 

type Jwt_TriggerRule struct {

	// List of paths to be excluded from the request. The rule is satisfied if
	// request path does not match to any of the path in this list.
	ExcludedPaths []*StringMatch `protobuf:"bytes,1,rep,name=excluded_paths,json=excludedPaths,proto3" json:"excluded_paths,omitempty"`
	// List of paths that the request must include. If the list is not empty, the
	// rule is satisfied if request path matches at least one of the path in the list.
	// If the list is empty, the rule is ignored, in other words the rule is always satisfied.
	IncludedPaths []*StringMatch `protobuf:"bytes,2,rep,name=included_paths,json=includedPaths,proto3" json:"included_paths,omitempty"`
	// contains filtered or unexported fields
}

$hide_from_docs Trigger rule to match against a request. The trigger rule is satisfied if and only if both rules, excluded_paths and include_paths are satisfied.

func (*Jwt_TriggerRule) DeepCopy 

func (in *Jwt_TriggerRule) DeepCopy() *Jwt_TriggerRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Jwt_TriggerRule. Required by controller-gen.

func (*Jwt_TriggerRule) DeepCopyInterface 

func (in *Jwt_TriggerRule) DeepCopyInterface() interface{}

DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Jwt_TriggerRule. Required by controller-gen.

func (*Jwt_TriggerRule) DeepCopyInto 

func (in *Jwt_TriggerRule) DeepCopyInto(out *Jwt_TriggerRule)

DeepCopyInto supports using Jwt_TriggerRule within kubernetes types, where deepcopy-gen is used.

func (*Jwt_TriggerRule) Descriptor deprecated 

func (*Jwt_TriggerRule) Descriptor() ([]byte, []int)

Deprecated: Use Jwt_TriggerRule.ProtoReflect.Descriptor instead.

func (*Jwt_TriggerRule) GetExcludedPaths 

func (x *Jwt_TriggerRule) GetExcludedPaths() []*StringMatch

func (*Jwt_TriggerRule) GetIncludedPaths 

func (x *Jwt_TriggerRule) GetIncludedPaths() []*StringMatch

func (*Jwt_TriggerRule) MarshalJSON 

func (this *Jwt_TriggerRule) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for Jwt_TriggerRule

func (*Jwt_TriggerRule) ProtoMessage 

func (*Jwt_TriggerRule) ProtoMessage()

func (*Jwt_TriggerRule) ProtoReflect 

func (x *Jwt_TriggerRule) ProtoReflect() protoreflect.Message

func (*Jwt_TriggerRule) Reset 

func (x *Jwt_TriggerRule) Reset()

func (*Jwt_TriggerRule) String 

func (x *Jwt_TriggerRule) String() string

func (*Jwt_TriggerRule) UnmarshalJSON 

func (this *Jwt_TriggerRule) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for Jwt_TriggerRule

type MutualTls 

type MutualTls struct {

	// Deprecated. Please use mode = PERMISSIVE instead.
	// If set, will translate to `TLS_PERMISSIVE` mode.
	// Set this flag to true to allow regular TLS (i.e without client x509
	// certificate). If request carries client certificate, identity will be
	// extracted and used (set to peer identity). Otherwise, peer identity will
	// be left unset.
	// When the flag is false (default), request must have client certificate.
	//
	// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
	AllowTls bool `protobuf:"varint,1,opt,name=allow_tls,json=allowTls,proto3" json:"allow_tls,omitempty"`
	// Defines the mode of mTLS authentication.
	Mode MutualTls_Mode `protobuf:"varint,2,opt,name=mode,proto3,enum=istio.authentication.v1alpha1.MutualTls_Mode" json:"mode,omitempty"`
	// contains filtered or unexported fields
}

$hide_from_docs Deprecated. Please use security/v1beta1/PeerAuthentication instead. TLS authentication params.

func (*MutualTls) DeepCopy 

func (in *MutualTls) DeepCopy() *MutualTls

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MutualTls. Required by controller-gen.

func (*MutualTls) DeepCopyInterface 

func (in *MutualTls) DeepCopyInterface() interface{}

DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new MutualTls. Required by controller-gen.

func (*MutualTls) DeepCopyInto 

func (in *MutualTls) DeepCopyInto(out *MutualTls)

DeepCopyInto supports using MutualTls within kubernetes types, where deepcopy-gen is used.

func (*MutualTls) Descriptor deprecated 

func (*MutualTls) Descriptor() ([]byte, []int)

Deprecated: Use MutualTls.ProtoReflect.Descriptor instead.

func (*MutualTls) GetAllowTls deprecated 

func (x *MutualTls) GetAllowTls() bool

Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.

func (*MutualTls) GetMode 

func (x *MutualTls) GetMode() MutualTls_Mode

func (*MutualTls) MarshalJSON 

func (this *MutualTls) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for MutualTls

func (*MutualTls) ProtoMessage 

func (*MutualTls) ProtoMessage()

func (*MutualTls) ProtoReflect 

func (x *MutualTls) ProtoReflect() protoreflect.Message

func (*MutualTls) Reset 

func (x *MutualTls) Reset()

func (*MutualTls) String 

func (x *MutualTls) String() string

func (*MutualTls) UnmarshalJSON 

func (this *MutualTls) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for MutualTls

type MutualTls_Mode 

type MutualTls_Mode int32

$hide_from_docs Defines the acceptable connection TLS mode. 

const (
	// Client cert must be presented, connection is in TLS.
	MutualTls_STRICT MutualTls_Mode = 0
	// Connection can be either plaintext or TLS with Client cert.
	MutualTls_PERMISSIVE MutualTls_Mode = 1
)

func (MutualTls_Mode) Descriptor 

func (MutualTls_Mode) Descriptor() protoreflect.EnumDescriptor

func (MutualTls_Mode) Enum 

func (x MutualTls_Mode) Enum() *MutualTls_Mode

func (MutualTls_Mode) EnumDescriptor deprecated 

func (MutualTls_Mode) EnumDescriptor() ([]byte, []int)

Deprecated: Use MutualTls_Mode.Descriptor instead.

func (MutualTls_Mode) Number 

func (x MutualTls_Mode) Number() protoreflect.EnumNumber

func (MutualTls_Mode) String 

func (x MutualTls_Mode) String() string

func (MutualTls_Mode) Type 

func (MutualTls_Mode) Type() protoreflect.EnumType

type OriginAuthenticationMethod 

type OriginAuthenticationMethod struct {

	// Jwt params for the method.
	Jwt *Jwt `protobuf:"bytes,1,opt,name=jwt,proto3" json:"jwt,omitempty"`
	// contains filtered or unexported fields
}

$hide_from_docs Deprecated. Please use security/v1beta1/RequestAuthentication instead. OriginAuthenticationMethod defines authentication method/params for origin authentication. Origin could be end-user, device, delegate service etc. Currently, only JWT is supported for origin authentication.

func (*OriginAuthenticationMethod) DeepCopy 

func (in *OriginAuthenticationMethod) DeepCopy() *OriginAuthenticationMethod

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OriginAuthenticationMethod. Required by controller-gen.

func (*OriginAuthenticationMethod) DeepCopyInterface 

func (in *OriginAuthenticationMethod) DeepCopyInterface() interface{}

DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new OriginAuthenticationMethod. Required by controller-gen.

func (*OriginAuthenticationMethod) DeepCopyInto 

func (in *OriginAuthenticationMethod) DeepCopyInto(out *OriginAuthenticationMethod)

DeepCopyInto supports using OriginAuthenticationMethod within kubernetes types, where deepcopy-gen is used.

func (*OriginAuthenticationMethod) Descriptor deprecated 

func (*OriginAuthenticationMethod) Descriptor() ([]byte, []int)

Deprecated: Use OriginAuthenticationMethod.ProtoReflect.Descriptor instead.

func (*OriginAuthenticationMethod) GetJwt 

func (x *OriginAuthenticationMethod) GetJwt() *Jwt

func (*OriginAuthenticationMethod) MarshalJSON 

func (this *OriginAuthenticationMethod) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for OriginAuthenticationMethod

func (*OriginAuthenticationMethod) ProtoMessage 

func (*OriginAuthenticationMethod) ProtoMessage()

func (*OriginAuthenticationMethod) ProtoReflect 

func (x *OriginAuthenticationMethod) ProtoReflect() protoreflect.Message

func (*OriginAuthenticationMethod) Reset 

func (x *OriginAuthenticationMethod) Reset()

func (*OriginAuthenticationMethod) String 

func (x *OriginAuthenticationMethod) String() string

func (*OriginAuthenticationMethod) UnmarshalJSON 

func (this *OriginAuthenticationMethod) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for OriginAuthenticationMethod

type PeerAuthenticationMethod 

type PeerAuthenticationMethod struct {

	// $hide_from_docs
	//
	// Types that are assignable to Params:
	//
	//	*PeerAuthenticationMethod_Mtls
	//	*PeerAuthenticationMethod_Jwt
	Params isPeerAuthenticationMethod_Params `protobuf_oneof:"params"`
	// contains filtered or unexported fields
}

$hide_from_docs Deprecated. Please use security/v1beta1/PeerAuthentication instead. PeerAuthenticationMethod defines one particular type of authentication. Only mTLS is supported at the moment. The type can be progammatically determine by checking the type of the "params" field.

func (*PeerAuthenticationMethod) DeepCopy 

func (in *PeerAuthenticationMethod) DeepCopy() *PeerAuthenticationMethod

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthenticationMethod. Required by controller-gen.

func (*PeerAuthenticationMethod) DeepCopyInterface 

func (in *PeerAuthenticationMethod) DeepCopyInterface() interface{}

DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new PeerAuthenticationMethod. Required by controller-gen.

func (*PeerAuthenticationMethod) DeepCopyInto 

func (in *PeerAuthenticationMethod) DeepCopyInto(out *PeerAuthenticationMethod)

DeepCopyInto supports using PeerAuthenticationMethod within kubernetes types, where deepcopy-gen is used.

func (*PeerAuthenticationMethod) Descriptor deprecated 

func (*PeerAuthenticationMethod) Descriptor() ([]byte, []int)

Deprecated: Use PeerAuthenticationMethod.ProtoReflect.Descriptor instead.

func (*PeerAuthenticationMethod) GetJwt deprecated 

func (x *PeerAuthenticationMethod) GetJwt() *Jwt

Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.

func (*PeerAuthenticationMethod) GetMtls 

func (x *PeerAuthenticationMethod) GetMtls() *MutualTls

func (*PeerAuthenticationMethod) GetParams 

func (m *PeerAuthenticationMethod) GetParams() isPeerAuthenticationMethod_Params

func (*PeerAuthenticationMethod) MarshalJSON 

func (this *PeerAuthenticationMethod) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for PeerAuthenticationMethod

func (*PeerAuthenticationMethod) ProtoMessage 

func (*PeerAuthenticationMethod) ProtoMessage()

func (*PeerAuthenticationMethod) ProtoReflect 

func (x *PeerAuthenticationMethod) ProtoReflect() protoreflect.Message

func (*PeerAuthenticationMethod) Reset 

func (x *PeerAuthenticationMethod) Reset()

func (*PeerAuthenticationMethod) String 

func (x *PeerAuthenticationMethod) String() string

func (*PeerAuthenticationMethod) UnmarshalJSON 

func (this *PeerAuthenticationMethod) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for PeerAuthenticationMethod

type PeerAuthenticationMethod_Jwt 

type PeerAuthenticationMethod_Jwt struct {
	// $hide_from_docs
	// Deprecated.
	// Set if JWT is used. This option was never available.
	//
	// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
	Jwt *Jwt `protobuf:"bytes,2,opt,name=jwt,proto3,oneof"`
}

type PeerAuthenticationMethod_Mtls 

type PeerAuthenticationMethod_Mtls struct {
	// Set if mTLS is used.
	Mtls *MutualTls `protobuf:"bytes,1,opt,name=mtls,proto3,oneof"`
}

type Policy 

type Policy struct {

	// Deprecated. Only mesh-level and namespace-level policies are supported.
	// List rules to select workloads that the policy should be applied on.
	// If empty, policy will be used on all workloads in the same namespace.
	//
	// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
	Targets []*TargetSelector `protobuf:"bytes,1,rep,name=targets,proto3" json:"targets,omitempty"`
	// $hide_from_docs
	// Deprecated. Please use security/v1beta1/PeerAuthentication instead.
	// List of authentication methods that can be used for peer authentication.
	// They will be evaluated in order; the first validate one will be used to
	// set peer identity (source.user) and other peer attributes. If none of
	// these methods pass, request will be rejected with authentication failed error (401).
	// Leave the list empty if peer authentication is not required
	Peers []*PeerAuthenticationMethod `protobuf:"bytes,2,rep,name=peers,proto3" json:"peers,omitempty"`
	// Deprecated. Should set mTLS to PERMISSIVE instead.
	// Set this flag to true to accept request (for peer authentication perspective),
	// even when none of the peer authentication methods defined above satisfied.
	// Typically, this is used to delay the rejection decision to next layer (e.g
	// authorization).
	// This flag is ignored if no authentication defined for peer (peers field is empty).
	//
	// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
	PeerIsOptional bool `protobuf:"varint,3,opt,name=peer_is_optional,json=peerIsOptional,proto3" json:"peer_is_optional,omitempty"`
	// Deprecated. Please use security/v1beta1/RequestAuthentication instead.
	// List of authentication methods that can be used for origin authentication.
	// Similar to peers, these will be evaluated in order; the first validate one
	// will be used to set origin identity and attributes (i.e request.auth.user,
	// request.auth.issuer etc). If none of these methods pass, request will be
	// rejected with authentication failed error (401).
	// A method may be skipped, depends on its trigger rule. If all of these methods
	// are skipped, origin authentication will be ignored, as if it is not defined.
	// Leave the list empty if origin authentication is not required.
	//
	// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
	Origins []*OriginAuthenticationMethod `protobuf:"bytes,4,rep,name=origins,proto3" json:"origins,omitempty"`
	// Deprecated. Please use security/v1beta1/RequestAuthentication instead.
	// Set this flag to true to accept request (for origin authentication perspective),
	// even when none of the origin authentication methods defined above satisfied.
	// Typically, this is used to delay the rejection decision to next layer (e.g
	// authorization).
	// This flag is ignored if no authentication defined for origin (origins field is empty).
	//
	// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
	OriginIsOptional bool `protobuf:"varint,5,opt,name=origin_is_optional,json=originIsOptional,proto3" json:"origin_is_optional,omitempty"`
	// Deprecated. Source principal is always from peer, and request principal is always from
	// RequestAuthentication.
	// Define whether peer or origin identity should be use for principal. Default
	// value is USE_PEER.
	// If peer (or origin) identity is not available, either because of peer/origin
	// authentication is not defined, or failed, principal will be left unset.
	// In other words, binding rule does not affect the decision to accept or
	// reject request.
	//
	// Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.
	PrincipalBinding PrincipalBinding `` /* 162-byte string literal not displayed */
	// contains filtered or unexported fields
}

$hide_from_docs Policy defines what authentication methods can be accepted on workload(s), and if authenticated, which method/certificate will set the request principal (i.e request.auth.principal attribute).

Authentication policy is composed of 2-part authentication: - peer: verify caller service credentials. This part will set source.user (peer identity). - origin: verify the origin credentials. This part will set request.auth.user (origin identity), as well as other attributes like request.auth.presenter, request.auth.audiences and raw claims. Note that the identity could be end-user, service account, device etc.

Last but not least, the principal binding rule defines which identity (peer or origin) should be used as principal. By default, it uses peer.

Examples:

Policy to enable mTLS for all services in namespace frod. The policy name must be `default`, and it contains no rule for `targets`.

```yaml apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: 

name: default
namespace: frod

spec: 

peers:
- mtls:

``` Policy to disable mTLS for "productpage" service

```yaml apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: 

name: productpage-mTLS-disable
namespace: frod

spec: 

targets:
- name: productpage

``` Policy to require mTLS for peer authentication, and JWT for origin authentication for productpage:9000 except the path '/health_check' . Principal is set from origin identity.

```yaml apiVersion: authentication.istio.io/v1alpha1 kind: Policy metadata: 

name: productpage-mTLS-with-JWT
namespace: frod

spec: 

targets:
- name: productpage
  ports:
  - number: 9000
peers:
- mtls:
origins:
- jwt:
    issuer: "https://securetoken.google.com"
    audiences:
    - "productpage"
    jwksUri: "https://www.googleapis.com/oauth2/v1/certs"
    jwtHeaders:
    - "x-goog-iap-jwt-assertion"
    triggerRules:
    - excludedPaths:
      - exact: /health_check
principalBinding: USE_ORIGIN

```

func (*Policy) DeepCopy 

func (in *Policy) DeepCopy() *Policy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. Required by controller-gen.

func (*Policy) DeepCopyInterface 

func (in *Policy) DeepCopyInterface() interface{}

DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new Policy. Required by controller-gen.

func (*Policy) DeepCopyInto 

func (in *Policy) DeepCopyInto(out *Policy)

DeepCopyInto supports using Policy within kubernetes types, where deepcopy-gen is used.

func (*Policy) Descriptor deprecated 

func (*Policy) Descriptor() ([]byte, []int)

Deprecated: Use Policy.ProtoReflect.Descriptor instead.

func (*Policy) GetOriginIsOptional deprecated 

func (x *Policy) GetOriginIsOptional() bool

Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.

func (*Policy) GetOrigins deprecated 

func (x *Policy) GetOrigins() []*OriginAuthenticationMethod

Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.

func (*Policy) GetPeerIsOptional deprecated 

func (x *Policy) GetPeerIsOptional() bool

Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.

func (*Policy) GetPeers 

func (x *Policy) GetPeers() []*PeerAuthenticationMethod

func (*Policy) GetPrincipalBinding deprecated 

func (x *Policy) GetPrincipalBinding() PrincipalBinding

Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.

func (*Policy) GetTargets deprecated 

func (x *Policy) GetTargets() []*TargetSelector

Deprecated: Marked as deprecated in authentication/v1alpha1/policy.proto.

func (*Policy) MarshalJSON 

func (this *Policy) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for Policy

func (*Policy) ProtoMessage 

func (*Policy) ProtoMessage()

func (*Policy) ProtoReflect 

func (x *Policy) ProtoReflect() protoreflect.Message

func (*Policy) Reset 

func (x *Policy) Reset()

func (*Policy) String 

func (x *Policy) String() string

func (*Policy) UnmarshalJSON 

func (this *Policy) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for Policy

type PortSelector 

type PortSelector struct {

	// Types that are assignable to Port:
	//
	//	*PortSelector_Number
	//	*PortSelector_Name
	Port isPortSelector_Port `protobuf_oneof:"port"`
	// contains filtered or unexported fields
}

$hide_from_docs Deprecated. Only support mesh and namespace level policy in the future. PortSelector specifies the name or number of a port to be used for matching targets for authentication policy. This is copied from networking API to avoid dependency.

func (*PortSelector) DeepCopy 

func (in *PortSelector) DeepCopy() *PortSelector

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortSelector. Required by controller-gen.

func (*PortSelector) DeepCopyInterface 

func (in *PortSelector) DeepCopyInterface() interface{}

DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new PortSelector. Required by controller-gen.

func (*PortSelector) DeepCopyInto 

func (in *PortSelector) DeepCopyInto(out *PortSelector)

DeepCopyInto supports using PortSelector within kubernetes types, where deepcopy-gen is used.

func (*PortSelector) Descriptor deprecated 

func (*PortSelector) Descriptor() ([]byte, []int)

Deprecated: Use PortSelector.ProtoReflect.Descriptor instead.

func (*PortSelector) GetName 

func (x *PortSelector) GetName() string

func (*PortSelector) GetNumber 

func (x *PortSelector) GetNumber() uint32

func (*PortSelector) GetPort 

func (m *PortSelector) GetPort() isPortSelector_Port

func (*PortSelector) MarshalJSON 

func (this *PortSelector) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for PortSelector

func (*PortSelector) ProtoMessage 

func (*PortSelector) ProtoMessage()

func (*PortSelector) ProtoReflect 

func (x *PortSelector) ProtoReflect() protoreflect.Message

func (*PortSelector) Reset 

func (x *PortSelector) Reset()

func (*PortSelector) String 

func (x *PortSelector) String() string

func (*PortSelector) UnmarshalJSON 

func (this *PortSelector) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for PortSelector

type PortSelector_Name 

type PortSelector_Name struct {
	// Port name
	Name string `protobuf:"bytes,2,opt,name=name,proto3,oneof"`
}

type PortSelector_Number 

type PortSelector_Number struct {
	// Valid port number
	Number uint32 `protobuf:"varint,1,opt,name=number,proto3,oneof"`
}

type PrincipalBinding 

type PrincipalBinding int32

$hide_from_docs Deprecated. When using security/v1beta1/RequestAuthentication, the request principal always comes from request authentication (i.e JWT). Associates authentication with request principal. 

const (
	// Principal will be set to the identity from peer authentication.
	PrincipalBinding_USE_PEER PrincipalBinding = 0
	// Principal will be set to the identity from origin authentication.
	PrincipalBinding_USE_ORIGIN PrincipalBinding = 1
)

func (PrincipalBinding) Descriptor 

func (PrincipalBinding) Descriptor() protoreflect.EnumDescriptor

func (PrincipalBinding) Enum 

func (x PrincipalBinding) Enum() *PrincipalBinding

func (PrincipalBinding) EnumDescriptor deprecated 

func (PrincipalBinding) EnumDescriptor() ([]byte, []int)

Deprecated: Use PrincipalBinding.Descriptor instead.

func (PrincipalBinding) Number 

func (x PrincipalBinding) Number() protoreflect.EnumNumber

func (PrincipalBinding) String 

func (x PrincipalBinding) String() string

func (PrincipalBinding) Type 

func (PrincipalBinding) Type() protoreflect.EnumType

type StringMatch 

type StringMatch struct {

	// Types that are assignable to MatchType:
	//
	//	*StringMatch_Exact
	//	*StringMatch_Prefix
	//	*StringMatch_Suffix
	//	*StringMatch_Regex
	MatchType isStringMatch_MatchType `protobuf_oneof:"match_type"`
	// contains filtered or unexported fields
}

$hide_from_docs Describes how to match a given string. Match is case-sensitive.

func (*StringMatch) DeepCopy 

func (in *StringMatch) DeepCopy() *StringMatch

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new StringMatch. Required by controller-gen.

func (*StringMatch) DeepCopyInterface 

func (in *StringMatch) DeepCopyInterface() interface{}

DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new StringMatch. Required by controller-gen.

func (*StringMatch) DeepCopyInto 

func (in *StringMatch) DeepCopyInto(out *StringMatch)

DeepCopyInto supports using StringMatch within kubernetes types, where deepcopy-gen is used.

func (*StringMatch) Descriptor deprecated 

func (*StringMatch) Descriptor() ([]byte, []int)

Deprecated: Use StringMatch.ProtoReflect.Descriptor instead.

func (*StringMatch) GetExact 

func (x *StringMatch) GetExact() string

func (*StringMatch) GetMatchType 

func (m *StringMatch) GetMatchType() isStringMatch_MatchType

func (*StringMatch) GetPrefix 

func (x *StringMatch) GetPrefix() string

func (*StringMatch) GetRegex 

func (x *StringMatch) GetRegex() string

func (*StringMatch) GetSuffix 

func (x *StringMatch) GetSuffix() string

func (*StringMatch) MarshalJSON 

func (this *StringMatch) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for StringMatch

func (*StringMatch) ProtoMessage 

func (*StringMatch) ProtoMessage()

func (*StringMatch) ProtoReflect 

func (x *StringMatch) ProtoReflect() protoreflect.Message

func (*StringMatch) Reset 

func (x *StringMatch) Reset()

func (*StringMatch) String 

func (x *StringMatch) String() string

func (*StringMatch) UnmarshalJSON 

func (this *StringMatch) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for StringMatch

type StringMatch_Exact 

type StringMatch_Exact struct {
	// exact string match.
	Exact string `protobuf:"bytes,1,opt,name=exact,proto3,oneof"`
}

type StringMatch_Prefix 

type StringMatch_Prefix struct {
	// prefix-based match.
	Prefix string `protobuf:"bytes,2,opt,name=prefix,proto3,oneof"`
}

type StringMatch_Regex 

type StringMatch_Regex struct {
	// RE2 style regex-based match (https://github.com/google/re2/wiki/Syntax).
	Regex string `protobuf:"bytes,4,opt,name=regex,proto3,oneof"`
}

type StringMatch_Suffix 

type StringMatch_Suffix struct {
	// suffix-based match.
	Suffix string `protobuf:"bytes,3,opt,name=suffix,proto3,oneof"`
}

type TargetSelector 

type TargetSelector struct {

	// The name must be a short name from the service registry. The
	// fully qualified domain name will be resolved in a platform specific manner.
	Name string `protobuf:"bytes,1,opt,name=name,proto3" json:"name,omitempty"`
	// Specifies the ports. Note that this is the port(s) exposed by the service, not workload instance ports.
	// For example, if a service is defined as below, then `8000` should be used, not `9000`.
	// “`yaml
	// kind: Service
	// metadata:
	//
	//	...
	//
	// spec:
	//
	//	ports:
	//	- name: http
	//	  port: 8000
	//	  targetPort: 9000
	//	selector:
	//	  app: backend
	//
	// “`
	// Leave empty to match all ports that are exposed.
	Ports []*PortSelector `protobuf:"bytes,2,rep,name=ports,proto3" json:"ports,omitempty"`
	// contains filtered or unexported fields
}

$hide_from_docs Deprecated. Only support mesh and namespace level policy in the future. TargetSelector defines a matching rule to a workload. A workload is selected if it is associated with the service name and service port(s) specified in the selector rule.

func (*TargetSelector) DeepCopy 

func (in *TargetSelector) DeepCopy() *TargetSelector

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TargetSelector. Required by controller-gen.

func (*TargetSelector) DeepCopyInterface 

func (in *TargetSelector) DeepCopyInterface() interface{}

DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new TargetSelector. Required by controller-gen.

func (*TargetSelector) DeepCopyInto 

func (in *TargetSelector) DeepCopyInto(out *TargetSelector)

DeepCopyInto supports using TargetSelector within kubernetes types, where deepcopy-gen is used.

func (*TargetSelector) Descriptor deprecated 

func (*TargetSelector) Descriptor() ([]byte, []int)

Deprecated: Use TargetSelector.ProtoReflect.Descriptor instead.

func (*TargetSelector) GetName 

func (x *TargetSelector) GetName() string

func (*TargetSelector) GetPorts 

func (x *TargetSelector) GetPorts() []*PortSelector

func (*TargetSelector) MarshalJSON 

func (this *TargetSelector) MarshalJSON() ([]byte, error)

MarshalJSON is a custom marshaler for TargetSelector

func (*TargetSelector) ProtoMessage 

func (*TargetSelector) ProtoMessage()

func (*TargetSelector) ProtoReflect 

func (x *TargetSelector) ProtoReflect() protoreflect.Message

func (*TargetSelector) Reset 

func (x *TargetSelector) Reset()

func (*TargetSelector) String 

func (x *TargetSelector) String() string

func (*TargetSelector) UnmarshalJSON 

func (this *TargetSelector) UnmarshalJSON(b []byte) error

UnmarshalJSON is a custom unmarshaler for TargetSelector

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.