apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: (unknown) name: gcpauthzpolicies.networking.gke.io spec: conversion: strategy: None group: networking.gke.io names: categories: - gateway-api kind: GCPAuthzPolicy listKind: GCPAuthzPolicyList plural: gcpauthzpolicies singular: gcpauthzpolicy scope: Namespaced versions: - additionalPrinterColumns: - jsonPath: .metadata.creationTimestamp name: Age type: date name: v1 schema: openAPIV3Schema: description: |- GCPAuthzPolicy is the CRD for Authorization Policy. This policy enables access control on workloads. properties: apiVersion: description: |- APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: description: |- Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: description: Spec defines the implementation of this definition. properties: action: allOf: - enum: - ALLOW - DENY - CUSTOM - enum: - ALLOW - DENY - CUSTOM default: ALLOW description: The action to take if the request is matched with the rules. Default is ALLOW if not specified. type: string customProviders: description: CustomProviders defines the extension providers/iap for authorization policy. properties: cloudIAP: description: |- Delegates authorization decisions to Cloud IAP. Applicable only for GKE Gateways. Only one of CloudIAP or TargetRefs can be specified. type: boolean extensionRefs: description: |- ExtensionRefs identifies a list of Authz Extensions. Limited to 2 ExtensionRefs. items: description: |- LocalObjectReference identifies an API object within the namespace of the referrer. The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object. properties: group: description: |- Group is the group of the referent. For example, "networking.gke.io". When unspecified or empty string, core API group is inferred. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: Kind is kind of the referent. For example "HTTPRoute" or "Service". maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: Name is the name of the referent. maxLength: 253 minLength: 1 type: string required: - group - kind - name type: object maxItems: 2 minItems: 1 type: array type: object x-kubernetes-validations: - message: Only one of CloudIAP or ExtensionRefs can be specified rule: '!(has(self.extensionRefs) && has(self.cloudIAP)) && (has(self.extensionRefs) || has(self.cloudIAP))' httpRules: description: A list of http rules to match the request. items: description: |- GCPAuthPolicyHTTPRule matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, one operation and all conditions matches the request. An empty rule is always matched. properties: from: description: |- From specifies the source of a request. If not set, any source is allowed. properties: notSources: description: NotSources specifies the not sources of a request. items: description: |- GCPAuthzPolicySource specifies the source identities of a request. Fields in the AuthzPolicySource are ANDed together. properties: principals: description: |- Principals includes the list of peer identities derived from the peer certificate. The peer identity is in the format of `"<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>"`, for example, `"{projectid}.svc.id.goog/ns/foo/sa/productpage"`. This field requires mTLS enabled. Limited to 10 entries. items: description: StringMatchCriteria defines the match criteria for a string. properties: ignoreCase: description: IgnoreCase is true then the matching should be case insensitive. type: boolean type: description: Type is the type of the string match criteria. enum: - Exact - Prefix - Suffix - Contains type: string value: description: Value is the match. type: string required: - type - value type: object maxItems: 10 type: array resources: description: |- Resources describes the properties of a client VM resource accessing the internal application load balancers. items: description: |- Resource defines the Andromeda credentials. It is only applicable internal L7 LBs. properties: iamServiceAccount: description: |- IAMServiceAccount to match against the GCP IAM service account associated with the source VM of a request. properties: ignoreCase: description: IgnoreCase is true then the matching should be case insensitive. type: boolean type: description: Type is the type of the string match criteria. enum: - Exact - Prefix - Suffix - Contains type: string value: description: Value is the match. type: string required: - type - value type: object tagValueIdSet: description: |- TagValueIDSet is a list of resource tag value permanent IDs to match against the resource manager tag values associated with the source VM of a request. All IDs must match. items: format: int64 type: integer maxItems: 10 minItems: 1 type: array type: object maxItems: 10 type: array type: object type: array sources: description: Sources specifies the source of a request. items: description: |- GCPAuthzPolicySource specifies the source identities of a request. Fields in the AuthzPolicySource are ANDed together. properties: principals: description: |- Principals includes the list of peer identities derived from the peer certificate. The peer identity is in the format of `"<TRUST_DOMAIN>/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT>"`, for example, `"{projectid}.svc.id.goog/ns/foo/sa/productpage"`. This field requires mTLS enabled. Limited to 10 entries. items: description: StringMatchCriteria defines the match criteria for a string. properties: ignoreCase: description: IgnoreCase is true then the matching should be case insensitive. type: boolean type: description: Type is the type of the string match criteria. enum: - Exact - Prefix - Suffix - Contains type: string value: description: Value is the match. type: string required: - type - value type: object maxItems: 10 type: array resources: description: |- Resources describes the properties of a client VM resource accessing the internal application load balancers. items: description: |- Resource defines the Andromeda credentials. It is only applicable internal L7 LBs. properties: iamServiceAccount: description: |- IAMServiceAccount to match against the GCP IAM service account associated with the source VM of a request. properties: ignoreCase: description: IgnoreCase is true then the matching should be case insensitive. type: boolean type: description: Type is the type of the string match criteria. enum: - Exact - Prefix - Suffix - Contains type: string value: description: Value is the match. type: string required: - type - value type: object tagValueIdSet: description: |- TagValueIDSet is a list of resource tag value permanent IDs to match against the resource manager tag values associated with the source VM of a request. All IDs must match. items: format: int64 type: integer maxItems: 10 minItems: 1 type: array type: object maxItems: 10 type: array type: object type: array type: object to: description: |- To specifies the operations of a request. If not set, any operation is allowed. properties: notOperations: description: NotOperations specifies the not operation of a request. items: description: |- GCPAuthzPolicyOperation is the spec for the operation of the HTTP rule. Fields in the AuthzPolicyOperation are ANDed together. properties: headers: description: |- Headers defines a set of headers to match against for a given request. All headers in the set must match. Limited to 10 matches. items: description: HTTPHeaderMatch builds the header match criteria. properties: ignoreCase: description: IgnoreCase is true then the matching should be case insensitive. type: boolean name: description: Name is the name of the header. maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: description: Type specifies how to match against the value of the header. enum: - Exact - Prefix - Suffix - Contains type: string value: description: Value is the value of the header. maxLength: 256 type: string required: - name - type type: object maxItems: 10 type: array hosts: description: |- Hosts is a list of HTTP Hosts to match against. Limited to 10 matches. items: description: StringMatchCriteria defines the match criteria for a string. properties: ignoreCase: description: IgnoreCase is true then the matching should be case insensitive. type: boolean type: description: Type is the type of the string match criteria. enum: - Exact - Prefix - Suffix - Contains type: string value: description: Value is the match. type: string required: - type - value type: object maxItems: 10 type: array methods: description: |- Methods is a list of HTTP methods to match against. Each entry must be a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, OPTIONS, CONNECT, TRACE). Limited to 9 matches. items: description: |- HTTPMethod describes how to select a HTTP route by matching the HTTP method as defined by [RFC 7231](https://datatracker.ietf.org/doc/html/rfc7231#section-4) and [RFC 5789](https://datatracker.ietf.org/doc/html/rfc5789#section-2). The value is expected in upper case. Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. enum: - GET - HEAD - POST - PUT - DELETE - CONNECT - OPTIONS - TRACE - PATCH type: string maxItems: 9 type: array paths: description: |- Paths is a list paths to match against. Limited to 10 matches. items: description: StringMatchCriteria defines the match criteria for a string. properties: ignoreCase: description: IgnoreCase is true then the matching should be case insensitive. type: boolean type: description: Type is the type of the string match criteria. enum: - Exact - Prefix - Suffix - Contains type: string value: description: Value is the match. type: string required: - type - value type: object maxItems: 10 type: array type: object type: array operations: description: Operation specifies the operation of a request.// +kubebuilder:validation:MaxItems=10 items: description: |- GCPAuthzPolicyOperation is the spec for the operation of the HTTP rule. Fields in the AuthzPolicyOperation are ANDed together. properties: headers: description: |- Headers defines a set of headers to match against for a given request. All headers in the set must match. Limited to 10 matches. items: description: HTTPHeaderMatch builds the header match criteria. properties: ignoreCase: description: IgnoreCase is true then the matching should be case insensitive. type: boolean name: description: Name is the name of the header. maxLength: 256 minLength: 1 pattern: ^[A-Za-z0-9!#$%&'*+\-.^_\x60|~]+$ type: string type: description: Type specifies how to match against the value of the header. enum: - Exact - Prefix - Suffix - Contains type: string value: description: Value is the value of the header. maxLength: 256 type: string required: - name - type type: object maxItems: 10 type: array hosts: description: |- Hosts is a list of HTTP Hosts to match against. Limited to 10 matches. items: description: StringMatchCriteria defines the match criteria for a string. properties: ignoreCase: description: IgnoreCase is true then the matching should be case insensitive. type: boolean type: description: Type is the type of the string match criteria. enum: - Exact - Prefix - Suffix - Contains type: string value: description: Value is the match. type: string required: - type - value type: object maxItems: 10 type: array methods: description: |- Methods is a list of HTTP methods to match against. Each entry must be a valid HTTP method name (GET, PUT, POST, HEAD, PATCH, DELETE, OPTIONS, CONNECT, TRACE). Limited to 9 matches. items: description: |- HTTPMethod describes how to select a HTTP route by matching the HTTP method as defined by [RFC 7231](https://datatracker.ietf.org/doc/html/rfc7231#section-4) and [RFC 5789](https://datatracker.ietf.org/doc/html/rfc5789#section-2). The value is expected in upper case. Note that values may be added to this enum, implementations must ensure that unknown values will not cause a crash. Unknown values here must result in the implementation setting the Accepted Condition for the Route to `status: False`, with a Reason of `UnsupportedValue`. enum: - GET - HEAD - POST - PUT - DELETE - CONNECT - OPTIONS - TRACE - PATCH type: string maxItems: 9 type: array paths: description: |- Paths is a list paths to match against. Limited to 10 matches. items: description: StringMatchCriteria defines the match criteria for a string. properties: ignoreCase: description: IgnoreCase is true then the matching should be case insensitive. type: boolean type: description: Type is the type of the string match criteria. enum: - Exact - Prefix - Suffix - Contains type: string value: description: Value is the match. type: string required: - type - value type: object maxItems: 10 type: array type: object type: array type: object when: description: |- when specifies a list of additional conditions of a request. If not set, any condition is allowed. It is supported via CEL expression. maxLength: 512 minLength: 1 type: string type: object maxItems: 10 type: array targetRefs: description: |- TargetRefs identifies a list of API objects to apply policy to. Limited to 10 TargetRef, can not be empty. items: description: |- LocalObjectReference identifies an API object within the namespace of the referrer. The API object must be valid in the cluster; the Group and Kind must be registered in the cluster for this reference to be valid. References to objects with invalid Group and Kind are not valid, and must be rejected by the implementation, with appropriate Conditions set on the containing object. properties: group: description: |- Group is the group of the referent. For example, "networking.gke.io". When unspecified or empty string, core API group is inferred. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: Kind is kind of the referent. For example "HTTPRoute" or "Service". maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: Name is the name of the referent. maxLength: 253 minLength: 1 type: string required: - group - kind - name type: object maxItems: 10 minItems: 1 type: array type: object x-kubernetes-validations: - message: At least one http rule is required when the action is not CUSTOM rule: '(self.action == ''ALLOW'' || self.action == ''DENY'') ? size(self.httpRules) > 0 : true' - message: CustomProviders is required when the action is CUSTOM rule: '!(self.action == ''CUSTOM'' && !has(self.customProviders)) && !(self.action != ''CUSTOM'' && has(self.customProviders))' status: description: |- PolicyStatus defines the common attributes that all Policies should include within their status. properties: ancestors: description: |- Ancestors is a list of ancestor resources (usually Gateways) that are associated with the policy, and the status of the policy with respect to each ancestor. When this policy attaches to a parent, the controller that manages the parent and the ancestors MUST add an entry to this list when the controller first sees the policy and SHOULD update the entry as appropriate when the relevant ancestor is modified. Note that choosing the relevant ancestor is left to the Policy designers; an important part of Policy design is designing the right object level at which to namespace this status. Note also that implementations MUST ONLY populate ancestor status for the Ancestor resources they are responsible for. Implementations MUST use the ControllerName field to uniquely identify the entries in this list that they are responsible for. Note that to achieve this, the list of PolicyAncestorStatus structs MUST be treated as a map with a composite key, made up of the AncestorRef and ControllerName fields combined. A maximum of 16 ancestors will be represented in this list. An empty list means the Policy is not relevant for any ancestors. If this slice is full, implementations MUST NOT add further entries. Instead they MUST consider the policy unimplementable and signal that on any related resources such as the ancestor that would be referenced here. For example, if this list was full on BackendTLSPolicy, no additional Gateways would be able to reference the Service targeted by the BackendTLSPolicy. items: description: |- PolicyAncestorStatus describes the status of a route with respect to an associated Ancestor. Ancestors refer to objects that are either the Target of a policy or above it in terms of object hierarchy. For example, if a policy targets a Service, the Policy's Ancestors are, in order, the Service, the HTTPRoute, the Gateway, and the GatewayClass. Almost always, in this hierarchy, the Gateway will be the most useful object to place Policy status on, so we recommend that implementations SHOULD use Gateway as the PolicyAncestorStatus object unless the designers have a _very_ good reason otherwise. In the context of policy attachment, the Ancestor is used to distinguish which resource results in a distinct application of this policy. For example, if a policy targets a Service, it may have a distinct result per attached Gateway. Policies targeting the same resource may have different effects depending on the ancestors of those resources. For example, different Gateways targeting the same Service may have different capabilities, especially if they have different underlying implementations. For example, in BackendTLSPolicy, the Policy attaches to a Service that is used as a backend in a HTTPRoute that is itself attached to a Gateway. In this case, the relevant object for status is the Gateway, and that is the ancestor object referred to in this status. Note that a parent is also an ancestor, so for objects where the parent is the relevant object for status, this struct SHOULD still be used. This struct is intended to be used in a slice that's effectively a map, with a composite key made up of the AncestorRef and the ControllerName. properties: ancestorRef: description: |- AncestorRef corresponds with a ParentRef in the spec that this PolicyAncestorStatus struct describes the status of. properties: group: default: networking.gke.io description: |- Group is the group of the referent. When unspecified, "networking.gke.io" is inferred. To set the core API group (such as for a "Service" kind referent), Group must be explicitly set to "" (empty string). Support: Core maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: default: Gateway description: |- Kind is kind of the referent. There are two kinds of parent resources with "Core" support: * Gateway (Gateway conformance profile) * Service (Mesh conformance profile, ClusterIP Services only) Support for other resources is Implementation-Specific. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: |- Name is the name of the referent. Support: Core maxLength: 253 minLength: 1 type: string namespace: description: |- Namespace is the namespace of the referent. When unspecified, this refers to the local namespace of the Route. Note that there are specific rules for ParentRefs which cross namespace boundaries. Cross-namespace references are only valid if they are explicitly allowed by something in the namespace they are referring to. For example: Gateway has the AllowedRoutes field, and ReferenceGrant provides a generic way to enable any other kind of cross-namespace reference. <gateway:experimental:description> ParentRefs from a Route to a Service in the same namespace are "producer" routes, which apply default routing rules to inbound connections from any namespace to the Service. ParentRefs from a Route to a Service in a different namespace are "consumer" routes, and these routing rules are only applied to outbound connections originating from the same namespace as the Route, for which the intended destination of the connections are a Service targeted as a ParentRef of the Route. </gateway:experimental:description> Support: Core maxLength: 63 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$ type: string port: description: |- Port is the network port this Route targets. It can be interpreted differently based on the type of parent resource. When the parent resource is a Gateway, this targets all listeners listening on the specified port that also support this kind of Route(and select this Route). It's not recommended to set `Port` unless the networking behaviors specified in a Route must apply to a specific port as opposed to a listener(s) whose port(s) may be changed. When both Port and SectionName are specified, the name and port of the selected listener must match both specified values. <gateway:experimental:description> When the parent resource is a Service, this targets a specific port in the Service spec. When both Port (experimental) and SectionName are specified, the name and port of the selected port must match both specified values. </gateway:experimental:description> Implementations MAY choose to support other parent resources. Implementations supporting other types of parent resources MUST clearly document how/if Port is interpreted. For the purpose of status, an attachment is considered successful as long as the parent resource accepts it partially. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. Support: Extended format: int32 maximum: 65535 minimum: 1 type: integer sectionName: description: |- SectionName is the name of a section within the target resource. In the following resources, SectionName is interpreted as the following: * Gateway: Listener name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. * Service: Port name. When both Port (experimental) and SectionName are specified, the name and port of the selected listener must match both specified values. Implementations MAY choose to support attaching Routes to other resources. If that is the case, they MUST clearly document how SectionName is interpreted. When unspecified (empty string), this will reference the entire resource. For the purpose of status, an attachment is considered successful if at least one section in the parent resource accepts it. For example, Gateway listeners can restrict which Routes can attach to them by Route kind, namespace, or hostname. If 1 of 2 Gateway listeners accept attachment from the referencing Route, the Route MUST be considered successfully attached. If no Gateway listeners accept attachment from this Route, the Route MUST be considered detached from the Gateway. Support: Core maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string required: - name type: object conditions: description: Conditions describes the status of the Policy with respect to the given Ancestor. items: description: "Condition contains details for one aspect of the current state of this API Resource.\n---\nThis struct is intended for direct use as an array at the field path .status.conditions. For example,\n\n\n\ttype FooStatus struct{\n\t // Represents the observations of a foo's current state.\n\t // Known .status.conditions.type are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t \ // other fields\n\t}" properties: lastTransitionTime: description: |- lastTransitionTime is the last time the condition transitioned from one status to another. This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: description: |- message is a human readable message indicating details about the transition. This may be an empty string. maxLength: 32768 type: string observedGeneration: description: |- observedGeneration represents the .metadata.generation that the condition was set based upon. For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: description: |- reason contains a programmatic identifier indicating the reason for the condition's last transition. Producers of specific condition types may define expected values and meanings for this field, and whether the values are considered a guaranteed API. The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ type: string status: description: status of the condition, one of True, False, Unknown. enum: - "True" - "False" - Unknown type: string type: description: |- type of condition in CamelCase or in foo.example.com/CamelCase. --- Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be useful (see .node.status.conditions), the ability to deconflict is important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string required: - lastTransitionTime - message - reason - status - type type: object maxItems: 8 minItems: 1 type: array x-kubernetes-list-map-keys: - type x-kubernetes-list-type: map controllerName: description: |- ControllerName is a domain/path string that indicates the name of the controller that wrote this status. This corresponds with the controllerName field on GatewayClass. Example: "example.net/gateway-controller". The format of this field is DOMAIN "/" PATH, where DOMAIN and PATH are valid Kubernetes names (https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names). Controllers MUST populate this field when writing status. Controllers should ensure that entries to status populated with their ControllerName are cleaned up when they are no longer necessary. maxLength: 253 minLength: 1 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*\/[A-Za-z0-9\/\-._~%!$&'()*+,;=:]+$ type: string required: - ancestorRef - controllerName type: object maxItems: 16 type: array required: - ancestors type: object required: - spec type: object served: true storage: true subresources: status: {} status: acceptedNames: categories: - gateway-api kind: GCPAuthzPolicy listKind: GCPAuthzPolicyList plural: gcpauthzpolicies singular: gcpauthzpolicy conditions: - lastTransitionTime: "2024-08-01T17:33:32Z" message: no conflicts found reason: NoConflicts status: "True" type: NamesAccepted - lastTransitionTime: "2024-08-01T17:33:32Z" message: the initial names have been accepted reason: InitialNamesAccepted status: "True" type: Established storedVersions: - v1