// Copyright 2019 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";

// $title: Workload Selector
// $description: Definition of a workload selector.
// $location: https://istio.io/docs/reference/config/type/workload-selector.html
package istio.type.v1beta1;

// Provides the (google.api.field_behavior) field option, used in this file to
// mark fields as REQUIRED.
import "google/api/field_behavior.proto";

option go_package="istio.io/api/type/v1beta1";
// WorkloadSelector specifies the criteria used to determine if a policy can be applied
// to a proxy. The matching criteria includes the metadata associated with a proxy,
// workload instance info such as labels attached to the pod/VM, or any other info
// that the proxy provides to Istio during the initial handshake. If multiple conditions are
// specified, all conditions need to match in order for the workload instance to be
// selected. Currently, only label based selection mechanism is supported.
//
// The `+kubebuilder` / `+protoc-gen-crd` markers on the fields below are read by
// the CRD generator; the constraints they express are not enforced by the
// protobuf type itself, so a consumer that obtains this message by a path other
// than a validated CRD should not assume they have been applied.
message WorkloadSelector {
  // One or more labels that indicate a specific set of pods/VMs
  // on which a policy should be applied. The scope of label search is restricted to
  // the configuration namespace in which the resource is present.
  //
  // Every listed label must be present on the workload for it to match (see the
  // message comment above); keys and values are compared literally, and the
  // validation rules below reject wildcard characters, empty keys, values longer
  // than 63 characters, and more than 4096 entries.
  // +kubebuilder:validation:XValidation:message="wildcard not allowed in label key match",rule="self.all(key, !key.contains('*'))"
  // +kubebuilder:validation:XValidation:message="key must not be empty",rule="self.all(key, key.size() != 0)"
  // +protoc-gen-crd:map-value-validation:XValidation:message="wildcard not allowed in label value match",rule="!self.contains('*')"
  // +protoc-gen-crd:map-value-validation:MaxLength=63
  // +kubebuilder:validation:MaxProperties=4096
  map<string, string> match_labels = 1;
}
// PortSelector is the criteria for specifying if a policy can be applied to
// a listener having a specific port.
message PortSelector {
  // Port number. The 1-65535 range is enforced only by the CRD validation
  // markers below; the wire type is an unconstrained uint32, so consumers that
  // do not go through CRD validation must range-check it themselves.
  // +kubebuilder:validation:Minimum=1
  // +kubebuilder:validation:Maximum=65535
  uint32 number = 1 [(google.api.field_behavior) = REQUIRED];
}
// WorkloadMode allows selection of the role of the underlying workload in
// network traffic. A workload is considered as acting as a SERVER if it is
// the destination of the traffic (that is, traffic direction, from the
// perspective of the workload is *inbound*). If the workload is the source of
// the network traffic, it is considered to be in CLIENT mode (traffic is
// *outbound* from the workload).
//
// NOTE(review): the values are not prefixed with the enum name, which departs
// from the usual `WORKLOAD_MODE_*` convention; renaming them now would be a
// source-breaking change to generated code on a published API, so they are
// left as-is. Consumers should treat values they do not recognize (future
// additions) the same way they treat UNDEFINED rather than failing open.
enum WorkloadMode {
  // Default value, which will be interpreted by its own usage. Each field that
  // uses this enum defines what UNDEFINED means in its context.
  UNDEFINED = 0;
  // Selects for scenarios when the workload is the
  // source of the network traffic. In addition,
  // if the workload is a gateway, selects this.
  CLIENT = 1;
  // Selects for scenarios when the workload is the
  // destination of the network traffic.
  SERVER = 2;
  // Selects for scenarios when the workload is either the
  // source or destination of the network traffic.
  CLIENT_AND_SERVER = 3;
}
// PolicyTargetReference format as defined by [GEP-2648](https://gateway-api.sigs.k8s.io/geps/gep-2648/#direct-policy-design-rules).
//
// PolicyTargetReference specifies the targeted resource which the policy
// should be applied to. It must only target a single resource at a time, but it
// can be used to target larger resources such as Gateways that may apply to
// multiple child resources. The PolicyTargetReference will be used instead of
// a WorkloadSelector in the RequestAuthentication, AuthorizationPolicy,
// Telemetry, and WasmPlugin CRDs to target a Kubernetes Gateway.
//
// The following is an example of an AuthorizationPolicy bound to a waypoint proxy using
// a PolicyTargetReference. The example sets `action` to `DENY` to create a deny policy.
// It denies all the requests with `POST` method on port `8080` directed through the
// `waypoint` Gateway in the `foo` namespace.
//
// ```yaml
// apiVersion: security.istio.io/v1
// kind: AuthorizationPolicy
// metadata:
//   name: httpbin
//   namespace: foo
// spec:
//   targetRefs:
//   - name: waypoint
//     kind: Gateway
//     group: gateway.networking.k8s.io
//   action: DENY
//   rules:
//   - to:
//     - operation:
//         methods: ["POST"]
//         ports: ["8080"]
// ```
//
// The CRD rule below restricts the referent to a Service (group "core" or ""),
// an Istio ServiceEntry, or a Gateway API Gateway; like the per-field markers,
// it is enforced by CRD validation, not by the protobuf type.
// +kubebuilder:validation:XValidation:message="Support kinds are core/Service, networking.istio.io/ServiceEntry, gateway.networking.k8s.io/Gateway",rule="[self.group, self.kind] in [['core','Service'], ['','Service'], ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]"
message PolicyTargetReference {
  // group is the group of the target resource. May be empty; the pattern
  // below accepts "" as well as a DNS-style group name.
  // +kubebuilder:validation:MaxLength=253
  // +kubebuilder:validation:Pattern=`^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`
  string group = 1;
  // kind is kind of the target resource.
  // +kubebuilder:validation:MinLength=1
  // +kubebuilder:validation:MaxLength=63
  // +kubebuilder:validation:Pattern=`^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$`
  string kind = 2 [(google.api.field_behavior) = REQUIRED];
  // name is the name of the target resource.
  // +kubebuilder:validation:MinLength=1
  // +kubebuilder:validation:MaxLength=253
  string name = 3 [(google.api.field_behavior) = REQUIRED];
  // namespace is the namespace of the referent. When unspecified, the local
  // namespace is inferred.
  //
  // The rule below currently requires this field to be empty, so a policy can
  // only reference a resource in its own namespace; the field exists so that
  // cross-namespace references can be enabled later without a schema change.
  // +kubebuilder:validation:XValidation:message="cross namespace referencing is not currently supported",rule="self.size() == 0"
  string namespace = 4;
}