{ "properties": { "spec": { "description": "Configuration for access control on workloads. See more details at: https://istio.io/docs/reference/config/security/authorization-policy.html", "oneOf": [ { "not": { "anyOf": [ { "required": [ "provider" ] } ] } }, { "required": [ "provider" ] } ], "properties": { "action": { "description": "Optional.\n\nValid Options: ALLOW, DENY, AUDIT, CUSTOM", "enum": [ "ALLOW", "DENY", "AUDIT", "CUSTOM" ], "type": "string" }, "provider": { "description": "Specifies detailed configuration of the CUSTOM action.", "properties": { "name": { "description": "Specifies the name of the extension provider.", "type": "string" } }, "type": "object", "additionalProperties": false }, "rules": { "description": "Optional.", "items": { "properties": { "from": { "description": "Optional.", "items": { "properties": { "source": { "description": "Source specifies the source of a request.", "properties": { "ipBlocks": { "description": "Optional.", "items": { "type": "string" }, "type": "array" }, "namespaces": { "description": "Optional.", "items": { "type": "string" }, "type": "array" }, "notIpBlocks": { "description": "Optional.", "items": { "type": "string" }, "type": "array" }, "notNamespaces": { "description": "Optional.", "items": { "type": "string" }, "type": "array" }, "notPrincipals": { "description": "Optional.", "items": { "type": "string" }, "type": "array" }, "notRemoteIpBlocks": { "description": "Optional.", "items": { "type": "string" }, "type": "array" }, "notRequestPrincipals": { "description": "Optional.", "items": { "type": "string" }, "type": "array" }, "principals": { "description": "Optional.", "items": { "type": "string" }, "type": "array" }, "remoteIpBlocks": { "description": "Optional.", "items": { "type": "string" }, "type": "array" }, "requestPrincipals": { "description": "Optional.", "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" }, "to": { "description": "Optional.", "items": { "properties": { "operation": { "description": "Operation specifies the operation of a request.", "properties": { "hosts": { "description": "Optional.", "items": { "type": "string" }, "type": "array" }, "methods": { "description": "Optional.", "items": { "type": "string" }, "type": "array" }, "notHosts": { "description": "Optional.", "items": { "type": "string" }, "type": "array" }, "notMethods": { "description": "Optional.", "items": { "type": "string" }, "type": "array" }, "notPaths": { "description": "Optional.", "items": { "type": "string" }, "type": "array" }, "notPorts": { "description": "Optional.", "items": { "type": "string" }, "type": "array" }, "paths": { "description": "Optional.", "items": { "type": "string" }, "type": "array" }, "ports": { "description": "Optional.", "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" }, "when": { "description": "Optional.", "items": { "properties": { "key": { "description": "The name of an Istio attribute.", "type": "string" }, "notValues": { "description": "Optional.", "items": { "type": "string" }, "type": "array" }, "values": { "description": "Optional.", "items": { "type": "string" }, "type": "array" } }, "required": [ "key" ], "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "selector": { "description": "Optional.", "properties": { "matchLabels": { "additionalProperties": { "maxLength": 63, "type": "string", "x-kubernetes-validations": [ { "message": "wildcard not allowed in label value match", "rule": "!self.contains('*')" } ] }, "description": "One or more labels that indicate a specific set of pods/VMs on which a policy should be applied.", "maxProperties": 4096, "type": "object", "x-kubernetes-validations": [ { "message": "wildcard not allowed in label key match", "rule": "self.all(key, !key.contains('*'))" }, { "message": "key must not be empty", "rule": "self.all(key, key.size() != 0)" } ] } }, "type": "object", "additionalProperties": false }, "targetRef": { "properties": { "group": { "description": "group is the group of the target resource.", "maxLength": 253, "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "kind": { "description": "kind is kind of the target resource.", "maxLength": 63, "minLength": 1, "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", "type": "string" }, "name": { "description": "name is the name of the target resource.", "maxLength": 253, "minLength": 1, "type": "string" }, "namespace": { "description": "namespace is the namespace of the referent.", "type": "string", "x-kubernetes-validations": [ { "message": "cross namespace referencing is not currently supported", "rule": "self.size() == 0" } ] } }, "required": [ "kind", "name" ], "type": "object", "x-kubernetes-validations": [ { "message": "Support kinds are core/Service and gateway.networking.k8s.io/Gateway", "rule": "[self.group, self.kind] in [['core','Service'], ['','Service'], ['gateway.networking.k8s.io','Gateway']]" } ], "additionalProperties": false }, "targetRefs": { "description": "Optional.", "items": { "properties": { "group": { "description": "group is the group of the target resource.", "maxLength": 253, "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "kind": { "description": "kind is kind of the target resource.", "maxLength": 63, "minLength": 1, "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", "type": "string" }, "name": { "description": "name is the name of the target resource.", "maxLength": 253, "minLength": 1, "type": "string" }, "namespace": { "description": "namespace is the namespace of the referent.", "type": "string", "x-kubernetes-validations": [ { "message": "cross namespace referencing is not currently supported", "rule": "self.size() == 0" } ] } }, "required": [ "kind", "name" ], "type": "object", "x-kubernetes-validations": [ { "message": "Support kinds are core/Service and gateway.networking.k8s.io/Gateway", "rule": "[self.group, self.kind] in [['core','Service'], ['','Service'], ['gateway.networking.k8s.io','Gateway']]" } ], "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "status": { "type": "object", "x-kubernetes-preserve-unknown-fields": true } }, "type": "object" }