diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go
index f6ba9e218902..989cba6017aa 100644
--- a/api/v1alpha1/authorization_types.go
+++ b/api/v1alpha1/authorization_types.go
@@ -8,19 +8,22 @@ package v1alpha1
// Authorization defines the authorization configuration.
type Authorization struct {
// Rules contains all the authorization rules.
+ // Rules are evaluated in order, the first matching rule will be applied.
//
// +kubebuilder:validation:MinItems=1
Rules []Rule `json:"rules,omitempty"`
}
+// Rule defines the single authorization rule.
type Rule struct {
// Action defines the action to be taken if the rule matches.
Action RuleActionType `json:"action"`
+ // Policies contains the list of authorization policies.
Policies []Policy `json:"policies"`
}
-// Rule defines the single authorization rule.
+// Policy defines the authorization policy.
type Policy struct {
// Subject contains the subject configuration.
// If empty, all subjects are included.
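Review bot: The new `Policies []Policy \`json:"policies"\`` field carries no `+kubebuilder:validation:MinItems=1` marker, unlike `Rules` a few lines above, so a rule with `policies: []` passes admission while the new comment does not say whether such a rule matches everything or nothing — for an Allow rule that difference is fail-open versus fail-closed. Mirroring the Rules marker with `// +kubebuilder:validation:MinItems=1` above the field would close that gap, or the comment should state the empty-list semantics explicitly. The added Rules comment also leaves unstated what happens when no rule matches at all; a sentence such as `// If no rule matches, the request is <denied or allowed - confirm against the translator>.` would pin down the default behaviour that operators will rely on when writing deny-by-default policies. The Policy struct's definition continues past the end of this hunk, so its remaining fields were not reviewed here.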
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 05c2d611acc4..efcb7410cd29 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -3119,6 +3119,27 @@ func (in *PerRetryPolicy) DeepCopy() *PerRetryPolicy {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Policy) DeepCopyInto(out *Policy) {
+ *out = *in
+ in.Subject.DeepCopyInto(&out.Subject)
+ if in.Permissions != nil {
+ in, out := &in.Permissions, &out.Permissions
+ *out = make([]string, len(*in))
+ copy(*out, *in)
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy.
+func (in *Policy) DeepCopy() *Policy {
+ if in == nil {
+ return nil
+ }
+ out := new(Policy)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *ProcessingModeOptions) DeepCopyInto(out *ProcessingModeOptions) {
*out = *in
@@ -3831,18 +3852,13 @@ func (in *RetryOn) DeepCopy() *RetryOn {
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *Rule) DeepCopyInto(out *Rule) {
*out = *in
- if in.Subjects != nil {
- in, out := &in.Subjects, &out.Subjects
- *out = make([]Subject, len(*in))
+ if in.Policies != nil {
+ in, out := &in.Policies, &out.Policies
+ *out = make([]Policy, len(*in))
for i := range *in {
(*in)[i].DeepCopyInto(&(*out)[i])
}
}
- if in.Permissions != nil {
- in, out := &in.Permissions, &out.Permissions
- *out = make([]string, len(*in))
- copy(*out, *in)
- }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule.
@@ -4050,8 +4066,8 @@ func (in *Subject) DeepCopyInto(out *Subject) {
*out = *in
if in.ClientCIDR != nil {
in, out := &in.ClientCIDR, &out.ClientCIDR
- *out = new(string)
- **out = **in
+ *out = make([]string, len(*in))
+ copy(*out, *in)
}
}
diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
index 067ada339ead..d29eb5d3e2dc 100644
--- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
+++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml
@@ -53,7 +53,9 @@ spec:
description: Authorization defines the authorization configuration.
properties:
rules:
- description: Rules contains all the authorization rules.
+ description: |-
+ Rules contains all the authorization rules.
+ Rules are evaluated in order, the first matching rule will be applied.
items:
description: Rule defines the single authorization rule.
properties:
@@ -65,29 +67,37 @@ spec:
- Deny
- Log
type: string
- permissions:
- description: |-
- Permissions contains allowed HTTP methods.
- If empty, all methods are matching.
- items:
- type: string
- type: array
- subjects:
- description: |-
- Subjects contains the subject configuration.
- If empty, all subjects are included.
+ policies:
+ description: Policies contains the list of authorization
+ policies.
items:
- description: Subject contains the subject configuration.
+ description: Policy defines the authorization policy.
properties:
- clientCIDR:
+ permissions:
description: |-
- ClientCIDR contains client cidr configuration.
- Valid examples are "192.168.1.0/24" or "2001:db8::/64"
- type: string
+ Permissions contains allowed HTTP methods.
+ If empty, all methods are matching.
+ items:
+ type: string
+ type: array
+ subjects:
+ description: |-
+ Subject contains the subject configuration.
+ If empty, all subjects are included.
+ properties:
+ clientCIDR:
+ description: |-
+ ClientCIDR contains client cidr configuration.
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ items:
+ type: string
+ type: array
+ type: object
type: object
type: array
required:
- action
+ - policies
type: object
minItems: 1
type: array
diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md
index 45dd4fa0713d..105a97b80dbe 100644
--- a/site/content/en/latest/api/extension_types.md
+++ b/site/content/en/latest/api/extension_types.md
@@ -182,7 +182,7 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `rules` | _[Rule](#rule) array_ | true | Rules contains all the authorization rules. |
+| `rules` | _[Rule](#rule) array_ | true | Rules contains all the authorization rules.
Rules are evaluated in order, the first matching rule will be applied. |
#### BackOffPolicy
@@ -2248,6 +2248,21 @@ _Appears in:_
| `backOff` | _[BackOffPolicy](#backoffpolicy)_ | false | Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
back-off algorithm for retries. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries |
+#### Policy
+
+
+
+Policy defines the authorization policy.
+
+_Appears in:_
+- [Rule](#rule)
+
+| Field | Type | Required | Description |
+| --- | --- | --- | --- |
+| `subjects` | _[Subject](#subject)_ | false | Subject contains the subject configuration.
If empty, all subjects are included. |
+| `permissions` | _string array_ | false | Permissions contains allowed HTTP methods.
If empty, all methods are matching. |
+
+
#### ProcessingModeOptions
@@ -2890,9 +2905,8 @@ _Appears in:_
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `subjects` | _[Subject](#subject) array_ | false | Subjects contains the subject configuration.
If empty, all subjects are included. |
-| `permissions` | _string array_ | false | Permissions contains allowed HTTP methods.
If empty, all methods are matching. |
| `action` | _[RuleActionType](#ruleactiontype)_ | true | Action defines the action to be taken if the rule matches. |
+| `policies` | _[Policy](#policy) array_ | true | Policies contains the list of authorization policies. |
#### RuleActionType
@@ -3086,11 +3100,11 @@ _Appears in:_
Subject contains the subject configuration.
_Appears in:_
-- [Rule](#rule)
+- [Policy](#policy)
| Field | Type | Required | Description |
| --- | --- | --- | --- |
-| `clientCIDR` | _string_ | false | ClientCIDR contains client cidr configuration.
Valid examples are "192.168.1.0/24" or "2001:db8::/64" |
+| `clientCIDR` | _string array_ | false | ClientCIDR contains client cidr configuration.
Valid examples are "192.168.1.0/24" or "2001:db8::/64" |
#### TCPActiveHealthChecker