From b96bdc08f5ee04d7039b22b86d440cf785aae2f5 Mon Sep 17 00:00:00 2001 From: huabing zhao Date: Wed, 8 May 2024 14:23:21 -0700 Subject: [PATCH] add comments Signed-off-by: huabing zhao --- api/v1alpha1/authorization_types.go | 5 ++- api/v1alpha1/zz_generated.deepcopy.go | 36 ++++++++++----- ...ateway.envoyproxy.io_securitypolicies.yaml | 44 ++++++++++++------- site/content/en/latest/api/extension_types.md | 24 +++++++--- 4 files changed, 76 insertions(+), 33 deletions(-) diff --git a/api/v1alpha1/authorization_types.go b/api/v1alpha1/authorization_types.go index f6ba9e218902..989cba6017aa 100644 --- a/api/v1alpha1/authorization_types.go +++ b/api/v1alpha1/authorization_types.go @@ -8,19 +8,22 @@ package v1alpha1 // Authorization defines the authorization configuration. type Authorization struct { // Rules contains all the authorization rules. + // Rules are evaluated in order, the first matching rule will be applied. // // +kubebuilder:validation:MinItems=1 Rules []Rule `json:"rules,omitempty"` } +// Rule defines the single authorization rule. type Rule struct { // Action defines the action to be taken if the rule matches. Action RuleActionType `json:"action"` + // Policies contains the list of authorization policies. Policies []Policy `json:"policies"` } -// Rule defines the single authorization rule. +// Policy defines the authorization policy. type Policy struct { // Subject contains the subject configuration. // If empty, all subjects are included. diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go index 05c2d611acc4..efcb7410cd29 100644 --- a/api/v1alpha1/zz_generated.deepcopy.go +++ b/api/v1alpha1/zz_generated.deepcopy.go @@ -3119,6 +3119,27 @@ func (in *PerRetryPolicy) DeepCopy() *PerRetryPolicy { return out } +// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. +func (in *Policy) DeepCopyInto(out *Policy) { + *out = *in + in.Subject.DeepCopyInto(&out.Subject) + if in.Permissions != nil { + in, out := &in.Permissions, &out.Permissions + *out = make([]string, len(*in)) + copy(*out, *in) + } +} + +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Policy. +func (in *Policy) DeepCopy() *Policy { + if in == nil { + return nil + } + out := new(Policy) + in.DeepCopyInto(out) + return out +} + // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ProcessingModeOptions) DeepCopyInto(out *ProcessingModeOptions) { *out = *in @@ -3831,18 +3852,13 @@ func (in *RetryOn) DeepCopy() *RetryOn { // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *Rule) DeepCopyInto(out *Rule) { *out = *in - if in.Subjects != nil { - in, out := &in.Subjects, &out.Subjects - *out = make([]Subject, len(*in)) + if in.Policies != nil { + in, out := &in.Policies, &out.Policies + *out = make([]Policy, len(*in)) for i := range *in { (*in)[i].DeepCopyInto(&(*out)[i]) } } - if in.Permissions != nil { - in, out := &in.Permissions, &out.Permissions - *out = make([]string, len(*in)) - copy(*out, *in) - } } // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule. @@ -4050,8 +4066,8 @@ func (in *Subject) DeepCopyInto(out *Subject) { *out = *in if in.ClientCIDR != nil { in, out := &in.ClientCIDR, &out.ClientCIDR - *out = new(string) - **out = **in + *out = make([]string, len(*in)) + copy(*out, *in) } } diff --git a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml index 067ada339ead..d29eb5d3e2dc 100644 --- a/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml +++ b/charts/gateway-helm/crds/generated/gateway.envoyproxy.io_securitypolicies.yaml @@ -53,7 +53,9 @@ spec: description: Authorization defines the authorization configuration. properties: rules: - description: Rules contains all the authorization rules. + description: |- + Rules contains all the authorization rules. + Rules are evaluated in order, the first matching rule will be applied. items: description: Rule defines the single authorization rule. properties: @@ -65,29 +67,37 @@ spec: - Deny - Log type: string - permissions: - description: |- - Permissions contains allowed HTTP methods. - If empty, all methods are matching. - items: - type: string - type: array - subjects: - description: |- - Subjects contains the subject configuration. - If empty, all subjects are included. + policies: + description: Policies contains the list of authorization + policies. items: - description: Subject contains the subject configuration. + description: Policy defines the authorization policy. properties: - clientCIDR: + permissions: description: |- - ClientCIDR contains client cidr configuration. - Valid examples are "192.168.1.0/24" or "2001:db8::/64" - type: string + Permissions contains allowed HTTP methods. + If empty, all methods are matching. + items: + type: string + type: array + subjects: + description: |- + Subject contains the subject configuration. + If empty, all subjects are included. + properties: + clientCIDR: + description: |- + ClientCIDR contains client cidr configuration. + Valid examples are "192.168.1.0/24" or "2001:db8::/64" + items: + type: string + type: array + type: object type: object type: array required: - action + - policies type: object minItems: 1 type: array diff --git a/site/content/en/latest/api/extension_types.md b/site/content/en/latest/api/extension_types.md index 45dd4fa0713d..105a97b80dbe 100644 --- a/site/content/en/latest/api/extension_types.md +++ b/site/content/en/latest/api/extension_types.md @@ -182,7 +182,7 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `rules` | _[Rule](#rule) array_ | true | Rules contains all the authorization rules. | +| `rules` | _[Rule](#rule) array_ | true | Rules contains all the authorization rules.
Rules are evaluated in order, the first matching rule will be applied. | #### BackOffPolicy @@ -2248,6 +2248,21 @@ _Appears in:_ | `backOff` | _[BackOffPolicy](#backoffpolicy)_ | false | Backoff is the backoff policy to be applied per retry attempt. gateway uses a fully jittered exponential
back-off algorithm for retries. For additional details,
see https://www.envoyproxy.io/docs/envoy/latest/configuration/http/http_filters/router_filter#config-http-filters-router-x-envoy-max-retries | +#### Policy + + + +Policy defines the authorization policy. + +_Appears in:_ +- [Rule](#rule) + +| Field | Type | Required | Description | +| --- | --- | --- | --- | +| `subjects` | _[Subject](#subject)_ | false | Subject contains the subject configuration.
If empty, all subjects are included. | +| `permissions` | _string array_ | false | Permissions contains allowed HTTP methods.
If empty, all methods are matching. | + + #### ProcessingModeOptions @@ -2890,9 +2905,8 @@ _Appears in:_ | Field | Type | Required | Description | | --- | --- | --- | --- | -| `subjects` | _[Subject](#subject) array_ | false | Subjects contains the subject configuration.
If empty, all subjects are included. | -| `permissions` | _string array_ | false | Permissions contains allowed HTTP methods.
If empty, all methods are matching. | | `action` | _[RuleActionType](#ruleactiontype)_ | true | Action defines the action to be taken if the rule matches. | +| `policies` | _[Policy](#policy) array_ | true | Policies contains the list of authorization policies. | #### RuleActionType @@ -3086,11 +3100,11 @@ _Appears in:_ Subject contains the subject configuration. _Appears in:_ -- [Rule](#rule) +- [Policy](#policy) | Field | Type | Required | Description | | --- | --- | --- | --- | -| `clientCIDR` | _string_ | false | ClientCIDR contains client cidr configuration.
Valid examples are "192.168.1.0/24" or "2001:db8::/64" | +| `clientCIDR` | _string array_ | false | ClientCIDR contains client cidr configuration.
Valid examples are "192.168.1.0/24" or "2001:db8::/64" | #### TCPActiveHealthChecker