envoyproxy · zhaohuabing · May 12, 2024 · Feb 20, 2024 · May 8, 2024 · May 9, 2024
@@ -0,0 +1,56 @@
+// Copyright Envoy Gateway Authors
+// SPDX-License-Identifier: Apache-2.0
+// The full text of the Apache license is available in the LICENSE file at
+// the root of the repo.
+
+package v1alpha1
+
+// Authorization defines the authorization configuration.
+type Authorization struct {
+	// Rules contains all the authorization rules.
+	// Rules are evaluated in order, the first matching rule will be applied,
+	// and the rest will be skipped.
+	//
+	// +kubebuilder:validation:MinItems=1
+	Rules []Rule `json:"rules,omitempty"`
+}
+
+// Rule defines the single authorization rule.
+type Rule struct {
+	// Action defines the action to be taken if the rule matches.
+	Action RuleActionType `json:"action"`
+
+	// Subject contains the subject configuration.
+	// If empty, all subjects are included.
+	//
+	// +optional
+	Subject Subject `json:"subjects,omitempty"`
+
+	// Permissions contains allowed HTTP methods.
+	// If empty, all methods are matching.
+	//
+	// +optional
+	// Permissions []string `json:"permissions,omitempty"`
+}
+
+// Subject contains the subject configuration.
+type Subject struct {
+	// ClientCIDR contains client cidr configuration.
+	// Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+	//
+	// +optional
+	ClientCIDR []string `json:"clientCIDR,omitempty"`
+}
+
+// RuleActionType specifies the types of authorization rule action.
+// +kubebuilder:validation:Enum=Allow;Deny;Log
+type RuleActionType string
+
+const (
+	// Allow is the action to allow the request.
+	Allow RuleActionType = "Allow"
+	// Deny is the action to deny the request.
+	Deny RuleActionType = "Deny"
+	// Log is the action to log the request.
+	Log RuleActionType = "Log"
+)
@@ -69,6 +69,12 @@ type SecurityPolicySpec struct {
 	//
 	// +optional
 	ExtAuth *ExtAuth `json:"extAuth,omitempty"`
+
+	// Authorization defines the authorization configuration.
+	//
+	// +optional
+	// +notImplementedHide
+	Authorization *Authorization `json:"authorization,omitempty"`
 }
 
 //+kubebuilder:object:root=true

@@ -49,6 +49,44 @@ spec:
           spec:
             description: Spec defines the desired state of SecurityPolicy.
             properties:
+              authorization:
+                description: Authorization defines the authorization configuration.
+                properties:
+                  rules:
+                    description: |-
+                      Rules contains all the authorization rules.
+                      Rules are evaluated in order, the first matching rule will be applied,
+                      and the rest will be skipped.
+                    items:
+                      description: Rule defines the single authorization rule.
+                      properties:
+                        action:
+                          description: Action defines the action to be taken if the
+                            rule matches.
+                          enum:
+                          - Allow
+                          - Deny
+                          - Log
+                          type: string
+                        subjects:
+                          description: |-
+                            Subject contains the subject configuration.
+                            If empty, all subjects are included.
+                          properties:
+                            clientCIDR:
+                              description: |-
+                                ClientCIDR contains client cidr configuration.
+                                Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+                              items:
+                                type: string
+                              type: array
+                          type: object
+                      required:
+                      - action
+                      type: object
+                    minItems: 1
+                    type: array
+                type: object
               basicAuth:
                 description: BasicAuth defines the configuration for the HTTP Basic
                   Authentication.

@@ -171,6 +171,20 @@ _Appears in:_
 | `TCP` | ActiveHealthCheckerTypeTCP defines the TCP type of health checking.<br /> | 
 
 
+#### Authorization
+
+
+
+Authorization defines the authorization configuration.
+
+_Appears in:_
+- [SecurityPolicySpec](#securitypolicyspec)
+
+| Field | Type | Required | Description |
+| ---   | ---  | ---      | ---         |
+| `rules` | _[Rule](#rule) array_ |  true  | Rules contains all the authorization rules.<br />Rules are evaluated in order, the first matching rule will be applied,<br />and the rest will be skipped. |
+
+
 #### BackOffPolicy
 
 
@@ -2865,6 +2879,37 @@ _Appears in:_
 | `httpStatusCodes` | _[HTTPStatus](#httpstatus) array_ |  false  | HttpStatusCodes specifies the http status codes to be retried.<br />The retriable-status-codes trigger must also be configured for these status codes to trigger a retry. |
 
 
+#### Rule
+
+
+
+Rule defines the single authorization rule.
+
+_Appears in:_
+- [Authorization](#authorization)
+
+| Field | Type | Required | Description |
+| ---   | ---  | ---      | ---         |
+| `action` | _[RuleActionType](#ruleactiontype)_ |  true  | Action defines the action to be taken if the rule matches. |
+| `subjects` | _[Subject](#subject)_ |  false  | Subject contains the subject configuration.<br />If empty, all subjects are included. |
+
+
+#### RuleActionType
+
+_Underlying type:_ _string_
+
+RuleActionType specifies the types of authorization rule action.
+
+_Appears in:_
+- [Rule](#rule)
+
+| Value | Description |
+| ----- | ----------- |
+| `Allow` | Allow is the action to allow the request.<br /> | 
+| `Deny` | Deny is the action to deny the request.<br /> | 
+| `Log` | Log is the action to log the request.<br /> | 
+
+
 #### SecurityPolicy
 
 
@@ -3032,6 +3077,20 @@ _Appears in:_
 | `RegularExpression` | StringMatchRegularExpression :The input string must match the regular expression<br />specified in the match value.<br />The regex string must adhere to the syntax documented in<br />https://github.com/google/re2/wiki/Syntax.<br /> | 
 
 
+#### Subject
+
+
+
+Subject contains the subject configuration.
+
+_Appears in:_
+- [Rule](#rule)
+
+| Field | Type | Required | Description |
+| ---   | ---  | ---      | ---         |
+| `clientCIDR` | _string array_ |  false  | ClientCIDR contains client cidr configuration.<br />Valid examples are "192.168.1.0/24" or "2001:db8::/64" |
+
+
 #### TCPActiveHealthChecker