This repository has been archived by the owner on Sep 30, 2021. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 3
/
authz.yml
203 lines (180 loc) · 7.69 KB
/
authz.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: serverauthorizations.polixy.linkerd.io
labels:
polixy.linkerd.io/crd: authz
spec:
group: polixy.linkerd.io
scope: Namespaced
names:
kind: ServerAuthorization
plural: serverauthorizations
singular: serverauthorization
shortNames: [srvauthz]
versions:
- name: v1alpha1
served: true
storage: true
additionalPrinterColumns:
- jsonPath: .spec.server.name
name: server
type: string
- jsonPath: .spec.client.networks[*]
name: networks
type: string
- jsonPath: .spec.client.identities[*]
name: identities
type: string
- jsonPath: .spec.client.serviceAccounts[*]
name: service accounts
type: string
schema:
openAPIV3Schema:
type: object
required: [spec]
properties:
spec:
description: >-
Authorizes clients to communicate with Linkerd-proxied servers.
type: object
required: [server, client]
properties:
server:
description: >-
Identifies servers in the same namespace for which this
authorization applies.
Only one of `name` or `selector` may be specified.
type: object
oneOf:
- required: [name]
- required: [selector]
properties:
name:
description: References a `Server` instance by name
type: string
pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
selector:
description: >-
A label query over servers on which this authorization applies.
type: object
oneOf:
- required: [matchLabels]
- required: [matchExpressions]
properties:
matchLabels:
type: object
x-kubernetes-preserve-unknown-fields: true
matchExpressions:
type: array
items:
type: object
required: [key, operator, value]
properties:
key:
type: string
operator:
type: string
enum: [In, NotIn]
values:
type: array
items:
type: string
client:
description: Describes clients authorized to access a server.
type: object
oneOf:
- required: [meshTLS]
- required: [unauthenticated]
properties:
networks:
description: >-
Limits the client IP addresses to which this
authorization applies. If unset, the server chooses a
default (typically, all IPs or the cluster's pod
network).
type: array
items:
type: object
required: [cidr]
properties:
cidr:
type: string
except:
type: array
items:
type: string
unauthenticated:
description: >-
Authorizes unauthenticated clients to access a server.
type: boolean
meshTLS:
type: object
oneOf:
- required: [unauthenticatedTLS]
- required: [identities]
- required: [serviceAccounts]
properties:
unauthenticatedTLS:
type: boolean
description: >-
Indicates that no client identity is required for
communication.
This is mostly important for the identity
controller, which must terminate TLS connections
from clients that do not yet have a certificate.
identities:
description: >-
Authorizes clients with the provided proxy identity
strings (as provided via MTLS)
The `*` prefix can be used to match all identities in
a domain. An identity string of `*` indicates that
all authentication clients are authorized.
type: array
items:
type: string
pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
serviceAccounts:
description: >-
Authorizes clients with the provided proxy identity
service accounts (as provided via MTLS)
type: array
items:
type: object
required: [name]
properties:
name:
description: The ServiceAccount's name.
type: string
pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
namespace:
description: >-
The ServiceAccount's namespace. If unset, the
authorization's namespace is usd.
type: string
pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
#selector:
# type: object
# oneOf:
# - required: [matchLabels]
# - required: [matchExpressions]
# properties:
# matchLabels:
# type: object
# x-kubernetes-preserve-unknown-fields: true
# matchExpressions:
# type: array
# items:
# type: object
# required: [key, operator, values]
# properties:
# key:
# type: string
# operator:
# type: string
# enum: [In, NotIn]
# values:
# type: array
# type: string
# items: