Skip to content
Permalink
Branch: master
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
303 lines (256 sloc) 11.8 KB
// Copyright 2018 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
// $title: RBAC
// $description: Configuration for Role Based Access Control.
// $location: https://istio.io/docs/reference/config/authorization/istio.rbac.v1alpha1.html
// Istio RBAC (Role Based Access Control) defines ServiceRole and ServiceRoleBinding
// objects.
//
// A ServiceRole specification includes a list of rules (permissions). Each rule has
// the following standard fields:
//
// * services: a list of services.
// * methods: HTTP methods. In the case of gRPC, this field is ignored because the value is always "POST".
// * paths: HTTP paths or gRPC methods. Note that gRPC methods should be
// presented in the form of "/packageName.serviceName/methodName" and are case sensitive.
//
// In addition to the standard fields, operators can also use custom keys in the `constraints` field,
// the supported keys are listed in the "constraints and properties" page.
//
// Below is an example of ServiceRole object "product-viewer", which has "read" ("GET" and "HEAD")
// access to "products.svc.cluster.local" service at versions "v1" and "v2". "path" is not specified,
// so it applies to any path in the service.
//
// ```yaml
// apiVersion: "rbac.istio.io/v1alpha1"
// kind: ServiceRole
// metadata:
// name: products-viewer
// namespace: default
// spec:
// rules:
// - services: ["products.svc.cluster.local"]
// methods: ["GET", "HEAD"]
// constraints:
// - key: "destination.labels[version]"
// value: ["v1", "v2"]
// ```
//
// A ServiceRoleBinding specification includes two parts:
//
// * The `roleRef` field that refers to a ServiceRole object in the same namespace.
// * A list of `subjects` that are assigned the roles.
//
// In addition to a simple `user` field, operators can also use custom keys in the `properties` field,
// the supported keys are listed in the "constraints and properties" page.
//
// Below is an example of ServiceRoleBinding object "test-binding-products", which binds two subjects
// to ServiceRole "product-viewer":
//
// * User "alice@yahoo.com"
// * Services in "abc" namespace.
//
// ```yaml
// apiVersion: "rbac.istio.io/v1alpha1"
// kind: ServiceRoleBinding
// metadata:
// name: test-binding-products
// namespace: default
// spec:
// subjects:
// - user: alice@yahoo.com
// - properties:
// source.namespace: "abc"
// roleRef:
// kind: ServiceRole
// name: "products-viewer"
// ```
package istio.rbac.v1alpha1;
option go_package = "github.com/solo-io/supergloo/pkg/api/external/istio/rbac/v1alpha1";
import "github.com/solo-io/solo-kit/api/v1/metadata.proto";
import "github.com/solo-io/solo-kit/api/v1/status.proto";
import "github.com/solo-io/solo-kit/api/v1/solo-kit.proto";
import "gogoproto/gogo.proto";
option (gogoproto.equal_all) = true;
// ServiceRole specification contains a list of access rules (permissions).
// This represent the "Spec" part of the ServiceRole object. The name and namespace
// of the ServiceRole is specified in "metadata" section of the ServiceRole object.
message ServiceRole {
option (core.solo.io.resource).short_name = "servicerole";
option (core.solo.io.resource).plural_name = "serviceroles";
// Status indicates the validation status of this resource.
// Status is read-only by clients, and set by supergloo during validation
core.solo.io.Status status = 100 [(gogoproto.nullable) = false, (gogoproto.moretags) = "testdiff:\"ignore\""];
// Metadata contains the object metadata for this resource
core.solo.io.Metadata metadata = 101 [(gogoproto.nullable) = false];
// Required. The set of access rules (permissions) that the role has.
repeated AccessRule rules = 1;
}
// AccessRule defines a permission to access a list of services.
message AccessRule {
// Required. A list of service names.
// Exact match, prefix match, and suffix match are supported for service names.
// For example, the service name "bookstore.mtv.cluster.local" matches
// "bookstore.mtv.cluster.local" (exact match), or "bookstore*" (prefix match),
// or "*.mtv.cluster.local" (suffix match).
// If set to ["*"], it refers to all services in the namespace.
repeated string services = 1;
// Optional. A list of HTTP paths or gRPC methods.
// gRPC methods must be presented as fully-qualified name in the form of
// "/packageName.serviceName/methodName" and are case sensitive.
// Exact match, prefix match, and suffix match are supported for paths.
// For example, the path "/books/review" matches
// "/books/review" (exact match), or "/books/*" (prefix match),
// or "*/review" (suffix match).
// If not specified, it applies to any path.
repeated string paths = 2;
// Optional. A list of HTTP methods (e.g., "GET", "POST").
// It is ignored in gRPC case because the value is always "POST".
// If set to ["*"] or not specified, it applies to any method.
repeated string methods = 3;
// Definition of a custom constraint. The supported keys are listed in the "constraint and properties" page.
message Constraint {
// Key of the constraint.
string key = 1;
// List of valid values for the constraint.
// Exact match, prefix match, and suffix match are supported for constraint values.
// For example, the value "v1alpha2" matches
// "v1alpha2" (exact match), or "v1*" (prefix match),
// or "*alpha2" (suffix match).
repeated string values = 2;
}
// Optional. Extra constraints in the ServiceRole specification.
// The above ServiceRole example shows an example of constraint "version".
repeated Constraint constraints = 4;
}
// $hide_from_docs
// RBAC ServiceRoleBinding enforcement mode, used to verify new ServiceRoleBinding
// configs work as expected before rolling to production. RBAC engine only logs results
// from configs that are in permissive mode, and discards result before returning
// to the user.
enum EnforcementMode {
// Policy in ENFORCED mode has impact on user experience.
// Policy is in ENFORCED mode by default.
ENFORCED = 0;
// Policy in PERMISSIVE mode isn't enforced and has no impact on users.
// RBAC engine run policies in PERMISSIVE mode and logs stats.
PERMISSIVE = 1;
}
// ServiceRoleBinding assigns a ServiceRole to a list of subjects.
// This represents the "Spec" part of the ServiceRoleBinding object. The name and namespace
// of the ServiceRoleBinding is specified in "metadata" section of the ServiceRoleBinding
// object.
message ServiceRoleBinding {
option (core.solo.io.resource).short_name = "servicerolebinding";
option (core.solo.io.resource).plural_name = "servicerolebindings";
// Status indicates the validation status of this resource.
// Status is read-only by clients, and set by supergloo during validation
core.solo.io.Status status = 100 [(gogoproto.nullable) = false, (gogoproto.moretags) = "testdiff:\"ignore\""];
// Metadata contains the object metadata for this resource
core.solo.io.Metadata metadata = 101 [(gogoproto.nullable) = false];
// Required. List of subjects that are assigned the ServiceRole object.
repeated Subject subjects = 1;
// Required. Reference to the ServiceRole object.
RoleRef roleRef = 2;
// $hide_from_docs
// Indicates enforcement mode of the ServiceRoleBinding.
EnforcementMode mode = 3;
}
// Subject defines an identity. The identity is either a user or identified by a set of `properties`.
// The supported keys in `properties` are listed in "constraint and properties" page.
message Subject {
// Optional. The user name/ID that the subject represents.
string user = 1;
// $hide_from_docs
// Optional. The group that the subject belongs to.
string group = 2;
// Optional. The set of properties that identify the subject.
// The above ServiceRoleBinding example shows an example of property "source.namespace".
map<string, string> properties = 3;
}
// RoleRef refers to a role object.
message RoleRef {
// Required. The type of the role being referenced.
// Currently, "ServiceRole" is the only supported value for "kind".
string kind = 1;
// Required. The name of the ServiceRole object being referenced.
// The ServiceRole object must be in the same namespace as the ServiceRoleBinding
// object.
string name = 2;
}
// RbacConfig defines the global config to control Istio RBAC behavior.
// This Custom Resource is a singleton where only one Custom Resource should be created globally in
// the mesh and the namespace should be the same to other Istio components, which usually is istio-system.
// Note: This is enforced in both istioctl and server side, new Custom Resource will be rejected if found any
// existing one, the user should either delete the existing one or change the existing one directly.
//
// Below is an example of RbacConfig object "istio-rbac-config" which enables Istio RBAC for all
// services in the default namespace.
//
// ```yaml
// apiVersion: "rbac.istio.io/v1alpha1"
// kind: RbacConfig
// metadata:
// name: default
// namespace: istio-system
// spec:
// mode: ON_WITH_INCLUSION
// inclusion:
// namespaces: [ "default" ]
// ```
message RbacConfig {
option (core.solo.io.resource).short_name = "rbacconfig";
option (core.solo.io.resource).plural_name = "rbacconfigs";
// Status indicates the validation status of this resource.
// Status is read-only by clients, and set by supergloo during validation
core.solo.io.Status status = 100 [(gogoproto.nullable) = false, (gogoproto.moretags) = "testdiff:\"ignore\""];
// Metadata contains the object metadata for this resource
core.solo.io.Metadata metadata = 101 [(gogoproto.nullable) = false];
enum Mode {
// Disable Istio RBAC completely, any other config in RbacConfig will be ignored and Istio RBAC policies
// will not be enforced.
OFF = 0;
// Enable Istio RBAC for all services and namespaces.
ON = 1;
// Enable Istio RBAC only for services and namespaces specified in the inclusion field. Any other
// services and namespaces not in the inclusion field will not be enforced by Istio RBAC policies.
ON_WITH_INCLUSION = 2;
// Enable Istio RBAC for all services and namespaces except those specified in the exclusion field. Any other
// services and namespaces not in the exclusion field will be enforced by Istio RBAC policies.
ON_WITH_EXCLUSION = 3;
}
// Istio RBAC mode.
Mode mode = 1;
// Target defines a list of services or namespaces.
message Target {
// A list of services.
repeated string services = 1;
// A list of namespaces.
repeated string namespaces = 2;
}
// A list of services or namespaces that should be enforced by Istio RBAC policies. Note: This field have
// effect only when mode is ON_WITH_INCLUSION and will be ignored for any other modes.
Target inclusion = 2;
// A list of services or namespaces that should not be enforced by Istio RBAC policies. Note: This field have
// effect only when mode is ON_WITH_EXCLUSION and will be ignored for any other modes.
Target exclusion = 3;
// $hide_from_docs
// Indicates enforcement mode of the RbacConfig, in ENFORCED mode by default.
// It's used to verify new RbacConfig work as expected before rolling to production.
// When setting as PERMISSIVE, RBAC isn't enforced and has no impact on users.
// RBAC engine run RbacConfig in PERMISSIVE mode and logs stats.
// Invalid to set RbacConfig in PERMISSIVE and ServiceRoleBinding in ENFORCED mode.
EnforcementMode enforcement_mode = 4;
}
You can’t perform that action at this time.