package istio.security

Get desktop application:
View/edit binary Protocol Buffers messages

Used in: Authorization

ALLOW = 0
Allow the request if it matches with the rules.
DENY = 1
Deny the request if it matches with the rules.

Used in: Match

bytes address = 1
uint32 length = 2

string name = 1
string namespace = 2
Scope scope = 3
Determine the scope of this RBAC policy. If set to NAMESPACE, the 'namespace' field value will be used.
Action action = 4
The action to take if the request is matched with the rules. Default is ALLOW if not specified.
repeated Rule rules = 5
Set of RBAC policy rules each containing its clauses (To, From, When). If at least one of the rules is matched the policy action will take place. Rules are OR-ed.

Used in: Rule

repeated Match matches = 2
The logical behavior between the matches (if there are more than one) MatchBehavior match_behavior = 1; Matches are OR-ed Match is a generic form of the authz policy's expressions contained in To, From and When.

Values of specific type are OR-ed If multiple types are set, they are AND-ed

Used in: Clause

repeated StringMatch namespaces = 1
repeated StringMatch not_namespaces = 2
repeated ServiceAccountMatch service_accounts = 11
repeated ServiceAccountMatch not_service_accounts = 12
repeated StringMatch principals = 3
repeated StringMatch not_principals = 4
repeated Address source_ips = 5
repeated Address not_source_ips = 6
repeated Address destination_ips = 7
repeated Address not_destination_ips = 8
repeated uint32 destination_ports = 9
repeated uint32 not_destination_ports = 10

Used in: Authorization

repeated Clause clauses = 1
Clauses are AND-ed This is a generic form of the authz policy's to, from and when

Used in: Authorization

GLOBAL = 0
ALL means that the authorization policy will be applied to all workloads in the mesh (any namespace).
NAMESPACE = 1
NAMESPACE means that the policy will only be applied to workloads in a specific namespace.
WORKLOAD_SELECTOR = 2
WORKLOAD_SELECTOR means that the policy will only be applied to specific workloads that were selected by their labels.

Used in: Match

string namespace = 1
string serviceAccount = 2

Used in: Match

oneof match_type
- string exact = 1
  exact string match
- string prefix = 2
  prefix-based match
- string suffix = 3
  suffix-based match
- google.protobuf.Empty presence = 4

package istio.security

enum Action

ALLOW = 0

DENY = 1

message Address

bytes address = 1

uint32 length = 2

message Authorization

string name = 1

string namespace = 2

Scope scope = 3

Action action = 4

repeated Rule rules = 5

message Clause

repeated Match matches = 2

message Match

repeated StringMatch namespaces = 1

repeated StringMatch not_namespaces = 2

repeated ServiceAccountMatch service_accounts = 11

repeated ServiceAccountMatch not_service_accounts = 12

repeated StringMatch principals = 3

repeated StringMatch not_principals = 4

repeated Address source_ips = 5

repeated Address not_source_ips = 6

repeated Address destination_ips = 7

repeated Address not_destination_ips = 8

repeated uint32 destination_ports = 9

repeated uint32 not_destination_ports = 10

message Rule

repeated Clause clauses = 1

enum Scope

GLOBAL = 0

NAMESPACE = 1

WORKLOAD_SELECTOR = 2

message ServiceAccountMatch

string namespace = 1

string serviceAccount = 2

message StringMatch

oneof match_type

string exact = 1

string prefix = 2

string suffix = 3

google.protobuf.Empty presence = 4