package io.linkerd.proxy.inbound

Get desktop application:
View/edit binary Protocol Buffers messages

/ An API exposed to the linkerd2-proxy to configure the inbound proxy with per-port configuration / / Proxies are expected to watch policies for each known port. As policies change, proxies update / their behavior for newly accepted connections. / / The unary `GetPort` endpoint is exposed as a convenience for clients to query policies for / diagnostic purposes.

• rpc GetPort (PortSpec, Server)

  inbound.proto:22

  / Gets the inbound server policy for a given workload port.

• rpc WatchPort (PortSpec, stream Server)

  inbound.proto:25

  / Watches the inbound server policy for a given workload port.

Used in: Authz

• oneof permit

  • Authn.PermitUnauthenticated unauthenticated = 1

  • Authn.PermitMeshTLS meshTLS = 2

    If set, requires that the connection is transported over mesh TLS.

Used in: Authn

• oneof clients

  • PermitUnauthenticated unauthenticated = 1

    Indicates that client identities are not required.

  • PermitMeshTLS.PermitClientIdentities identities = 2

    Indicates that mutually-authenticated connections are permitted from clients with matching identities.

Used in: PermitMeshTLS

• repeated Identity identities = 1

  A list of literal identities.

• repeated IdentitySuffix suffixes = 2

  A list of identity suffixes. If this contains an empty suffix, all identities are matched.

Used in: Authn, PermitMeshTLS

(message has no fields)

Used in: GrpcRoute, HttpRoute, Server

• repeated Network networks = 1

  Limits this authorization to client addresses in the provided networks. Must have at least one network, otherwise the authorization must be ignored. An authorization matches all clients by including an explicit match on, i.e., `[0.0.0.0/0, 0::/0]``.

• optional Authn authentication = 2

  Must be set.

• map<string, string> labels = 3

  Descriptive labels to be added to metrics, etc. A control plane SHOULD return the same keys in all authorizations. That is, we do NOT want to return arbitrary pod labels in this field. `labels` should be considered deprecated. `metadata` is preferred. However, controllers should continue to set `labels` for compatibility with older proxies.

• optional meta.Metadata metadata = 4

  If set, describes an Authorization configuration. Replaces the free-from `labels` field.

Inbound-specific gRPC route configuration.

Used in: ProxyProtocol.Grpc

• optional meta.Metadata metadata = 1

• repeated http_route.HostMatch hosts = 2

  If empty, the host value is ignored.

• repeated Authz authorizations = 3

  The server MUST return at least one authorization, otherwise all requests to this route will fail with an unauthorized response.

• repeated GrpcRoute.Rule rules = 4

  Must have at least one rule.

Used in: Rule

• oneof kind

  • grpc_route.GrpcFailureInjector failure_injector = 1

  • http_route.RequestHeaderModifier request_header_modifier = 2

Used in: GrpcRoute

• repeated grpc_route.GrpcRouteMatch matches = 1

• repeated Filter filters = 2

Used in: ProxyProtocol.Detect, ProxyProtocol.Http1, ProxyProtocol.Http2

• optional meta.Metadata metadata = 1

  Describes the associated HTTPLocalRateLimitPolicy resource

• optional HttpLocalRateLimit.Limit total = 2

  Overall rate-limit, which all traffic coming to this server should abide to. If unset no overall limit is applied.

• optional HttpLocalRateLimit.Limit identity = 3

  Fairness for individual identities; each separate client, grouped by identity, will have this rate-limit.

• repeated HttpLocalRateLimit.Override overrides = 4

  Limit overrides for traffic from a specific client.

Used in: HttpLocalRateLimit, Override

• uint32 requestsPerSecond = 1

Used in: HttpLocalRateLimit

• optional Limit limit = 1

• optional Override.ClientIdentities clients = 2

Used in: Override

• repeated Identity identities = 1

  A list of literal identities.

Inbound-specific HTTP route configuration (based on the [Gateway API](https://gateway-api.sigs.k8s.io/v1alpha2/references/spec/#gateway.networking.k8s.io/v1alpha2.HTTPRoute)).

Used in: ProxyProtocol.Detect, ProxyProtocol.Http1, ProxyProtocol.Http2

• optional meta.Metadata metadata = 1

• repeated http_route.HostMatch hosts = 2

  If empty, the host value is ignored.

• repeated Authz authorizations = 3

  Extends the list of authorizations on the `Server` with authorizations specific to this route.

• repeated HttpRoute.Rule rules = 4

  Must have at least one rule.

Used in: Rule

• oneof kind

  • http_route.HttpFailureInjector failure_injector = 1

  • http_route.RequestHeaderModifier request_header_modifier = 2

  • http_route.RequestRedirect redirect = 3

Used in: HttpRoute

• repeated http_route.HttpRouteMatch matches = 1

• repeated Filter filters = 2

Used in: Authn.PermitMeshTLS.PermitClientIdentities, HttpLocalRateLimit.Override.ClientIdentities

• string name = 1

Encodes a DNS-like name suffix as sequence of parts. An empty list is equivalent to `.` (matching all names); the list `["foo", "bar"]` is equivalent to "foo.bar." (matching `*.foo.bar`), etc.

Used in: Authn.PermitMeshTLS.PermitClientIdentities

• repeated string parts = 1

Describes a network of authorized clients.

Used in: Authz

• optional net.IPNetwork net = 1

• repeated net.IPNetwork except = 2

Used as request type in: InboundServerPolicies.GetPort, InboundServerPolicies.WatchPort

• string workload = 1

  Identifies a proxy workload (e.g., pod name).

• uint32 port = 2

  An inbound port on _workload_.

Used in: Server

• oneof kind

  • ProxyProtocol.Detect detect = 1

  • ProxyProtocol.Opaque opaque = 2

  • ProxyProtocol.Tls tls = 3

  • ProxyProtocol.Http1 http1 = 4

  • ProxyProtocol.Http2 http2 = 5

  • ProxyProtocol.Grpc grpc = 6

Used in: ProxyProtocol

• optional google.protobuf.Duration timeout = 1

• repeated HttpRoute http_routes = 3

  If the protocol detected as HTTP, a list of HTTP routes that should be matched.

• optional HttpLocalRateLimit http_local_rate_limit = 4

  If the protocol detected as HTTP, applicable rate limit.

Used in: ProxyProtocol

• repeated GrpcRoute routes = 2

Used in: ProxyProtocol

• repeated HttpRoute routes = 2

• optional HttpLocalRateLimit local_rate_limit = 3

Used in: ProxyProtocol

• repeated HttpRoute routes = 2

• optional HttpLocalRateLimit local_rate_limit = 3

TODO: opaque TLS settings (versions, algorithms, SNI)

Used in: ProxyProtocol

(message has no fields)

Used in: ProxyProtocol

(message has no fields)

Used as response type in: InboundServerPolicies.GetPort, InboundServerPolicies.WatchPort

• optional ProxyProtocol protocol = 1

  If set, indicates how the proxy should proxy connections on the specified port.

• repeated net.IPAddress server_ips = 2

  Indicates the IP addresses on which the proxy may receive connections. Connections targetting other IP addresses will be dropped.

• repeated Authz authorizations = 3

  Configures a proxy to allow connections from the specified clients. If unset, no connections are permitted.

• map<string, string> labels = 4

  Descriptive labels to be added to metrics, etc. A control plane SHOULD return the same keys in all policies. That is, we do NOT want to return arbitrary pod labels in this field.