Proto: access_policy.proto

Package: security.policy.gloo.solo.io

Types:

AccessPolicyReport

Fields:

workspaces (repeated AccessPolicyReport.WorkspacesEntry)

selectedDestinationPorts (repeated common.gloo.solo.io.DestinationReference)

A list of destination ports selected by the policy.

allowedServiceAccounts (repeated AccessPolicyReport.IdentityReference)

A list of service accounts selected as allowed clients.

AccessPolicyReport.IdentityReference

Fields:

identityIndex (int32)

The index of the identity in the list of identity selectors.

serviceAccount (common.gloo.solo.io.ObjectReference)

The reference to the service account backing the identity.

AccessPolicyReport.WorkspacesEntry

Fields:

key (string)

value (common.gloo.solo.io.Report)

AccessPolicySpec

AccessPolicy defines how access to a destination service is granted. Specifically, it describes both how clients are authenticated and how they are authorized to access the service. AccessPolicies are applied at the destination port level.

Fields:

applyToDestinations (repeated common.gloo.solo.io.DestinationSelector)

Note: for security reasons, applyToWorkloads is preferred. Selects the destinations and their ports where the policy will be applied. If applyToWorkloads is non-empty, this field is ignored. If this field and applyToWorkloads are both omitted, the policy applies to all ports on all destinations in the workspace.

applyToWorkloads (repeated AccessPolicySpec.NamespaceWorkloadSelector)

Note: for security reasons, this field is recommended over applyToDestinations. Selects the workloads where the policy will be applied. If omitted, behavior is determined by the applyToDestinations field. If an empty selector is provided in the list, the policy applies to all workloads in every namespace, cluster, and workspace available in the parent object's workspace.

config (AccessPolicySpec.Config)

The details of the access policy to apply to the selected destinations.

AccessPolicySpec.Config

Fields:

authn (AccessPolicySpec.Config.Authentication)

Specifies how clients will be authenticated to the destination.

authz (AccessPolicySpec.Config.Authorization)

Specifies how clients will be authorized to access the destination.

enforcementLayers (common.gloo.solo.io.EnforcementLayers)

Optional. When NetworkPolicy translation is enabled, all available layers are used to enforce AccessPolicies by default. If you want to explicitly define which layers to use to enforce this AccessPolicy, set them with this field. Note that any layer you define in this field must be available to be configured.

AccessPolicySpec.Config.Authentication

Fields:

tlsMode (AccessPolicySpec.Config.Authentication.TLSmode)

Specifies the type of TLS policy that will be enforced on clients connecting to the destination. Note that if service isolation is enabled for the workspace, this field will always be treated as 'STRICT'.

AccessPolicySpec.Config.Authorization

Fields:

allowedClients (repeated common.gloo.solo.io.IdentitySelector)

The set of client identities that will be permitted to access the destination. Provide a single empty selector to allow access for all client identities.

allowedPaths (repeated string)

Optional. A list of HTTP paths or gRPC methods to allow. gRPC methods must be presented as a fully-qualified name in the form "/packageName.serviceName/methodName" and are case sensitive. Exact match, prefix match, and suffix match are supported for paths. For example, the path /books/review matches /books/review (exact match), */review (suffix match), or /books* (prefix match). If not specified, any path is allowed.

allowedMethods (repeated string)

Optional. A list of HTTP methods to allow (e.g., "GET", "POST"). It is ignored in the gRPC case because the value is always "POST". If not specified, any method is allowed.

match (AccessPolicySpec.Config.Authorization.MatchSpec)

Optional. Additional request matching conditions.

allowedIpBlocks (repeated string)

Optional. A list of IP blocks, populated from the source address of the IP packet. Single IPs (e.g. "1.2.3.4") and CIDRs (e.g. "1.2.3.0/24") are supported. If not set, any IP is allowed.

allowedRemoteIpBlocks (repeated string)

Optional. A list of IP blocks, populated from the X-Forwarded-For header or proxy protocol. To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig when you install Istio, or use an annotation on the ingress gateway. See the documentation here: Configuring Gateway Network Topology. Single IPs (e.g. "1.2.3.4") and CIDRs (e.g. "1.2.3.0/24") are supported. This is the same as the remote.ip attribute. If not set, any IP is allowed.

AccessPolicySpec.Config.Authorization.MatchSpec

Allows specification of request matching conditions.

Fields:

request (AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec)

Describes an HTTP request matching condition.

AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec

Fields:

headers (repeated AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeadersEntry)

Optional. HTTP request header matching conditions.

AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeaderValues

Describes an HTTP request header value matching condition. Note: at least one (or both) of values or notValues must be set.

Fields:

values (repeated string)

Optional. A list of match values for the header; the request must match at least one value. Supports wildcards. For example, to make the Authorization Policy match a request whose header value is exact-books or partial-matched-books, set values to exact-books and partial-*-books.

notValues (repeated string)

Optional. A list of negative match values for the header; the request must not match any of the values. Supports wildcards. For example, to make the Authorization Policy not match a request whose header value is ignore-books or partial-ignored-books, set notValues to ignore-books and partial-ig*-books.
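As an added worked example (not code from this page or from the Gloo Mesh project), the following Python models the authorization semantics stated in the Authorization and HeaderValues sections above: allowedClients, allowedPaths (exact, prefix and suffix), allowedMethods (ignored for gRPC), allowedIpBlocks, allowedRemoteIpBlocks, and header values/notValues. Two assumptions are made: IdentitySelector is not defined on this page, so a client selector is modelled as a dict with optional "namespace" and "serviceAccount" keys, with {} standing for the "single empty selector" that admits every identity; and "*" in a path or header pattern is taken to match any run of characters, which covers the exact, prefix, suffix and partial-*-books forms the page lists. The policy and requests are constructed sample data.

```python
"""Reference evaluator for the authorization rules stated above (added example, not Gloo Mesh
or Istio code).  Client selector = dict of optional "namespace"/"serviceAccount" keys (assumption)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field


@dataclass
class Request:
    """One request as seen by the destination's proxy (constructed sample data)."""
    namespace: str
    service_account: str
    path: str                     # HTTP path, or "/package.Service/Method" for gRPC
    method: str
    source_ip: str                # address of the IP packet (allowedIpBlocks)
    remote_ip: str | None = None  # from X-Forwarded-For / proxy protocol (allowedRemoteIpBlocks)
    grpc: bool = False            # allowedMethods is ignored for gRPC (always POST)
    headers: dict[str, str] = field(default_factory=dict)


@dataclass
class Authorization:
    """Mirror of AccessPolicySpec.Config.Authorization; an unset list imposes no restriction."""
    allowed_clients: list[dict]   # [] admits nobody, [{}] is the empty selector admitting everyone
    allowed_paths: list[str] = field(default_factory=list)
    allowed_methods: list[str] = field(default_factory=list)
    allowed_ip_blocks: list[str] = field(default_factory=list)
    allowed_remote_ip_blocks: list[str] = field(default_factory=list)
    header_values: dict[str, list[str]] = field(default_factory=dict)      # headers[name].values
    header_not_values: dict[str, list[str]] = field(default_factory=dict)  # headers[name].notValues


def pattern_match(pattern: str, value: str) -> bool:
    """'*' matches any run of characters (assumed); all else is literal and case-sensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value) is not None


def selector_matches(selector: dict, req: Request) -> bool:
    """Every key present in the selector must equal the caller's identity; {} matches all."""
    identity = {"namespace": req.namespace, "serviceAccount": req.service_account}
    return all(identity.get(key) == wanted for key, wanted in selector.items())


def ip_in_blocks(blocks: list[str], ip: str) -> bool:
    """Single IPs ("1.2.3.4") and CIDRs ("1.2.3.0/24") are both accepted."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(block, strict=False) for block in blocks)


def evaluate(authz: Authorization, req: Request) -> tuple[bool, str]:
    """Return (allowed, reason): conditions are ANDed, entries within one list are ORed."""
    if not any(selector_matches(sel, req) for sel in authz.allowed_clients):
        return False, "client identity not in allowedClients"
    if authz.allowed_paths and not any(pattern_match(p, req.path) for p in authz.allowed_paths):
        return False, "path not in allowedPaths"
    if authz.allowed_methods and not req.grpc and req.method not in authz.allowed_methods:
        return False, "method not in allowedMethods"
    if authz.allowed_ip_blocks and not ip_in_blocks(authz.allowed_ip_blocks, req.source_ip):
        return False, "source IP not in allowedIpBlocks"
    if authz.allowed_remote_ip_blocks and (
        req.remote_ip is None or not ip_in_blocks(authz.allowed_remote_ip_blocks, req.remote_ip)
    ):
        return False, "remote IP not in allowedRemoteIpBlocks (or no trusted proxy-supplied address)"
    for name, values in authz.header_values.items():
        actual = req.headers.get(name)
        if actual is None or not any(pattern_match(v, actual) for v in values):
            return False, f"header {name} matched none of values"
    for name, not_values in authz.header_not_values.items():
        actual = req.headers.get(name)
        if actual is not None and any(pattern_match(v, actual) for v in not_values):
            return False, f"header {name} matched a notValues entry"
    return True, "allowed"


def example_policy() -> Authorization:
    """Constructed policy: web/frontend may GET book paths (or call one gRPC method) from 10/8."""
    return Authorization(
        allowed_clients=[{"namespace": "web", "serviceAccount": "frontend"}],
        allowed_paths=["/books*", "*/review", "/shop.Books/ListBooks"],
        allowed_methods=["GET"],
        allowed_ip_blocks=["10.0.0.0/8"],
        header_values={"x-env": ["prod", "canary-*-eu"]},
        header_not_values={"x-debug": ["*"]},   # any x-debug header at all is rejected
    )


if __name__ == "__main__":
    policy = example_policy()
    for req in (  # constructed requests: the second is denied because POST is not in allowedMethods
        Request("web", "frontend", "/books/42", "GET", "10.1.2.3", headers={"x-env": "prod"}),
        Request("web", "frontend", "/books/42", "POST", "10.1.2.3", headers={"x-env": "prod"}),
    ):
        print(req.method, req.path, "->", evaluate(policy, req))
```

The ordering of checks mirrors the field list, and every denial names the field responsible, which is the shape of decision you want when auditing why a policy admitted or rejected a caller. Note the two deny-by-default corners the page implies: an empty allowedClients list admits nobody (only the single empty selector admits everyone), and allowedRemoteIpBlocks can never match when no trusted proxy-supplied address is present, which is why numTrustedProxies must be configured before that field is useful.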

AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeadersEntry

Fields:

key (string)

value (AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeaderValues)

AccessPolicySpec.NamespaceWorkloadSelector

NamespaceWorkloadSelector is a selector built specifically for selecting individual namespaces and selecting Workloads within them by label. Workloads must have injected sidecars or be standalone proxies (gateways) to be selected by Gloo Mesh policies.

Fields:

selector (AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector)

Selector used to match Workload objects by their metadata.

AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector

Selects zero or more Kubernetes API resources by matching on labels, namespace, cluster, and workspace.

Fields:

labels (repeated AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector.LabelsEntry)

Labels matching those of the Workload.

namespace (string)

Only select objects in the matching namespace. If the field is omitted, Gloo Mesh will select matching objects across all namespaces available in the parent object's workspace.

cluster (string)

Only select objects in the matching cluster. If the field is omitted, Gloo Mesh will select matching objects across all clusters available in the parent object's workspace.

workspace (string)

Only select objects in the given workspace. If the field is omitted, Gloo Mesh will select matching objects across all workspaces available in the parent object's workspace.

AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector.LabelsEntry

Fields:

key (string)

value (string)

AccessPolicyStatus

Reflects the status of the AccessPolicy.

Fields:

common (common.gloo.solo.io.Status)

numSelectedDestinationPorts (uint32)

The number of destination ports selected by the policy.

AccessPolicySpec.Config.Authentication.TLSmode

The mutual TLS (mTLS) connection mode. The following enums correspond to the modes defined by Istio.

Values (name, number, description):

DISABLE (0): Do not originate mTLS connections to the upstream workload, and instead use unencrypted plaintext.

PERMISSIVE (1): Permit both unencrypted plaintext and mTLS-secured connections to the upstream workload. Use this mode only while you migrate workloads to your service mesh. After the workload is onboarded to the service mesh, using the STRICT mode is recommended.

STRICT (2): Secure connections to the upstream workload with mTLS by presenting client certificates for authentication. This mode uses certificates generated automatically by Istio for mTLS authentication. When this mode is used, all other fields in ClientTLSSettings should be empty.