AccessPolicy
AccessPolicy API reference.
Proto: access_policy.proto
Package: security.policy.gloo.solo.io
Types:
AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeaderValues
AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeadersEntry
AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector.LabelsEntry
AccessPolicyReport
Field | Description |
---|---|
workspaces | (repeated AccessPolicyReport.WorkspacesEntry) |
selectedDestinationPorts | (repeated common.gloo.solo.io.DestinationReference) A list of destination ports selected by the policy. |
allowedServiceAccounts | (repeated AccessPolicyReport.IdentityReference) A list of service accounts selected as allowed clients. |
AccessPolicyReport.IdentityReference
Field | Description |
---|---|
identityIndex | (int32) The index of the identity in the list of identity selectors. |
serviceAccount | (common.gloo.solo.io.ObjectReference) The reference to the service account backing the identity. |
AccessPolicyReport.WorkspacesEntry
Field | Description |
---|---|
key | (string) |
value | (common.gloo.solo.io.Report) |
AccessPolicySpec
AccessPolicy defines how access to a destination service is granted: how clients must be authenticated and how they are authorized to reach the service. AccessPolicies are applied at the destination-port level.
Field | Description |
---|---|
applyToDestinations | (repeated common.gloo.solo.io.DestinationSelector) Selects the destinations and their ports to which the policy is applied. Note: for security reasons, applyToWorkloads is preferred. This field is ignored if applyToWorkloads is non-empty. If both fields are omitted, the policy applies to all ports on all destinations in the workspace. |
applyToWorkloads | (repeated AccessPolicySpec.NamespaceWorkloadSelector) Selects the workloads to which the policy is applied. Note: for security reasons, this field is recommended over applyToDestinations. If omitted, behavior is determined by the applyToDestinations field. If the list contains an empty selector, the policy applies to all workloads in every namespace, cluster, and workspace available in the parent object's workspace. |
config | (AccessPolicySpec.Config) The details of the access policy to apply to the selected destinations. |
AccessPolicySpec.Config
Field | Description |
---|---|
authn | (AccessPolicySpec.Config.Authentication) Specifies how clients are authenticated to the destination. |
authz | (AccessPolicySpec.Config.Authorization) Specifies how clients are authorized to access the destination. |
enforcementLayers | (common.gloo.solo.io.EnforcementLayers) Optional. When NetworkPolicy translation is enabled, all available layers are used to enforce AccessPolicies by default. To explicitly define which layers enforce this AccessPolicy, set them in this field. Note that any layer you name here must be available to be configured. |
AccessPolicySpec.Config.Authentication
Field | Description |
---|---|
tlsMode | (AccessPolicySpec.Config.Authentication.TLSmode) Specifies the type of TLS policy enforced on clients connecting to the destination. Note that if service isolation is enabled for the workspace, this field is always treated as STRICT. |
AccessPolicySpec.Config.Authorization
Field | Description |
---|---|
allowedClients | (repeated common.gloo.solo.io.IdentitySelector) The set of client identities permitted to access the destination. Provide a single empty selector to allow access for all client identities. |
allowedPaths | (repeated string) Optional. A list of HTTP paths or gRPC methods to allow. gRPC methods must be given as fully-qualified names in the form "/packageName.serviceName/methodName" and are case-sensitive. Exact, prefix, and suffix matches are supported for paths. For example, the path /books/review matches /books/review (exact match), *books/ (suffix match), or /books* (prefix match). If not specified, any path is allowed. |
allowedMethods | (repeated string) Optional. A list of HTTP methods to allow (e.g. "GET", "POST"). Ignored for gRPC, where the method is always "POST". If not specified, any method is allowed. |
match | (AccessPolicySpec.Config.Authorization.MatchSpec) Optional. Additional request matching conditions. |
allowedIpBlocks | (repeated string) Optional. A list of IP blocks, matched against the source address of the IP packet. Single IPs (e.g. "1.2.3.4") and CIDRs (e.g. "1.2.3.0/24") are supported. If not set, any IP is allowed. |
allowedRemoteIpBlocks | (repeated string) Optional. A list of IP blocks, matched against the X-Forwarded-For header or proxy protocol. To use this field, you must configure the numTrustedProxies field of gatewayTopology under meshConfig when you install Istio, or set it with an annotation on the ingress gateway. See the Istio documentation on Configuring Gateway Network Topology. Single IPs (e.g. "1.2.3.4") and CIDRs (e.g. "1.2.3.0/24") are supported. This is the same as the remote.ip attribute. If not set, any IP is allowed. |
AccessPolicySpec.Config.Authorization.MatchSpec
Allows request conditions to be specified.
Field | Description |
---|---|
request | (AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec) Describes an HTTP request matching condition. |
AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec
Field | Description |
---|---|
headers | (repeated AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeadersEntry) Optional. HTTP request header matching conditions. |
AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeaderValues
Describes an HTTP request header value matching condition. Note: at least one (or both) of values or notValues must be set.
Field | Description |
---|---|
values | (repeated string) Optional. A list of match values for the header; the request must match at least one value. Supports wildcards. For example, to match requests whose header value is exact-books or partial-matched-books, set values to exact-books and partial-*-books. |
notValues | (repeated string) Optional. A list of negative match values for the header; the request must not match any of them. Supports wildcards. For example, to reject requests whose header value is ignore-books or partial-ignored-books, set notValues to ignore-books and partial-ig*-books. |
AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeadersEntry
Field | Description |
---|---|
key | (string) |
value | (AccessPolicySpec.Config.Authorization.MatchSpec.RequestSpec.HeaderValues) |
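The authorization fields above (allowedClients, allowedPaths, allowedMethods, allowedIpBlocks and match.request.headers with values/notValues) are evaluated together: a request must satisfy every configured condition. The following is an added illustration of those semantics, not Gloo Mesh or Istio code; real enforcement happens in the sidecar from the translated policy. It assumes a simplified client identity (namespace plus service account name, standing in for IdentitySelector), a deny-by-default result when allowedClients is empty, and that an absent header fails a `values` condition but is not rejected by `notValues`. The policy and requests are constructed for the example.

```python
"""Added illustration of the AccessPolicySpec.Config.Authorization semantics
(not Gloo Mesh or Istio code): evaluates constructed requests against a
policy-shaped dict using the matching rules the reference text describes."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Request:
    """One inbound request as seen at the destination port (constructed)."""
    namespace: str        # namespace of the calling workload's service account
    service_account: str  # service account name (simplified client identity)
    method: str
    path: str
    source_ip: str
    headers: dict


def match_path(pattern: str, path: str) -> bool:
    """allowedPaths semantics: exact, prefix ('/books*') or suffix ('*/review') match."""
    if pattern.endswith("*") and not pattern.startswith("*"):
        return path.startswith(pattern[:-1])
    if pattern.startswith("*") and not pattern.endswith("*"):
        return path.endswith(pattern[1:])
    return pattern == "*" or path == pattern


def match_value(pattern: str, value: str) -> bool:
    """Header value wildcard: each '*' matches any run of characters (e.g. 'partial-*-books')."""
    parts = pattern.split("*")
    if len(parts) == 1:
        return value == pattern
    if not (value.startswith(parts[0]) and value.endswith(parts[-1])):
        return False
    pos, end = len(parts[0]), len(value) - len(parts[-1])
    for part in parts[1:-1]:               # middle literals must appear in order
        idx = value.find(part, pos, end)
        if idx < 0:
            return False
        pos = idx + len(part)
    return pos <= end                      # leading and trailing literals must not overlap


def client_allowed(selector: dict, req: Request) -> bool:
    """Simplified IdentitySelector (assumption): an empty selector {} matches every client."""
    return all(getattr(req, k) == v for k, v in selector.items())


def evaluate(policy: dict, req: Request) -> tuple:
    """Return (allowed, reason) for one request against one authorization config."""
    # Assumption: no allowedClients at all means nobody is allowed (deny by default).
    if not any(client_allowed(sel, req) for sel in policy.get("allowedClients", [])):
        return False, "client identity not in allowedClients"
    paths = policy.get("allowedPaths")
    if paths and not any(match_path(p, req.path) for p in paths):
        return False, f"path {req.path} not in allowedPaths"
    methods = policy.get("allowedMethods")
    if methods and req.method.upper() not in methods:
        return False, f"method {req.method} not in allowedMethods"
    blocks = policy.get("allowedIpBlocks")
    if blocks:
        ip = ipaddress.ip_address(req.source_ip)   # single IPs become /32 networks
        if not any(ip in ipaddress.ip_network(b, strict=False) for b in blocks):
            return False, f"source IP {req.source_ip} not in allowedIpBlocks"
    headers = {k.lower(): v for k, v in req.headers.items()}   # header names are case-insensitive
    conds = policy.get("match", {}).get("request", {}).get("headers", {})
    for name, cond in conds.items():
        value = headers.get(name.lower())
        # Assumption: an absent header fails `values` but cannot be rejected by `notValues`.
        if cond.get("values") and (value is None or not any(match_value(p, value) for p in cond["values"])):
            return False, f"header {name} does not match values"
        if value is not None and any(match_value(p, value) for p in cond.get("notValues", [])):
            return False, f"header {name} matches notValues"
    return True, "allowed"


# Constructed policy mirroring the reference's field names (not a real cluster's policy).
POLICY = {
    "allowedClients": [{"namespace": "bookstore", "service_account": "frontend"}],
    "allowedPaths": ["/books*", "*/review", "/healthz"],
    "allowedMethods": ["GET", "POST"],
    "allowedIpBlocks": ["10.0.0.0/8"],
    "match": {"request": {"headers": {"x-tenant": {
        "values": ["exact-books", "partial-*-books"],
        "notValues": ["ignore-books", "partial-ig*-books"]}}}},
}


def sample_decisions() -> list:
    """Evaluate a baseline request and one variant per condition; only the baseline is allowed."""
    base = dict(namespace="bookstore", service_account="frontend", method="GET",
                path="/books/42", source_ip="10.1.2.3", headers={"X-Tenant": "exact-books"})
    cases = [
        base,
        {**base, "headers": {"X-Tenant": "partial-ignored-books"}},  # passes values, hits notValues
        {**base, "path": "/admin"},
        {**base, "method": "DELETE"},
        {**base, "source_ip": "192.168.1.1"},
        {**base, "service_account": "reviews"},
    ]
    return [evaluate(POLICY, Request(**c)) for c in cases]


if __name__ == "__main__":
    for allowed, reason in sample_decisions():
        print("ALLOW" if allowed else "DENY ", reason)
```

Each denial names the first failing condition, which is the information a defender wants in the proxy's access log when a policy rejects traffic; the second case shows that `notValues` is checked even when `values` already matched, so a header that satisfies `partial-*-books` is still rejected by `partial-ig*-books`.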
AccessPolicySpec.NamespaceWorkloadSelector
NamespaceWorkloadSelector is a Selector built specifically for selecting individual namespaces and the Workloads within them by label. Workloads must have injected sidecars or be standalone proxies (gateways) to be selected by Gloo Mesh policies.
Field | Description |
---|---|
selector | (AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector) Selector used to match Workload objects by their metadata. |
AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector
Selects zero or more Kubernetes API resources by matching on labels, namespace, cluster, and workspace.
Field | Description |
---|---|
labels | (repeated AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector.LabelsEntry) Labels that the Workload must carry. |
namespace | (string) Only select objects in the matching namespace. If omitted, Gloo Mesh selects matching objects across all namespaces available in the parent object's workspace. |
cluster | (string) Only select objects in the matching cluster. If omitted, Gloo Mesh selects matching objects across all clusters available in the parent object's workspace. |
workspace | (string) Only select objects in the given workspace. If omitted, Gloo Mesh selects matching objects across all workspaces available in the parent object's workspace. |
AccessPolicySpec.NamespaceWorkloadSelector.ObjectSelector.LabelsEntry
Field | Description |
---|---|
key | (string) |
value | (string) |
AccessPolicyStatus
Reflects the status of the AccessPolicy.
Field | Description |
---|---|
common | (common.gloo.solo.io.Status) |
numSelectedDestinationPorts | (uint32) The number of destination ports selected by the policy. |
AccessPolicySpec.Config.Authentication.TLSmode
The mutual TLS (mTLS) connection mode. The following enums correspond to the modes defined by Istio.
Name | Number | Description |
---|---|---|
DISABLE | 0 | Do not originate mTLS connections to the upstream workload; use unencrypted plaintext instead. |
PERMISSIVE | 1 | Permit both unencrypted plaintext and mTLS-secured connections to the upstream workload. Use this mode only while migrating workloads into the service mesh; once a workload is onboarded, STRICT mode is recommended. |
STRICT | 2 | Secure connections to the upstream workload with mTLS by presenting client certificates for authentication. This mode uses certificates generated automatically by Istio for mTLS authentication. When this mode is used, all other fields in ClientTLSSettings must be empty. |