Proto: selectors.proto

Package: common.gloo.solo.io

Types:

DestinationSelector

DestinationSelector is a selector for matching routable destinations for routes. DestinationSelectors can select a variety of object types. The behavior of the route action will vary depending on the type of destination selected. Defaults to the kubernetes v1/Service. Currently supported destination types:

  • v1 Service
  • networking.gloo.solo.io/v2 VirtualDestination (route traffic to a group of backing destinations)
  • networking.gloo.solo.io/v2 ExternalService (route traffic to a static set of service endpoints external to the mesh)

| Field | Description |
|---|---|
| selector (ObjectSelector) | selector used to match destination objects by their metadata |
| kind (DestinationKind) | the kind of destination being selected. defaults to Kubernetes Service. |
| port (PortSelector) | the port on the Destination which receives traffic. All ports on the Destination will be selected if left empty. |

IdentitySelector

IdentitySelector is a Selector specifically built for selecting client identities for security policies.

| Field | Description |
|---|---|
| serviceAccountSelector (ObjectSelector) | Select kubernetes service accounts as identities. When selecting a service account that will be created in the future for use in an AuthorizationPolicy, ONLY provide the name, namespace and cluster where the service account will exist in the selector. Providing labels and/or the workspace, or omitting the name, namespace or cluster for a service account that does not exist in the selector will not result in that service account being added to the resulting AuthorizationPolicy. |
| requestIdentityMatcher (IdentitySelector.RequestIdentityMatcher) | Select identities based on properties of the request. If multiple fields are set, they are ANDed together. More information about the individual values can be found here: https://istio.io/latest/docs/reference/config/security/authorization-policy/#Source |
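
An added example (not Gloo Mesh code and not part of the original reference) of a pre-apply check for the serviceAccountSelector rule above: it reports whether each selector resolves to an existing service account, is accepted as a future one, or is silently left out of the AuthorizationPolicy. The inventory, the selector names and the exact-match comparison are assumptions made for illustration.

```python
"""Pre-apply check for IdentitySelector.serviceAccountSelector entries.

Added example: models the rule documented above; it is not Gloo Mesh code.
"""
SCALAR_FIELDS = ("name", "namespace", "cluster", "workspace")


def matches(selector, sa):
    """ObjectSelector semantics as documented: an omitted field matches anything.
    Exact string comparison is an assumption of this example."""
    for field in SCALAR_FIELDS:
        if selector.get(field) and selector[field] != sa.get(field):
            return False
    wanted = selector.get("labels") or {}
    have = sa.get("labels") or {}
    return all(have.get(k) == v for k, v in wanted.items())


def check_service_account_selector(selector, existing):
    """Return (status, detail); status is 'resolved', 'future' or 'dropped'."""
    hits = [sa for sa in existing if matches(selector, sa)]
    if hits:
        return "resolved", sorted(
            f"{sa['cluster']}/{sa['namespace']}/{sa['name']}" for sa in hits)
    # Nothing exists yet: only name + namespace + cluster, and nothing else, is kept.
    missing = [f for f in ("name", "namespace", "cluster") if not selector.get(f)]
    extra = [f for f in ("labels", "workspace") if selector.get(f)]
    if not missing and not extra:
        return "future", []
    return "dropped", [f"missing {f}" for f in missing] + [f"remove {f}" for f in extra]


# Constructed inventory of service accounts that already exist (hypothetical names).
EXISTING = [
    {"name": "frontend", "namespace": "web", "cluster": "cluster-1",
     "workspace": "web-team", "labels": {"app": "frontend"}},
]

# Constructed selectors, keyed by a hypothetical description.
SELECTORS = {
    "by-label-existing": {"labels": {"app": "frontend"}},
    "future-ok": {"name": "batch", "namespace": "jobs", "cluster": "cluster-2"},
    "future-with-labels": {"name": "batch", "namespace": "jobs",
                           "cluster": "cluster-2", "labels": {"app": "batch"}},
    "future-no-cluster": {"name": "batch", "namespace": "jobs"},
}


def report():
    return {k: check_service_account_selector(v, EXISTING) for k, v in SELECTORS.items()}


if __name__ == "__main__":
    for name, (status, detail) in report().items():
        print(f"{name:20} {status:9} {detail}")
```

A `dropped` result means the intended client never appears in the generated policy, so it is worth failing a CI check on it rather than discovering the missing identity after the service account is created.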

IdentitySelector.RequestIdentityMatcher

| Field | Description |
|---|---|
| requestPrincipals (repeated string) | Optional. A list of identities to match the request identity (“iss/sub” from the JWT). If omitted all request identity values will be accepted. |
| notRequestPrincipals (repeated string) | Optional. A list of identities to negative match the request identity. |

MeshSelector

MeshSelector is a Selector built for selecting instances of Mesh control planes. A control plane is understood to have a single domain and provide a single root of trust for the data plane proxies it is managing. Each revision of Istiod maps

| Field | Description |
|---|---|
| istio (MeshSelector.Istio) | options for selecting istio Mesh control planes. |

MeshSelector.Istio

| Field | Description |
|---|---|
| revision (string) | istio.io/revision of Istio to select. regex supported. omit to select across all revisions. |
| namespace (string) | match the name of the namespace where istiod is deployed. omit to select across all namespaces. |
| clusterSelector (repeated MeshSelector.Istio.ClusterSelectorEntry) | match the labels of the cluster where istiod is deployed. omit to select across all clusters. |
| selector (repeated MeshSelector.Istio.SelectorEntry) | select via the labels of the istiod deployment. omit to select across all labels. |

MeshSelector.Istio.ClusterSelectorEntry

| Field | Description |
|---|---|
| key (string) | |
| value (string) | |

MeshSelector.Istio.SelectorEntry

| Field | Description |
|---|---|
| key (string) | |
| value (string) | |

ObjectSelector

selects zero or more Kubernetes API resources by matching on labels, name, namespace, cluster, and workspace.

| Field | Description |
|---|---|
| labels (repeated ObjectSelector.LabelsEntry) | labels matching those of the object |
| name (string) | Only select objects with the matching name. If the field is omitted, Gloo Mesh will select matching objects with any name available in the parent object’s workspace. |
| namespace (string) | Only select objects in the matching namespace. If the field is omitted, Gloo Mesh will select matching objects across all namespaces available in the parent object’s workspace. |
| cluster (string) | Only select objects in the matching cluster. If the field is omitted, Gloo Mesh will select matching objects across all clusters available in the parent object’s workspace. |
| workspace (string) | Only select objects in the given workspace. If the field is omitted, Gloo Mesh will select matching objects across all workspaces available in the parent object’s workspace. |

ObjectSelector.LabelsEntry

| Field | Description |
|---|---|
| key (string) | |
| value (string) | |

RouteDestinationSelector

RouteDestinationSelector is a Selector specifically built for individual destinations on individual Routes inside of RouteTables.

| Field | Description |
|---|---|
| route (RouteLabelSelector) | select routes based on their labels. these labels can be used to match route tables or individual routes within route tables. if left empty, configuration will apply to all specified destinations on all routes in the workspace. |
| onDestinations (repeated DestinationSelector) | for the selected routes, select destinations on which to apply this policy |

RouteFilter

| Field | Description |
|---|---|
| cloudProvider (CloudProviderFilterOptions) | Optional: filter out route tables that specify CloudProvider functionality, if provided. |

RouteLabelSelector

RouteLabelSelector is used to select the details of a route primarily by label. The selection may be further restricted by namespace, cluster, and workspace.

| Field | Description |
|---|---|
| labels (repeated RouteLabelSelector.LabelsEntry) | Select routes including all specified labels on the route or route table. |
| namespace (string) | Only select routes attached to route tables matching the namespace. |
| cluster (string) | Only select routes attached to route tables matching the cluster. |
| workspace (string) | Only select routes attached to route tables matching the workspace. |

RouteLabelSelector.LabelsEntry

| Field | Description |
|---|---|
| key (string) | |
| value (string) | |

RouteSelector

RouteSelector is a Selector specifically built for individual Routes inside of RouteTables.

This selector can be used to select individual routes or entire route tables using the same label selector.

| Field | Description |
|---|---|
| route (RouteLabelSelector) | select routes based on their labels. these labels can be used to match route tables or individual routes within route tables. |
| withDestinations (DestinationSelector) | select routes with forwardTo actions based on their destinations. this can be used to apply policy to routes regardless of their labels |

WorkloadSelector

WorkloadSelector is a Selector specifically built for selecting individual workloads. Workloads must have injected proxies (sidecars) or be standalone proxies (gateways) to be selected by Gloo Mesh policies.

This selector can be used to select pods or injected external endpoints (VMs).

| Field | Description |
|---|---|
| selector (ObjectSelector) | Selector used to match Workload objects by their metadata. |
| kind (WorkloadSelector.WorkloadKind) | The kind of workload being selected. Defaults to Kube. |
| port (PortSelector) | The port to select on the selected workloads. Only applies to policies which select specific workload ports, such as the WasmDeploymentPolicy. |

WorkspaceSelector

WorkspaceSelector is a selector for workspaces.

| Field | Description |
|---|---|
| name (string) | Optional: Name of the workspace to select. Use * to match name patterns in multiple workspace names. |
| selector (repeated WorkspaceSelector.SelectorEntry) | Optional: Select workspaces based on their labels, such as setting selector to team: backend. |

WorkspaceSelector.SelectorEntry

| Field | Description |
|---|---|
| key (string) | |
| value (string) | |

DestinationKind

Supported Kinds which can be selected by routes.

| Name | Number | Description |
|---|---|---|
| SERVICE | 0 | Select a Kubernetes Service |
| VIRTUAL_DESTINATION | 1 | Select a Virtual Destination |
| EXTERNAL_SERVICE | 2 | Select an External Service |

WorkloadSelector.WorkloadKind

| Name | Number | Description |
|---|---|---|
| KUBE | 0 | Select kubernetes workloads (deployment, statefulset, daemonset, etc.). |
| VM | 1 | Select vms which are external, non-kube workloads. |