access_policy.proto

Package : security.policy.gloo.solo.io

AccessPolicySpec

AccessPolicy defines how access to a destination service is granted. Specifically, it describes both how clients must be authenticated and how they are authorized to access the service. Refer to this link for further details about cross origin resource sharing. AccessPolicies are applied at the Destination level.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| applyToDestinations | []common.gloo.solo.io.DestinationSelector | repeated | Select the destinations where the policy will be applied. If left empty, the policy applies to all destinations in the workspace. |
| config | security.policy.gloo.solo.io.AccessPolicySpec.Config | | The details of the access policy to apply to the selected destinations. |

AccessPolicySpec.Config

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| authn | security.policy.gloo.solo.io.AccessPolicySpec.Config.Authentication | | Specify how clients will be authenticated to the destination. |
| authz | security.policy.gloo.solo.io.AccessPolicySpec.Config.Authorization | | Specify how clients will be authorized to access the destination. |

AccessPolicySpec.Config.Authentication

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| tlsMode | security.policy.gloo.solo.io.AccessPolicySpec.Config.Authentication.TLSmode | | Specify the type of TLS policy that will be enforced on clients connecting to the destination. Note that if service isolation is enabled for the workspace, this field will always be treated as `STRICT`. |

AccessPolicySpec.Config.Authorization

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| allowedClients | []common.gloo.solo.io.IdentitySelector | repeated | The set of client identities that will be permitted to access the destination. Provide a single empty selector to allow access for all client identities. |
| allowedPaths | []string | repeated | Optional. A list of HTTP paths or gRPC methods to allow. gRPC methods must be presented as a fully-qualified name in the form `/packageName.serviceName/methodName` and are case sensitive. Exact match, prefix match, and suffix match are supported for paths. For example, the path `/books/review` matches `/books/review` (exact match), `/books/*` (prefix match), or `*/review` (suffix match). If not specified, any path is allowed. |
| allowedMethods | []string | repeated | Optional. A list of HTTP methods to allow (e.g., `GET`, `POST`). It is ignored in the gRPC case because the value is always `POST`. If not specified, any method is allowed. |

AccessPolicyStatus

Reflects the status of the AccessPolicy.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| global | common.gloo.solo.io.GenericGlobalStatus | | |
| workspaces | []security.policy.gloo.solo.io.AccessPolicyStatus.WorkspacesEntry | repeated | The status of the resource in each workspace that it exists in. |
| selectedDestinationPorts | []common.gloo.solo.io.DestinationReference | repeated | Destination ports selected by the policy. |

AccessPolicyStatus.WorkspacesEntry

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| key | string | | |
| value | common.gloo.solo.io.WorkspaceStatus | | |

AccessPolicySpec.Config.Authentication.TLSmode

TLS connection mode. The enum values correspond to those defined here.

| Name | Number | Description |
| --- | --- | --- |
| DISABLE | 0 | Do not originate a TLS connection to the upstream endpoint. |
| PERMISSIVE | 1 | Originate a TLS connection to the upstream endpoint. |
| STRICT | 2 | Secure connections to the upstream using mutual TLS by presenting client certificates for authentication. This mode uses certificates generated automatically by Istio for mTLS authentication. When this mode is used, all other fields in ClientTLSSettings should be empty. |
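The following manifest is an added example, not taken from this reference or from the Gloo project, showing how the fields above combine into a least-privilege policy: mTLS is required, a single workload identity is allowed, and it is confined to a path prefix, a path suffix and one HTTP method. The `apiVersion` string and the sub-fields of `DestinationSelector` and `IdentitySelector` (`selector.labels`, `serviceAccountSelector`) are defined in the common package, not on this page, and are assumed here; all names are constructed.

```yaml
# Added example, not part of the access_policy.proto reference.
# Assumed: apiVersion v2 and the common-package selector sub-fields.
apiVersion: security.policy.gloo.solo.io/v2
kind: AccessPolicy
metadata:
  name: reviews-access          # constructed name
  namespace: bookinfo           # constructed namespace
spec:
  # Empty applyToDestinations would select every destination in the
  # workspace; a label selector narrows the blast radius to one service.
  applyToDestinations:
    - selector:
        labels:
          app: reviews
  config:
    authn:
      # STRICT rejects plaintext; PERMISSIVE would still accept it.
      tlsMode: STRICT
    authz:
      # A single empty selector here would admit every client identity.
      allowedClients:
        - serviceAccountSelector:
            name: productpage
            namespace: bookinfo
      # Matching is case sensitive: "/Reviews/1" is not covered by "/reviews/*".
      allowedPaths:
        - /reviews/*            # prefix match
        - "*/health"            # suffix match (quoted so YAML does not read it as an alias)
      # Ignored for gRPC destinations, where the method is always POST.
      allowedMethods:
        - GET
```

Omitting `allowedPaths` or `allowedMethods` entirely allows any path or any method, so an empty-looking `authz` block is permissive rather than deny-by-default.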