AccessPolicy defines how access to a destination service is granted: it describes both how clients are authenticated and how they are authorized to access the service. Refer to this link for further details about cross origin resource sharing. AccessPolicies are applied at the Destination level.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| applyToDestinations |  | repeated | Select the destinations where the policy will be applied. If left empty, the policy applies to all destinations in the workspace. |
| config |  |  | The details of the access policy to apply to the selected destinations. |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| authn |  |  | Specify how clients will be authenticated to the destination. |
| authz |  |  | Specify how clients will be authorized to access the destination. |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| tlsMode |  |  | Specify the type of TLS policy that will be enforced on clients connecting to the destination. Note that if service isolation is enabled for the workspace, this field will always be treated as `STRICT`. |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| allowedClients |  | repeated | The set of client identities that will be permitted to access the destination. Provide a single empty selector to allow access for all client identities. |
| allowedPaths | []string | repeated | Optional. A list of HTTP paths or gRPC methods to allow. gRPC methods must be presented as fully-qualified names in the form "/packageName.serviceName/methodName" and are case sensitive. Exact match, prefix match, and suffix match are supported for paths. For example, the path "/books/review" matches "/books/review" (exact match), "books/" (suffix match), or "/books" (prefix match). If not specified, any path is allowed. |
| allowedMethods | []string | repeated | Optional. A list of HTTP methods to allow (e.g., "GET", "POST"). It is ignored in the gRPC case because the value is always "POST". If not specified, any method is allowed. |
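To make the authorization rules above concrete, here is an added example (not part of the reference or the project's code) that evaluates a request against `allowedPaths` and `allowedMethods` as described: exact, prefix and suffix path matching, `allowedMethods` ignored for gRPC, unset fields allowing anything, and the `tlsMode` override when service isolation is enabled. It assumes Istio-style wildcard spelling for prefix and suffix patterns (`"/books/*"`, `"*/review"`), which this page does not state.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumption (not stated on this page): a prefix pattern ends with "*" and a
# suffix pattern starts with "*", Istio-style; anything else is an exact match.


@dataclass
class Authorization:
    allowedPaths: Optional[List[str]] = None    # None/empty: allow any path
    allowedMethods: Optional[List[str]] = None  # None/empty: allow any method


def path_matches(pattern: str, path: str) -> bool:
    """Exact, prefix ("/books/*") or suffix ("*/review") match; case sensitive."""
    if pattern.startswith("*"):
        return path.endswith(pattern[1:])
    if pattern.endswith("*"):
        return path.startswith(pattern[:-1])
    return path == pattern


def request_allowed(authz: Authorization, method: str, path: str,
                    content_type: str = "") -> bool:
    """Apply allowedPaths, then allowedMethods, the way the reference describes."""
    if authz.allowedPaths and not any(path_matches(p, path) for p in authz.allowedPaths):
        return False
    # For gRPC the HTTP method is always POST, so allowedMethods is ignored.
    if content_type.startswith("application/grpc"):
        return True
    if authz.allowedMethods and method not in authz.allowedMethods:
        return False
    return True


def effective_tls_mode(tls_mode: str, service_isolation: bool) -> str:
    """With service isolation enabled, the configured tlsMode is treated as STRICT."""
    return "STRICT" if service_isolation else tls_mode


if __name__ == "__main__":
    # Constructed sample policy and requests.
    http_authz = Authorization(allowedPaths=["/books/review", "*/review", "/books/*"],
                               allowedMethods=["GET"])
    print(request_allowed(http_authz, "GET", "/books/review"))   # True (exact)
    print(request_allowed(http_authz, "GET", "/shop/review"))    # True (suffix)
    print(request_allowed(http_authz, "POST", "/books/42"))      # False (method)
    grpc_authz = Authorization(allowedPaths=["/bookstore.Bookstore/ListBooks"])
    print(request_allowed(grpc_authz, "POST", "/bookstore.Bookstore/ListBooks",
                          "application/grpc"))                   # True
```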


Reflects the status of the AccessPolicy.

| Field | Type | Label | Description |
| --- | --- | --- | --- |
| workspaces |  | repeated | The status of the resource in each workspace that it exists in. |
| selectedDestinationPorts |  | repeated | Destination ports selected by the policy. |


| Field | Type | Label | Description |
| --- | --- | --- | --- |
| key | string |  |  |


TLS connection mode. The enum values correspond to those defined here.

| Name | Number | Description |
| --- | --- | --- |
| DISABLE | 0 | Do not originate a TLS connection to the upstream endpoint. |
| PERMISSIVE | 1 | Originate a TLS connection to the upstream endpoint. |
| STRICT | 2 | Secure connections to the upstream using mutual TLS by presenting client certificates for authentication. This mode uses certificates generated automatically by Istio for mTLS authentication. When this mode is used, all other fields in ClientTLSSettings should be empty. |