Access control policies apply ALLOW policies to communication in a mesh. Access control policies specify the following: ALLOW those requests that originate from the source workload, target the destination target, and match the indicated request criteria (allowed_paths, allowed_methods, allowed_ports). Enforcement of access control is determined by the VirtualMesh's GlobalAccessPolicy.
|sourceSelector||networking.mesh.gloo.solo.io.IdentitySelector||repeated||Requests originating from these pods will have the rule applied. Leave empty to have all pods in the mesh apply these policies. Note that access control policies are mapped to source pods by their service account. If other pods share the same service account, this access control rule will apply to those pods as well. For fine-grained access control policies, ensure that your service accounts properly reflect the desired boundary for your access control policies.|
|destinationSelector||networking.mesh.gloo.solo.io.TrafficTargetSelector||repeated||Requests destined for these pods will have the rule applied. Leave empty to apply to all destination pods in the mesh.|
|allowedPaths||string||repeated||Optional. A list of HTTP paths or gRPC methods to allow. gRPC methods must be presented as a fully qualified name in the form of “/packageName.serviceName/methodName” and are case sensitive. Exact match, prefix match, and suffix match are supported for paths. For example, the path “/books/review” matches “/books/review” (exact match), “books/” (suffix match), or “/books” (prefix match). If not specified, allow any path.|
|allowedMethods||networking.mesh.gloo.solo.io.HttpMethodValue||repeated||Optional. A list of HTTP methods to allow (e.g., “GET”, “POST”). It is ignored in the gRPC case because the value is always “POST”. If not specified, allows any method.|
|allowedPorts||uint32||repeated||Optional. A list of ports to allow. If not set, any port is allowed.|
|observedGeneration||int64||The most recent generation observed in the AccessPolicy metadata. If the observedGeneration does not match generation, the controller has not received the most recent version of this resource.|
|state||networking.mesh.gloo.solo.io.ApprovalState||The state of the overall resource. It will only show accepted if it has been successfully applied to all target meshes.|
|trafficTargets||networking.mesh.gloo.solo.io.AccessPolicyStatus.TrafficTargetsEntry||repeated||The status of the AccessPolicy for each TrafficTarget to which it has been applied. An AccessPolicy may be Accepted for some TrafficTargets and rejected for others.|
|workloads||string||repeated||The list of Workloads to which this policy has been applied.|
|errors||string||repeated||Any errors found while processing this generation of the resource.|
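
Because sourceSelector rules are mapped to pods by service account, the real source scope of a policy is every pod running under that account. The following Python script is an added example (not part of the Gloo Mesh documentation) that finds service accounts shared by more than one workload; the pod data is constructed, and treating the `app` label as the workload name is an assumption.

```python
import json
from collections import defaultdict

# Constructed sample, trimmed to the fields used, in the shape of
# `kubectl get pods -A -o json`. Names and labels are made up.
SAMPLE_PODS = json.loads("""
{"items": [
 {"metadata": {"name": "productpage-v1-a1", "namespace": "bookinfo", "labels": {"app": "productpage"}},
  "spec": {"serviceAccountName": "bookinfo-productpage"}},
 {"metadata": {"name": "reviews-v1-b2", "namespace": "bookinfo", "labels": {"app": "reviews"}},
  "spec": {"serviceAccountName": "bookinfo-shared"}},
 {"metadata": {"name": "ratings-v1-c3", "namespace": "bookinfo", "labels": {"app": "ratings"}},
  "spec": {"serviceAccountName": "bookinfo-shared"}},
 {"metadata": {"name": "details-v1-d4", "namespace": "bookinfo", "labels": {"app": "details"}},
  "spec": {}}
]}
""")


def pods_by_service_account(pod_list, workload_label="app"):
    """Map (namespace, service account) -> {workload: [pod names]}."""
    groups = defaultdict(lambda: defaultdict(list))
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod.get("spec", {})
        # A pod with no explicit service account runs as "default".
        account = spec.get("serviceAccountName") or "default"
        # Assumption: the workload_label value names the workload.
        workload = meta.get("labels", {}).get(workload_label, "<unlabelled>")
        groups[(meta["namespace"], account)][workload].append(meta["name"])
    return groups


def shared_service_accounts(pod_list, workload_label="app"):
    """Service accounts used by more than one workload; a policy whose source
    is such an account covers every one of those workloads."""
    groups = pods_by_service_account(pod_list, workload_label)
    return {key: dict(w) for key, w in groups.items() if len(w) > 1}


def policy_source_scope(pod_list, namespace, service_account):
    """Every pod that a source rule for this service account applies to."""
    workloads = pods_by_service_account(pod_list).get((namespace, service_account), {})
    return sorted(name for pods in workloads.values() for name in pods)


if __name__ == "__main__":
    for (ns, sa), workloads in shared_service_accounts(SAMPLE_PODS).items():
        print(f"{ns}/{sa} is shared by: {', '.join(sorted(workloads))}")
```

Run it against the full pod list of each cluster in the mesh before writing policies, and split any shared account whose workloads should not receive the same access.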