IdentitySelector

Selector capable of selecting specific service identities. Useful for binding policy rules. Either the KubeIdentityMatcher criteria (namespaces, clusters) or KubeServiceAccountRefs (direct ServiceAccount references) can be specified. If all fields are omitted, any source identity is permitted: an empty IdentitySelector on a policy is a permit-all, not a deny-all, so set at least one matcher whenever the intent is to restrict which sources a rule applies to.

KubeIdentityMatcher matches request identities based on the k8s namespace and cluster of the request. KubeServiceAccountRefs matches request identities based on the k8s service account of the request.
IdentitySelector.KubeIdentityMatcher

| Field | Type | Label | Description |
|---|---|---|---|
| namespaces | []string | repeated | If specified, match k8s identity if it exists in one of the specified namespaces. When used in a networking policy, omission matches any namespace. When used in a Role, a wildcard "*" must be explicitly used to match any namespace. |
| clusters | []string | repeated | If specified, match k8s identity if it exists in one of the specified clusters. When used in a networking policy, omission matches any cluster. When used in a Role, a wildcard "*" must be explicitly used to match any cluster. |
IdentitySelector.KubeServiceAccountRefs

Match k8s ServiceAccounts by direct reference. When used in a networking policy, omission of any field (name, namespace, or clusterName) allows matching any value for that field. When used in a Role, a wildcard "*" must be explicitly used to match any value for the given field.
TrafficTargetSelector

Select TrafficTargets using one or more platform-specific selection objects.

If specified, every listed label must be present on the k8s Service; a Service that carries additional labels still matches. When used in a networking policy, omission matches any labels. When used in a Role, a wildcard "*" must be explicitly used to match any label key and/or value.
| Field | Type | Label | Description |
|---|---|---|---|
| namespaces | []string | repeated | If specified, match k8s Services if they exist in one of the specified namespaces. When used in a networking policy, omission matches any namespace. When used in a Role, a wildcard "*" must be explicitly used to match any namespace. |
| clusters | []string | repeated | If specified, match k8s Services if they exist in one of the specified clusters. When used in a networking policy, omission matches any cluster. When used in a Role, a wildcard "*" must be explicitly used to match any cluster. |
Match k8s Services by direct reference. When used in a networking policy, omission of any field (name, namespace, or clusterName) allows matching any value for that field. When used in a Role, a wildcard "*" must be explicitly used to match any value for the given field.
WorkloadSelector

Select Kubernetes workloads directly using label, namespace and/or cluster criteria. See the comments on the fields for detailed semantics.

If specified, every listed label must be present on the k8s workload; a workload that carries additional labels still matches. When used in a networking policy, omission matches any labels. When used in a Role, a wildcard "*" must be explicitly used to match any label key and/or value.
| Field | Type | Label | Description |
|---|---|---|---|
| namespaces | []string | repeated | If specified, match k8s workloads if they exist in one of the specified namespaces. When used in a networking policy, omission matches any namespace. When used in a Role, a wildcard "*" must be explicitly used to match any namespace. |
| clusters | []string | repeated | If specified, match k8s workloads if they exist in one of the specified clusters. When used in a networking policy, omission matches any cluster. When used in a Role, a wildcard "*" must be explicitly used to match any cluster. |
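The omission rules are the same for IdentitySelector, TrafficTargetSelector and WorkloadSelector, and they are easy to get backwards: an omitted field in a networking policy matches anything, while an omitted field in a Role matches nothing and "*" has to be spelled out. The following Go program is an added example written for this page, not code from the project this reference documents; it implements those semantics for the labels, namespaces, clusters and direct-reference criteria so the two modes can be compared on the same input. The type and field names (KubeObject, KubeMatcher, ObjectRef, Selector, PolicyMode, RoleMode), the sample identity, and the reading of `{"*": "*"}` as "any label set" are this example's own assumptions.

```go
package main

import "fmt"

// Mode picks the omission semantics the reference describes for each context.
type Mode int

const (
	PolicyMode Mode = iota // networking policy: an omitted field matches anything
	RoleMode               // Role: an omitted field matches nothing; "*" must be explicit
)

// KubeObject is what gets selected (a ServiceAccount identity, Service or workload); example's own names.
type KubeObject struct {
	Cluster, Namespace, Name string
	Labels                   map[string]string
}

// KubeMatcher holds the labels/namespaces/clusters criteria shared by the page's matcher messages.
type KubeMatcher struct {
	Labels               map[string]string
	Namespaces, Clusters []string
}

// ObjectRef is a direct reference by name, namespace and clusterName.
type ObjectRef struct{ Name, Namespace, ClusterName string }

// Selector is a matcher and/or a list of direct references; a hit on either selects.
type Selector struct {
	Matcher *KubeMatcher
	Refs    []ObjectRef
}

// matchOne applies the omission rule to a single allowed value.
func matchOne(mode Mode, allowed, actual string) bool {
	if allowed == "" {
		return mode == PolicyMode
	}
	return allowed == "*" || allowed == actual
}

// matchList applies it to a repeated field: any listed value may match.
func matchList(mode Mode, allowed []string, actual string) bool {
	if len(allowed) == 0 {
		return mode == PolicyMode
	}
	for _, a := range allowed {
		if a == "*" || a == actual {
			return true
		}
	}
	return false
}

// matchLabels requires every listed label on the object (extra labels are fine).
// {"*": "*"} matches any label set (assumed reading); a "*" value matches any value for its key.
func matchLabels(mode Mode, required, actual map[string]string) bool {
	if len(required) == 0 {
		return mode == PolicyMode
	}
	for k, v := range required {
		if k == "*" && v == "*" {
			continue
		}
		if av, ok := actual[k]; !ok || (v != "*" && av != v) {
			return false
		}
	}
	return true
}

// Match reports whether s selects o. With neither matcher nor refs, a policy
// selector permits everything while a Role selector selects nothing.
func (s Selector) Match(mode Mode, o KubeObject) bool {
	if s.Matcher == nil && len(s.Refs) == 0 {
		return mode == PolicyMode
	}
	if m := s.Matcher; m != nil && matchLabels(mode, m.Labels, o.Labels) &&
		matchList(mode, m.Namespaces, o.Namespace) && matchList(mode, m.Clusters, o.Cluster) {
		return true
	}
	for _, r := range s.Refs {
		if matchOne(mode, r.Name, o.Name) && matchOne(mode, r.Namespace, o.Namespace) &&
			matchOne(mode, r.ClusterName, o.Cluster) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample identity; not taken from any real cluster.
	id := KubeObject{Cluster: "prod-east", Namespace: "payments", Name: "checkout", Labels: map[string]string{"app": "checkout", "tier": "backend"}}
	empty := Selector{Matcher: &KubeMatcher{}}
	roleAny := Selector{Matcher: &KubeMatcher{Namespaces: []string{"*"}, Clusters: []string{"*"}, Labels: map[string]string{"*": "*"}}}
	fmt.Println("empty matcher, policy:", empty.Match(PolicyMode, id))  // true: permit-all
	fmt.Println("empty matcher, role:", empty.Match(RoleMode, id))      // false: "*" required
	fmt.Println("wildcard matcher, role:", roleAny.Match(RoleMode, id)) // true
}
```

The asymmetry that matters operationally is the first two lines of output: the same empty matcher is permit-all in a policy and match-nothing in a Role. A direct reference behaves the same way per field, so a Role reference that omits clusterName never matches until it names a cluster or uses "*".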