Selectors

Proto: selectors.proto

Package: common.gloo.solo.io

Types:

ClusterSelector

Select clusters and namespaces for a workspace

Field Description
name (string)

Optional: Name of the cluster to select. Use * to match name patterns across multiple cluster names.
selector (repeated ClusterSelector.SelectorEntry)

Optional: Include workload clusters in the workspace by using a selector. The selector matches the selector values in the KubernetesCluster resource on the management cluster. Selector is a map of {key,value} pairs. A single {key,value} in the selector map is equivalent to an element of labelRequirements, whose key field is “key”, the operator is “In”, and the values array contains only “value”. The requirements are ANDed.
namespaces (repeated ClusterSelector.NamespaceSelector)

Select the namespaces in the cluster(s) to include in the workspace. If you do not select any namespaces, the workspace is empty and results in an error.
configEnabled (bool)

Optional: Read Gloo configuration from specific clusters and namespaces that are included in a workspace. If you omit this field for any cluster in a workspace, it is set to true by default, and Gloo configuration is read for all clusters and namespaces in that workspace. If you explicitly set this field to either true or false on a specific cluster, you must also explicitly set the field for every other cluster that is listed in that workspace. For example, if you have a workspace that spans namespaces in three clusters, but you want to read Gloo configuration from the namespaces in only one of the clusters, you must explicitly set configEnabled: true for the cluster to read from, and explicitly set configEnabled: false for the other two clusters.

ClusterSelector.NamespaceSelector

Select namespaces for the selected cluster(s)

Field Description
name (string)

Name of the namespace to select. You can use * to match name patterns across multiple namespaces. Note: When this field is used in conjunction with “labels”, both conditions are ANDed together.
configEnabled (bool)

Optional: Read Gloo configuration from this namespace. If you omit this field for any other namespace in the cluster, it is set to true by default, and Gloo configuration is read for all namespaces in that cluster. If you explicitly set this field to either true or false for one namespace, you must also explicitly set the field for every other namespace that is listed in the workspace for that cluster. For example, if you have a cluster in your workspace that has three namespaces, but you want to read Gloo configuration from only one of the namespaces in the cluster, you must explicitly set configEnabled: true for the namespace to read from, and explicitly set configEnabled: false for the other two namespaces.
labels (repeated ClusterSelector.NamespaceSelector.LabelsEntry)

Optional: Select groups of namespaces via labels. Leaving this field empty does NOT select all namespaces; the field is ignored instead. Note: When this field is used in conjunction with “name”, both conditions are ANDed together.
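
The configEnabled rule described for ClusterSelector and NamespaceSelector can be checked before a workspace is applied. The following lint is an added example, not code from the Gloo project; it assumes the workspace's cluster selectors have already been loaded into plain Python dicts that use the field names on this page, and the sample data is constructed.

```python
# Added example: lint for the configEnabled all-or-none rule.
# Dicts mirror the ClusterSelector / NamespaceSelector fields on this page.

def partially_set(entries):
    """True when configEnabled is explicit on some entries but omitted on others."""
    explicit = ["configEnabled" in e for e in entries]
    return any(explicit) and not all(explicit)


def omitted(entries):
    """Names of the entries that leave configEnabled unset."""
    return [e.get("name", "<unnamed>") for e in entries if "configEnabled" not in e]


def lint_workload_clusters(clusters):
    """Return findings for a workspace's list of ClusterSelector dicts."""
    findings = []
    if not any(c.get("namespaces") for c in clusters):
        findings.append("no namespaces selected: workspace is empty")
    if partially_set(clusters):
        findings.append(f"clusters without explicit configEnabled: {omitted(clusters)}")
    for c in clusters:
        namespaces = c.get("namespaces", [])
        if partially_set(namespaces):
            findings.append(
                f"{c.get('name', '<unnamed>')}: namespaces without explicit "
                f"configEnabled: {omitted(namespaces)}")
    return findings


# Constructed sample: configEnabled is set on one cluster and one namespace only.
INCOMPLETE = [
    {"name": "cluster-1", "configEnabled": True, "namespaces": [{"name": "team-a"}]},
    {"name": "cluster-2", "namespaces": [{"name": "team-a"}]},
    {"name": "cluster-3", "namespaces": [
        {"name": "team-a", "configEnabled": True},
        {"name": "team-b"}]},
]

# Constructed sample: every listed cluster states its choice explicitly.
EXPLICIT = [
    {"name": "cluster-1", "configEnabled": True, "namespaces": [{"name": "team-a"}]},
    {"name": "cluster-2", "configEnabled": False, "namespaces": [{"name": "team-a"}]},
]

if __name__ == "__main__":
    for finding in lint_workload_clusters(INCOMPLETE):
        print(finding)
```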

ClusterSelector.NamespaceSelector.LabelsEntry

Field Description
key (string)

value (string)

ClusterSelector.SelectorEntry

Field Description
key (string)

value (string)

DestinationSelector

DestinationSelector is a selector for matching routable destinations for routes. DestinationSelectors can select a variety of object types. The behavior of the route action will vary depending on the type of destination selected. Defaults to the Kubernetes v1/Service. Currently supported destination types:

Field Description
selector (ObjectSelector)

The selector used to match destination objects by their metadata.
kind (DestinationKind)

The kind of destination being selected. Defaults to Kubernetes Service.
port (PortSelector)

The port on the Destination which receives traffic. All ports on the Destination will be selected if left empty.

IdentitySelector

IdentitySelector is a Selector specifically built for selecting client identities for security policies.

Field Description
serviceAccountSelector (ObjectSelector)

Select Kubernetes service accounts as identities. When selecting a service account that will be created in the future for use in an AuthorizationPolicy, ONLY provide the name, namespace and cluster where the service account will exist in the selector. If the service account does not exist yet, providing labels and/or the workspace, or omitting the name, namespace or cluster, means that the service account is not added to the resulting AuthorizationPolicy.
externalWorkloadSelector (ObjectSelector)

Select external workloads.
requestIdentityMatcher (IdentitySelector.RequestIdentityMatcher)

Select identities based on properties of the request. If multiple fields are set, they are ANDed together. More information about the individual values can be found here: https://istio.io/latest/docs/reference/config/security/authorization-policy/#Source
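
The rule for service accounts that do not exist yet can be checked against an inventory before a policy is applied, so that an identity is not silently left out of the resulting AuthorizationPolicy. The following audit is an added example, not code from the Gloo project. It assumes selectors and the service account inventory are plain dicts, that a set selector field must equal the account's value, and that all selector labels must be present on the account; workspace is not evaluated, and all sample values are constructed.

```python
# Added example: flag serviceAccountSelector entries that match no existing
# service account and do not follow the name/namespace/cluster-only rule.

REQUIRED = ("name", "namespace", "cluster")
NOT_ALLOWED = ("labels", "workspace")


def matches(selector, sa):
    """Assumed ObjectSelector semantics: every field that is set must equal the
    service account's value, and all selector labels must be on the account."""
    for field in REQUIRED:
        if selector.get(field) and selector[field] != sa[field]:
            return False
    wanted = selector.get("labels") or {}
    return all(sa.get("labels", {}).get(k) == v for k, v in wanted.items())


def audit_identities(identities, existing):
    """Map the index of each IdentitySelector to the reasons its not-yet-existing
    service account would be left out of the AuthorizationPolicy."""
    report = {}
    for i, ident in enumerate(identities):
        sel = ident.get("serviceAccountSelector")
        if sel is None or any(matches(sel, sa) for sa in existing):
            continue  # no service account selector, or it resolves today
        reasons = [f"{f} is required" for f in REQUIRED if not sel.get(f)]
        reasons += [f"{f} must not be set" for f in NOT_ALLOWED if sel.get(f)]
        if reasons:
            report[i] = reasons
    return report


# Constructed inventory of service accounts that exist today.
EXISTING = [{"name": "frontend", "namespace": "web", "cluster": "cluster-1",
             "labels": {"app": "frontend"}}]

# Constructed IdentitySelector list from a hypothetical policy.
IDENTITIES = [
    {"serviceAccountSelector": {"labels": {"app": "frontend"}}},
    {"serviceAccountSelector": {"name": "batch", "namespace": "jobs",
                                "cluster": "cluster-1"}},
    {"serviceAccountSelector": {"name": "batch", "namespace": "jobs",
                                "workspace": "ops"}},
    {"requestIdentityMatcher": {"requestPrincipals": ["issuer.example/alice"]}},
]

if __name__ == "__main__":
    print(audit_identities(IDENTITIES, EXISTING))
```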

IdentitySelector.RequestIdentityMatcher

Field Description
requestPrincipals (repeated string)

Optional: A list of identities to match the request identity (“iss/sub” from the JWT). If omitted, all request identity values are accepted.
notRequestPrincipals (repeated string)

Optional: A list of identities to negatively match the request identity.

ListenerSelector

ListenerSelector is a selector for a listener on a VirtualGateway.

Field Description
virtualGateway (ObjectSelector)

The virtual gateway on which to select a listener.
port (PortSelector)

The port to select on the selected listener.

MeshSelector

MeshSelector is a Selector built for selecting instances of Mesh control planes. A control plane is understood to have a single domain and provide a single root of trust for the data plane proxies it is managing. Each revision of Istiod maps

Field Description
istio (MeshSelector.Istio)

Options for selecting Istio Mesh control planes.

MeshSelector.Istio

Field Description
revision (string)

The istio.io/revision of Istio to select. Regex is supported. Omit to select across all revisions.
namespace (string)

Match the name of the namespace where istiod is deployed. Omit to select across all namespaces.
clusterSelector (repeated MeshSelector.Istio.ClusterSelectorEntry)

Match the labels of the cluster where istiod is deployed. Omit to select across all clusters.
selector (repeated MeshSelector.Istio.SelectorEntry)

Select via the labels of the istiod deployment. Omit to select across all labels.

MeshSelector.Istio.ClusterSelectorEntry

Field Description
key (string)

value (string)

MeshSelector.Istio.SelectorEntry

Field Description
key (string)

value (string)

ObjectSelector

Selects zero or more Kubernetes API resources by matching on labels, name, namespace, cluster, and workspace.

Field Description
labels (repeated ObjectSelector.LabelsEntry)

Labels matching those of the object.
name (string)

Only select objects with the matching name. If omitted, Gloo selects matching objects with any name available in the parent object's workspace.
namespace (string)

Only select objects in the matching namespace. If omitted, Gloo selects matching objects across all namespaces available in the parent object's workspace.
cluster (string)

Only select objects in the matching cluster. If omitted, Gloo selects matching objects across all clusters available in the parent object's workspace.
workspace (string)

Only select objects in the given workspace. If omitted, Gloo selects matching objects across all workspaces available in the parent object's workspace.

ObjectSelector.LabelsEntry

Field Description
key (string)

value (string)

RouteDestinationSelector

RouteDestinationSelector is a Selector specifically built for individual destinations on individual Routes inside of RouteTables.

Field Description
route (RouteLabelSelector)

Select routes based on their labels. These labels can be used to match route tables or individual routes within route tables. If empty, configuration will apply to all specified destinations on all routes in the workspace.
onDestinations (repeated DestinationSelector)

For the selected routes, select destinations on which to apply this policy.

RouteFilter

Field Description
cloudProvider (CloudProviderFilterOptions)

Optional: filter out route tables that specify CloudProvider functionality, if provided.

RouteLabelSelector

RouteLabelSelector is used to select the details of a route primarily by label. The selection may be further restricted by namespace, cluster, and workspace.

Field Description
labels (repeated RouteLabelSelector.LabelsEntry)

Select routes including all specified labels on the route or route table.
namespace (string)

Only select routes attached to route tables matching the namespace.
cluster (string)

Only select routes attached to route tables matching the cluster.
workspace (string)

Only select routes attached to route tables matching the workspace.

RouteLabelSelector.LabelsEntry

Field Description
key (string)

value (string)

RouteSelector

RouteSelector is a Selector specifically built for individual Routes inside of RouteTables.

This selector can be used to select individual routes or entire route tables using the same label selector.

Field Description
route (RouteLabelSelector)

Select routes based on their labels. These labels can be used to match route tables or individual routes within route tables.
withDestinations (DestinationSelector)

Select routes with forwardTo actions based on their destinations. This can be used to apply policy to routes regardless of their labels.

WorkloadSelector

WorkloadSelector is a Selector specifically built for selecting individual workloads. Workloads must have injected proxies (sidecars) or be standalone proxies (gateways) to be selected by Gloo Mesh policies.

This selector can be used to select pods or injected external endpoints (VMs).

Field Description
selector (ObjectSelector)

Selector used to match Workload objects by their metadata.
kind (WorkloadSelector.WorkloadKind)

The kind of workload being selected. Defaults to Kube.
port (PortSelector)

The port to select on the selected workloads. Only applies to policies which select specific workload ports, such as the WasmDeploymentPolicy.

WorkspaceSelector

WorkspaceSelector is a selector for workspaces.

Field Description
name (string)

Optional: Name of the workspace to select. Use * to match name patterns in multiple workspace names.
selector (repeated WorkspaceSelector.SelectorEntry)

Optional: Select workspaces based on their labels, such as setting selector to team: backend.

WorkspaceSelector.SelectorEntry

Field Description
key (string)

value (string)

DestinationKind

Supported Kinds which can be selected by routes.

Name Number Description
SERVICE 0 Select a Kubernetes Service
VIRTUAL_DESTINATION 1 Select a Virtual Destination
EXTERNAL_SERVICE 2 Select an External Service

WorkloadSelector.WorkloadKind

Name Number Description
KUBE 0 Select Kubernetes workloads (deployment, statefulset, daemonset, etc.).
VM 1 Select VMs which are external, non-Kubernetes workloads.