
# Test fixture: the Linkerd `ServerAuthorization` CRD (policy.linkerd.io),
# vendored from `linkerd/cli stable-2.11.4` (see the `linkerd.io/created-by`
# annotation). Lives under test/fixtures/crds/linkerd; when the Linkerd version
# is bumped, re-vendor this file rather than editing the schema by hand.
#
# Security notes — what this schema does and does not enforce at admission:
#   - `client.unauthenticated: true` authorizes clients with no identity at all;
#     with `client.networks` unset, the reach is whatever default the server
#     applies (see the `networks` description below).
#   - `client.meshTLS.identities` accepts a bare `*`, which authorizes every
#     mTLS-authenticated client, not just one domain.
#   - `networks[].cidr` and `except[]` are only constrained to `type: string`,
#     and nothing forbids setting `unauthenticated` together with `meshTLS`;
#     such objects pass this schema unchanged.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: serverauthorizations.policy.linkerd.io
  labels:
    helm.sh/chart: linkerd2-0.1.0
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli stable-2.11.4
spec:
  group: policy.linkerd.io
  names:
    kind: ServerAuthorization
    plural: serverauthorizations
    shortNames: [saz]
    singular: serverauthorization
  scope: Namespaced
  versions:
  # v1alpha1 is served but not the storage version (objects are stored as
  # v1beta1, below). The two schemas are identical.
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            description: >-
              Authorizes clients to communicate with Linkerd-proxied servers.
            properties:
              client:
                type: object
                description: Describes clients authorized to access a server.
                properties:
                  meshTLS:
                    type: object
                    properties:
                      # The pattern admits `*` only as the leading label (first
                      # alternative of the first group): `*` alone matches every
                      # identity, `*.<suffix>` matches a domain, and a wildcard in
                      # any later label is rejected by schema validation.
                      identities:
                        type: array
                        description: >-
                          Authorizes clients with the provided proxy identity strings (as provided via MTLS)

                          The `*` prefix can be used to match all identities in a domain. An identity string of `*` indicates that all authentication clients are authorized.
                        items:
                          type: string
                          pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                      # `namespace` defaults to the authorization's own namespace,
                      # so an omitted namespace never widens the grant to another one.
                      serviceAccounts:
                        type: array
                        description: >-
                          Authorizes clients with the provided proxy identity service accounts (as provided via MTLS)
                        items:
                          type: object
                          properties:
                            name:
                              type: string
                              description: The ServiceAccount's name.
                              pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                            namespace:
                              type: string
                              description: >-
                                The ServiceAccount's namespace. If unset, the authorization's namespace is used.
                              pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                          required: [name]
                      # Accepts TLS without a client certificate; per the
                      # description this exists for the identity controller's
                      # bootstrap case, and should not be needed on other servers.
                      unauthenticatedTLS:
                        type: boolean
                        description: >-
                          Indicates that no client identity is required for communication.

                          This is mostly important for the identity controller, which must terminate TLS connections from clients that do not yet have a certificate.
                  # No IP/CIDR syntax is enforced here: `cidr` and `except`
                  # entries are arbitrary strings as far as this schema goes.
                  networks:
                    type: array
                    description: >-
                      Limits the client IP addresses to which this authorization applies. If unset, the server chooses a default (typically, all IPs or the cluster's pod network).
                    items:
                      type: object
                      properties:
                        cidr:
                          type: string
                        except:
                          type: array
                          items:
                            type: string
                      required: [cidr]
                  # Grants access with no client identity. The schema neither
                  # makes this mutually exclusive with `meshTLS` nor requires
                  # `networks` to be set alongside it.
                  unauthenticated:
                    type: boolean
                    description: >-
                      Authorizes unauthenticated clients to access a server.
              # `name` and `selector` are mutually exclusive via `oneOf`; the
              # description limits references to Servers in the same namespace.
              server:
                type: object
                description: >-
                  Identifies servers in the same namespace for which this authorization applies.

                  Only one of `name` or `selector` may be specified.
                oneOf:
                - required: [name]
                - required: [selector]
                properties:
                  name:
                    type: string
                    description: References a `Server` instance by name
                    pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                  selector:
                    type: object
                    description: >-
                      A label query over servers on which this authorization applies.
                    properties:
                      matchExpressions:
                        type: array
                        items:
                          type: object
                          properties:
                            key:
                              type: string
                            operator:
                              type: string
                              enum: [In, NotIn, Exists, DoesNotExist]
                            values:
                              type: array
                              items:
                                type: string
                          required: [key, operator]
                      matchLabels:
                        type: object
                        x-kubernetes-preserve-unknown-fields: true
            # `client` must be present but may be empty (`{}`): no `required`
            # list or `oneOf` is declared on it above.
            required: [server, client]
        required: [spec]
    served: true
    storage: false
  # v1beta1 is the storage version. The schema below is byte-for-byte the same
  # as v1alpha1; only the printer column is new.
  - name: v1beta1
    additionalPrinterColumns:
    # Blank for selector-based authorizations, since `name` is then absent.
    - name: Server
      type: string
      description: The server that this grants access to
      jsonPath: .spec.server.name
    schema:
      openAPIV3Schema:
        type: object
        properties:
          spec:
            type: object
            description: >-
              Authorizes clients to communicate with Linkerd-proxied servers.
            properties:
              client:
                type: object
                description: Describes clients authorized to access a server.
                properties:
                  meshTLS:
                    type: object
                    properties:
                      # See the v1alpha1 note: `*` is only accepted as the leading label.
                      identities:
                        type: array
                        description: >-
                          Authorizes clients with the provided proxy identity strings (as provided via MTLS)

                          The `*` prefix can be used to match all identities in a domain. An identity string of `*` indicates that all authentication clients are authorized.
                        items:
                          type: string
                          pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                      serviceAccounts:
                        type: array
                        description: >-
                          Authorizes clients with the provided proxy identity service accounts (as provided via MTLS)
                        items:
                          type: object
                          properties:
                            name:
                              type: string
                              description: The ServiceAccount's name.
                              pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                            namespace:
                              type: string
                              description: >-
                                The ServiceAccount's namespace. If unset, the authorization's namespace is used.
                              pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                          required: [name]
                      # TLS without a client certificate; intended for the
                      # identity controller's bootstrap case per the description.
                      unauthenticatedTLS:
                        type: boolean
                        description: >-
                          Indicates that no client identity is required for communication.

                          This is mostly important for the identity controller, which must terminate TLS connections from clients that do not yet have a certificate.
                  # `cidr` / `except` are unvalidated strings at the schema level.
                  networks:
                    type: array
                    description: >-
                      Limits the client IP addresses to which this authorization applies. If unset, the server chooses a default (typically, all IPs or the cluster's pod network).
                    items:
                      type: object
                      properties:
                        cidr:
                          type: string
                        except:
                          type: array
                          items:
                            type: string
                      required: [cidr]
                  # No client identity required; not made exclusive with `meshTLS`
                  # and not tied to `networks` by this schema.
                  unauthenticated:
                    type: boolean
                    description: >-
                      Authorizes unauthenticated clients to access a server.
              server:
                type: object
                description: >-
                  Identifies servers in the same namespace for which this authorization applies.

                  Only one of `name` or `selector` may be specified.
                oneOf:
                - required: [name]
                - required: [selector]
                properties:
                  name:
                    type: string
                    description: References a `Server` instance by name
                    pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                  selector:
                    type: object
                    description: >-
                      A label query over servers on which this authorization applies.
                    properties:
                      matchExpressions:
                        type: array
                        items:
                          type: object
                          properties:
                            key:
                              type: string
                            operator:
                              type: string
                              enum: [In, NotIn, Exists, DoesNotExist]
                            values:
                              type: array
                              items:
                                type: string
                          required: [key, operator]
                      matchLabels:
                        type: object
                        x-kubernetes-preserve-unknown-fields: true
            # As in v1alpha1, an empty `client: {}` satisfies this requirement.
            required: [server, client]
        required: [spec]
    served: true
    storage: true
