---
# CustomResourceDefinition for ServerAuthorization (policy.linkerd.io).
#
# A ServerAuthorization grants a set of clients -- selected by mesh identity,
# service account, or source network -- access to `Server` resources in the
# same namespace. Two schema versions are served; they carry the same
# validation schema, and v1beta1 is the storage version. The schema is written
# out twice on purpose: YAML anchors are avoided because not every Kubernetes
# tool that consumes CRDs expands aliases.
#
# Fields worth attention when reviewing an instance of this resource:
#   * `client.meshTLS.identities` accepts `*` (match all identities) and a
#     leading `*.` label (match a whole domain suffix).
#   * `client.meshTLS.unauthenticatedTLS` and `client.unauthenticated` are the
#     permissive settings; the schema does not require `networks` alongside
#     them, so nothing here bounds the source unless `networks` is set.
#   * `client.networks[].cidr` has no `pattern`/`format`, so the API server
#     accepts any string for it.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: serverauthorizations.policy.linkerd.io
  labels:
    helm.sh/chart: linkerd2-0.1.0
    linkerd.io/control-plane-ns: linkerd
  annotations:
    linkerd.io/created-by: linkerd/cli stable-2.11.4
spec:
  group: policy.linkerd.io
  names:
    kind: ServerAuthorization
    plural: serverauthorizations
    shortNames: [saz]
    singular: serverauthorization
  scope: Namespaced
  versions:
    # v1alpha1: served for compatibility, not the storage version.
    - name: v1alpha1
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              description: >-
                Authorizes clients to communicate with Linkerd-proxied servers.
              properties:
                client:
                  type: object
                  description: Describes clients authorized to access a server.
                  properties:
                    meshTLS:
                      type: object
                      properties:
                        identities:
                          type: array
                          description: >-
                            Authorizes clients with the provided proxy identity
                            strings (as provided via MTLS)

                            The `*` prefix can be used to match all identities
                            in a domain. An identity string of `*` indicates
                            that all authentication clients are authorized.
                          items:
                            type: string
                            # The wildcard is only accepted as the first
                            # DNS label; every later label must be a plain
                            # lowercase label.
                            pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                        serviceAccounts:
                          type: array
                          description: >-
                            Authorizes clients with the provided proxy identity
                            service accounts (as provided via MTLS)
                          items:
                            type: object
                            properties:
                              name:
                                type: string
                                description: The ServiceAccount's name.
                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                              # Optional; the description states that an
                              # unset namespace defaults to the
                              # authorization's own namespace.
                              namespace:
                                type: string
                                description: >-
                                  The ServiceAccount's namespace. If unset, the
                                  authorization's namespace is used.
                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                            required: [name]
                        # Permissive: TLS clients that present no identity are
                        # accepted. The description scopes its intended use to
                        # the identity controller.
                        unauthenticatedTLS:
                          type: boolean
                          description: >-
                            Indicates that no client identity is required for
                            communication. This is mostly important for the
                            identity controller, which must terminate TLS
                            connections from clients that do not yet have a
                            certificate.
                    networks:
                      type: array
                      description: >-
                        Limits the client IP addresses to which this
                        authorization applies. If unset, the server chooses a
                        default (typically, all IPs or the cluster's pod
                        network).
                      items:
                        type: object
                        properties:
                          # No `pattern` or `format`: a malformed CIDR passes
                          # admission and is only caught, if at all, by the
                          # consumer of this resource.
                          cidr:
                            type: string
                          # Plain strings as well; presumably sub-ranges
                          # excluded from `cidr` -- not described by this
                          # schema.
                          except:
                            type: array
                            items:
                              type: string
                        required: [cidr]
                    # Permissive: authorizes clients with no mesh TLS at all.
                    # Nothing in this schema requires `networks` to be set
                    # alongside it.
                    unauthenticated:
                      type: boolean
                      description: >-
                        Authorizes unauthenticated clients to access a server.
                server:
                  type: object
                  description: >-
                    Identifies servers in the same namespace for which this
                    authorization applies.

                    Only one of `name` or `selector` may be specified.
                  # Exactly one of `name` / `selector` must be present.
                  oneOf:
                    - required: [name]
                    - required: [selector]
                  properties:
                    name:
                      type: string
                      description: References a `Server` instance by name
                      pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                    selector:
                      type: object
                      description: >-
                        A label query over servers on which this authorization
                        applies.
                      properties:
                        matchExpressions:
                          type: array
                          items:
                            type: object
                            properties:
                              key:
                                type: string
                              operator:
                                type: string
                                enum: [In, NotIn, Exists, DoesNotExist]
                              values:
                                type: array
                                items:
                                  type: string
                            required: [key, operator]
                        # Arbitrary label keys are kept rather than pruned.
                        matchLabels:
                          type: object
                          x-kubernetes-preserve-unknown-fields: true
              required: [server, client]
          required: [spec]
      served: true
      storage: false
    # v1beta1: storage version. Same schema as v1alpha1, plus a printer column.
    - name: v1beta1
      additionalPrinterColumns:
        # Reads `.spec.server.name`, so the column is blank for authorizations
        # that target servers via `selector`.
        - name: Server
          type: string
          description: The server that this grants access to
          jsonPath: .spec.server.name
      schema:
        openAPIV3Schema:
          type: object
          properties:
            spec:
              type: object
              description: >-
                Authorizes clients to communicate with Linkerd-proxied servers.
              properties:
                client:
                  type: object
                  description: Describes clients authorized to access a server.
                  properties:
                    meshTLS:
                      type: object
                      properties:
                        identities:
                          type: array
                          description: >-
                            Authorizes clients with the provided proxy identity
                            strings (as provided via MTLS)

                            The `*` prefix can be used to match all identities
                            in a domain. An identity string of `*` indicates
                            that all authentication clients are authorized.
                          items:
                            type: string
                            # Wildcard accepted only as the leading label.
                            pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                        serviceAccounts:
                          type: array
                          description: >-
                            Authorizes clients with the provided proxy identity
                            service accounts (as provided via MTLS)
                          items:
                            type: object
                            properties:
                              name:
                                type: string
                                description: The ServiceAccount's name.
                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                              namespace:
                                type: string
                                description: >-
                                  The ServiceAccount's namespace. If unset, the
                                  authorization's namespace is used.
                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                            required: [name]
                        # Permissive: TLS clients without an identity are
                        # accepted (intended for the identity controller).
                        unauthenticatedTLS:
                          type: boolean
                          description: >-
                            Indicates that no client identity is required for
                            communication. This is mostly important for the
                            identity controller, which must terminate TLS
                            connections from clients that do not yet have a
                            certificate.
                    networks:
                      type: array
                      description: >-
                        Limits the client IP addresses to which this
                        authorization applies. If unset, the server chooses a
                        default (typically, all IPs or the cluster's pod
                        network).
                      items:
                        type: object
                        properties:
                          # Unvalidated string; see the note on v1alpha1.
                          cidr:
                            type: string
                          except:
                            type: array
                            items:
                              type: string
                        required: [cidr]
                    # Permissive: authorizes clients with no mesh TLS at all.
                    unauthenticated:
                      type: boolean
                      description: >-
                        Authorizes unauthenticated clients to access a server.
                server:
                  type: object
                  description: >-
                    Identifies servers in the same namespace for which this
                    authorization applies.

                    Only one of `name` or `selector` may be specified.
                  oneOf:
                    - required: [name]
                    - required: [selector]
                  properties:
                    name:
                      type: string
                      description: References a `Server` instance by name
                      pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                    selector:
                      type: object
                      description: >-
                        A label query over servers on which this authorization
                        applies.
                      properties:
                        matchExpressions:
                          type: array
                          items:
                            type: object
                            properties:
                              key:
                                type: string
                              operator:
                                type: string
                                enum: [In, NotIn, Exists, DoesNotExist]
                              values:
                                type: array
                                items:
                                  type: string
                            required: [key, operator]
                        matchLabels:
                          type: object
                          x-kubernetes-preserve-unknown-fields: true
              required: [server, client]
          required: [spec]
      served: true
      storage: true