
     1---
     2apiVersion: apiextensions.k8s.io/v1
     3kind: CustomResourceDefinition
     4metadata:
     5  name: serverauthorizations.policy.linkerd.io
     6  annotations:
     7    {{ include "partials.annotations.created-by" . }}
     8  labels:
     9    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    10    linkerd.io/control-plane-ns: {{.Release.Namespace}}
    11spec:
    12  group: policy.linkerd.io
    13  scope: Namespaced
    14  names:
    15    kind: ServerAuthorization
    16    plural: serverauthorizations
    17    singular: serverauthorization
    18    shortNames: [saz, serverauthz, srvauthz]
    19  versions:
    20    - name: v1alpha1
    21      served: true
    22      storage: false
    23      deprecated: true
    24      deprecationWarning: "policy.linkerd.io/v1alpha1 ServerAuthorization is deprecated; use policy.linkerd.io/v1beta1 ServerAuthorization"
    25      schema:
    26        openAPIV3Schema:
    27          type: object
    28          required: [spec]
    29          properties:
    30            spec:
    31              description: >-
    32                Authorizes clients to communicate with Linkerd-proxied servers.
    33              type: object
    34              required: [server, client]
    35              properties:
    36                server:
    37                  description: >-
    38                    Identifies servers in the same namespace for which this
    39                    authorization applies.
    40
    41                    Only one of `name` or `selector` may be specified.
    42                  type: object
    43                  oneOf:
    44                    - required: [name]
    45                    - required: [selector]
    46                  properties:
    47                    name:
    48                      description: References a `Server` instance by name
    49                      type: string
    50                      pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
    51                    selector:
    52                      description: >-
    53                        A label query over servers on which this authorization applies.
    54                      type: object
    55                      properties:
    56                        matchLabels:
    57                          type: object
    58                          x-kubernetes-preserve-unknown-fields: true
    59                        matchExpressions:
    60                          type: array
    61                          items:
    62                            type: object
    63                            required: [key, operator]
    64                            properties:
    65                              key:
    66                                type: string
    67                              operator:
    68                                type: string
    69                                enum: [In, NotIn, Exists, DoesNotExist]
    70                              values:
    71                                type: array
    72                                items:
    73                                  type: string
    74                client:
    75                  description:  Describes clients authorized to access a server.
    76                  type: object
    77                  properties:
    78                    networks:
    79                      description: >-
    80                        Limits the client IP addresses to which this
    81                        authorization applies. If unset, the server chooses a
    82                        default (typically, all IPs or the cluster's pod
    83                        network).
    84                      type: array
    85                      items:
    86                        type: object
    87                        required: [cidr]
    88                        properties:
    89                          cidr:
    90                            type: string
    91                          except:
    92                            type: array
    93                            items:
    94                              type: string
    95                    unauthenticated:
    96                      description: >-
    97                        Authorizes unauthenticated clients to access a server.
    98                      type: boolean
    99                    meshTLS:
   100                      type: object
   101                      properties:
   102                        unauthenticatedTLS:
   103                          type: boolean
   104                          description: >-
   105                            Indicates that no client identity is required for
   106                            communication.
   107
   108                            This is mostly important for the identity
   109                            controller, which must terminate TLS connections
   110                            from clients that do not yet have a certificate.
   111                        identities:
   112                          description: >-
   113                            Authorizes clients with the provided proxy identity
   114                            strings (as provided via MTLS)
   115
   116                            The `*` prefix can be used to match all identities in
   117                            a domain. An identity string of `*` indicates that
   118                            all authentication clients are authorized.
   119                          type: array
   120                          items:
   121                            type: string
   122                            pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
   123                        serviceAccounts:
   124                          description: >-
   125                            Authorizes clients with the provided proxy identity
   126                            service accounts (as provided via MTLS)
   127                          type: array
   128                          items:
   129                            type: object
   130                            required: [name]
   131                            properties:
   132                              name:
   133                                description: The ServiceAccount's name.
   134                                type: string
   135                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
   136                              namespace:
   137                                description: >-
   138                                  The ServiceAccount's namespace. If unset, the
   139                                  authorization's namespace is used.
   140                                type: string
   141                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
   142    - name: v1beta1
   143      served: true
   144      storage: true
   145      schema:
   146        openAPIV3Schema:
   147          type: object
   148          required: [spec]
   149          properties:
   150            spec:
   151              description: >-
   152                Authorizes clients to communicate with Linkerd-proxied servers.
   153              type: object
   154              required: [server, client]
   155              properties:
   156                server:
   157                  description: >-
   158                    Identifies servers in the same namespace for which this
   159                    authorization applies.
   160
   161                    Only one of `name` or `selector` may be specified.
   162                  type: object
   163                  oneOf:
   164                    - required: [name]
   165                    - required: [selector]
   166                  properties:
   167                    name:
   168                      description: References a `Server` instance by name
   169                      type: string
   170                      pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
   171                    selector:
   172                      description: >-
   173                        A label query over servers on which this authorization applies.
   174                      type: object
   175                      properties:
   176                        matchLabels:
   177                          type: object
   178                          x-kubernetes-preserve-unknown-fields: true
   179                        matchExpressions:
   180                          type: array
   181                          items:
   182                            type: object
   183                            required: [key, operator]
   184                            properties:
   185                              key:
   186                                type: string
   187                              operator:
   188                                type: string
   189                                enum: [In, NotIn, Exists, DoesNotExist]
   190                              values:
   191                                type: array
   192                                items:
   193                                  type: string
   194                client:
   195                  description:  Describes clients authorized to access a server.
   196                  type: object
   197                  properties:
   198                    networks:
   199                      description: >-
   200                        Limits the client IP addresses to which this
   201                        authorization applies. If unset, the server chooses a
   202                        default (typically, all IPs or the cluster's pod
   203                        network).
   204                      type: array
   205                      items:
   206                        type: object
   207                        required: [cidr]
   208                        properties:
   209                          cidr:
   210                            type: string
   211                          except:
   212                            type: array
   213                            items:
   214                              type: string
   215                    unauthenticated:
   216                      description: >-
   217                        Authorizes unauthenticated clients to access a server.
   218                      type: boolean
   219                    meshTLS:
   220                      type: object
   221                      properties:
   222                        unauthenticatedTLS:
   223                          type: boolean
   224                          description: >-
   225                            Indicates that no client identity is required for
   226                            communication.
   227
   228                            This is mostly important for the identity
   229                            controller, which must terminate TLS connections
   230                            from clients that do not yet have a certificate.
   231                        identities:
   232                          description: >-
   233                            Authorizes clients with the provided proxy identity
   234                            strings (as provided via MTLS)
   235
   236                            The `*` prefix can be used to match all identities in
   237                            a domain. An identity string of `*` indicates that
   238                            all authentication clients are authorized.
   239                          type: array
   240                          items:
   241                            type: string
   242                            pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
   243                        serviceAccounts:
   244                          description: >-
   245                            Authorizes clients with the provided proxy identity
   246                            service accounts (as provided via MTLS)
   247                          type: array
   248                          items:
   249                            type: object
   250                            required: [name]
   251                            properties:
   252                              name:
   253                                description: The ServiceAccount's name.
   254                                type: string
   255                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
   256                              namespace:
   257                                description: >-
   258                                  The ServiceAccount's namespace. If unset, the
   259                                  authorization's namespace is used.
   260                                type: string
   261                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
   262      additionalPrinterColumns:
   263      - name: Server
   264        type: string
   265        description: The server that this grants access to
   266        jsonPath: .spec.server.name
