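---
# ServerAuthorization CRD for the policy.linkerd.io group.
# A ServerAuthorization grants a set of clients (by network, by mTLS
# identity, by ServiceAccount, or unauthenticated) access to a Server in
# the same namespace. Two API versions are served; their schemas are
# identical here and v1beta1 is the storage version.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: serverauthorizations.policy.linkerd.io
  annotations:
    # Helm partial; presumably renders annotation key/value lines at this
    # indentation — confirm against partials.annotations.created-by.
    {{ include "partials.annotations.created-by" . }}
  labels:
    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    linkerd.io/control-plane-ns: {{.Release.Namespace}}
spec:
  group: policy.linkerd.io
  scope: Namespaced
  names:
    kind: ServerAuthorization
    plural: serverauthorizations
    singular: serverauthorization
    shortNames: [saz, serverauthz, srvauthz]
  versions:
    # v1alpha1 is still served so existing objects keep working, but it is
    # deprecated and not the storage version; clients get the warning below.
    - name: v1alpha1
      served: true
      storage: false
      deprecated: true
      deprecationWarning: "policy.linkerd.io/v1alpha1 ServerAuthorization is deprecated; use policy.linkerd.io/v1beta1 ServerAuthorization"
      schema:
        openAPIV3Schema:
          type: object
          required: [spec]
          properties:
            spec:
              description: >-
                Authorizes clients to communicate with Linkerd-proxied servers.
              type: object
              required: [server, client]
              properties:
                server:
                  description: >-
                    Identifies servers in the same namespace for which this
                    authorization applies.

                    Only one of `name` or `selector` may be specified.
                  type: object
                  # oneOf enforces exactly one of name/selector at admission.
                  oneOf:
                    - required: [name]
                    - required: [selector]
                  properties:
                    name:
                      description: References a `Server` instance by name
                      type: string
                      pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                    selector:
                      description: >-
                        A label query over servers on which this authorization applies.
                      type: object
                      properties:
                        matchLabels:
                          type: object
                          # Arbitrary label keys/values are accepted unvalidated.
                          x-kubernetes-preserve-unknown-fields: true
                        matchExpressions:
                          type: array
                          items:
                            type: object
                            required: [key, operator]
                            properties:
                              key:
                                type: string
                              operator:
                                type: string
                                enum: [In, NotIn, Exists, DoesNotExist]
                              values:
                                type: array
                                items:
                                  type: string
                client:
                  description: Describes clients authorized to access a server.
                  type: object
                  properties:
                    networks:
                      description: >-
                        Limits the client IP addresses to which this
                        authorization applies. If unset, the server chooses a
                        default (typically, all IPs or the cluster's pod
                        network).
                      type: array
                      items:
                        type: object
                        required: [cidr]
                        properties:
                          # NOTE(review): cidr and except entries are free-form
                          # strings; this schema does not check CIDR syntax, so a
                          # malformed value passes admission here.
                          cidr:
                            type: string
                          except:
                            type: array
                            items:
                              type: string
                    # Broad grant: true admits clients with no identity at all
                    # (subject only to networks above) — audit such objects.
                    unauthenticated:
                      description: >-
                        Authorizes unauthenticated clients to access a server.
                      type: boolean
                    meshTLS:
                      type: object
                      properties:
                        unauthenticatedTLS:
                          type: boolean
                          description: >-
                            Indicates that no client identity is required for
                            communication.

                            This is mostly important for the identity
                            controller, which must terminate TLS connections
                            from clients that do not yet have a certificate.
                        # The pattern admits a bare `*` or a `*` leading label;
                        # per the description a bare `*` authorizes every
                        # authenticated identity.
                        identities:
                          description: >-
                            Authorizes clients with the provided proxy identity
                            strings (as provided via MTLS)

                            The `*` prefix can be used to match all identities in
                            a domain. An identity string of `*` indicates that
                            all authentication clients are authorized.
                          type: array
                          items:
                            type: string
                            pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                        serviceAccounts:
                          description: >-
                            Authorizes clients with the provided proxy identity
                            service accounts (as provided via MTLS)
                          type: array
                          items:
                            type: object
                            required: [name]
                            properties:
                              name:
                                description: The ServiceAccount's name.
                                type: string
                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                              namespace:
                                description: >-
                                  The ServiceAccount's namespace. If unset, the
                                  authorization's namespace is used.
                                type: string
                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
    # v1beta1: storage version. Schema is byte-for-byte the same as
    # v1alpha1, so no conversion webhook is needed between the two.
    - name: v1beta1
      served: true
      storage: true
      schema:
        openAPIV3Schema:
          type: object
          required: [spec]
          properties:
            spec:
              description: >-
                Authorizes clients to communicate with Linkerd-proxied servers.
              type: object
              required: [server, client]
              properties:
                server:
                  description: >-
                    Identifies servers in the same namespace for which this
                    authorization applies.

                    Only one of `name` or `selector` may be specified.
                  type: object
                  # oneOf enforces exactly one of name/selector at admission.
                  oneOf:
                    - required: [name]
                    - required: [selector]
                  properties:
                    name:
                      description: References a `Server` instance by name
                      type: string
                      pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                    selector:
                      description: >-
                        A label query over servers on which this authorization applies.
                      type: object
                      properties:
                        matchLabels:
                          type: object
                          # Arbitrary label keys/values are accepted unvalidated.
                          x-kubernetes-preserve-unknown-fields: true
                        matchExpressions:
                          type: array
                          items:
                            type: object
                            required: [key, operator]
                            properties:
                              key:
                                type: string
                              operator:
                                type: string
                                enum: [In, NotIn, Exists, DoesNotExist]
                              values:
                                type: array
                                items:
                                  type: string
                client:
                  description: Describes clients authorized to access a server.
                  type: object
                  properties:
                    networks:
                      description: >-
                        Limits the client IP addresses to which this
                        authorization applies. If unset, the server chooses a
                        default (typically, all IPs or the cluster's pod
                        network).
                      type: array
                      items:
                        type: object
                        required: [cidr]
                        properties:
                          # NOTE(review): cidr and except entries are free-form
                          # strings; this schema does not check CIDR syntax, so a
                          # malformed value passes admission here.
                          cidr:
                            type: string
                          except:
                            type: array
                            items:
                              type: string
                    # Broad grant: true admits clients with no identity at all
                    # (subject only to networks above) — audit such objects.
                    unauthenticated:
                      description: >-
                        Authorizes unauthenticated clients to access a server.
                      type: boolean
                    meshTLS:
                      type: object
                      properties:
                        unauthenticatedTLS:
                          type: boolean
                          description: >-
                            Indicates that no client identity is required for
                            communication.

                            This is mostly important for the identity
                            controller, which must terminate TLS connections
                            from clients that do not yet have a certificate.
                        # The pattern admits a bare `*` or a `*` leading label;
                        # per the description a bare `*` authorizes every
                        # authenticated identity.
                        identities:
                          description: >-
                            Authorizes clients with the provided proxy identity
                            strings (as provided via MTLS)

                            The `*` prefix can be used to match all identities in
                            a domain. An identity string of `*` indicates that
                            all authentication clients are authorized.
                          type: array
                          items:
                            type: string
                            pattern: '^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$'
                        serviceAccounts:
                          description: >-
                            Authorizes clients with the provided proxy identity
                            service accounts (as provided via MTLS)
                          type: array
                          items:
                            type: object
                            required: [name]
                            properties:
                              name:
                                description: The ServiceAccount's name.
                                type: string
                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
                              namespace:
                                description: >-
                                  The ServiceAccount's namespace. If unset, the
                                  authorization's namespace is used.
                                type: string
                                pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'
      # Printer column is per-version in apiextensions v1; only the storage
      # version defines it, so `kubectl get saz` shows the target Server name.
      additionalPrinterColumns:
        - name: Server
          type: string
          description: The server that this grants access to
          jsonPath: .spec.server.name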