# rbac.proto

Package: istio.rbac.v1alpha1

Copyright 2018 Istio Authors

Licensed under the Apache License, Version 2.0 (the “License”); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an “AS IS” BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Types:
- [ServiceRole](#servicerole)
- [AccessRule](#accessrule)
- [Constraint](#constraint)
- [ServiceRoleBinding](#servicerolebinding)
- [Subject](#subject)
- [RoleRef](#roleref)
- [RbacConfig](#rbacconfig)
- [Target](#target)
- [Mode](#mode)

Enums:
- [EnforcementMode](#enforcementmode)

Source File: github.com/solo-io/supergloo/api/external/istio/rbac/v1alpha1/rbac.proto

### ServiceRole

ServiceRole specification contains a list of access rules (permissions). This represents the “Spec” part of the ServiceRole object. The name and namespace of the ServiceRole are specified in the “metadata” section of the ServiceRole object.

```yaml
"status": .core.solo.io.Status
"metadata": .core.solo.io.Metadata
"rules": []istio.rbac.v1alpha1.AccessRule
```

| Field | Type | Description | Default |
| ----- | ---- | ----------- | ------- |
| `status` | `.core.solo.io.Status` | Status indicates the validation status of this resource. Status is read-only by clients, and set by supergloo during validation. | |
| `metadata` | `.core.solo.io.Metadata` | Metadata contains the object metadata for this resource. | |
| `rules` | `[]istio.rbac.v1alpha1.AccessRule` | Required. The set of access rules (permissions) that the role has. | |

### AccessRule

AccessRule defines a permission to access a list of services.

```yaml
"services": []string
"paths": []string
"methods": []string
"constraints": []istio.rbac.v1alpha1.AccessRule.Constraint
```

| Field | Type | Description | Default |
| ----- | ---- | ----------- | ------- |
| `services` | `[]string` | Required. A list of service names. Exact match, prefix match, and suffix match are supported for service names. For example, the service name `bookstore.mtv.cluster.local` matches `bookstore.mtv.cluster.local` (exact match), `bookstore*` (prefix match), or `*.mtv.cluster.local` (suffix match). If set to `["*"]`, it refers to all services in the namespace. | |
| `paths` | `[]string` | Optional. A list of HTTP paths or gRPC methods. gRPC methods must be presented as a fully-qualified name in the form `/packageName.serviceName/methodName` and are case sensitive. Exact match, prefix match, and suffix match are supported for paths. For example, the path `/books/review` matches `/books/review` (exact match), `/books/*` (prefix match), or `*/review` (suffix match). If not specified, the rule applies to any path. | |
| `methods` | `[]string` | Optional. A list of HTTP methods (e.g., `GET`, `POST`). It is ignored in the gRPC case because the value is always `POST`. If set to `["*"]` or not specified, the rule applies to any method. | |
| `constraints` | `[]istio.rbac.v1alpha1.AccessRule.Constraint` | Optional. Extra constraints in the ServiceRole specification. The above ServiceRole example shows an example of the constraint “version”. | |

### Constraint

Definition of a custom constraint. The supported keys are listed in the “constraint and properties” page.

```yaml
"key": string
"values": []string
```

| Field | Type | Description | Default |
| ----- | ---- | ----------- | ------- |
| `key` | `string` | Key of the constraint. | |
| `values` | `[]string` | List of valid values for the constraint. Exact match, prefix match, and suffix match are supported for constraint values. For example, the value `v1alpha2` matches `v1alpha2` (exact match), `v1*` (prefix match), or `*alpha2` (suffix match). | |
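The matching rules described for `services`, `paths`, `methods` and `constraints` above, carried through as one rule evaluator. This is an added example, not code from the page or from supergloo/Istio: the `AccessRule` and `Request` shapes, the constraint key `destination.labels[version]` and the decision that a constraint whose key is absent from the request fails the rule are assumptions made for the example.

```go
package main

import "strings"

// AccessRule mirrors the proto message; Constraints maps key -> accepted values.
type AccessRule struct {
	Services, Paths, Methods []string
	Constraints              map[string][]string
}

// Request holds the attributes a rule is evaluated against (constructed).
type Request struct {
	Service, Path, Method string
	GRPC                  bool              // gRPC is always POST, so methods are ignored
	Properties            map[string]string // e.g. "destination.labels[version]"
}

// matchAny: "*" matches all, "foo*" is a prefix, "*foo" a suffix, else exact.
func matchAny(patterns []string, value string) bool {
	for _, p := range patterns {
		switch {
		case p == "*", p == value:
			return true
		case strings.HasSuffix(p, "*") && strings.HasPrefix(value, strings.TrimSuffix(p, "*")):
			return true
		case strings.HasPrefix(p, "*") && strings.HasSuffix(value, strings.TrimPrefix(p, "*")):
			return true
		}
	}
	return false
}

// Allows: services are required; paths/methods apply only when set; each constraint key must exist and match.
func (r AccessRule) Allows(req Request) bool {
	if !matchAny(r.Services, req.Service) {
		return false
	}
	if len(r.Paths) > 0 && !matchAny(r.Paths, req.Path) {
		return false
	}
	if !req.GRPC && len(r.Methods) > 0 && !matchAny(r.Methods, req.Method) {
		return false
	}
	for key, values := range r.Constraints {
		if v, ok := req.Properties[key]; !ok || !matchAny(values, v) {
			return false
		}
	}
	return true
}
```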

### ServiceRoleBinding

ServiceRoleBinding assigns a ServiceRole to a list of subjects. This represents the “Spec” part of the ServiceRoleBinding object. The name and namespace of the ServiceRoleBinding are specified in the “metadata” section of the ServiceRoleBinding object.

```yaml
"status": .core.solo.io.Status
"metadata": .core.solo.io.Metadata
"subjects": []istio.rbac.v1alpha1.Subject
"roleRef": .istio.rbac.v1alpha1.RoleRef
"mode": .istio.rbac.v1alpha1.EnforcementMode
```

| Field | Type | Description | Default |
| ----- | ---- | ----------- | ------- |
| `status` | `.core.solo.io.Status` | Status indicates the validation status of this resource. Status is read-only by clients, and set by supergloo during validation. | |
| `metadata` | `.core.solo.io.Metadata` | Metadata contains the object metadata for this resource. | |
| `subjects` | `[]istio.rbac.v1alpha1.Subject` | Required. List of subjects that are assigned the ServiceRole object. | |
| `roleRef` | `.istio.rbac.v1alpha1.RoleRef` | Required. Reference to the ServiceRole object. | |
| `mode` | `.istio.rbac.v1alpha1.EnforcementMode` | Indicates the enforcement mode of the ServiceRoleBinding. | |

### Subject

Subject defines an identity. The identity is either a user or is identified by a set of properties. The supported keys for properties are listed in the “constraint and properties” page.

```yaml
"user": string
"group": string
"properties": map<string, string>
```

| Field | Type | Description | Default |
| ----- | ---- | ----------- | ------- |
| `user` | `string` | Optional. The user name/ID that the subject represents. | |
| `group` | `string` | Optional. The group that the subject belongs to. | |
| `properties` | `map<string, string>` | Optional. The set of properties that identify the subject. The above ServiceRoleBinding example shows an example of the property “source.namespace”. | |

### RoleRef

RoleRef refers to a role object.

```yaml
"kind": string
"name": string
```

| Field | Type | Description | Default |
| ----- | ---- | ----------- | ------- |
| `kind` | `string` | Required. The type of the role being referenced. Currently, “ServiceRole” is the only supported value for “kind”. | |
| `name` | `string` | Required. The name of the ServiceRole object being referenced. The ServiceRole object must be in the same namespace as the ServiceRoleBinding object. | |
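An added example (not from the original page) of the ServiceRole and ServiceRoleBinding objects the field descriptions above refer to: the role grants read-only access to one service, narrowed by a “version” constraint, and the binding grants that role to one service-account identity and to any caller from a namespace. The object names, the constraint key and the service-account principal are assumptions.

```yaml
# Added example: a ServiceRole granting GET/HEAD on one service, only for
# workloads labelled version v1 or v2 (the "version" constraint).
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRole
metadata:
  name: products-viewer            # assumed name
  namespace: default
spec:
  rules:
  - services: ["products.default.svc.cluster.local"]   # exact match
    paths: ["/products/*"]                               # prefix match
    methods: ["GET", "HEAD"]
    constraints:
    - key: "destination.labels[version]"               # assumed constraint key
      values: ["v1", "v2"]
---
# Added example: the binding that assigns products-viewer to two subjects.
apiVersion: "rbac.istio.io/v1alpha1"
kind: ServiceRoleBinding
metadata:
  name: bind-products-viewer       # assumed name; same namespace as the role
  namespace: default
spec:
  subjects:
  - user: "cluster.local/ns/default/sa/frontend"       # assumed service-account principal
  - properties:
      source.namespace: "default"                      # any caller from this namespace
  roleRef:
    kind: ServiceRole
    name: "products-viewer"
```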

### RbacConfig

RbacConfig defines the global config to control Istio RBAC behavior. This Custom Resource is a singleton: only one should be created globally in the mesh, and its namespace should be the same as that of the other Istio components, which is usually istio-system. Note: this is enforced both in istioctl and on the server side; a new Custom Resource will be rejected if an existing one is found, so the user should either delete the existing one or modify it directly.

Below is an example of an RbacConfig object, “istio-rbac-config”, which enables Istio RBAC for all services in the default namespace.

```yaml
apiVersion: "rbac.istio.io/v1alpha1"
kind: RbacConfig
metadata:
  name: default
  namespace: istio-system
spec:
  mode: ON_WITH_INCLUSION
  inclusion:
    namespaces: [ "default" ]
```

```yaml
"status": .core.solo.io.Status
"metadata": .core.solo.io.Metadata
"mode": .istio.rbac.v1alpha1.RbacConfig.Mode
"inclusion": .istio.rbac.v1alpha1.RbacConfig.Target
"exclusion": .istio.rbac.v1alpha1.RbacConfig.Target
"enforcementMode": .istio.rbac.v1alpha1.EnforcementMode
```

| Field | Type | Description | Default |
| ----- | ---- | ----------- | ------- |
| `status` | `.core.solo.io.Status` | Status indicates the validation status of this resource. Status is read-only by clients, and set by supergloo during validation. | |
| `metadata` | `.core.solo.io.Metadata` | Metadata contains the object metadata for this resource. | |
| `mode` | `.istio.rbac.v1alpha1.RbacConfig.Mode` | Istio RBAC mode. | |
| `inclusion` | `.istio.rbac.v1alpha1.RbacConfig.Target` | A list of services or namespaces that should be enforced by Istio RBAC policies. Note: this field has effect only when mode is ON_WITH_INCLUSION and is ignored in any other mode. | |
| `exclusion` | `.istio.rbac.v1alpha1.RbacConfig.Target` | A list of services or namespaces that should not be enforced by Istio RBAC policies. Note: this field has effect only when mode is ON_WITH_EXCLUSION and is ignored in any other mode. | |
| `enforcementMode` | `.istio.rbac.v1alpha1.EnforcementMode` | Indicates the enforcement mode of the RbacConfig; ENFORCED by default. It is used to verify that a new RbacConfig works as expected before rolling it to production. When set to PERMISSIVE, RBAC isn’t enforced and has no impact on users: the RBAC engine runs the RbacConfig in PERMISSIVE mode and logs stats. It is invalid to set the RbacConfig to PERMISSIVE and a ServiceRoleBinding to ENFORCED. | |

### Target

Target defines a list of services or namespaces.

```yaml
"services": []string
"namespaces": []string
```

| Field | Type | Description | Default |
| ----- | ---- | ----------- | ------- |
| `services` | `[]string` | A list of services. | |
| `namespaces` | `[]string` | A list of namespaces. | |

### Mode

| Name | Description |
| ---- | ----------- |
| `OFF` | Disable Istio RBAC completely; any other config in RbacConfig will be ignored and Istio RBAC policies will not be enforced. |
| `ON` | Enable Istio RBAC for all services and namespaces. |
| `ON_WITH_INCLUSION` | Enable Istio RBAC only for services and namespaces specified in the inclusion field. Any other services and namespaces not in the inclusion field will not be enforced by Istio RBAC policies. |
| `ON_WITH_EXCLUSION` | Enable Istio RBAC for all services and namespaces except those specified in the exclusion field. Any other services and namespaces not in the exclusion field will be enforced by Istio RBAC policies. |
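The RbacConfig semantics above (the four modes, the inclusion/exclusion targets that only count in their own mode, and the PERMISSIVE enforcementMode that evaluates and logs without blocking) worked through as a single decision function. This is an added example, not supergloo or Istio code: the `Target`/`RbacConfig` shapes, the treatment of `Target.services` as full service host names compared exactly, and the `"off"`/`"enforce"`/`"log-only"` result labels are assumptions made for the example.

```go
package main

// Target and RbacConfig mirror the messages on this page; Mode and
// EnforcementMode hold the enum names exactly as written in the manifest.
// Target.Services are assumed to be full service host names (constructed).
type Target struct{ Services, Namespaces []string }

type RbacConfig struct {
	Mode                 string // OFF, ON, ON_WITH_INCLUSION, ON_WITH_EXCLUSION
	Inclusion, Exclusion Target
	EnforcementMode      string // ENFORCED (default when empty) or PERMISSIVE
}

func has(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Decision reports how RBAC applies to one workload: "off" (not subject to
// RBAC), "enforce" (policies decide) or "log-only" (PERMISSIVE: policies are
// evaluated and logged but never block a request).
func (c RbacConfig) Decision(service, namespace string) string {
	subject := false
	switch c.Mode {
	case "ON":
		subject = true
	case "ON_WITH_INCLUSION": // inclusion is honoured only in this mode
		subject = has(c.Inclusion.Namespaces, namespace) || has(c.Inclusion.Services, service)
	case "ON_WITH_EXCLUSION": // exclusion is honoured only in this mode
		subject = !has(c.Exclusion.Namespaces, namespace) && !has(c.Exclusion.Services, service)
	} // OFF (or an unknown mode) leaves subject false
	if !subject {
		return "off"
	}
	if c.EnforcementMode == "PERMISSIVE" {
		return "log-only"
	}
	return "enforce"
}

// ValidBindingMode applies the rule on this page that a PERMISSIVE
// RbacConfig cannot be combined with an ENFORCED ServiceRoleBinding.
func (c RbacConfig) ValidBindingMode(binding string) bool {
	return !(c.EnforcementMode == "PERMISSIVE" && binding == "ENFORCED")
}
```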

### EnforcementMode

Description: RBAC ServiceRoleBinding enforcement mode, used to verify that new ServiceRoleBinding configs work as expected before rolling them to production. The RBAC engine only logs results from configs that are in permissive mode, and discards the result before returning to the user.

| Name | Description |
| ---- | ----------- |
| `ENFORCED` | Policy in ENFORCED mode has impact on user experience. Policy is in ENFORCED mode by default. |
| `PERMISSIVE` | Policy in PERMISSIVE mode isn’t enforced and has no impact on users. The RBAC engine runs policies in PERMISSIVE mode and logs stats. |