security.proto
Package: supergloo.solo.io
Types:
- SecurityRule Top-Level Resource
Source File: github.com/solo-io/supergloo/api/v1/security.proto
SecurityRule
Security rules apply ALLOW policies to communication in a mesh. A security rule specifies the following: ALLOW those requests

- originating from source pods
- sent to destination pods
- matching one or more request matchers

If no security rules are present, all traffic in the mesh will be set to ALLOW.
```
"status": .core.solo.io.Status
"metadata": .core.solo.io.Metadata
"targetMesh": .core.solo.io.ResourceRef
"sourceSelector": .supergloo.solo.io.PodSelector
"destinationSelector": .supergloo.solo.io.PodSelector
"allowedPaths": []string
"allowedMethods": []string
```

Field | Type | Description | Default |
---|---|---|---|
status | .core.solo.io.Status | Status indicates the validation status of this resource. Status is read-only by clients, and set by supergloo during validation. | |
metadata | .core.solo.io.Metadata | Metadata contains the object metadata for this resource. | |
targetMesh | .core.solo.io.ResourceRef | Target where we apply this rule. This can be a mesh group or an individual mesh. | |
sourceSelector | .supergloo.solo.io.PodSelector | Requests originating from these pods will have the rule applied. Leave empty to have all pods in the mesh apply these rules. Note that security policies are mapped to source pods by their service account: if other pods share the same service account, this security rule will apply to those pods as well. For fine-grained security policies, ensure that your service accounts properly reflect the desired boundary for your security rules. | |
destinationSelector | .supergloo.solo.io.PodSelector | Requests destined for these pods will have the rule applied. Leave empty to apply to all destination pods in the mesh. | |
allowedPaths | []string | Optional. A list of HTTP paths or gRPC methods to allow. gRPC methods must be presented as a fully-qualified name in the form of “/packageName.serviceName/methodName” and are case sensitive. Exact match, prefix match, and suffix match are supported for paths. For example, the path “/books/review” matches “/books/review” (exact match), or “/books/” (prefix match), or “/review” (suffix match). If not specified, any path is allowed. | |
allowedMethods | []string | Optional. A list of HTTP methods to allow (e.g., “GET”, “POST”). It is ignored in the gRPC case because the value is always “POST”. If set to `["*"]` or not specified, any method is allowed. | |
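
The service-account caveat on sourceSelector can be audited before a rule is written. The Python sketch below is an added example, not SuperGloo code: the pod inventory is constructed, and plain label matching is an assumption standing in for PodSelector, whose fields this page does not describe.

```python
# Added example: audits how far a sourceSelector reaches once the mesh
# maps the rule to service accounts. Inventory and label matching are assumptions.

# Constructed inventory: pod name -> (labels, service account)
PODS = {
    "reviews-v1":     ({"app": "reviews"},     "bookinfo"),
    "ratings-v1":     ({"app": "ratings"},     "bookinfo"),
    "productpage-v1": ({"app": "productpage"}, "productpage-sa"),
    "batch-job":      ({"app": "batch"},       "default"),
}


def select_by_labels(pods, wanted):
    """Pods carrying every label in `wanted`; an empty selector selects all pods."""
    return {name for name, (labels, _) in pods.items()
            if all(labels.get(k) == v for k, v in wanted.items())}


def effective_sources(pods, wanted):
    """Pods the rule actually covers: all pods sharing a service account
    with any selected pod."""
    accounts = {pods[name][1] for name in select_by_labels(pods, wanted)}
    return {name for name, (_, sa) in pods.items() if sa in accounts}


def unintended_sources(pods, wanted):
    """Pods covered only through a shared service account, mapped to that account."""
    extra = effective_sources(pods, wanted) - select_by_labels(pods, wanted)
    return {name: pods[name][1] for name in sorted(extra)}


if __name__ == "__main__":
    for selector in ({"app": "reviews"}, {"app": "productpage"}):
        extra = unintended_sources(PODS, selector)
        if extra:
            for pod, sa in extra.items():
                print(f"{selector}: also applies to {pod} (shares service account {sa})")
        else:
            print(f"{selector}: service account boundary matches the selector")
```

A non-empty result means the rule's ALLOW reaches pods the selector did not name; giving the intended sources their own service account closes that gap.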