| # Licensed to the Apache Software Foundation (ASF) under one or more |
| # contributor license agreements. See the NOTICE file distributed with |
| # this work for additional information regarding copyright ownership. |
| # The ASF licenses this file to You under the Apache License, Version 2.0 |
| # (the "License"); you may not use this file except in compliance with |
| # the License. You may obtain a copy of the License at |
| # |
| # http://www.apache.org/licenses/LICENSE-2.0 |
| # |
| # Unless required by applicable law or agreed to in writing, software |
| # distributed under the License is distributed on an "AS IS" BASIS, |
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| # See the License for the specific language governing permissions and |
| # limitations under the License. |
| --- |
| apiVersion: apiextensions.k8s.io/v1 |
| kind: CustomResourceDefinition |
| metadata: |
| annotations: |
| controller-gen.kubebuilder.io/version: v0.10.0 |
| creationTimestamp: null |
| name: authorizationpolicies.dubbo.apache.org |
| spec: |
| group: dubbo.apache.org |
| names: |
| kind: AuthorizationPolicy |
| listKind: AuthorizationPolicyList |
| plural: authorizationpolicies |
| shortNames: |
| - azp |
| singular: authorizationpolicy |
| scope: Namespaced |
| versions: |
| - name: v1alpha1 |
| schema: |
| openAPIV3Schema: |
| properties: |
| apiVersion: |
| description: 'APIVersion defines the versioned schema of this representation |
| of an object. Servers should convert recognized schemas to the latest |
| internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' |
| type: string |
| kind: |
| description: 'Kind is a string value representing the REST resource this |
| object represents. Servers may infer this from the endpoint the clientgen |
| submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' |
| type: string |
| metadata: |
| type: object |
| spec: |
| properties: |
| action: |
| description: The action to take when a rule is matched |
| enum: |
| - ALLOW |
| - DENY |
| - ADUIT |
| type: string |
| matchType: |
| default: anyMatch |
| description: The match type of the rules. |
| enum: |
| - anyMatch |
| - allMatch |
| type: string |
| rules: |
| items: |
| properties: |
| from: |
| description: The source of the traffic to be matched. |
| properties: |
| extends: |
| description: The extended identities(from Dubbo Auth) to |
| match of the source workload. |
| items: |
| properties: |
| key: |
| description: The key of the extended identity. |
| type: string |
| value: |
| description: The value of the extended identity |
| type: string |
| type: object |
| type: array |
| ipBlocks: |
| description: The IP addresses to match of the source workload. |
| items: |
| type: string |
| type: array |
| namespaces: |
| description: The namespaces to match of the source workload. |
| items: |
| type: string |
| type: array |
| notExtends: |
| description: The extended identities(from Dubbo Auth) not |
| to match of the source workload. |
| items: |
| properties: |
| key: |
| description: The key of the extended identity. |
| type: string |
| value: |
| description: The value of the extended identity |
| type: string |
| type: object |
| type: array |
| notIpBlocks: |
| description: The IP addresses not to match of the source |
| workload. |
| items: |
| type: string |
| type: array |
| notNamespaces: |
| description: The namespaces not to match of the source workload. |
| items: |
| type: string |
| type: array |
| notPrincipals: |
| description: The identities(from spiffe) not to match of |
| the source workload |
| items: |
| type: string |
| type: array |
| principals: |
| description: The identities(from spiffe) to match of the |
| source workload. |
| items: |
| type: string |
| type: array |
| type: object |
| to: |
| description: The destination of the traffic to be matched. |
| properties: |
| extends: |
| description: The extended identities(from Dubbo Auth) to |
| match of the destination workload. |
| items: |
| properties: |
| key: |
| description: The key of the extended identity. |
| type: string |
| value: |
| description: The value of the extended identity |
| type: string |
| type: object |
| type: array |
| ipBlocks: |
| description: The IP addresses to match of the destination |
| workload. |
| items: |
| type: string |
| type: array |
| notExtends: |
| description: The extended identities(from Dubbo Auth) not |
| to match of the destination workload. |
| items: |
| properties: |
| key: |
| description: The key of the extended identity. |
| type: string |
| value: |
| description: The value of the extended identity |
| type: string |
| type: object |
| type: array |
| notIpBlocks: |
| description: The IP addresses not to match of the destination |
| workload. |
| items: |
| type: string |
| type: array |
| notPrincipals: |
| description: The identities(from spiffe) not to match of |
| the destination workload. |
| items: |
| type: string |
| type: array |
| principals: |
| description: The identities(from spiffe) to match of the |
| destination workload. |
| items: |
| type: string |
| type: array |
| type: object |
| when: |
| properties: |
| key: |
| type: string |
| notValues: |
| items: |
| properties: |
| type: |
| default: equals |
| enum: |
| - equals |
| - regex |
| - ognl |
| type: string |
| value: |
| type: string |
| type: object |
| type: array |
| values: |
| items: |
| properties: |
| type: |
| default: equals |
| enum: |
| - equals |
| - regex |
| - ognl |
| type: string |
| value: |
| type: string |
| type: object |
| type: array |
| type: object |
| type: object |
| type: array |
| samples: |
| default: 100 |
| description: The sample rate of the rule. The value is between 0 and |
| 100. |
| maximum: 100 |
| minimum: 0 |
| type: number |
| required: |
| - action |
| type: object |
| type: object |
| served: true |
| storage: true |