// Copyright 2020 Istio Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";

import "type/v1beta1/selector.proto";

// $schema: istio.security.v1beta1.PeerAuthentication
// $title: PeerAuthentication
// $description: Peer authentication configuration for workloads.
// $location: https://istio.io/docs/reference/config/security/peer_authentication.html
// $aliases: [/docs/reference/config/security/v1beta1/peer_authentication]

package istio.security.v1beta1;

option go_package="istio.io/api/security/v1beta1";

// PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
//
// The policy is resolved hierarchically: a workload-level policy (one with a
// `selector`) takes precedence over the namespace-level policy, which in turn
// takes precedence over the mesh-level policy. Port-level settings in
// `portLevelMtls` override the workload-level `mtls` setting for that port only.
//
// Examples:
//
// Policy to allow mTLS traffic for all workloads under namespace `foo`:
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
//   name: default
//   namespace: foo
// spec:
//   mtls:
//     mode: STRICT
// ```
// For mesh level, put the policy in the root namespace according to your Istio installation.
//
// Policies to allow both mTLS & plaintext traffic for all workloads under namespace `foo`, but
// require mTLS for workload `finance`:
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
//   name: default
//   namespace: foo
// spec:
//   mtls:
//     mode: PERMISSIVE
// ---
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
//   name: default
//   namespace: foo
// spec:
//   selector:
//     matchLabels:
//       app: finance
//   mtls:
//     mode: STRICT
// ```
// Policy to allow mTLS strict for all workloads, but leave port 8080 to
// plaintext:
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
//   name: default
//   namespace: foo
// spec:
//   selector:
//     matchLabels:
//       app: finance
//   mtls:
//     mode: STRICT
//   portLevelMtls:
//     8080:
//       mode: DISABLE
// ```
// Policy to inherit the mTLS mode from namespace (or mesh) settings, and override
// the settings for port 8080:
// ```yaml
// apiVersion: security.istio.io/v1beta1
// kind: PeerAuthentication
// metadata:
//   name: default
//   namespace: foo
// spec:
//   selector:
//     matchLabels:
//       app: finance
//   mtls:
//     mode: UNSET
//   portLevelMtls:
//     8080:
//       mode: DISABLE
// ```
//
// <!-- crd generation tags
// +cue-gen:PeerAuthentication:groupName:security.istio.io
// +cue-gen:PeerAuthentication:version:v1beta1
// +cue-gen:PeerAuthentication:storageVersion
// +cue-gen:PeerAuthentication:annotations:helm.sh/resource-policy=keep
// +cue-gen:PeerAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio
// +cue-gen:PeerAuthentication:subresource:status
// +cue-gen:PeerAuthentication:scope:Namespaced
// +cue-gen:PeerAuthentication:resource:categories=istio-io,security-istio-io,shortNames=pa
// +cue-gen:PeerAuthentication:preserveUnknownFields:false
// -->
//
// <!-- go code generation tags
// +kubetype-gen
// +kubetype-gen:groupVersion=security.istio.io/v1beta1
// +genclient
// +k8s:deepcopy-gen=true
// -->
message PeerAuthentication {
  // The selector determines the workloads to apply the PeerAuthentication on.
  // If not set, the policy will be applied to all workloads in the same namespace as the policy.
  // A policy without a selector is therefore namespace-wide (or mesh-wide when placed in the
  // root namespace), so its mode becomes the default for every workload that has no more
  // specific policy.
  istio.type.v1beta1.WorkloadSelector selector = 1;

  // Mutual TLS settings.
  message MutualTLS {
    // The mTLS mode applied to inbound connections. The zero value is UNSET,
    // so an omitted mode means "inherit" rather than any concrete mode.
    //
    // NOTE(review): the values are not prefixed with the enum name; they are
    // referenced by name in YAML policies (`mode: STRICT`), so renaming them
    // would break existing configuration.
    enum Mode {
      // Inherit from parent, if it has one. Otherwise treated as PERMISSIVE.
      // Note that with no parent policy this resolves to PERMISSIVE, which
      // accepts plaintext as well as mTLS.
      UNSET = 0;

      // Connection is not tunneled. Traffic on the affected port is plaintext
      // and no client certificate is required or checked.
      DISABLE = 1;

      // Connection can be either plaintext or mTLS tunnel. Because plaintext is
      // accepted, this mode does not by itself guarantee the peer's identity.
      PERMISSIVE = 2;

      // Connection is an mTLS tunnel (TLS with client cert must be presented).
      // Plaintext connections are rejected.
      STRICT = 3;
    }

    // Defines the mTLS mode used for peer authentication.
    Mode mode = 1;
  }

  // Mutual TLS settings for workload. If not defined, inherit from parent.
  MutualTLS mtls = 2;

  // Port specific mutual TLS settings. Keyed by port number; an entry overrides
  // `mtls` for that port only, so a STRICT workload can expose a plaintext port
  // (and vice versa) as shown in the examples above.
  //
  // NOTE(review): every example that uses port-level settings also sets a
  // `selector`; confirm whether port-level overrides are honored on a
  // namespace-wide policy before relying on that.
  map<uint32, MutualTLS> port_level_mtls = 3;
}