1// Copyright 2020 Istio Authors
2//
3// Licensed under the Apache License, Version 2.0 (the "License");
4// you may not use this file except in compliance with the License.
5// You may obtain a copy of the License at
6//
7//     http://www.apache.org/licenses/LICENSE-2.0
8//
9// Unless required by applicable law or agreed to in writing, software
10// distributed under the License is distributed on an "AS IS" BASIS,
11// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12// See the License for the specific language governing permissions and
13// limitations under the License.
14syntax = "proto3";
15
16import "type/v1beta1/selector.proto";
17
18// $schema: istio.security.v1beta1.PeerAuthentication
19// $title: PeerAuthentication
20// $description: Peer authentication configuration for workloads.
21// $location: https://istio.io/docs/reference/config/security/peer_authentication.html
22// $aliases: [/docs/reference/config/security/v1beta1/peer_authentication]
23
24package istio.security.v1beta1;
25
26option go_package="istio.io/api/security/v1beta1";
27
28// PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
29//
30// Examples:
31//
32// Policy to allow mTLS traffic for all workloads under namespace `foo`:
33// ```yaml
34// apiVersion: security.istio.io/v1beta1
35// kind: PeerAuthentication
36// metadata:
37//   name: default
38//   namespace: foo
39// spec:
40//   mtls:
41//     mode: STRICT
42// ```
// For a mesh-level policy, put the policy in the root namespace of your Istio installation.
44//
45// Policies to allow both mTLS & plaintext traffic for all workloads under namespace `foo`, but
46// require mTLS for workload `finance`.
47// ```yaml
48// apiVersion: security.istio.io/v1beta1
49// kind: PeerAuthentication
50// metadata:
51//   name: default
52//   namespace: foo
53// spec:
54//   mtls:
55//     mode: PERMISSIVE
56// ---
57// apiVersion: security.istio.io/v1beta1
58// kind: PeerAuthentication
59// metadata:
60//   name: default
61//   namespace: foo
62// spec:
63//   selector:
64//     matchLabels:
65//       app: finance
66//   mtls:
67//     mode: STRICT
68// ```
// Policy to require strict mTLS for all workloads, but leave port 8080 as
// plaintext:
71// ```yaml
72// apiVersion: security.istio.io/v1beta1
73// kind: PeerAuthentication
74// metadata:
75//   name: default
76//   namespace: foo
77// spec:
78//   selector:
79//     matchLabels:
80//       app: finance
81//   mtls:
82//     mode: STRICT
83//   portLevelMtls:
84//     8080:
85//       mode: DISABLE
86// ```
// Policy to inherit the mTLS mode from namespace (or mesh) settings, and override
// the settings for port 8080:
89// ```yaml
90// apiVersion: security.istio.io/v1beta1
91// kind: PeerAuthentication
92// metadata:
93//   name: default
94//   namespace: foo
95// spec:
96//   selector:
97//     matchLabels:
98//       app: finance
99//   mtls:
100//     mode: UNSET
101//   portLevelMtls:
102//     8080:
103//       mode: DISABLE
104// ```
105//
106// <!-- crd generation tags
107// +cue-gen:PeerAuthentication:groupName:security.istio.io
108// +cue-gen:PeerAuthentication:version:v1beta1
109// +cue-gen:PeerAuthentication:storageVersion
110// +cue-gen:PeerAuthentication:annotations:helm.sh/resource-policy=keep
111// +cue-gen:PeerAuthentication:labels:app=istio-pilot,chart=istio,istio=security,heritage=Tiller,release=istio
112// +cue-gen:PeerAuthentication:subresource:status
113// +cue-gen:PeerAuthentication:scope:Namespaced
114// +cue-gen:PeerAuthentication:resource:categories=istio-io,security-istio-io,shortNames=pa
115// +cue-gen:PeerAuthentication:preserveUnknownFields:false
116// -->
117//
118// <!-- go code generation tags
119// +kubetype-gen
120// +kubetype-gen:groupVersion=security.istio.io/v1beta1
121// +genclient
122// +k8s:deepcopy-gen=true
123// -->
message PeerAuthentication {
  // The selector determines the workloads to apply the PeerAuthentication on.
  // If not set, the policy will be applied to all workloads in the same namespace as the policy.
  istio.type.v1beta1.WorkloadSelector selector = 1;

  // Mutual TLS settings.
  message MutualTLS {
    // Mode states whether a connection must be, may be, or must not be an
    // mTLS tunnel.
    enum Mode {
      // Inherit from parent, if has one. Otherwise treated as PERMISSIVE.
      // This is the proto3 zero value, so an omitted `mode` reads as UNSET.
      UNSET = 0;

      // Connection is not tunneled.
      // Only plaintext is accepted on such a connection, so no client
      // certificate is presented and no peer identity is established.
      DISABLE = 1;

      // Connection can be either plaintext or mTLS tunnel.
      // A plaintext peer presents no client certificate, so this mode does
      // not guarantee that the peer has been authenticated.
      PERMISSIVE = 2;

      // Connection is an mTLS tunnel (TLS with client cert must be presented).
      // Plaintext connections are rejected.
      STRICT = 3;
    }

    // Defines the mTLS mode used for peer authentication.
    Mode mode = 1;
  }

  // Mutual TLS settings for workload. If not defined, inherit from parent.
  MutualTLS mtls = 2;

  // Port specific mutual TLS settings.
  // Keyed by port number. An entry replaces `mtls` for that port only (as
  // in the examples above, where `mode: DISABLE` on port 8080 leaves that
  // port plaintext while the workload is otherwise STRICT); ports without
  // an entry keep the `mtls` setting.
  // NOTE(review): the key type is uint32, wider than the 16-bit port range;
  // keys above 65535 are presumably rejected at validation time — confirm.
  map<uint32, MutualTLS> port_level_mtls = 3;
}
155