Class AuthorizationPolicySource
Matches requests from a list of sources that perform a list of operations subject to a list of conditions. A match occurs when at least one source, one operation and all conditions match the request. An empty rule is always matched.
Namespace: Neon.Kube.Resources.Istio
Assembly: Neon.Kube.Resources.dll
Syntax
public class AuthorizationPolicySource
Constructors
AuthorizationPolicySource()
Constructor.
Declaration
public AuthorizationPolicySource()
Properties
IpBlocks
A list of IP blocks, populated from the source address of the IP packet. Single IP (e.g. “1.2.3.4”) and CIDR (e.g. “1.2.3.0/24”) are supported. This is the same as the source.ip attribute.
Declaration
public List<string> IpBlocks { get; set; }
Property Value
Type | Description |
---|---|
List<string> |
Namespaces
A list of namespaces derived from the peer certificate. This field requires mTLS to be enabled and is the same as the source.namespace attribute.
Declaration
public List<string> Namespaces { get; set; }
Property Value
Type | Description |
---|---|
List<string> |
NotIpBlocks
A list of negative matches for IpBlocks.
Declaration
public List<string> NotIpBlocks { get; set; }
Property Value
Type | Description |
---|---|
List<string> |
NotNamespaces
A list of negative matches for Namespaces.
Declaration
public List<string> NotNamespaces { get; set; }
Property Value
Type | Description |
---|---|
List<string> |
NotPrincipals
A list of negative matches for peer Principals.
Declaration
public List<string> NotPrincipals { get; set; }
Property Value
Type | Description |
---|---|
List<string> |
NotRemoteIpBlocks
A list of negative matches for RemoteIpBlocks.
Declaration
public List<string> NotRemoteIpBlocks { get; set; }
Property Value
Type | Description |
---|---|
List<string> |
NotRequestPrincipals
A list of negative matches for RequestPrincipals.
Declaration
public List<string> NotRequestPrincipals { get; set; }
Property Value
Type | Description |
---|---|
List<string> |
Principals
A list of peer identities derived from the peer certificate. The peer identity is in the format "TRUST_DOMAIN/ns/NAMESPACE/sa/SERVICE_ACCOUNT", for example, "cluster.local/ns/default/sa/productpage". This field requires mTLS to be enabled and is the same as the source.principal attribute.
Declaration
public List<string> Principals { get; set; }
Property Value
Type | Description |
---|---|
List<string> |
RemoteIpBlocks
A list of IP blocks, populated from the X-Forwarded-For header or proxy protocol. To make use of this field, you must configure the numTrustedProxies field of the gatewayTopology under the meshConfig when you install Istio, or set it using an annotation on the ingress gateway. See the Istio documentation on Configuring Gateway Network Topology. Single IP (e.g. “1.2.3.4”) and CIDR (e.g. “1.2.3.0/24”) are supported. This is the same as the remote.ip attribute.
Declaration
public List<string> RemoteIpBlocks { get; set; }
Property Value
Type | Description |
---|---|
List<string> |
RequestPrincipals
A list of request identities derived from the JWT. The request identity is in the format "ISS/SUB", for example, "example.com/sub-1". This field requires request authentication to be enabled and is the same as the request.auth.principal attribute.
Declaration
public List<string> RequestPrincipals { get; set; }
Property Value
Type | Description |
---|---|
List<string> |
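The IP block properties and the Principals property above each document a string format, and a malformed entry is easy to miss in review because every property is a plain List<string>. The following is an added example, not code from Neon.Kube.Resources: a pre-apply check that reports entries that depart from those formats. The SourceLint class and its method names are hypothetical, and the sample values are constructed.

```csharp
using System;
using System.Collections.Generic;
using System.Globalization;
using System.Linq;
using System.Net;
using System.Net.Sockets;
using Neon.Kube.Resources.Istio; // assumes the Neon.Kube.Resources assembly is referenced
public static class SourceLint // hypothetical helper, not part of Neon.Kube.Resources
{
    // True for a single IP ("1.2.3.4") or a CIDR ("1.2.3.0/24") whose prefix fits the family.
    public static bool IsIpBlock(string value)
    {
        var parts = (value ?? "").Split('/');
        if (parts.Length > 2 || !IPAddress.TryParse(parts[0], out var ip)) return false;
        // IPAddress.TryParse accepts short IPv4 forms ("1.2.3" becomes 1.2.0.3); require dotted quad.
        if (ip.AddressFamily == AddressFamily.InterNetwork && ip.ToString() != parts[0]) return false;
        if (parts.Length == 1) return true;
        var max = ip.AddressFamily == AddressFamily.InterNetwork ? 32 : 128;
        return int.TryParse(parts[1], NumberStyles.None, CultureInfo.InvariantCulture, out var bits) && bits <= max;
    }
    // True for the full "TRUST_DOMAIN/ns/NAMESPACE/sa/SERVICE_ACCOUNT" form.
    public static bool IsPeerPrincipal(string value) =>
        (value ?? "").Split('/') is { Length: 5 } p && p[1] == "ns" && p[3] == "sa" && p.All(s => s.Length > 0);
    // Returns one finding per entry that is not in the format the property documents.
    public static List<string> Lint(AuthorizationPolicySource src)
    {
        var findings = new List<string>();
        void Check(string field, List<string> values, Func<string, bool> ok) =>
            findings.AddRange((values ?? new List<string>()).Where(v => !ok(v))
                .Select(v => $"{field}: '{v}' is not in the documented format"));
        Check("IpBlocks", src.IpBlocks, IsIpBlock);
        Check("NotIpBlocks", src.NotIpBlocks, IsIpBlock);
        Check("RemoteIpBlocks", src.RemoteIpBlocks, IsIpBlock);
        Check("NotRemoteIpBlocks", src.NotRemoteIpBlocks, IsIpBlock);
        Check("Principals", src.Principals, IsPeerPrincipal);
        Check("NotPrincipals", src.NotPrincipals, IsPeerPrincipal);
        return findings;
    }
    public static void Main()
    {
        var src = new AuthorizationPolicySource // constructed sample values
        {
            IpBlocks = new List<string> { "1.2.3.4", "1.2.3.0/24", "1.2.3.0/33" },
            NotRemoteIpBlocks = new List<string> { "1.2.3" },
            Principals = new List<string> { "cluster.local/ns/default/sa/productpage", "default/productpage" },
        };
        Lint(src).ForEach(Console.WriteLine);
    }
}
```

A finding means only that an entry departs from the format documented on this page, so treat it as a prompt to review the entry before the policy is applied.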