security.proto

Package: supergloo.solo.io

Types:
Source File: github.com/solo-io/supergloo/api/v1/security.proto

SecurityRule

security rules apply ALLOW policies to communication in a mesh security rules specify the following: ALLOW those requests: - originating from from source pods - sent to destination pods - matching one or more request matcher if no security rules are present, all traffic in the mesh will be set to ALLOW

"status": .core.solo.io.Status
"metadata": .core.solo.io.Metadata
"targetMesh": .core.solo.io.ResourceRef
"sourceSelector": .supergloo.solo.io.PodSelector
"destinationSelector": .supergloo.solo.io.PodSelector
"allowedPaths": []string
"allowedMethods": []string

Field Type Description Default
status .core.solo.io.Status Status indicates the validation status of this resource. Status is read-only by clients, and set by supergloo during validation
metadata .core.solo.io.Metadata Metadata contains the object metadata for this resource
targetMesh .core.solo.io.ResourceRef target where we apply this rule. this can be a mesh group or an individual mesh
sourceSelector .supergloo.solo.io.PodSelector requests originating from these pods will have the rule applied leave empty to have all pods in the mesh apply these rules note that security policies are mapped to source pods by their service account. if other pods share the same service account, this security rule will apply to those pods as well. for fine-grained security policies, ensure that your service accounts properly reflect the desired boundary for your security rules
destinationSelector .supergloo.solo.io.PodSelector requests destined for these pods will have the rule applied leave empty to apply to all destination pods in the mesh
allowedPaths []string Optional. A list of HTTP paths or gRPC methods to allow. gRPC methods must be presented as fully-qualified name in the form of “/packageName.serviceName/methodName” and are case sensitive. Exact match, prefix match, and suffix match are supported for paths. For example, the path “/books/review” matches “/books/review” (exact match), or “/books/” (prefix match), or “/review” (suffix match). If not specified, it allows to any path.
allowedMethods []string Optional. A list of HTTP methods to allow (e.g., “GET”, “POST”). It is ignored in gRPC case because the value is always “POST”. If set to [”*“] or not specified, it allows to any method.