
Istio AuthorizationPolicy

An AuthorizationPolicy enables access control on workloads in the mesh. It supports ALLOW, DENY, AUDIT, and CUSTOM actions based on source, operation, and condition matching rules. A workload with no policy applied accepts all requests; once an ALLOW policy selects a workload, only requests matching one of its rules are admitted, and DENY policies are evaluated before ALLOW policies, so a DENY match always wins.


Properties

Name Type Description
selector object Workload selector to apply the policy to specific workloads.
targetRefs array Target references to apply the policy to specific resources.
action string The action to take when a rule is matched. Defaults to ALLOW when unset. DENY policies are evaluated before ALLOW policies, and an ALLOW policy whose rules match nothing (or that has no rules) admits no traffic to the selected workloads.
provider object Specifies the external authorization provider when action is CUSTOM.
rules array A list of rules to match for the policy. A rule matches when all of its from, to and when clauses match; the policy matches when any rule matches.

JSON Schema

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://github.com/api-evangelist/istio/blob/main/json-schema/authorization-policy.json",
  "title": "Istio AuthorizationPolicy",
  "description": "An AuthorizationPolicy enables access control on workloads in the mesh. It supports ALLOW, DENY, AUDIT, and CUSTOM actions based on source, operation, and condition matching rules. A workload with no policy applied accepts all requests; once an ALLOW policy selects a workload, only requests matching one of its rules are admitted, and DENY policies are evaluated before ALLOW policies, so a DENY match always wins.",
  "type": "object",
  "properties": {
    "selector": {
      "type": "object",
      "properties": {
        "matchLabels": {
          "type": "object",
          "additionalProperties": {
            "type": "string"
          },
          "description": "One or more labels that indicate a specific set of pods/VMs on which the policy should be applied."
        }
      },
      "description": "Workload selector to apply the policy to specific workloads."
    },
    "targetRefs": {
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "group": {
            "type": "string",
            "description": "Group of the target resource."
          },
          "kind": {
            "type": "string",
            "description": "Kind of the target resource."
          },
          "name": {
            "type": "string",
            "description": "Name of the target resource."
          }
        }
      },
      "description": "Target references to apply the policy to specific resources."
    },
    "action": {
      "type": "string",
      "enum": ["ALLOW", "DENY", "AUDIT", "CUSTOM"],
      "description": "The action to take when a rule is matched. Defaults to ALLOW when unset. DENY policies are evaluated before ALLOW policies, and an ALLOW policy whose rules match nothing (or that has no rules) admits no traffic to the selected workloads."
    },
    "provider": {
      "type": "object",
      "properties": {
        "name": {
          "type": "string",
          "description": "The name of the extension provider. Used when action is CUSTOM."
        }
      },
      "description": "Specifies the external authorization provider when action is CUSTOM."
    },
    "rules": {
      "type": "array",
      "items": {
        "$ref": "#/$defs/Rule"
      },
      "description": "A list of rules to match for the policy. A rule matches when all of its from, to and when clauses match; the policy matches when any rule matches."
    }
  },
  "$defs": {
    "Rule": {
      "type": "object",
      "properties": {
        "from": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "source": {
                "type": "object",
                "properties": {
                  "principals": {
                    "type": "array",
                    "items": { "type": "string" },
                    "description": "A list of peer identities (SPIFFE IDs of the form cluster.local/ns/NAMESPACE/sa/SERVICE-ACCOUNT) derived from the peer certificate. Requires mTLS: a plaintext connection carries no peer identity, so under PERMISSIVE mode an unauthenticated client simply fails to match rather than being identified."
                  },
                  "notPrincipals": {
                    "type": "array",
                    "items": { "type": "string" },
                    "description": "A list of negative match of peer identities."
                  },
                  "requestPrincipals": {
                    "type": "array",
                    "items": { "type": "string" },
                    "description": "A list of request identities derived from a validated JWT, in the form ISSUER/SUBJECT. A RequestAuthentication policy must be in place for the workload; without one no request principal is set and this field matches nothing."
                  },
                  "notRequestPrincipals": {
                    "type": "array",
                    "items": { "type": "string" },
                    "description": "A list of negative match of request identities."
                  },
                  "namespaces": {
                    "type": "array",
                    "items": { "type": "string" },
                    "description": "A list of namespaces derived from the peer certificate. Requires mTLS; plaintext connections carry no namespace and will not match."
                  },
                  "notNamespaces": {
                    "type": "array",
                    "items": { "type": "string" },
                    "description": "A list of negative match of namespaces."
                  },
                  "ipBlocks": {
                    "type": "array",
                    "items": { "type": "string" },
                    "description": "A list of IP blocks in CIDR format, matched against the source address of the direct TCP connection to the proxy. For traffic arriving via a load balancer or gateway this is the intermediate hop, not the original client; use remoteIpBlocks for the latter."
                  },
                  "notIpBlocks": {
                    "type": "array",
                    "items": { "type": "string" },
                    "description": "A list of negative match of IP blocks."
                  },
                  "remoteIpBlocks": {
                    "type": "array",
                    "items": { "type": "string" },
                    "description": "A list of remote IP blocks in CIDR format, matched against the original client IP recovered from the X-Forwarded-For header or PROXY protocol. That value is supplied by upstream hops, so it is only trustworthy when the gateway is configured to trust the intermediate proxies (e.g. numTrustedProxies); otherwise a client can spoof it."
                  },
                  "notRemoteIpBlocks": {
                    "type": "array",
                    "items": { "type": "string" },
                    "description": "A list of negative match of remote IP blocks."
                  }
                }
              }
            }
          },
          "description": "Specifies the source of a request."
        },
        "to": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "operation": {
                "type": "object",
                "properties": {
                  "hosts": {
                    "type": "array",
                    "items": { "type": "string" },
                    "description": "A list of hosts as specified in the HTTP request (the Host or :authority header, matched case-insensitively). The value is client-supplied, so it should not be the sole basis for an access decision."
                  },
                  "notHosts": {
                    "type": "array",
                    "items": { "type": "string" },
                    "description": "A list of negative match of hosts."
                  },
                  "ports": {
                    "type": "array",
                    "items": { "type": "string" },
                    "description": "A list of ports as specified in the connection."
                  },
                  "notPorts": {
                    "type": "array",
                    "items": { "type": "string" },
                    "description": "A list of negative match of ports."
                  },
                  "methods": {
                    "type": "array",
                    "items": { "type": "string" },
                    "description": "A list of methods as specified in the HTTP request."
                  },
                  "notMethods": {
                    "type": "array",
                    "items": { "type": "string" },
                    "description": "A list of negative match of methods."
                  },
                  "paths": {
                    "type": "array",
                    "items": { "type": "string" },
                    "description": "A list of paths as specified in the HTTP request. Matching is applied to the normalized request path; the normalization level is controlled by mesh config (pathNormalization), so confirm it covers the encodings (encoded slashes, dot segments, case) you intend to block before relying on path-based rules."
                  },
                  "notPaths": {
                    "type": "array",
                    "items": { "type": "string" },
                    "description": "A list of negative match of paths."
                  }
                }
              }
            }
          },
          "description": "Specifies the operation of a request."
        },
        "when": {
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "key": {
                "type": "string",
                "description": "The name of an Istio attribute, e.g. request.headers[NAME], request.auth.claims[NAME], source.ip or destination.port. Attributes under request.auth require a RequestAuthentication policy to be populated; header attributes are client-supplied unless set by a trusted hop."
              },
              "values": {
                "type": "array",
                "items": { "type": "string" },
                "description": "A list of allowed values for the attribute."
              },
              "notValues": {
                "type": "array",
                "items": { "type": "string" },
                "description": "A list of negative match of values for the attribute."
              }
            },
            "required": ["key"]
          },
          "description": "Additional conditions for the rule."
        }
      }
    }
  }
}