{ "properties": { "spec": { "description": "Request authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/request_authentication.html", "properties": { "jwtRules": { "description": "Define the list of JWTs that can be validated at the selected workloads' proxy.", "items": { "type": "object", "required": [ "issuer" ], "properties": { "audiences": { "description": "The list of JWT [audiences](https://tools.ietf.org/html/rfc7519#section-4.1.3) that are allowed to access.", "type": "array", "items": { "type": "string", "minLength": 1 } }, "forwardOriginalToken": { "description": "If set to true, the original token will be kept for the upstream request.", "type": "boolean" }, "fromCookies": { "description": "List of cookie names from which JWT is expected.", "type": "array", "items": { "type": "string", "minLength": 1 } }, "fromHeaders": { "description": "List of header locations from which JWT is expected.", "type": "array", "items": { "type": "object", "required": [ "name" ], "properties": { "name": { "description": "The HTTP header name.", "type": "string", "minLength": 1 }, "prefix": { "description": "The prefix that should be stripped before decoding the token.", "type": "string" } } } }, "fromParams": { "description": "List of query parameters from which JWT is expected.", "type": "array", "items": { "type": "string", "minLength": 1 } }, "issuer": { "description": "Identifies the issuer that issued the JWT.", "type": "string", "minLength": 1 }, "jwks": { "description": "JSON Web Key Set of public keys to validate signature of the JWT.", "type": "string" }, "jwksUri": { "description": "URL of the provider's public key set to validate signature of the JWT.", "type": "string", "maxLength": 2048, "minLength": 1, "x-kubernetes-validations": [ { "rule": "url(self).getScheme() in ['http', 'https']", "message": "url must have scheme http:// or https://" } ] }, "jwks_uri": { "description": "URL of the provider's public key set to validate signature of the JWT.", "type": "string", "maxLength": 2048, "minLength": 1, "x-kubernetes-validations": [ { "rule": "url(self).getScheme() in ['http', 'https']", "message": "url must have scheme http:// or https://" } ] }, "outputClaimToHeaders": { "description": "This field specifies a list of operations to copy the claim to HTTP headers on a successfully verified token.", "type": "array", "items": { "type": "object", "required": [ "header", "claim" ], "properties": { "claim": { "description": "The name of the claim to be copied from.", "type": "string", "minLength": 1 }, "header": { "description": "The name of the header to be created.", "type": "string", "minLength": 1, "pattern": "^[-_A-Za-z0-9]+$" } } } }, "outputPayloadToHeader": { "description": "This field specifies the header name to output a successfully verified JWT payload to the backend.", "type": "string" }, "timeout": { "description": "The maximum amount of time that the resolver, determined by the PILOT_JWT_ENABLE_REMOTE_JWKS environment variable, will spend waiting for the JWKS to be fetched.", "type": "string", "x-kubernetes-validations": [ { "rule": "duration(self) >= duration('1ms')", "message": "must be a valid duration greater than 1ms" } ] } }, "x-kubernetes-validations": [ { "rule": "(has(self.jwksUri)?1:0)+(has(self.jwks_uri)?1:0)+(has(self.jwks)?1:0)<=1", "message": "only one of jwks or jwksUri can be set" } ] }, "maxItems": 4096, "type": "array" }, "selector": { "description": "Optional.", "properties": { "matchLabels": { "additionalProperties": { "type": "string", "maxLength": 63, "x-kubernetes-validations": [ { "rule": "!self.contains('*')", "message": "wildcard not allowed in label value match" } ] }, "description": "One or more labels that indicate a specific set of pods/VMs on which a policy should be applied.", "maxProperties": 4096, "type": "object", "x_kubernetes_validations": [ { "message": "wildcard not allowed in label key match", "rule": "self.all(key, !key.contains('*'))" }, { "message": "key must not be empty", "rule": "self.all(key, key.size() != 0)" } ] } }, "type": "object" }, "targetRef": { "properties": { "group": { "description": "group is the group of the target resource.", "maxLength": 253, "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "kind": { "description": "kind is kind of the target resource.", "maxLength": 63, "minLength": 1, "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$", "type": "string" }, "name": { "description": "name is the name of the target resource.", "maxLength": 253, "minLength": 1, "type": "string" }, "namespace": { "description": "namespace is the namespace of the referent.", "type": "string", "x_kubernetes_validations": [ { "message": "cross namespace referencing is not currently supported", "rule": "self.size() == 0" } ] } }, "required": [ "kind", "name" ], "type": "object", "x_kubernetes_validations": [ { "message": "Support kinds are core/Service, networking.istio.io/ServiceEntry, gateway.networking.k8s.io/Gateway", "rule": "[self.group, self.kind] in [['core','Service'], ['','Service'], ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" } ] }, "targetRefs": { "description": "Optional.", "items": { "type": "object", "required": [ "kind", "name" ], "properties": { "group": { "description": "group is the group of the target resource.", "type": "string", "maxLength": 253, "pattern": "^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$" }, "kind": { "description": "kind is kind of the target resource.", "type": "string", "maxLength": 63, "minLength": 1, "pattern": "^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$" }, "name": { "description": "name is the name of the target resource.", "type": "string", "maxLength": 253, "minLength": 1 }, "namespace": { "description": "namespace is the namespace of the referent.", "type": "string", "x-kubernetes-validations": [ { "rule": "self.size() == 0", "message": "cross namespace referencing is not currently supported" } ] } }, "x-kubernetes-validations": [ { "rule": "[self.group, self.kind] in [['core','Service'], ['','Service'], ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]", "message": "Support kinds are core/Service, networking.istio.io/ServiceEntry, gateway.networking.k8s.io/Gateway" } ] }, "maxItems": 16, "type": "array" } }, "type": "object", "x_kubernetes_validations": [ { "message": "only one of targetRefs or selector can be set", "rule": "(has(self.selector)?1:0)+(has(self.targetRef)?1:0)+(has(self.targetRefs)?1:0)<=1" } ] }, "status": { "properties": { "conditions": { "description": "Current service state of the resource.", "items": { "type": "object", "properties": { "lastProbeTime": { "description": "Last time we probed the condition.", "type": "string", "format": "date-time" }, "lastTransitionTime": { "description": "Last time the condition transitioned from one status to another.", "type": "string", "format": "date-time" }, "message": { "description": "Human-readable message indicating details about last transition.", "type": "string" }, "reason": { "description": "Unique, one-word, CamelCase reason for the condition's last transition.", "type": "string" }, "status": { "description": "Status is the status of the condition.", "type": "string" }, "type": { "description": "Type is the type of the condition.", "type": "string" } } }, "type": "array" }, "observedGeneration": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "description": "Resource Generation to which the Reconciled Condition refers.", "x_kubernetes_int_or_string": true }, "validationMessages": { "description": "Includes any errors or warnings detected by Istio's analyzers.", "items": { "type": "object", "properties": { "documentationUrl": { "description": "A url pointing to the Istio documentation for this specific error type.", "type": "string" }, "level": { "description": "Represents how severe a message is.\n\nValid Options: UNKNOWN, ERROR, WARNING, INFO", "type": "string", "enum": [ "UNKNOWN", "ERROR", "WARNING", "INFO" ] }, "type": { "type": "object", "properties": { "code": { "description": "A 7 character code matching `^IST[0-9]{4}$` intended to uniquely identify the message type.", "type": "string" }, "name": { "description": "A human-readable name for the message type.", "type": "string" } } } } }, "type": "array" } }, "type": "object", "x_kubernetes_preserve_unknown_fields": true } }, "type": "object" }