From 07072cc47f113a264e694edfb944584d843ab158 Mon Sep 17 00:00:00 2001 From: davidraskin Date: Thu, 11 Jun 2020 04:09:52 +0000 Subject: [PATCH 1/9] Modified rbac proto --- kubernetes/customresourcedefinitions.gen.yaml | 1 + proto.lock | 9 ++ .../security/v1beta1/authorization_pb2.py | 34 +++---- security/v1beta1/authorization.gen.json | 3 +- security/v1beta1/authorization.pb.go | 89 ++++++++++--------- security/v1beta1/authorization.pb.html | 7 ++ security/v1beta1/authorization.proto | 3 + 7 files changed, 88 insertions(+), 58 deletions(-) diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml index c48b137d63..184fdde503 100644 --- a/kubernetes/customresourcedefinitions.gen.yaml +++ b/kubernetes/customresourcedefinitions.gen.yaml @@ -4049,6 +4049,7 @@ spec: enum: - ALLOW - DENY + - LOG type: string rules: description: Optional. diff --git a/proto.lock b/proto.lock index e2c448eae6..bd21b01e7a 100644 --- a/proto.lock +++ b/proto.lock @@ -35898,6 +35898,11 @@ "name": "ingress_controller_mode", "type": "IngressControllerMode" }, + { + "id": 52, + "name": "ingress_selector", + "type": "string" + }, { "id": 10, "name": "auth_policy", @@ -45593,6 +45598,10 @@ { "name": "DENY", "integer": 1 + }, + { + "name": "LOG", + "integer": 2 } ] } diff --git a/python/istio_api/security/v1beta1/authorization_pb2.py b/python/istio_api/security/v1beta1/authorization_pb2.py index 4f6f16cd68..238a7d113f 100644 --- a/python/istio_api/security/v1beta1/authorization_pb2.py +++ b/python/istio_api/security/v1beta1/authorization_pb2.py @@ -22,7 +22,7 @@ package='istio.security.v1beta1', syntax='proto3', serialized_options=_b('Z\035istio.io/api/security/v1beta1'), - serialized_pb=_b('\n$security/v1beta1/authorization.proto\x12\x16istio.security.v1beta1\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1btype/v1beta1/selector.proto\"\xdd\x01\n\x13\x41uthorizationPolicy\x12\x36\n\x08selector\x18\x01 \x01(\x0b\x32$.istio.type.v1beta1.WorkloadSelector\x12+\n\x05rules\x18\x02 \x03(\x0b\x32\x1c.istio.security.v1beta1.Rule\x12\x42\n\x06\x61\x63tion\x18\x03 \x01(\x0e\x32\x32.istio.security.v1beta1.AuthorizationPolicy.Action\"\x1d\n\x06\x41\x63tion\x12\t\n\x05\x41LLOW\x10\x00\x12\x08\n\x04\x44\x45NY\x10\x01\"\x89\x02\n\x04Rule\x12/\n\x04\x66rom\x18\x01 \x03(\x0b\x32!.istio.security.v1beta1.Rule.From\x12+\n\x02to\x18\x02 \x03(\x0b\x32\x1f.istio.security.v1beta1.Rule.To\x12/\n\x04when\x18\x03 \x03(\x0b\x32!.istio.security.v1beta1.Condition\x1a\x36\n\x04\x46rom\x12.\n\x06source\x18\x01 \x01(\x0b\x32\x1e.istio.security.v1beta1.Source\x1a:\n\x02To\x12\x34\n\toperation\x18\x01 \x01(\x0b\x32!.istio.security.v1beta1.Operation\"\xc6\x01\n\x06Source\x12\x12\n\nprincipals\x18\x01 \x03(\t\x12\x16\n\x0enot_principals\x18\x05 \x03(\t\x12\x1a\n\x12request_principals\x18\x02 \x03(\t\x12\x1e\n\x16not_request_principals\x18\x06 \x03(\t\x12\x12\n\nnamespaces\x18\x03 \x03(\t\x12\x16\n\x0enot_namespaces\x18\x07 \x03(\t\x12\x11\n\tip_blocks\x18\x04 \x03(\t\x12\x15\n\rnot_ip_blocks\x18\x08 \x03(\t\"\x97\x01\n\tOperation\x12\r\n\x05hosts\x18\x01 \x03(\t\x12\x11\n\tnot_hosts\x18\x05 \x03(\t\x12\r\n\x05ports\x18\x02 \x03(\t\x12\x11\n\tnot_ports\x18\x06 \x03(\t\x12\x0f\n\x07methods\x18\x03 \x03(\t\x12\x13\n\x0bnot_methods\x18\x07 \x03(\t\x12\r\n\x05paths\x18\x04 \x03(\t\x12\x11\n\tnot_paths\x18\x08 \x03(\t\"A\n\tCondition\x12\x10\n\x03key\x18\x01 \x01(\tB\x03\xe0\x41\x02\x12\x0e\n\x06values\x18\x02 \x03(\t\x12\x12\n\nnot_values\x18\x03 \x03(\tB\x1fZ\x1distio.io/api/security/v1beta1b\x06proto3') + serialized_pb=_b('\n$security/v1beta1/authorization.proto\x12\x16istio.security.v1beta1\x1a\x1fgoogle/api/field_behavior.proto\x1a\x1btype/v1beta1/selector.proto\"\xe6\x01\n\x13\x41uthorizationPolicy\x12\x36\n\x08selector\x18\x01 \x01(\x0b\x32$.istio.type.v1beta1.WorkloadSelector\x12+\n\x05rules\x18\x02 \x03(\x0b\x32\x1c.istio.security.v1beta1.Rule\x12\x42\n\x06\x61\x63tion\x18\x03 \x01(\x0e\x32\x32.istio.security.v1beta1.AuthorizationPolicy.Action\"&\n\x06\x41\x63tion\x12\t\n\x05\x41LLOW\x10\x00\x12\x08\n\x04\x44\x45NY\x10\x01\x12\x07\n\x03LOG\x10\x02\"\x89\x02\n\x04Rule\x12/\n\x04\x66rom\x18\x01 \x03(\x0b\x32!.istio.security.v1beta1.Rule.From\x12+\n\x02to\x18\x02 \x03(\x0b\x32\x1f.istio.security.v1beta1.Rule.To\x12/\n\x04when\x18\x03 \x03(\x0b\x32!.istio.security.v1beta1.Condition\x1a\x36\n\x04\x46rom\x12.\n\x06source\x18\x01 \x01(\x0b\x32\x1e.istio.security.v1beta1.Source\x1a:\n\x02To\x12\x34\n\toperation\x18\x01 \x01(\x0b\x32!.istio.security.v1beta1.Operation\"\xc6\x01\n\x06Source\x12\x12\n\nprincipals\x18\x01 \x03(\t\x12\x16\n\x0enot_principals\x18\x05 \x03(\t\x12\x1a\n\x12request_principals\x18\x02 \x03(\t\x12\x1e\n\x16not_request_principals\x18\x06 \x03(\t\x12\x12\n\nnamespaces\x18\x03 \x03(\t\x12\x16\n\x0enot_namespaces\x18\x07 \x03(\t\x12\x11\n\tip_blocks\x18\x04 \x03(\t\x12\x15\n\rnot_ip_blocks\x18\x08 \x03(\t\"\x97\x01\n\tOperation\x12\r\n\x05hosts\x18\x01 \x03(\t\x12\x11\n\tnot_hosts\x18\x05 \x03(\t\x12\r\n\x05ports\x18\x02 \x03(\t\x12\x11\n\tnot_ports\x18\x06 \x03(\t\x12\x0f\n\x07methods\x18\x03 \x03(\t\x12\x13\n\x0bnot_methods\x18\x07 \x03(\t\x12\r\n\x05paths\x18\x04 \x03(\t\x12\x11\n\tnot_paths\x18\x08 \x03(\t\"A\n\tCondition\x12\x10\n\x03key\x18\x01 \x01(\tB\x03\xe0\x41\x02\x12\x0e\n\x06values\x18\x02 \x03(\t\x12\x12\n\nnot_values\x18\x03 \x03(\tB\x1fZ\x1distio.io/api/security/v1beta1b\x06proto3') , dependencies=[google_dot_api_dot_field__behavior__pb2.DESCRIPTOR,type_dot_v1beta1_dot_selector__pb2.DESCRIPTOR,]) @@ -42,11 +42,15 @@ name='DENY', index=1, number=1, serialized_options=None, type=None), + _descriptor.EnumValueDescriptor( + name='LOG', index=2, number=2, + serialized_options=None, + type=None), ], containing_type=None, serialized_options=None, serialized_start=319, - serialized_end=348, + serialized_end=357, ) _sym_db.RegisterEnumDescriptor(_AUTHORIZATIONPOLICY_ACTION) @@ -93,7 +97,7 @@ oneofs=[ ], serialized_start=127, - serialized_end=348, + serialized_end=357, ) @@ -123,8 +127,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=502, - serialized_end=556, + serialized_start=511, + serialized_end=565, ) _RULE_TO = _descriptor.Descriptor( @@ -153,8 +157,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=558, - serialized_end=616, + serialized_start=567, + serialized_end=625, ) _RULE = _descriptor.Descriptor( @@ -197,8 +201,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=351, - serialized_end=616, + serialized_start=360, + serialized_end=625, ) @@ -277,8 +281,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=619, - serialized_end=817, + serialized_start=628, + serialized_end=826, ) @@ -357,8 +361,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=820, - serialized_end=971, + serialized_start=829, + serialized_end=980, ) @@ -402,8 +406,8 @@ extension_ranges=[], oneofs=[ ], - serialized_start=973, - serialized_end=1038, + serialized_start=982, + serialized_end=1047, ) _AUTHORIZATIONPOLICY.fields_by_name['selector'].message_type = type_dot_v1beta1_dot_selector__pb2._WORKLOADSELECTOR diff --git a/security/v1beta1/authorization.gen.json b/security/v1beta1/authorization.gen.json index 876d340db2..6d418c1bbc 100644 --- a/security/v1beta1/authorization.gen.json +++ b/security/v1beta1/authorization.gen.json @@ -57,7 +57,8 @@ "type": "string", "enum": [ "ALLOW", - "DENY" + "DENY", + "LOG" ] }, "istio.security.v1beta1.Rule.From": { diff --git a/security/v1beta1/authorization.pb.go b/security/v1beta1/authorization.pb.go index b40674c437..64b727f2b0 100644 --- a/security/v1beta1/authorization.pb.go +++ b/security/v1beta1/authorization.pb.go @@ -160,16 +160,20 @@ const ( AuthorizationPolicy_ALLOW AuthorizationPolicy_Action = 0 // Deny a request if it matches any of the rules. AuthorizationPolicy_DENY AuthorizationPolicy_Action = 1 + // Log a request if it matches any of the rules. + AuthorizationPolicy_LOG AuthorizationPolicy_Action = 2 ) var AuthorizationPolicy_Action_name = map[int32]string{ 0: "ALLOW", 1: "DENY", + 2: "LOG", } var AuthorizationPolicy_Action_value = map[string]int32{ "ALLOW": 0, "DENY": 1, + "LOG": 2, } func (x AuthorizationPolicy_Action) String() string { @@ -832,48 +836,49 @@ func init() { } var fileDescriptor_b72f4bc212a83269 = []byte{ - // 654 bytes of a gzipped FileDescriptorProto - 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x94, 0xdd, 0x6e, 0xd3, 0x4e, - 0x10, 0xc5, 0xff, 0x76, 0x12, 0x37, 0x9e, 0xea, 0x5f, 0x95, 0xa5, 0x54, 0x51, 0x4a, 0xd3, 0x62, - 0x15, 0xa9, 0x12, 0xc2, 0x51, 0xc3, 0xc7, 0x25, 0x90, 0x42, 0x11, 0xa0, 0xd2, 0x56, 0x6e, 0x45, - 0x55, 0x6e, 0x22, 0xc7, 0xd9, 0x36, 0xab, 0x3a, 0x1e, 0x63, 0xaf, 0x8b, 0xc2, 0x33, 0xf1, 0x08, - 0x3c, 0x00, 0x97, 0xbc, 0x01, 0x55, 0x1f, 0x82, 0x6b, 0xb4, 0x5f, 0x4e, 0x80, 0x36, 0x97, 0xb3, - 0xf3, 0x3b, 0x73, 0xce, 0x8e, 0xad, 0x85, 0x8d, 0x9c, 0x46, 0x45, 0xc6, 0xf8, 0xb8, 0x7d, 0xb1, - 0xd5, 0xa7, 0x3c, 0xdc, 0x6a, 0x87, 0x05, 0x1f, 0x62, 0xc6, 0xbe, 0x84, 0x9c, 0x61, 0xe2, 0xa7, - 0x19, 0x72, 0x24, 0xcb, 0x2c, 0xe7, 0x0c, 0x7d, 0xc3, 0xfa, 0x9a, 0x6d, 0xae, 0x9d, 0x21, 0x9e, - 0xc5, 0xb4, 0x1d, 0xa6, 0xac, 0x7d, 0xca, 0x68, 0x3c, 0xe8, 0xf5, 0xe9, 0x30, 0xbc, 0x60, 0x98, - 0x29, 0x61, 0x73, 0x85, 0x8f, 0x53, 0x5a, 0x8e, 0xce, 0x69, 0x4c, 0x23, 0x6e, 0x9a, 0xde, 0x2f, - 0x0b, 0x6e, 0x77, 0xa7, 0xdd, 0x0e, 0x30, 0x66, 0xd1, 0x98, 0xbc, 0x80, 0xba, 0x21, 0x1b, 0xd6, - 0xba, 0xb5, 0x39, 0xdf, 0xd9, 0xf0, 0x55, 0x00, 0x31, 0xcd, 0x98, 0xfb, 0xc7, 0x98, 0x9d, 0xc7, - 0x18, 0x0e, 0x0e, 0x35, 0x1b, 0x94, 0x2a, 0xd2, 0x81, 0x5a, 0x56, 0xc4, 0x34, 0x6f, 0xd8, 0xeb, - 0x95, 0xcd, 0xf9, 0xce, 0x5d, 0xff, 0xfa, 0xfc, 0x7e, 0x50, 0xc4, 0x34, 0x50, 0x28, 0x79, 0x07, - 0x4e, 0x18, 0x89, 0x14, 0x8d, 0xca, 0xba, 0xb5, 0xb9, 0xd0, 0xe9, 0xdc, 0x24, 0xba, 0x26, 0xb2, - 0xdf, 0x95, 0xca, 0x40, 0x4f, 0xf0, 0x56, 0xc1, 0x51, 0x27, 0xc4, 0x85, 0x5a, 0x77, 0x77, 0x77, - 0xff, 0x78, 0xf1, 0x3f, 0x52, 0x87, 0xea, 0xab, 0x9d, 0xbd, 0x93, 0x45, 0xcb, 0xfb, 0x6a, 0x43, - 0x55, 0x58, 0x93, 0x27, 0x50, 0x3d, 0xcd, 0x70, 0xd4, 0xb0, 0x64, 0xcc, 0x7b, 0xb3, 0x62, 0xfa, - 0xaf, 0x33, 0x1c, 0x05, 0x12, 0x27, 0x6d, 0xb0, 0x39, 0xea, 0xbb, 0xad, 0xcd, 0x14, 0x1d, 0x61, - 0x60, 0x73, 0x14, 0x3e, 0x9f, 0x87, 0x54, 0xdc, 0x6c, 0xa6, 0xcf, 0x4b, 0x4c, 0x06, 0x4c, 0x5e, - 0x44, 0xe2, 0xcd, 0x67, 0x50, 0x15, 0xae, 0xe4, 0x29, 0x38, 0x39, 0x16, 0x59, 0x44, 0xf5, 0xe7, - 0x68, 0xdd, 0x34, 0xe0, 0x50, 0x52, 0x81, 0xa6, 0x9b, 0x3b, 0x60, 0x1f, 0x21, 0x79, 0x0e, 0x2e, - 0xa6, 0x34, 0x93, 0xeb, 0xd2, 0x03, 0x6e, 0x4c, 0xb0, 0x6f, 0xc0, 0x60, 0xa2, 0xf1, 0xbe, 0xd9, - 0xe0, 0xa8, 0xc9, 0xa4, 0x05, 0x90, 0x66, 0x2c, 0x89, 0x58, 0x1a, 0xc6, 0xb9, 0x5c, 0x9b, 0x1b, - 0x4c, 0x9d, 0x90, 0xfb, 0xb0, 0x90, 0x20, 0xef, 0x4d, 0x31, 0x35, 0xc9, 0xfc, 0x9f, 0x20, 0x3f, - 0x98, 0x60, 0x0f, 0x81, 0x64, 0xf4, 0x53, 0x41, 0xf3, 0x3f, 0x50, 0x5b, 0xa2, 0xb7, 0x74, 0x67, - 0x0a, 0x7f, 0x0c, 0xcb, 0x62, 0xea, 0x35, 0x12, 0x47, 0x4a, 0x96, 0x12, 0xe4, 0xc1, 0x3f, 0xaa, - 0x16, 0x40, 0x12, 0x8e, 0x68, 0x9e, 0x86, 0x11, 0xcd, 0xe5, 0xea, 0xdd, 0x60, 0xea, 0xc4, 0x64, - 0x9d, 0x62, 0xe6, 0xca, 0xac, 0x7b, 0x13, 0x6c, 0x05, 0x5c, 0x96, 0xf6, 0xfa, 0x31, 0x46, 0xe7, - 0x79, 0xa3, 0x2a, 0x89, 0x3a, 0x4b, 0xb7, 0x65, 0x4d, 0x3c, 0x10, 0x74, 0x6f, 0x02, 0xd4, 0x25, - 0x30, 0x9f, 0x20, 0x7f, 0xab, 0x19, 0xef, 0xa7, 0x05, 0x6e, 0xb9, 0x57, 0xb2, 0x04, 0xb5, 0x21, - 0xe6, 0xdc, 0x2c, 0x4f, 0x15, 0xc2, 0x44, 0xcc, 0x51, 0x1d, 0xb5, 0xb2, 0x7a, 0x82, 0xfc, 0x8d, - 0x6c, 0x2e, 0x41, 0x2d, 0xc5, 0x8c, 0x9b, 0x05, 0xa9, 0xc2, 0x48, 0x54, 0xc7, 0x29, 0x25, 0x07, - 0xb2, 0xd9, 0x80, 0xb9, 0x11, 0xe5, 0x43, 0x1c, 0x98, 0x8b, 0x9b, 0x92, 0xac, 0x81, 0x08, 0xd7, - 0x33, 0xdd, 0x39, 0xbd, 0x16, 0xe4, 0xef, 0x35, 0x20, 0xdc, 0x42, 0x3e, 0x34, 0x77, 0x55, 0x45, - 0xe9, 0x26, 0x3b, 0xf5, 0x89, 0x9b, 0xa8, 0xbd, 0x13, 0x70, 0xcb, 0x5f, 0x97, 0xdc, 0x81, 0xca, - 0x39, 0x1d, 0xcb, 0x1f, 0xcd, 0xdd, 0xae, 0x5c, 0x76, 0xed, 0x40, 0xd4, 0x64, 0x19, 0x9c, 0x8b, - 0x30, 0x2e, 0xa8, 0xb9, 0x85, 0xae, 0xc8, 0x2a, 0x08, 0xf3, 0x9e, 0xee, 0xa9, 0xb0, 0xc2, 0xea, - 0x83, 0x3c, 0xd8, 0x7e, 0xf0, 0xfd, 0xaa, 0x65, 0xfd, 0xb8, 0x6a, 0x59, 0x97, 0x57, 0x2d, 0xeb, - 0xe3, 0xaa, 0xfa, 0x6d, 0x19, 0xca, 0x17, 0xef, 0xef, 0xa7, 0xb3, 0xef, 0xc8, 0x77, 0xed, 0xd1, - 0xef, 0x00, 0x00, 0x00, 0xff, 0xff, 0x59, 0x1f, 0xf3, 0xa8, 0x55, 0x05, 0x00, 0x00, + // 662 bytes of a gzipped FileDescriptorProto + 0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0x7c, 0x94, 0xdb, 0x4e, 0xdb, 0x4a, + 0x14, 0x86, 0xb7, 0x9d, 0xc4, 0x89, 0x17, 0xda, 0x88, 0x3d, 0x9b, 0x8d, 0xa2, 0xb0, 0x09, 0xd4, + 0xa2, 0x15, 0x52, 0x55, 0x47, 0xa4, 0x87, 0xcb, 0xb6, 0xa1, 0xa5, 0x27, 0x51, 0x40, 0x06, 0x15, + 0xd1, 0x9b, 0xc8, 0x71, 0x06, 0x32, 0xc2, 0xf1, 0x72, 0xed, 0x31, 0x55, 0xfa, 0x4c, 0x7d, 0x84, + 0x3e, 0x40, 0x2f, 0xfb, 0x06, 0x45, 0xbc, 0x48, 0xab, 0x39, 0x39, 0x69, 0x0b, 0x5c, 0xae, 0x59, + 0xdf, 0xbf, 0xfe, 0x7f, 0x96, 0xad, 0x81, 0xf5, 0x9c, 0x46, 0x45, 0xc6, 0xf8, 0xa4, 0x73, 0xbe, + 0x39, 0xa0, 0x3c, 0xdc, 0xec, 0x84, 0x05, 0x1f, 0x61, 0xc6, 0x3e, 0x85, 0x9c, 0x61, 0xe2, 0xa7, + 0x19, 0x72, 0x24, 0x4b, 0x2c, 0xe7, 0x0c, 0x7d, 0xc3, 0xfa, 0x9a, 0x6d, 0xad, 0x9e, 0x22, 0x9e, + 0xc6, 0xb4, 0x13, 0xa6, 0xac, 0x73, 0xc2, 0x68, 0x3c, 0xec, 0x0f, 0xe8, 0x28, 0x3c, 0x67, 0x98, + 0x29, 0x61, 0x6b, 0x99, 0x4f, 0x52, 0x5a, 0x8e, 0xce, 0x69, 0x4c, 0x23, 0x6e, 0x9a, 0xde, 0x0f, + 0x0b, 0xfe, 0xed, 0xcd, 0xba, 0xed, 0x63, 0xcc, 0xa2, 0x09, 0x79, 0x0a, 0x0d, 0x43, 0x36, 0xad, + 0x35, 0x6b, 0x63, 0xae, 0xbb, 0xee, 0xab, 0x00, 0x62, 0x9a, 0x31, 0xf7, 0x8f, 0x30, 0x3b, 0x8b, + 0x31, 0x1c, 0x1e, 0x68, 0x36, 0x28, 0x55, 0xa4, 0x0b, 0xb5, 0xac, 0x88, 0x69, 0xde, 0xb4, 0xd7, + 0x2a, 0x1b, 0x73, 0xdd, 0xff, 0xfd, 0xab, 0xf3, 0xfb, 0x41, 0x11, 0xd3, 0x40, 0xa1, 0xe4, 0x0d, + 0x38, 0x61, 0x24, 0x52, 0x34, 0x2b, 0x6b, 0xd6, 0xc6, 0x7c, 0xb7, 0x7b, 0x9d, 0xe8, 0x8a, 0xc8, + 0x7e, 0x4f, 0x2a, 0x03, 0x3d, 0xc1, 0xbb, 0x03, 0x8e, 0x3a, 0x21, 0x2e, 0xd4, 0x7a, 0x3b, 0x3b, + 0x7b, 0x47, 0x0b, 0x7f, 0x91, 0x06, 0x54, 0x9f, 0x6f, 0xef, 0x1e, 0x2f, 0x58, 0xa4, 0x0e, 0x95, + 0x9d, 0xbd, 0x97, 0x0b, 0xb6, 0xf7, 0xd9, 0x86, 0xaa, 0xc8, 0x40, 0x1e, 0x42, 0xf5, 0x24, 0xc3, + 0x71, 0xd3, 0x92, 0x79, 0x6f, 0xdd, 0x94, 0xd7, 0x7f, 0x91, 0xe1, 0x38, 0x90, 0x38, 0xe9, 0x80, + 0xcd, 0x51, 0x5f, 0x72, 0xf5, 0x46, 0xd1, 0x21, 0x06, 0x36, 0x47, 0xe1, 0xf3, 0x71, 0x44, 0xc5, + 0x15, 0x6f, 0xf4, 0x79, 0x86, 0xc9, 0x90, 0xc9, 0x1b, 0x49, 0xbc, 0xf5, 0x18, 0xaa, 0xc2, 0x95, + 0x3c, 0x02, 0x27, 0xc7, 0x22, 0x8b, 0xa8, 0xfe, 0x2e, 0xed, 0xeb, 0x06, 0x1c, 0x48, 0x2a, 0xd0, + 0x74, 0x6b, 0x1b, 0xec, 0x43, 0x24, 0x4f, 0xc0, 0xc5, 0x94, 0x66, 0x72, 0x6f, 0x7a, 0xc0, 0xb5, + 0x09, 0xf6, 0x0c, 0x18, 0x4c, 0x35, 0xde, 0x17, 0x1b, 0x1c, 0x35, 0x99, 0xb4, 0x01, 0xd2, 0x8c, + 0x25, 0x11, 0x4b, 0xc3, 0x38, 0x97, 0x6b, 0x73, 0x83, 0x99, 0x13, 0x72, 0x1b, 0xe6, 0x13, 0xe4, + 0xfd, 0x19, 0xa6, 0x26, 0x99, 0xbf, 0x13, 0xe4, 0xfb, 0x53, 0xec, 0x1e, 0x90, 0x8c, 0x7e, 0x28, + 0x68, 0xfe, 0x0b, 0x6a, 0x4b, 0xf4, 0x1f, 0xdd, 0x99, 0xc1, 0x1f, 0xc0, 0x92, 0x98, 0x7a, 0x85, + 0xc4, 0x91, 0x92, 0xc5, 0x04, 0x79, 0xf0, 0x87, 0xaa, 0x0d, 0x90, 0x84, 0x63, 0x9a, 0xa7, 0x61, + 0x44, 0x73, 0xb9, 0x7a, 0x37, 0x98, 0x39, 0x31, 0x59, 0x67, 0x98, 0x7a, 0x99, 0x75, 0x77, 0x8a, + 0x2d, 0x83, 0xcb, 0xd2, 0xfe, 0x20, 0xc6, 0xe8, 0x2c, 0x6f, 0x56, 0x25, 0xd1, 0x60, 0xe9, 0x96, + 0xac, 0x89, 0x07, 0x82, 0xee, 0x4f, 0x81, 0x86, 0x04, 0xe6, 0x12, 0xe4, 0xaf, 0x35, 0xe3, 0x7d, + 0xb7, 0xc0, 0x2d, 0xf7, 0x4a, 0x16, 0xa1, 0x36, 0xc2, 0x9c, 0x9b, 0xe5, 0xa9, 0x42, 0x98, 0x88, + 0x39, 0xaa, 0xa3, 0x56, 0xd6, 0x48, 0x90, 0xbf, 0x92, 0xcd, 0x45, 0xa8, 0xa5, 0x98, 0x71, 0xb3, + 0x20, 0x55, 0x18, 0x89, 0xea, 0x38, 0xa5, 0x64, 0x5f, 0x36, 0x9b, 0x50, 0x1f, 0x53, 0x3e, 0xc2, + 0xa1, 0xb9, 0xb8, 0x29, 0xc9, 0x2a, 0x88, 0x70, 0x7d, 0xd3, 0xad, 0xeb, 0xb5, 0x20, 0x7f, 0xab, + 0x01, 0xe1, 0x16, 0xf2, 0x91, 0xb9, 0xab, 0x2a, 0x4a, 0x37, 0xd9, 0x69, 0x4c, 0xdd, 0x44, 0xed, + 0x1d, 0x83, 0x5b, 0xfe, 0xba, 0xe4, 0x3f, 0xa8, 0x9c, 0xd1, 0x89, 0xfc, 0xd1, 0xdc, 0xad, 0xca, + 0x45, 0xcf, 0x0e, 0x44, 0x4d, 0x96, 0xc0, 0x39, 0x0f, 0xe3, 0x82, 0x9a, 0x5b, 0xe8, 0x8a, 0xac, + 0x80, 0x30, 0xef, 0xeb, 0x9e, 0x0a, 0x2b, 0xac, 0xde, 0xc9, 0x83, 0xad, 0xbb, 0x5f, 0x2f, 0xdb, + 0xd6, 0xb7, 0xcb, 0xb6, 0x75, 0x71, 0xd9, 0xb6, 0xde, 0xaf, 0xa8, 0xdf, 0x96, 0xa1, 0x7c, 0xfa, + 0x7e, 0x7f, 0x43, 0x07, 0x8e, 0x7c, 0xe0, 0xee, 0xff, 0x0c, 0x00, 0x00, 0xff, 0xff, 0x2e, 0x97, + 0x3f, 0x6a, 0x5e, 0x05, 0x00, 0x00, } func (m *AuthorizationPolicy) Marshal() (dAtA []byte, err error) { diff --git a/security/v1beta1/authorization.pb.html b/security/v1beta1/authorization.pb.html index cecaa14465..fcfaf329db 100644 --- a/security/v1beta1/authorization.pb.html +++ b/security/v1beta1/authorization.pb.html @@ -672,6 +672,13 @@

AuthorizationPolicy.Action

Deny a request if it matches any of the rules.

+ + + +LOG + +

Log a request if it matches any of the rules.

+ diff --git a/security/v1beta1/authorization.proto b/security/v1beta1/authorization.proto index dfca03120f..75e0eeddc9 100644 --- a/security/v1beta1/authorization.proto +++ b/security/v1beta1/authorization.proto @@ -221,6 +221,9 @@ message AuthorizationPolicy { // Deny a request if it matches any of the rules. DENY = 1; + + // Log a request if it matches any of the rules. + LOG = 2; } // Optional. The action to take if the request is matched with the rules. From 8f9b2a808de11958474fd280f61236c98158b527 Mon Sep 17 00:00:00 2001 From: davidraskin Date: Thu, 11 Jun 2020 04:17:48 +0000 Subject: [PATCH 2/9] change module name --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index d7be1cd052..f979ea39eb 100644 --- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module istio.io/api +module github.com/davidraskin/api go 1.12 From 1b2659b9b5205c42e4c8d34ef09c8e8402b2fee0 Mon Sep 17 00:00:00 2001 From: davidraskin Date: Thu, 11 Jun 2020 04:53:46 +0000 Subject: [PATCH 3/9] change module again --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index f979ea39eb..d7be1cd052 100644 --- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module github.com/davidraskin/api +module istio.io/api go 1.12 From 9d98e3dde5843d8696a304057e2d079ab2302a65 Mon Sep 17 00:00:00 2001 From: davidraskin Date: Thu, 11 Jun 2020 16:50:26 +0000 Subject: [PATCH 4/9] change go.mod again --- go.mod | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/go.mod b/go.mod index d7be1cd052..f979ea39eb 100644 --- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module istio.io/api +module github.com/davidraskin/api go 1.12 From 325e52ba9817b68780b1805352a80123bba96eaf Mon Sep 17 00:00:00 2001 From: davidraskin Date: Wed, 22 Jul 2020 16:51:50 +0000 Subject: [PATCH 5/9] Changed back go.mod, go.sum, proto.lock --- go.mod | 5 +- go.sum | 2 + proto.lock | 2136 ++++++++++------- security/v1beta1/authorization.pb.go | 41 +- security/v1beta1/authorization.pb.html | 67 +- security/v1beta1/authorization.proto | 41 +- .../v1beta1/authorization_deepcopy.gen.go | 39 +- security/v1beta1/authorization_json.gen.go | 39 +- 8 files changed, 1476 insertions(+), 894 deletions(-) diff --git a/go.mod b/go.mod index f979ea39eb..b4542ab786 100644 --- a/go.mod +++ b/go.mod @@ -1,12 +1,11 @@ -module github.com/davidraskin/api +module istio.io/api go 1.12 require ( github.com/gogo/protobuf v1.3.1 - github.com/golang/protobuf v1.3.5 + github.com/golang/protobuf v1.3.5 // indirect google.golang.org/grpc v1.28.1 istio.io/gogo-genproto v0.0.0-20190930162913-45029607206a - k8s.io/api v0.18.1 k8s.io/apimachinery v0.18.1 ) diff --git a/go.sum b/go.sum index b315b22665..26e36a4f07 100644 --- a/go.sum +++ b/go.sum @@ -147,6 +147,8 @@ gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= honnef.co/go/tools v0.0.0-20190523083050-ea95bdfd59fc/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4= +istio.io/api v0.0.0-20200722144311-7e311b6ce256 h1:n0wVbpDFutLWO2YhxmkQotfh13RaU0ql09HhHJQq4kY= +istio.io/api v0.0.0-20200722144311-7e311b6ce256/go.mod h1:88HN3o1fSD1jo+Z1WTLlJfMm9biopur6Ct9BFKjiB64= istio.io/gogo-genproto v0.0.0-20190930162913-45029607206a h1:w7zILua2dnYo9CxImhpNW4NE/8ZxEoc/wfBfHrhUhrE= istio.io/gogo-genproto v0.0.0-20190930162913-45029607206a/go.mod h1:OzpAts7jljZceG4Vqi5/zXy/pOg1b209T3jb7Nv5wIs= k8s.io/api v0.18.1 h1:pnHr0LH69kvL29eHldoepUDKTuiOejNZI2A1gaxve3Q= diff --git a/proto.lock b/proto.lock index bd21b01e7a..a179cb5c69 100644 --- a/proto.lock +++ b/proto.lock @@ -1,5 +1,164 @@ { "definitions": [ + { + "protopath": "analysis:/:v1alpha1:/:message.proto", + "def": { + "enums": [ + { + "name": "AnalysisMessageBase.Level", + "enum_fields": [ + { + "name": "UNKNOWN" + }, + { + "name": "ERROR", + "integer": 3 + }, + { + "name": "WARNING", + "integer": 8 + }, + { + "name": "INFO", + "integer": 12 + } + ] + } + ], + "messages": [ + { + "name": "AnalysisMessageBase", + "fields": [ + { + "id": 1, + "name": "type", + "type": "Type" + }, + { + "id": 2, + "name": "level", + "type": "Level" + }, + { + "id": 3, + "name": "documentation_url", + "type": "string" + } + ], + "messages": [ + { + "name": "Type", + "fields": [ + { + "id": 1, + "name": "name", + "type": "string" + }, + { + "id": 2, + "name": "code", + "type": "string" + } + ] + } + ] + }, + { + "name": "AnalysisMessageWeakSchema", + "fields": [ + { + "id": 1, + "name": "message_base", + "type": "AnalysisMessageBase" + }, + { + "id": 2, + "name": "description", + "type": "string" + }, + { + "id": 3, + "name": "template", + "type": "string" + }, + { + "id": 4, + "name": "args", + "type": "ArgType", + "is_repeated": true + } + ], + "messages": [ + { + "name": "ArgType", + "fields": [ + { + "id": 1, + "name": "name", + "type": "string" + }, + { + "id": 2, + "name": "go_type", + "type": "string" + } + ] + } + ] + }, + { + "name": "GenericAnalysisMessage", + "fields": [ + { + "id": 1, + "name": "message_base", + "type": "AnalysisMessageBase" + }, + { + "id": 2, + "name": "args", + "type": "google.protobuf.Struct" + }, + { + "id": 3, + "name": "resource_paths", + "type": "string", + "is_repeated": true + } + ] + }, + { + "name": "InternalErrorAnalysisMessage", + "fields": [ + { + "id": 1, + "name": "message_base", + "type": "AnalysisMessageBase" + }, + { + "id": 2, + "name": "detail", + "type": "string" + } + ] + } + ], + "imports": [ + { + "path": "google/protobuf/struct.proto" + } + ], + "package": { + "name": "istio.analysis.v1alpha1" + }, + "options": [ + { + "name": "go_package", + "value": "istio.io/api/analysis/v1alpha1" + } + ] + } + }, { "protopath": "authentication:/:v1alpha1:/:policy.proto", "def": { @@ -12890,7 +13049,13 @@ "value": "/v1/services/{service_name}/configs/{config_id}" }, { - "name": "additional_bindings" + "name": "additional_bindings", + "aggregated": [ + { + "name": "get", + "value": "/v1/services/{service_name}/config" + } + ] } ] } @@ -35831,32 +35996,68 @@ { "id": 1, "name": "mixer_check_server", - "type": "string" + "type": "string", + "options": [ + { + "name": "deprecated", + "value": "true" + } + ] }, { "id": 2, "name": "mixer_report_server", - "type": "string" + "type": "string", + "options": [ + { + "name": "deprecated", + "value": "true" + } + ] }, { "id": 3, "name": "disable_policy_checks", - "type": "bool" + "type": "bool", + "options": [ + { + "name": "deprecated", + "value": "true" + } + ] }, { "id": 48, "name": "disable_mixer_http_reports", - "type": "bool" + "type": "bool", + "options": [ + { + "name": "deprecated", + "value": "true" + } + ] }, { "id": 25, "name": "policy_check_fail_open", - "type": "bool" + "type": "bool", + "options": [ + { + "name": "deprecated", + "value": "true" + } + ] }, { "id": 30, "name": "sidecar_to_telemetry_session_affinity", - "type": "bool" + "type": "bool", + "options": [ + { + "name": "deprecated", + "value": "true" + } + ] }, { "id": 4, @@ -36066,17 +36267,35 @@ { "id": 37, "name": "disable_report_batch", - "type": "bool" + "type": "bool", + "options": [ + { + "name": "deprecated", + "value": "true" + } + ] }, { "id": 38, "name": "report_batch_max_entries", - "type": "uint32" + "type": "uint32", + "options": [ + { + "name": "deprecated", + "value": "true" + } + ] }, { "id": 39, "name": "report_batch_max_time", - "type": "google.protobuf.Duration" + "type": "google.protobuf.Duration", + "options": [ + { + "name": "deprecated", + "value": "true" + } + ] }, { "id": 41, @@ -36118,7 +36337,11 @@ ], "reserved_ids": [ 15, - 18 + 18, + 53 + ], + "reserved_names": [ + "termination_drain_duration" ], "messages": [ { @@ -36772,6 +36995,16 @@ "id": 28, "name": "gateway_topology", "type": "Topology" + }, + { + "id": 29, + "name": "termination_drain_duration", + "type": "google.protobuf.Duration" + }, + { + "id": 30, + "name": "mesh_id", + "type": "int32" } ], "maps": [ @@ -36834,6 +37067,85 @@ ] } }, + { + "protopath": "meta:/:v1alpha1:/:status.proto", + "def": { + "messages": [ + { + "name": "IstioStatus", + "fields": [ + { + "id": 1, + "name": "conditions", + "type": "IstioCondition", + "is_repeated": true + }, + { + "id": 2, + "name": "validation_messages", + "type": "analysis.v1alpha1.AnalysisMessageBase", + "is_repeated": true + } + ] + }, + { + "name": "IstioCondition", + "fields": [ + { + "id": 1, + "name": "type", + "type": "string" + }, + { + "id": 2, + "name": "status", + "type": "string" + }, + { + "id": 3, + "name": "last_probe_time", + "type": "k8s.io.apimachinery.pkg.apis.meta.v1.Time" + }, + { + "id": 4, + "name": "last_transition_time", + "type": "k8s.io.apimachinery.pkg.apis.meta.v1.Time" + }, + { + "id": 5, + "name": "reason", + "type": "string" + }, + { + "id": 6, + "name": "message", + "type": "string" + } + ] + } + ], + "imports": [ + { + "path": "analysis/v1alpha1/message.proto" + }, + { + "path": "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto" + }, + { + "path": "google/api/field_behavior.proto" + } + ], + "package": { + "name": "istio.meta.v1alpha1" + }, + "options": [ + { + "name": "go_package", + "value": "istio.io/api/meta/v1alpha1" + } + ] + } + }, { "protopath": "mixer:/:adapter:/:model:/:v1beta1:/:check.proto", "def": { @@ -36890,6 +37202,10 @@ "name": "istio.mixer.adapter.model.v1beta1" }, "options": [ + { + "name": "deprecated", + "value": "true" + }, { "name": "go_package", "value": "istio.io/api/mixer/adapter/model/v1beta1" @@ -37011,6 +37327,10 @@ "name": "istio.mixer.adapter.model.v1beta1" }, "options": [ + { + "name": "deprecated", + "value": "true" + }, { "name": "go_package", "value": "istio.io/api/mixer/adapter/model/v1beta1" @@ -37115,17 +37435,35 @@ { "name": "Validate", "in_type": "ValidateRequest", - "out_type": "ValidateResponse" + "out_type": "ValidateResponse", + "options": [ + { + "name": "deprecated", + "value": "true" + } + ] }, { "name": "CreateSession", "in_type": "CreateSessionRequest", - "out_type": "CreateSessionResponse" + "out_type": "CreateSessionResponse", + "options": [ + { + "name": "deprecated", + "value": "true" + } + ] }, { "name": "CloseSession", "in_type": "CloseSessionRequest", - "out_type": "CloseSessionResponse" + "out_type": "CloseSessionResponse", + "options": [ + { + "name": "deprecated", + "value": "true" + } + ] } ] } @@ -37142,6 +37480,10 @@ "name": "istio.mixer.adapter.model.v1beta1" }, "options": [ + { + "name": "deprecated", + "value": "true" + }, { "name": "go_package", "value": "istio.io/api/mixer/adapter/model/v1beta1" @@ -37266,6 +37608,10 @@ "name": "istio.mixer.adapter.model.v1beta1" }, "options": [ + { + "name": "deprecated", + "value": "true" + }, { "name": "go_package", "value": "istio.io/api/mixer/adapter/model/v1beta1" @@ -37302,6 +37648,10 @@ "name": "istio.mixer.adapter.model.v1beta1" }, "options": [ + { + "name": "deprecated", + "value": "true" + }, { "name": "go_package", "value": "istio.io/api/mixer/adapter/model/v1beta1" @@ -37340,6 +37690,10 @@ "name": "istio.mixer.adapter.model.v1beta1" }, "options": [ + { + "name": "deprecated", + "value": "true" + }, { "name": "go_package", "value": "istio.io/api/mixer/adapter/model/v1beta1" @@ -37556,6 +37910,10 @@ "name": "istio.mixer.v1" }, "options": [ + { + "name": "deprecated", + "value": "true" + }, { "name": "go_package", "value": "istio.io/api/mixer/v1" @@ -37724,265 +38082,273 @@ }, "options": [ { - "name": "go_package", - "value": "istio.io/api/mixer/v1/config/client" - }, - { - "name": "(gogoproto.goproto_getters_all)", - "value": "false" - }, - { - "name": "(gogoproto.equal_all)", - "value": "false" - }, - { - "name": "(gogoproto.gostring_all)", - "value": "false" - }, - { - "name": "(gogoproto.stable_marshaler_all)", + "name": "deprecated", + "value": "true" + }, + { + "name": "go_package", + "value": "istio.io/api/mixer/v1/config/client" + }, + { + "name": "(gogoproto.goproto_getters_all)", + "value": "false" + }, + { + "name": "(gogoproto.equal_all)", + "value": "false" + }, + { + "name": "(gogoproto.gostring_all)", + "value": "false" + }, + { + "name": "(gogoproto.stable_marshaler_all)", + "value": "true" + } + ] + } + }, + { + "protopath": "mixer:/:v1:/:config:/:client:/:client_config.proto", + "def": { + "enums": [ + { + "name": "NetworkFailPolicy.FailPolicy", + "enum_fields": [ + { + "name": "FAIL_OPEN" + }, + { + "name": "FAIL_CLOSE", + "integer": 1 + } + ] + } + ], + "messages": [ + { + "name": "NetworkFailPolicy", + "fields": [ + { + "id": 1, + "name": "policy", + "type": "FailPolicy" + }, + { + "id": 2, + "name": "max_retry", + "type": "uint32" + }, + { + "id": 3, + "name": "base_retry_wait", + "type": "google.protobuf.Duration" + }, + { + "id": 4, + "name": "max_retry_wait", + "type": "google.protobuf.Duration" + } + ] + }, + { + "name": "ServiceConfig", + "fields": [ + { + "id": 1, + "name": "disable_check_calls", + "type": "bool" + }, + { + "id": 2, + "name": "disable_report_calls", + "type": "bool" + }, + { + "id": 3, + "name": "mixer_attributes", + "type": "Attributes" + }, + { + "id": 4, + "name": "http_api_spec", + "type": "HTTPAPISpec", + "is_repeated": true + }, + { + "id": 5, + "name": "quota_spec", + "type": "QuotaSpec", + "is_repeated": true + }, + { + "id": 7, + "name": "network_fail_policy", + "type": "NetworkFailPolicy" + }, + { + "id": 8, + "name": "forward_attributes", + "type": "Attributes" + } + ] + }, + { + "name": "TransportConfig", + "fields": [ + { + "id": 1, + "name": "disable_check_cache", + "type": "bool" + }, + { + "id": 2, + "name": "disable_quota_cache", + "type": "bool" + }, + { + "id": 3, + "name": "disable_report_batch", + "type": "bool" + }, + { + "id": 4, + "name": "network_fail_policy", + "type": "NetworkFailPolicy" + }, + { + "id": 5, + "name": "stats_update_interval", + "type": "google.protobuf.Duration" + }, + { + "id": 6, + "name": "check_cluster", + "type": "string" + }, + { + "id": 7, + "name": "report_cluster", + "type": "string" + }, + { + "id": 8, + "name": "attributes_for_mixer_proxy", + "type": "Attributes" + }, + { + "id": 9, + "name": "report_batch_max_entries", + "type": "uint32" + }, + { + "id": 10, + "name": "report_batch_max_time", + "type": "google.protobuf.Duration" + } + ] + }, + { + "name": "HttpClientConfig", + "fields": [ + { + "id": 1, + "name": "transport", + "type": "TransportConfig" + }, + { + "id": 3, + "name": "default_destination_service", + "type": "string" + }, + { + "id": 4, + "name": "mixer_attributes", + "type": "Attributes" + }, + { + "id": 5, + "name": "forward_attributes", + "type": "Attributes" + }, + { + "id": 6, + "name": "ignore_forwarded_attributes", + "type": "bool" + } + ], + "maps": [ + { + "key_type": "string", + "field": { + "id": 2, + "name": "service_configs", + "type": "ServiceConfig" + } + } + ] + }, + { + "name": "TcpClientConfig", + "fields": [ + { + "id": 1, + "name": "transport", + "type": "TransportConfig" + }, + { + "id": 2, + "name": "mixer_attributes", + "type": "Attributes" + }, + { + "id": 3, + "name": "disable_check_calls", + "type": "bool" + }, + { + "id": 4, + "name": "disable_report_calls", + "type": "bool" + }, + { + "id": 5, + "name": "connection_quota_spec", + "type": "QuotaSpec" + }, + { + "id": 6, + "name": "report_interval", + "type": "google.protobuf.Duration" + } + ] + } + ], + "imports": [ + { + "path": "gogoproto/gogo.proto" + }, + { + "path": "google/protobuf/duration.proto" + }, + { + "path": "mixer/v1/attributes.proto" + }, + { + "path": "mixer/v1/config/client/api_spec.proto" + }, + { + "path": "mixer/v1/config/client/quota.proto" + } + ], + "package": { + "name": "istio.mixer.v1.config.client" + }, + "options": [ + { + "name": "deprecated", "value": "true" - } - ] - } - }, - { - "protopath": "mixer:/:v1:/:config:/:client:/:client_config.proto", - "def": { - "enums": [ - { - "name": "NetworkFailPolicy.FailPolicy", - "enum_fields": [ - { - "name": "FAIL_OPEN" - }, - { - "name": "FAIL_CLOSE", - "integer": 1 - } - ] - } - ], - "messages": [ - { - "name": "NetworkFailPolicy", - "fields": [ - { - "id": 1, - "name": "policy", - "type": "FailPolicy" - }, - { - "id": 2, - "name": "max_retry", - "type": "uint32" - }, - { - "id": 3, - "name": "base_retry_wait", - "type": "google.protobuf.Duration" - }, - { - "id": 4, - "name": "max_retry_wait", - "type": "google.protobuf.Duration" - } - ] - }, - { - "name": "ServiceConfig", - "fields": [ - { - "id": 1, - "name": "disable_check_calls", - "type": "bool" - }, - { - "id": 2, - "name": "disable_report_calls", - "type": "bool" - }, - { - "id": 3, - "name": "mixer_attributes", - "type": "Attributes" - }, - { - "id": 4, - "name": "http_api_spec", - "type": "HTTPAPISpec", - "is_repeated": true - }, - { - "id": 5, - "name": "quota_spec", - "type": "QuotaSpec", - "is_repeated": true - }, - { - "id": 7, - "name": "network_fail_policy", - "type": "NetworkFailPolicy" - }, - { - "id": 8, - "name": "forward_attributes", - "type": "Attributes" - } - ] - }, - { - "name": "TransportConfig", - "fields": [ - { - "id": 1, - "name": "disable_check_cache", - "type": "bool" - }, - { - "id": 2, - "name": "disable_quota_cache", - "type": "bool" - }, - { - "id": 3, - "name": "disable_report_batch", - "type": "bool" - }, - { - "id": 4, - "name": "network_fail_policy", - "type": "NetworkFailPolicy" - }, - { - "id": 5, - "name": "stats_update_interval", - "type": "google.protobuf.Duration" - }, - { - "id": 6, - "name": "check_cluster", - "type": "string" - }, - { - "id": 7, - "name": "report_cluster", - "type": "string" - }, - { - "id": 8, - "name": "attributes_for_mixer_proxy", - "type": "Attributes" - }, - { - "id": 9, - "name": "report_batch_max_entries", - "type": "uint32" - }, - { - "id": 10, - "name": "report_batch_max_time", - "type": "google.protobuf.Duration" - } - ] - }, - { - "name": "HttpClientConfig", - "fields": [ - { - "id": 1, - "name": "transport", - "type": "TransportConfig" - }, - { - "id": 3, - "name": "default_destination_service", - "type": "string" - }, - { - "id": 4, - "name": "mixer_attributes", - "type": "Attributes" - }, - { - "id": 5, - "name": "forward_attributes", - "type": "Attributes" - }, - { - "id": 6, - "name": "ignore_forwarded_attributes", - "type": "bool" - } - ], - "maps": [ - { - "key_type": "string", - "field": { - "id": 2, - "name": "service_configs", - "type": "ServiceConfig" - } - } - ] - }, - { - "name": "TcpClientConfig", - "fields": [ - { - "id": 1, - "name": "transport", - "type": "TransportConfig" - }, - { - "id": 2, - "name": "mixer_attributes", - "type": "Attributes" - }, - { - "id": 3, - "name": "disable_check_calls", - "type": "bool" - }, - { - "id": 4, - "name": "disable_report_calls", - "type": "bool" - }, - { - "id": 5, - "name": "connection_quota_spec", - "type": "QuotaSpec" - }, - { - "id": 6, - "name": "report_interval", - "type": "google.protobuf.Duration" - } - ] - } - ], - "imports": [ - { - "path": "gogoproto/gogo.proto" - }, - { - "path": "google/protobuf/duration.proto" - }, - { - "path": "mixer/v1/attributes.proto" - }, - { - "path": "mixer/v1/config/client/api_spec.proto" }, - { - "path": "mixer/v1/config/client/quota.proto" - } - ], - "package": { - "name": "istio.mixer.v1.config.client" - }, - "options": [ { "name": "go_package", "value": "istio.io/api/mixer/v1/config/client" @@ -38154,6 +38520,10 @@ "name": "istio.mixer.v1.config.client" }, "options": [ + { + "name": "deprecated", + "value": "true" + }, { "name": "go_package", "value": "istio.io/api/mixer/v1/config/client" @@ -38226,6 +38596,10 @@ "name": "istio.mixer.v1.config.client" }, "options": [ + { + "name": "deprecated", + "value": "true" + }, { "name": "go_package", "value": "istio.io/api/mixer/v1/config/client" @@ -38645,12 +39019,24 @@ { "name": "Check", "in_type": "CheckRequest", - "out_type": "CheckResponse" + "out_type": "CheckResponse", + "options": [ + { + "name": "deprecated", + "value": "true" + } + ] }, { "name": "Report", "in_type": "ReportRequest", - "out_type": "ReportResponse" + "out_type": "ReportResponse", + "options": [ + { + "name": "deprecated", + "value": "true" + } + ] } ] } @@ -38673,6 +39059,10 @@ "name": "istio.mixer.v1" }, "options": [ + { + "name": "deprecated", + "value": "true" + }, { "name": "go_package", "value": "istio.io/api/mixer/v1" @@ -39144,6 +39534,11 @@ "name": "ca_certificates", "type": "string" }, + { + "id": 7, + "name": "credential_name", + "type": "string" + }, { "id": 5, "name": "subject_alt_names", @@ -39799,6 +40194,11 @@ "id": 5, "name": "default_endpoint", "type": "string" + }, + { + "id": 6, + "name": "name", + "type": "string" } ] }, @@ -39837,6 +40237,11 @@ "value": "REQUIRED" } ] + }, + { + "id": 4, + "name": "target_port", + "type": "uint32" } ] }, @@ -40118,12 +40523,14 @@ "id": 4, "name": "outbound_traffic_policy", "type": "OutboundTrafficPolicy" - }, - { - "id": 6, - "name": "localhost", - "type": "Localhost" } + ], + "reserved_ids": [ + 5, + 6 + ], + "reserved_names": [ + "localhost" ] }, { @@ -40160,12 +40567,14 @@ "value": "REQUIRED" } ] - }, - { - "id": 6, - "name": "localhost_client_tls", - "type": "ClientTLSSettings" } + ], + "reserved_ids": [ + 5, + 6 + ], + "reserved_names": [ + "localhost_client_tls" ] }, { @@ -40197,12 +40606,14 @@ "value": "REQUIRED" } ] - }, - { - "id": 5, - "name": "localhost_server_tls", - "type": "ServerTLSSettings" } + ], + "reserved_ids": [ + 5, + 6 + ], + "reserved_names": [ + "localhost_server_tls" ] }, { @@ -40238,21 +40649,6 @@ "type": "istio.networking.v1alpha3.Destination" } ] - }, - { - "name": "Localhost", - "fields": [ - { - "id": 1, - "name": "client_tls", - "type": "ClientTLSSettings" - }, - { - "id": 2, - "name": "server_tls", - "type": "ServerTLSSettings" - } - ] } ], "imports": [ @@ -41588,6 +41984,11 @@ "name": "ca_certificates", "type": "string" }, + { + "id": 7, + "name": "credential_name", + "type": "string" + }, { "id": 5, "name": "subject_alt_names", @@ -41816,6 +42217,11 @@ "id": 5, "name": "default_endpoint", "type": "string" + }, + { + "id": 6, + "name": "name", + "type": "string" } ] }, @@ -41854,6 +42260,11 @@ "value": "REQUIRED" } ] + }, + { + "id": 4, + "name": "target_port", + "type": "uint32" } ] }, @@ -42135,12 +42546,14 @@ "id": 4, "name": "outbound_traffic_policy", "type": "OutboundTrafficPolicy" - }, - { - "id": 6, - "name": "localhost", - "type": "Localhost" } + ], + "reserved_ids": [ + 5, + 6 + ], + "reserved_names": [ + "localhost" ] }, { @@ -42177,12 +42590,14 @@ "value": "REQUIRED" } ] - }, - { - "id": 6, - "name": "localhost_client_tls", - "type": "ClientTLSSettings" } + ], + "reserved_ids": [ + 5, + 6 + ], + "reserved_names": [ + "localhost_client_tls" ] }, { @@ -42214,12 +42629,14 @@ "value": "REQUIRED" } ] - }, - { - "id": 5, - "name": "localhost_server_tls", - "type": "ServerTLSSettings" } + ], + "reserved_ids": [ + 5, + 6 + ], + "reserved_names": [ + "localhost_server_tls" ] }, { @@ -42255,21 +42672,6 @@ "type": "istio.networking.v1beta1.Destination" } ] - }, - { - "name": "Localhost", - "fields": [ - { - "id": 1, - "name": "client_tls", - "type": "ClientTLSSettings" - }, - { - "id": 2, - "name": "server_tls", - "type": "ServerTLSSettings" - } - ] } ], "imports": [ @@ -43162,9 +43564,162 @@ } }, { - "protopath": "operator:/:v1alpha1:/:component.proto", + "protopath": "operator:/:v1alpha1:/:operator.proto", "def": { + "enums": [ + { + "name": "InstallStatus.Status", + "enum_fields": [ + { + "name": "NONE" + }, + { + "name": "UPDATING", + "integer": 1 + }, + { + "name": "RECONCILING", + "integer": 2 + }, + { + "name": "HEALTHY", + "integer": 3 + }, + { + "name": "ERROR", + "integer": 4 + }, + { + "name": "ACTION_REQUIRED", + "integer": 5 + } + ] + } + ], "messages": [ + { + "name": "IstioOperatorSpec", + "fields": [ + { + "id": 10, + "name": "profile", + "type": "string" + }, + { + "id": 11, + "name": "install_package_path", + "type": "string" + }, + { + "id": 12, + "name": "hub", + "type": "string" + }, + { + "id": 13, + "name": "tag", + "type": "TypeInterface" + }, + { + "id": 14, + "name": "resource_suffix", + "type": "string", + "options": [ + { + "name": "deprecated", + "value": "true" + } + ] + }, + { + "id": 15, + "name": "namespace", + "type": "string" + }, + { + "id": 16, + "name": "revision", + "type": "string" + }, + { + "id": 40, + "name": "mesh_config", + "type": "TypeMapStringInterface" + }, + { + "id": 50, + "name": "components", + "type": "IstioComponentSetSpec" + }, + { + "id": 100, + "name": "values", + "type": "TypeMapStringInterface" + }, + { + "id": 101, + "name": "unvalidated_values", + "type": "TypeMapStringInterface" + } + ], + "maps": [ + { + "key_type": "string", + "field": { + "id": 51, + "name": "addon_components", + "type": "ExternalComponentSpec" + } + } + ] + }, + { + "name": "InstallStatus", + "fields": [ + { + "id": 1, + "name": "status", + "type": "Status" + }, + { + "id": 3, + "name": "message", + "type": "string" + } + ], + "maps": [ + { + "key_type": "string", + "field": { + "id": 2, + "name": "component_status", + "type": "VersionStatus" + } + } + ], + "messages": [ + { + "name": "VersionStatus", + "fields": [ + { + "id": 1, + "name": "version", + "type": "string" + }, + { + "id": 2, + "name": "status", + "type": "Status" + }, + { + "id": 4, + "name": "error", + "type": "string" + } + ] + } + ] + }, { "name": "IstioComponentSetSpec", "fields": [ @@ -43233,6 +43788,11 @@ "id": 1, "name": "enabled", "type": "TypeBoolValueForPB" + }, + { + "id": 50, + "name": "k8s", + "type": "KubernetesResourcesSpec" } ] }, @@ -43413,7 +43973,7 @@ { "id": 14, "name": "tolerations", - "type": "k8s.io.api.core.v1.Toleration", + "type": "Toleration", "is_repeated": true }, { @@ -43493,63 +44053,6 @@ } ] }, - { - "name": "TypeMapStringInterface" - }, - { - "name": "TypeInterface" - }, - { - "name": "TypeBoolValueForPB" - } - ], - "imports": [ - { - "path": "google/protobuf/any.proto" - }, - { - "path": "k8s.io/api/core/v1/generated.proto" - }, - { - "path": "operator/v1alpha1/kubernetes.proto" - } - ], - "package": { - "name": "istio.operator.v1alpha1" - }, - "options": [ - { - "name": "go_package", - "value": "istio.io/api/operator/v1alpha1" - } - ] - } - }, - { - "protopath": "operator:/:v1alpha1:/:kubernetes.proto", - "def": { - "messages": [ - { - "name": "Resources", - "maps": [ - { - "key_type": "string", - "field": { - "id": 1, - "name": "limits", - "type": "string" - } - }, - { - "key_type": "string", - "field": { - "id": 2, - "name": "requests", - "type": "string" - } - } - ] - }, { "name": "Affinity", "fields": [ @@ -43571,394 +44074,540 @@ ] }, { - "name": "NodeAffinity", + "name": "ConfigMapKeySelector", "fields": [ { "id": 1, - "name": "requiredDuringSchedulingIgnoredDuringExecution", - "type": "NodeSelector" + "name": "localObjectReference", + "type": "LocalObjectReference" }, { "id": 2, - "name": "preferredDuringSchedulingIgnoredDuringExecution", - "type": "PreferredSchedulingTerm", - "is_repeated": true + "name": "key", + "type": "string" + }, + { + "id": 3, + "name": "optional", + "type": "bool" } ] }, { - "name": "NodeSelector", + "name": "ClientIPConfig", "fields": [ { "id": 1, - "name": "nodeSelectorTerms", - "type": "NodeSelectorTerm", - "is_repeated": true + "name": "timeoutSeconds", + "type": "int32" } ] }, { - "name": "NodeSelectorTerm", + "name": "CrossVersionObjectReference", "fields": [ { "id": 1, - "name": "matchExpressions", - "type": "NodeSelectorRequirement", - "is_repeated": true + "name": "kind", + "type": "string" }, { "id": 2, - "name": "matchFields", - "type": "NodeSelectorRequirement", - "is_repeated": true + "name": "name", + "type": "string" + }, + { + "id": 3, + "name": "apiVersion", + "type": "string" } ] }, { - "name": "NodeSelectorRequirement", + "name": "DeploymentStrategy", "fields": [ { "id": 1, - "name": "key", + "name": "type", "type": "string" }, { "id": 2, - "name": "operator", + "name": "rollingUpdate", + "type": "RollingUpdateDeployment" + } + ] + }, + { + "name": "EnvVar", + "fields": [ + { + "id": 1, + "name": "name", + "type": "string" + }, + { + "id": 2, + "name": "value", "type": "string" }, { "id": 3, - "name": "values", - "type": "string", - "is_repeated": true + "name": "valueFrom", + "type": "EnvVarSource" } ] }, { - "name": "PodAffinity", + "name": "EnvVarSource", "fields": [ { "id": 1, - "name": "requiredDuringSchedulingIgnoredDuringExecution", - "type": "PodAffinityTerm", - "is_repeated": true + "name": "fieldRef", + "type": "ObjectFieldSelector" }, { "id": 2, - "name": "preferredDuringSchedulingIgnoredDuringExecution", - "type": "WeightedPodAffinityTerm", - "is_repeated": true + "name": "resourceFieldRef", + "type": "ResourceFieldSelector" + }, + { + "id": 3, + "name": "configMapKeyRef", + "type": "ConfigMapKeySelector" + }, + { + "id": 4, + "name": "secretKeyRef", + "type": "SecretKeySelector" } ] }, { - "name": "PodAntiAffinity", + "name": "ExecAction", "fields": [ { "id": 1, - "name": "requiredDuringSchedulingIgnoredDuringExecution", - "type": "PodAffinityTerm", + "name": "command", + "type": "string", "is_repeated": true + } + ] + }, + { + "name": "ExternalMetricSource", + "fields": [ + { + "id": 1, + "name": "metricName", + "type": "string" }, { "id": 2, - "name": "preferredDuringSchedulingIgnoredDuringExecution", - "type": "WeightedPodAffinityTerm", - "is_repeated": true + "name": "metricSelector", + "type": "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" + }, + { + "id": 3, + "name": "targetValue", + "type": "k8s.io.apimachinery.pkg.api.resource.Quantity" + }, + { + "id": 4, + "name": "targetAverageValue", + "type": "k8s.io.apimachinery.pkg.api.resource.Quantity" } ] }, { - "name": "PodAffinityTerm", + "name": "HTTPGetAction", "fields": [ { "id": 1, - "name": "labelSelector", - "type": "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" + "name": "path", + "type": "string" }, { "id": 2, - "name": "namespaces", - "type": "string", - "is_repeated": true + "name": "port", + "type": "TypeInterface" }, { "id": 3, - "name": "topologyKey", + "name": "host", "type": "string" + }, + { + "id": 4, + "name": "scheme", + "type": "string" + }, + { + "id": 5, + "name": "httpHeaders", + "type": "HTTPHeader", + "is_repeated": true } ] }, { - "name": "WeightedPodAffinityTerm", + "name": "HTTPHeader", "fields": [ { "id": 1, - "name": "weight", - "type": "int32" + "name": "name", + "type": "string" }, { "id": 2, - "name": "podAffinityTerm", - "type": "PodAffinityTerm" + "name": "value", + "type": "string" } ] }, { - "name": "PreferredSchedulingTerm", + "name": "HorizontalPodAutoscalerSpec", "fields": [ { "id": 1, - "name": "weight", - "type": "int32" + "name": "scaleTargetRef", + "type": "CrossVersionObjectReference" }, { "id": 2, - "name": "preference", - "type": "NodeSelectorTerm" + "name": "minReplicas", + "type": "int32" + }, + { + "id": 3, + "name": "maxReplicas", + "type": "int32" + }, + { + "id": 4, + "name": "metrics", + "type": "MetricSpec", + "is_repeated": true } ] }, { - "name": "ReadinessProbe", + "name": "LocalObjectReference", "fields": [ { "id": 1, - "name": "exec", - "type": "ExecAction" + "name": "name", + "type": "string" + } + ] + }, + { + "name": "MetricSpec", + "fields": [ + { + "id": 1, + "name": "type", + "type": "string" }, { "id": 2, - "name": "httpGet", - "type": "HTTPGetAction" + "name": "object", + "type": "ObjectMetricSource" }, { "id": 3, - "name": "tcpSocket", - "type": "TCPSocketAction" + "name": "pods", + "type": "PodsMetricSource" }, { "id": 4, - "name": "initialDelaySeconds", - "type": "int32" + "name": "resource", + "type": "ResourceMetricSource" }, { "id": 5, - "name": "timeoutSeconds", - "type": "int32" - }, - { - "id": 6, - "name": "periodSeconds", - "type": "int32" - }, + "name": "external", + "type": "ExternalMetricSource" + } + ] + }, + { + "name": "NodeAffinity", + "fields": [ { - "id": 7, - "name": "successThreshold", - "type": "int32" + "id": 1, + "name": "requiredDuringSchedulingIgnoredDuringExecution", + "type": "NodeSelector" }, { - "id": 8, - "name": "failureThreshold", - "type": "int32" + "id": 2, + "name": "preferredDuringSchedulingIgnoredDuringExecution", + "type": "PreferredSchedulingTerm", + "is_repeated": true } ] }, { - "name": "ExecAction", + "name": "NodeSelector", "fields": [ { "id": 1, - "name": "command", - "type": "string", + "name": "nodeSelectorTerms", + "type": "NodeSelectorTerm", "is_repeated": true } ] }, { - "name": "HTTPGetAction", + "name": "NodeSelectorTerm", "fields": [ { "id": 1, - "name": "path", - "type": "string" + "name": "matchExpressions", + "type": "NodeSelectorRequirement", + "is_repeated": true }, { "id": 2, - "name": "port", - "type": "TypeInterface_kubernetes" - }, + "name": "matchFields", + "type": "NodeSelectorRequirement", + "is_repeated": true + } + ] + }, + { + "name": "NodeSelectorRequirement", + "fields": [ { - "id": 3, - "name": "host", + "id": 1, + "name": "key", "type": "string" }, { - "id": 4, - "name": "scheme", + "id": 2, + "name": "operator", "type": "string" }, { - "id": 5, - "name": "httpHeaders", - "type": "HTTPHeader", + "id": 3, + "name": "values", + "type": "string", "is_repeated": true } ] }, { - "name": "HTTPHeader", + "name": "ObjectFieldSelector", "fields": [ { "id": 1, - "name": "name", + "name": "apiVersion", "type": "string" }, { "id": 2, - "name": "value", + "name": "fieldPath", "type": "string" } ] }, { - "name": "TCPSocketAction", + "name": "ObjectMeta", "fields": [ { - "id": 1, - "name": "port", - "type": "TypeInterface_kubernetes" + "id": 5, + "name": "name", + "type": "string" }, { - "id": 2, - "name": "host", + "id": 6, + "name": "namespace", "type": "string" } ] }, { - "name": "PodDisruptionBudgetSpec", + "name": "ObjectMetricSource", "fields": [ { "id": 1, - "name": "minAvailable", - "type": "uint32" + "name": "target", + "type": "CrossVersionObjectReference" }, { "id": 2, + "name": "metricName", + "type": "string" + }, + { + "id": 3, + "name": "targetValue", + "type": "k8s.io.apimachinery.pkg.api.resource.Quantity" + }, + { + "id": 4, "name": "selector", "type": "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" }, { - "id": 3, - "name": "maxUnavailable", - "type": "uint32" + "id": 5, + "name": "averageValue", + "type": "k8s.io.apimachinery.pkg.api.resource.Quantity" } ] }, { - "name": "DeploymentStrategy", + "name": "PodAffinity", "fields": [ { "id": 1, - "name": "type", - "type": "string" + "name": "requiredDuringSchedulingIgnoredDuringExecution", + "type": "PodAffinityTerm", + "is_repeated": true }, { "id": 2, - "name": "rollingUpdate", - "type": "RollingUpdateDeployment" + "name": "preferredDuringSchedulingIgnoredDuringExecution", + "type": "WeightedPodAffinityTerm", + "is_repeated": true } ] }, { - "name": "RollingUpdateDeployment", + "name": "PodAntiAffinity", "fields": [ { "id": 1, - "name": "maxUnavailable", - "type": "TypeInterface_kubernetes" + "name": "requiredDuringSchedulingIgnoredDuringExecution", + "type": "PodAffinityTerm", + "is_repeated": true }, { "id": 2, - "name": "maxSurge", - "type": "TypeInterface_kubernetes" + "name": "preferredDuringSchedulingIgnoredDuringExecution", + "type": "WeightedPodAffinityTerm", + "is_repeated": true } ] }, { - "name": "ObjectMeta", + "name": "PodAffinityTerm", "fields": [ { - "id": 5, - "name": "name", - "type": "string" + "id": 1, + "name": "labelSelector", + "type": "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" }, { - "id": 6, - "name": "namespace", + "id": 2, + "name": "namespaces", + "type": "string", + "is_repeated": true + }, + { + "id": 3, + "name": "topologyKey", "type": "string" } ] }, { - "name": "EnvVar", + "name": "PodDisruptionBudgetSpec", "fields": [ { "id": 1, - "name": "name", - "type": "string" + "name": "minAvailable", + "type": "uint32" }, { "id": 2, - "name": "value", - "type": "string" + "name": "selector", + "type": "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" }, { "id": 3, - "name": "valueFrom", - "type": "EnvVarSource" + "name": "maxUnavailable", + "type": "uint32" } ] }, { - "name": "EnvVarSource", + "name": "PodsMetricSource", "fields": [ { "id": 1, - "name": "fieldRef", - "type": "ObjectFieldSelector" + "name": "metricName", + "type": "string" }, { "id": 2, - "name": "resourceFieldRef", - "type": "ResourceFieldSelector" + "name": "targetAverageValue", + "type": "k8s.io.apimachinery.pkg.api.resource.Quantity" }, { "id": 3, - "name": "configMapKeyRef", - "type": "ConfigMapKeySelector" + "name": "selector", + "type": "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" + } + ] + }, + { + "name": "PreferredSchedulingTerm", + "fields": [ + { + "id": 1, + "name": "weight", + "type": "int32" }, { - "id": 4, - "name": "secretKeyRef", - "type": "SecretKeySelector" + "id": 2, + "name": "preference", + "type": "NodeSelectorTerm" } ] }, { - "name": "ObjectFieldSelector", + "name": "ReadinessProbe", "fields": [ { "id": 1, - "name": "apiVersion", - "type": "string" + "name": "exec", + "type": "ExecAction" }, { "id": 2, - "name": "fieldPath", - "type": "string" + "name": "httpGet", + "type": "HTTPGetAction" + }, + { + "id": 3, + "name": "tcpSocket", + "type": "TCPSocketAction" + }, + { + "id": 4, + "name": "initialDelaySeconds", + "type": "int32" + }, + { + "id": 5, + "name": "timeoutSeconds", + "type": "int32" + }, + { + "id": 6, + "name": "periodSeconds", + "type": "int32" + }, + { + "id": 7, + "name": "successThreshold", + "type": "int32" + }, + { + "id": 8, + "name": "failureThreshold", + "type": "int32" } ] }, @@ -43983,22 +44632,58 @@ ] }, { - "name": "ConfigMapKeySelector", + "name": "ResourceMetricSource", "fields": [ { "id": 1, - "name": "localObjectReference", - "type": "LocalObjectReference" + "name": "name", + "type": "string" }, { "id": 2, - "name": "key", - "type": "string" + "name": "targetAverageUtilization", + "type": "TypeInterface" }, { "id": 3, - "name": "optional", - "type": "bool" + "name": "targetAverageValue", + "type": "k8s.io.apimachinery.pkg.api.resource.Quantity" + } + ] + }, + { + "name": "Resources", + "maps": [ + { + "key_type": "string", + "field": { + "id": 1, + "name": "limits", + "type": "string" + } + }, + { + "key_type": "string", + "field": { + "id": 2, + "name": "requests", + "type": "string" + } + } + ] + }, + { + "name": "RollingUpdateDeployment", + "fields": [ + { + "id": 1, + "name": "maxUnavailable", + "type": "TypeInterface" + }, + { + "id": 2, + "name": "maxSurge", + "type": "TypeInterface" } ] }, @@ -44022,16 +44707,6 @@ } ] }, - { - "name": "LocalObjectReference", - "fields": [ - { - "id": 1, - "name": "name", - "type": "string" - } - ] - }, { "name": "ServiceSpec", "fields": [ @@ -44131,7 +44806,7 @@ { "id": 4, "name": "targetPort", - "type": "TypeInterface_kubernetes" + "type": "TypeInterface" }, { "id": 5, @@ -44151,194 +44826,82 @@ ] }, { - "name": "ClientIPConfig", - "fields": [ - { - "id": 1, - "name": "timeoutSeconds", - "type": "int32" - } - ] - }, - { - "name": "HorizontalPodAutoscalerSpec", + "name": "TCPSocketAction", "fields": [ { "id": 1, - "name": "scaleTargetRef", - "type": "CrossVersionObjectReference" + "name": "port", + "type": "TypeInterface" }, { "id": 2, - "name": "minReplicas", - "type": "int32" - }, - { - "id": 3, - "name": "maxReplicas", - "type": "int32" - }, - { - "id": 4, - "name": "metrics", - "type": "MetricSpec", - "is_repeated": true + "name": "host", + "type": "string" } ] }, { - "name": "CrossVersionObjectReference", + "name": "Toleration", "fields": [ { "id": 1, - "name": "kind", + "name": "key", "type": "string" }, { "id": 2, - "name": "name", + "name": "operator", "type": "string" }, { "id": 3, - "name": "apiVersion", - "type": "string" - } - ] - }, - { - "name": "MetricSpec", - "fields": [ - { - "id": 1, - "name": "type", + "name": "value", "type": "string" }, - { - "id": 2, - "name": "object", - "type": "ObjectMetricSource" - }, - { - "id": 3, - "name": "pods", - "type": "PodsMetricSource" - }, { "id": 4, - "name": "resource", - "type": "ResourceMetricSource" - }, - { - "id": 5, - "name": "external", - "type": "ExternalMetricSource" - } - ] - }, - { - "name": "ObjectMetricSource", - "fields": [ - { - "id": 1, - "name": "target", - "type": "CrossVersionObjectReference" - }, - { - "id": 2, - "name": "metricName", + "name": "effect", "type": "string" }, - { - "id": 3, - "name": "targetValue", - "type": "k8s.io.apimachinery.pkg.api.resource.Quantity" - }, - { - "id": 4, - "name": "selector", - "type": "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" - }, { "id": 5, - "name": "averageValue", - "type": "k8s.io.apimachinery.pkg.api.resource.Quantity" + "name": "tolerationSeconds", + "type": "int64" } ] }, { - "name": "PodsMetricSource", + "name": "WeightedPodAffinityTerm", "fields": [ { "id": 1, - "name": "metricName", - "type": "string" + "name": "weight", + "type": "int32" }, { "id": 2, - "name": "targetAverageValue", - "type": "k8s.io.apimachinery.pkg.api.resource.Quantity" - }, - { - "id": 3, - "name": "selector", - "type": "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" + "name": "podAffinityTerm", + "type": "PodAffinityTerm" } ] }, { - "name": "ResourceMetricSource", - "fields": [ - { - "id": 1, - "name": "name", - "type": "string" - }, - { - "id": 2, - "name": "targetAverageUtilization", - "type": "TypeInterface_kubernetes" - }, - { - "id": 3, - "name": "targetAverageValue", - "type": "k8s.io.apimachinery.pkg.api.resource.Quantity" - } - ] + "name": "TypeInterface" }, { - "name": "ExternalMetricSource", - "fields": [ - { - "id": 1, - "name": "metricName", - "type": "string" - }, - { - "id": 2, - "name": "metricSelector", - "type": "k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector" - }, - { - "id": 3, - "name": "targetValue", - "type": "k8s.io.apimachinery.pkg.api.resource.Quantity" - }, - { - "id": 4, - "name": "targetAverageValue", - "type": "k8s.io.apimachinery.pkg.api.resource.Quantity" - } - ] + "name": "TypeMapStringInterface" }, { "name": "TypeIntOrStringForPB" }, { - "name": "TypeInterface_kubernetes" + "name": "TypeBoolValueForPB" } ], "imports": [ + { + "path": "google/protobuf/any.proto" + }, { "path": "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto" }, @@ -44346,7 +44909,7 @@ "path": "k8s.io/apimachinery/pkg/api/resource/generated.proto" }, { - "path": "k8s.io/apimachinery/pkg/util/intstr/generated.proto" + "path": "gogoproto/gogo.proto" } ], "package": { @@ -44356,177 +44919,18 @@ { "name": "go_package", "value": "istio.io/api/operator/v1alpha1" - } - ] - } - }, - { - "protopath": "operator:/:v1alpha1:/:operator.proto", - "def": { - "enums": [ - { - "name": "InstallStatus.Status", - "enum_fields": [ - { - "name": "NONE" - }, - { - "name": "UPDATING", - "integer": 1 - }, - { - "name": "RECONCILING", - "integer": 2 - }, - { - "name": "HEALTHY", - "integer": 3 - }, - { - "name": "ERROR", - "integer": 4 - } - ] - } - ], - "messages": [ - { - "name": "IstioOperatorSpec", - "fields": [ - { - "id": 10, - "name": "profile", - "type": "string" - }, - { - "id": 11, - "name": "install_package_path", - "type": "string" - }, - { - "id": 12, - "name": "hub", - "type": "string" - }, - { - "id": 13, - "name": "tag", - "type": "TypeInterface2" - }, - { - "id": 14, - "name": "resource_suffix", - "type": "string", - "options": [ - { - "name": "deprecated", - "value": "true" - } - ] - }, - { - "id": 15, - "name": "namespace", - "type": "string" - }, - { - "id": 16, - "name": "revision", - "type": "string" - }, - { - "id": 40, - "name": "mesh_config", - "type": "TypeMapStringInterface2" - }, - { - "id": 50, - "name": "components", - "type": "IstioComponentSetSpec" - }, - { - "id": 100, - "name": "values", - "type": "TypeMapStringInterface2" - }, - { - "id": 101, - "name": "unvalidated_values", - "type": "TypeMapStringInterface2" - } - ], - "maps": [ - { - "key_type": "string", - "field": { - "id": 51, - "name": "addon_components", - "type": "ExternalComponentSpec" - } - } - ] }, { - "name": "InstallStatus", - "fields": [ - { - "id": 1, - "name": "status", - "type": "Status" - } - ], - "maps": [ - { - "key_type": "string", - "field": { - "id": 2, - "name": "component_status", - "type": "VersionStatus" - } - } - ], - "messages": [ - { - "name": "VersionStatus", - "fields": [ - { - "id": 1, - "name": "version", - "type": "string" - }, - { - "id": 2, - "name": "status", - "type": "Status" - }, - { - "id": 4, - "name": "error", - "type": "string" - } - ] - } - ] + "name": "(gogoproto.marshaler_all)", + "value": "false" }, { - "name": "TypeMapStringInterface2" + "name": "(gogoproto.unmarshaler_all)", + "value": "false" }, { - "name": "TypeInterface2" - } - ], - "imports": [ - { - "path": "operator/v1alpha1/component.proto" - } - ], - "package": { - "name": "istio.operator.v1alpha1" - }, - "options": [ - { - "name": "go_package", - "value": "istio.io/api/operator/v1alpha1" + "name": "(gogoproto.sizer_all)", + "value": "false" } ] } @@ -45078,6 +45482,10 @@ "name": "istio.policy.v1beta1" }, "options": [ + { + "name": "deprecated", + "value": "true" + }, { "name": "go_package", "value": "istio.io/api/policy/v1beta1" @@ -45353,6 +45761,10 @@ "name": "istio.policy.v1beta1" }, "options": [ + { + "name": "deprecated", + "value": "true" + }, { "name": "go_package", "value": "istio.io/api/policy/v1beta1" @@ -45510,6 +45922,10 @@ "name": "istio.policy.v1beta1" }, "options": [ + { + "name": "deprecated", + "value": "true" + }, { "name": "go_package", "value": "istio.io/api/policy/v1beta1" @@ -45578,6 +45994,10 @@ "name": "istio.policy.v1beta1" }, "options": [ + { + "name": "deprecated", + "value": "true" + }, { "name": "go_package", "value": "istio.io/api/policy/v1beta1" @@ -45598,10 +46018,6 @@ { "name": "DENY", "integer": 1 - }, - { - "name": "LOG", - "integer": 2 } ] } diff --git a/security/v1beta1/authorization.pb.go b/security/v1beta1/authorization.pb.go index 64b727f2b0..804a7bcb26 100644 --- a/security/v1beta1/authorization.pb.go +++ b/security/v1beta1/authorization.pb.go @@ -12,9 +12,21 @@ // 3. If any of the ALLOW policies match the request, allow the request. // 4. Deny the request. // -// For example, the following authorization policy sets the `action` to "ALLOW" -// to create an allow policy. The default action is "ALLOW" but it is useful -// to be explicit in the policy. +// Istio Authorization Policy also supports the AUDIT action to decide whether to log requests. +// The decision can be read by telemetry plugins using the function getAuditPolicy +// defined [here](https://github.com/istio/proxy/blob/master/extensions/common/context.h). +// A call to getAuditPolicy will only return `true` in the following cases: +// +// - There exists an AUDIT policy on the workload that matches the request +// - There are no AUDIT policies on the workload +// +// AUDIT policies do not affect whether requests are allowed to the workload. +// Requests will be allowed or denied based on only ALLOW and DENY policies. +// +// Here is an example of Istio Authorization Policy: +// +// It sets the `action` to "ALLOW" to create an allow policy. The default action is "ALLOW" +// but it is useful to be explicit in the policy. // // It allows requests from: // @@ -77,6 +89,27 @@ // methods: ["POST"] // ``` // +// The following authorization policy sets the `action` to "AUDIT". It will audit any GET requests to the path with the +// prefix "/user/profile". +// +// ```yaml +// apiVersion: security.istio.io/v1beta1 +// kind: AuthorizationPolicy +// metadata: +// namespace: ns1 +// name: anyname +// spec: +// selector: +// matchLabels: +// app: myapi +// action: audit +// rules: +// - to: +// - operation: +// methods: ["GET"] +// paths: [“/user/profile/*”] +// ```` +// // Authorization Policy scope (target) is determined by "metadata/namespace" and // an optional "selector". // @@ -160,7 +193,7 @@ const ( AuthorizationPolicy_ALLOW AuthorizationPolicy_Action = 0 // Deny a request if it matches any of the rules. AuthorizationPolicy_DENY AuthorizationPolicy_Action = 1 - // Log a request if it matches any of the rules. + // Audit a request if it matches any of the rules. AuthorizationPolicy_LOG AuthorizationPolicy_Action = 2 ) diff --git a/security/v1beta1/authorization.pb.html b/security/v1beta1/authorization.pb.html index fcfaf329db..d6e846b800 100644 --- a/security/v1beta1/authorization.pb.html +++ b/security/v1beta1/authorization.pb.html @@ -22,9 +22,23 @@
  • Deny the request.
    • -

    For example, the following authorization policy sets the action to “ALLOW” -to create an allow policy. The default action is “ALLOW” but it is useful -to be explicit in the policy.

    +

    Istio Authorization Policy also supports the AUDIT action to decide whether to log requests. +The decision can be read by telemetry plugins using the function getAuditPolicy +defined here. +A call to getAuditPolicy will only return true in the following cases:

    + +
      +
    • There exists an AUDIT policy on the workload that matches the request
      • +
    • There are no AUDIT policies on the workload
      • +
    + +

    AUDIT policies do not affect whether requests are allowed to the workload. +Requests will be allowed or denied based on only ALLOW and DENY policies.

    + +

    Here is an example of Istio Authorization Policy:

    + +

    It sets the action to “ALLOW” to create an allow policy. The default action is “ALLOW” +but it is useful to be explicit in the policy.

    It allows requests from:

    @@ -89,22 +103,41 @@ methods: ["POST"] -

    Authorization Policy scope (target) is determined by “metadata/namespace” and -an optional “selector”.

    - -
      -
    • “metadata/namespace” tells which namespace the policy applies. If set to root -namespace, the policy applies to all namespaces in a mesh.
      • -
    • workload “selector” can be used to further restrict where a policy applies.
      • -
    - -

    For example,

    - -

    The following authorization policy applies to workloads containing label -“app: httpbin” in namespace bar.

    +

    The following authorization policy sets the action to “AUDIT”. It will audit any GET requests to the path with the +prefix “/user/profile”.

    apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
+metadata:
+  namespace: ns1
+  name: anyname
+spec:
+  selector:
+    matchLabels:
+      app: myapi
+  action: audit
+  rules:
+  - to:
+    - operation:
+        methods: ["GET"]
+        paths: [“/user/profile/*”]
+````
+
+Authorization Policy scope (target) is determined by "metadata/namespace" and
+an optional "selector".
+
+- "metadata/namespace" tells which namespace the policy applies. If set to root
+namespace, the policy applies to all namespaces in a mesh.
+- workload "selector" can be used to further restrict where a policy applies.
+
+For example,
+
+The following authorization policy applies to workloads containing label
+"app: httpbin" in namespace bar.
+
+```yaml
+apiVersion: security.istio.io/v1beta1
+kind: AuthorizationPolicy
 metadata:
  name: policy
  namespace: bar
@@ -677,7 +710,7 @@ 
    AuthorizationPolicy.Action
    
 
 LOG
 
-
    Log a request if it matches any of the rules.
    
+
    Audit a request if it matches any of the rules.
    
 
 
 
diff --git a/security/v1beta1/authorization.proto b/security/v1beta1/authorization.proto
index 75e0eeddc9..932de2b3bb 100644
--- a/security/v1beta1/authorization.proto
+++ b/security/v1beta1/authorization.proto
@@ -34,9 +34,21 @@ import "type/v1beta1/selector.proto";
 // 3. If any of the ALLOW policies match the request, allow the request.
 // 4. Deny the request.
 //
-// For example, the following authorization policy sets the `action` to "ALLOW"
-// to create an allow policy. The default action is "ALLOW" but it is useful
-// to be explicit in the policy.
+// Istio Authorization Policy also supports the AUDIT action to decide whether to log requests. 
+// The decision can be read by telemetry plugins using the function getAuditPolicy
+// defined [here](https://github.com/istio/proxy/blob/master/extensions/common/context.h).
+// A call to getAuditPolicy will only return `true` in the following cases:
+//
+// - There exists an AUDIT policy on the workload that matches the request
+// - There are no AUDIT policies on the workload
+// 
+// AUDIT policies do not affect whether requests are allowed to the workload.
+// Requests will be allowed or denied based on only ALLOW and DENY policies. 
+// 
+// Here is an example of Istio Authorization Policy:
+//
+// It sets the `action` to "ALLOW" to create an allow policy. The default action is "ALLOW" 
+// but it is useful to be explicit in the policy.
 //
 // It allows requests from:
 //
@@ -99,6 +111,27 @@ import "type/v1beta1/selector.proto";
 //        methods: ["POST"]
 // ```
 //
+// The following authorization policy sets the `action` to "AUDIT". It will audit any GET requests to the path with the 
+// prefix "/user/profile". 
+// 
+// ```yaml
+// apiVersion: security.istio.io/v1beta1
+// kind: AuthorizationPolicy
+// metadata:
+//   namespace: ns1
+//   name: anyname
+// spec:
+//   selector:
+//     matchLabels:
+//       app: myapi
+//   action: audit
+//   rules:
+//   - to:
+//     - operation:
+//         methods: ["GET"]
+//         paths: [“/user/profile/*”]
+// ````
+//
 // Authorization Policy scope (target) is determined by "metadata/namespace" and
 // an optional "selector".
 //
@@ -222,7 +255,7 @@ message AuthorizationPolicy {
     // Deny a request if it matches any of the rules.
     DENY = 1;
 
-    // Log a request if it matches any of the rules.
+    // Audit a request if it matches any of the rules.
     LOG = 2;
   }
 
diff --git a/security/v1beta1/authorization_deepcopy.gen.go b/security/v1beta1/authorization_deepcopy.gen.go
index 091907ab7a..b0ab012cfa 100644
--- a/security/v1beta1/authorization_deepcopy.gen.go
+++ b/security/v1beta1/authorization_deepcopy.gen.go
@@ -12,9 +12,21 @@
 // 3. If any of the ALLOW policies match the request, allow the request.
 // 4. Deny the request.
 //
-// For example, the following authorization policy sets the `action` to "ALLOW"
-// to create an allow policy. The default action is "ALLOW" but it is useful
-// to be explicit in the policy.
+// Istio Authorization Policy also supports the AUDIT action to decide whether to log requests.
+// The decision can be read by telemetry plugins using the function getAuditPolicy
+// defined [here](https://github.com/istio/proxy/blob/master/extensions/common/context.h).
+// A call to getAuditPolicy will only return `true` in the following cases:
+//
+// - There exists an AUDIT policy on the workload that matches the request
+// - There are no AUDIT policies on the workload
+//
+// AUDIT policies do not affect whether requests are allowed to the workload.
+// Requests will be allowed or denied based on only ALLOW and DENY policies.
+//
+// Here is an example of Istio Authorization Policy:
+//
+// It sets the `action` to "ALLOW" to create an allow policy. The default action is "ALLOW"
+// but it is useful to be explicit in the policy.
 //
 // It allows requests from:
 //
@@ -77,6 +89,27 @@
 //        methods: ["POST"]
 // ```
 //
+// The following authorization policy sets the `action` to "AUDIT". It will audit any GET requests to the path with the
+// prefix "/user/profile".
+//
+// ```yaml
+// apiVersion: security.istio.io/v1beta1
+// kind: AuthorizationPolicy
+// metadata:
+//   namespace: ns1
+//   name: anyname
+// spec:
+//   selector:
+//     matchLabels:
+//       app: myapi
+//   action: audit
+//   rules:
+//   - to:
+//     - operation:
+//         methods: ["GET"]
+//         paths: [“/user/profile/*”]
+// ````
+//
 // Authorization Policy scope (target) is determined by "metadata/namespace" and
 // an optional "selector".
 //
diff --git a/security/v1beta1/authorization_json.gen.go b/security/v1beta1/authorization_json.gen.go
index f7fb5d1179..62c2af6430 100644
--- a/security/v1beta1/authorization_json.gen.go
+++ b/security/v1beta1/authorization_json.gen.go
@@ -12,9 +12,21 @@
 // 3. If any of the ALLOW policies match the request, allow the request.
 // 4. Deny the request.
 //
-// For example, the following authorization policy sets the `action` to "ALLOW"
-// to create an allow policy. The default action is "ALLOW" but it is useful
-// to be explicit in the policy.
+// Istio Authorization Policy also supports the AUDIT action to decide whether to log requests.
+// The decision can be read by telemetry plugins using the function getAuditPolicy
+// defined [here](https://github.com/istio/proxy/blob/master/extensions/common/context.h).
+// A call to getAuditPolicy will only return `true` in the following cases:
+//
+// - There exists an AUDIT policy on the workload that matches the request
+// - There are no AUDIT policies on the workload
+//
+// AUDIT policies do not affect whether requests are allowed to the workload.
+// Requests will be allowed or denied based on only ALLOW and DENY policies.
+//
+// Here is an example of Istio Authorization Policy:
+//
+// It sets the `action` to "ALLOW" to create an allow policy. The default action is "ALLOW"
+// but it is useful to be explicit in the policy.
 //
 // It allows requests from:
 //
@@ -77,6 +89,27 @@
 //        methods: ["POST"]
 // ```
 //
+// The following authorization policy sets the `action` to "AUDIT". It will audit any GET requests to the path with the
+// prefix "/user/profile".
+//
+// ```yaml
+// apiVersion: security.istio.io/v1beta1
+// kind: AuthorizationPolicy
+// metadata:
+//   namespace: ns1
+//   name: anyname
+// spec:
+//   selector:
+//     matchLabels:
+//       app: myapi
+//   action: audit
+//   rules:
+//   - to:
+//     - operation:
+//         methods: ["GET"]
+//         paths: [“/user/profile/*”]
+// ````
+//
 // Authorization Policy scope (target) is determined by "metadata/namespace" and
 // an optional "selector".
 //

From be071ddfd0ca3fe6f57c0c4a895348999ecf8779 Mon Sep 17 00:00:00 2001
From: davidraskin 
Date: Wed, 22 Jul 2020 17:12:24 +0000
Subject: [PATCH 6/9] Updated proto.lock

---
 proto.lock | 66 ++++++++++++++++++++++++++++++++++++++++++++++++------
 1 file changed, 59 insertions(+), 7 deletions(-)

diff --git a/proto.lock b/proto.lock
index a179cb5c69..fb183c1356 100644
--- a/proto.lock
+++ b/proto.lock
@@ -13049,13 +13049,7 @@
                         "value": "/v1/services/{service_name}/configs/{config_id}"
                       },
                       {
-                        "name": "additional_bindings",
-                        "aggregated": [
-                          {
-                            "name": "get",
-                            "value": "/v1/services/{service_name}/config"
-                          }
-                        ]
+                        "name": "additional_bindings"
                       }
                     ]
                   }
@@ -46005,6 +45999,60 @@
         ]
       }
     },
+    {
+      "protopath": "security:/:v1alpha1:/:ca.proto",
+      "def": {
+        "messages": [
+          {
+            "name": "IstioCertificateRequest",
+            "fields": [
+              {
+                "id": 1,
+                "name": "csr",
+                "type": "string"
+              },
+              {
+                "id": 3,
+                "name": "validity_duration",
+                "type": "int64"
+              }
+            ]
+          },
+          {
+            "name": "IstioCertificateResponse",
+            "fields": [
+              {
+                "id": 1,
+                "name": "cert_chain",
+                "type": "string",
+                "is_repeated": true
+              }
+            ]
+          }
+        ],
+        "services": [
+          {
+            "name": "IstioCertificateService",
+            "rpcs": [
+              {
+                "name": "CreateCertificate",
+                "in_type": "IstioCertificateRequest",
+                "out_type": "IstioCertificateResponse"
+              }
+            ]
+          }
+        ],
+        "package": {
+          "name": "istio.v1.auth"
+        },
+        "options": [
+          {
+            "name": "go_package",
+            "value": "istio.io/api/security/v1alpha1"
+          }
+        ]
+      }
+    },
     {
       "protopath": "security:/:v1beta1:/:authorization.proto",
       "def": {
@@ -46018,6 +46066,10 @@
               {
                 "name": "DENY",
                 "integer": 1
+              },
+              {
+                "name": "AUDIT",
+                "integer": 2
               }
             ]
           }

From ab15e6e0f45d1ae7248c4f703839010ee562124f Mon Sep 17 00:00:00 2001
From: davidraskin 
Date: Wed, 29 Jul 2020 18:49:07 +0000
Subject: [PATCH 7/9] Updated Audit documentation

---
 security/v1beta1/authorization.pb.go           |  6 +++---
 security/v1beta1/authorization.pb.html         |  6 +++---
 security/v1beta1/authorization.proto           | 14 +++++++++-----
 security/v1beta1/authorization_deepcopy.gen.go |  6 +++---
 security/v1beta1/authorization_json.gen.go     |  6 +++---
 5 files changed, 21 insertions(+), 17 deletions(-)

diff --git a/security/v1beta1/authorization.pb.go b/security/v1beta1/authorization.pb.go
index 4509052aae..4edac66c68 100644
--- a/security/v1beta1/authorization.pb.go
+++ b/security/v1beta1/authorization.pb.go
@@ -13,9 +13,9 @@
 // 4. Deny the request.
 //
 // Istio Authorization Policy also supports the AUDIT action to decide whether to log requests.
-// The decision can be read by telemetry plugins using the function getAuditPolicy
-// defined [here](https://github.com/istio/proxy/blob/master/extensions/common/context.h).
-// A call to getAuditPolicy will only return `true` in the following cases:
+// Telemetry v2 access logging plugins can be set to abide by the audit decision.
+// Currently this is supported by the [Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
+// A request will be audited in the following cases:
 //
 // - There exists an AUDIT policy on the workload that matches the request
 // - There are no AUDIT policies on the workload
diff --git a/security/v1beta1/authorization.pb.html b/security/v1beta1/authorization.pb.html
index ac17c7b0cf..74c3f59fa6 100644
--- a/security/v1beta1/authorization.pb.html
+++ b/security/v1beta1/authorization.pb.html
@@ -23,9 +23,9 @@
 
 
 
    Istio Authorization Policy also supports the AUDIT action to decide whether to log requests.
-The decision can be read by telemetry plugins using the function getAuditPolicy
-defined here.
-A call to getAuditPolicy will only return true in the following cases:
    
+Telemetry v2 access logging plugins can be set to abide by the audit decision.
+Currently this is supported by the Stackdriver plugin.
+A request will be audited in the following cases:
    
 
 
      
 
    • There exists an AUDIT policy on the workload that matches the request
      • 
diff --git a/security/v1beta1/authorization.proto b/security/v1beta1/authorization.proto
index 3d34e1106a..016c2c39fa 100644
--- a/security/v1beta1/authorization.proto
+++ b/security/v1beta1/authorization.proto
@@ -34,16 +34,16 @@ import "type/v1beta1/selector.proto";
 // 3. If any of the ALLOW policies match the request, allow the request.
 // 4. Deny the request.
 //
-// Istio Authorization Policy also supports the AUDIT action to decide whether to log requests. 
-// The decision can be read by telemetry plugins using the function getAuditPolicy
-// defined [here](https://github.com/istio/proxy/blob/master/extensions/common/context.h).
-// A call to getAuditPolicy will only return `true` in the following cases:
+// Istio Authorization Policy also supports the AUDIT action to decide whether to log requests.
+// Telemetry v2 access logging plugins can be set to abide by the audit decision.
+// Currently this is supported by the [Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
+// A request will be audited in the following cases:
 //
 // - There exists an AUDIT policy on the workload that matches the request
 // - There are no AUDIT policies on the workload
 // 
 // AUDIT policies do not affect whether requests are allowed to the workload.
-// Requests will be allowed or denied based on only ALLOW and DENY policies. 
+// Requests will be allowed or denied based on only ALLOW and DENY policies.
 // 
 // Here is an example of Istio Authorization Policy:
 //
@@ -256,6 +256,10 @@ message AuthorizationPolicy {
 
     // Audit a request if it matches any of the rules.
     AUDIT = 2;
+
+    // $hide_from_docs
+    // Audit policy decisions can be read by telemetry plugins using the function getAuditPolicy
+    // defined [here](https://github.com/istio/proxy/blob/master/extensions/common/context.h).
   }
 
   // Optional. The action to take if the request is matched with the rules.
diff --git a/security/v1beta1/authorization_deepcopy.gen.go b/security/v1beta1/authorization_deepcopy.gen.go
index b0ab012cfa..230d1b6f12 100644
--- a/security/v1beta1/authorization_deepcopy.gen.go
+++ b/security/v1beta1/authorization_deepcopy.gen.go
@@ -13,9 +13,9 @@
 // 4. Deny the request.
 //
 // Istio Authorization Policy also supports the AUDIT action to decide whether to log requests.
-// The decision can be read by telemetry plugins using the function getAuditPolicy
-// defined [here](https://github.com/istio/proxy/blob/master/extensions/common/context.h).
-// A call to getAuditPolicy will only return `true` in the following cases:
+// Telemetry v2 access logging plugins can be set to abide by the audit decision.
+// Currently this is supported by the [Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
+// A request will be audited in the following cases:
 //
 // - There exists an AUDIT policy on the workload that matches the request
 // - There are no AUDIT policies on the workload
diff --git a/security/v1beta1/authorization_json.gen.go b/security/v1beta1/authorization_json.gen.go
index 62c2af6430..15e001eaac 100644
--- a/security/v1beta1/authorization_json.gen.go
+++ b/security/v1beta1/authorization_json.gen.go
@@ -13,9 +13,9 @@
 // 4. Deny the request.
 //
 // Istio Authorization Policy also supports the AUDIT action to decide whether to log requests.
-// The decision can be read by telemetry plugins using the function getAuditPolicy
-// defined [here](https://github.com/istio/proxy/blob/master/extensions/common/context.h).
-// A call to getAuditPolicy will only return `true` in the following cases:
+// Telemetry v2 access logging plugins can be set to abide by the audit decision.
+// Currently this is supported by the [Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
+// A request will be audited in the following cases:
 //
 // - There exists an AUDIT policy on the workload that matches the request
 // - There are no AUDIT policies on the workload

From 7a6b01d1065e0846105b1ec30c3f5fe941430732 Mon Sep 17 00:00:00 2001
From: davidraskin 
Date: Wed, 29 Jul 2020 21:10:33 +0000
Subject: [PATCH 8/9] Documentation update

---
 security/v1beta1/authorization.pb.go           | 14 ++++++--------
 security/v1beta1/authorization.pb.html         | 16 ++++++----------
 security/v1beta1/authorization.proto           | 14 ++++++--------
 security/v1beta1/authorization_deepcopy.gen.go | 14 ++++++--------
 security/v1beta1/authorization_json.gen.go     | 14 ++++++--------
 5 files changed, 30 insertions(+), 42 deletions(-)

diff --git a/security/v1beta1/authorization.pb.go b/security/v1beta1/authorization.pb.go
index 4edac66c68..47ab2f369a 100644
--- a/security/v1beta1/authorization.pb.go
+++ b/security/v1beta1/authorization.pb.go
@@ -13,15 +13,13 @@
 // 4. Deny the request.
 //
 // Istio Authorization Policy also supports the AUDIT action to decide whether to log requests.
-// Telemetry v2 access logging plugins can be set to abide by the audit decision.
-// Currently this is supported by the [Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
-// A request will be audited in the following cases:
-//
-// - There exists an AUDIT policy on the workload that matches the request
-// - There are no AUDIT policies on the workload
+// AUDIT policies do not affect whether requests are allowed or denied to the workload.
+// Requests will be allowed or denied based solely on ALLOW and DENY policies.
 //
-// AUDIT policies do not affect whether requests are allowed to the workload.
-// Requests will be allowed or denied based on only ALLOW and DENY policies.
+// Telemetry v2 access logging plugins can be set to abide by the audit decision.
+// Currently AUDIT is supported by the [Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
+// A request will be audited if there is an AUDIT policy on the workload that matches the request, and there is a telemetry plugin on the workload that supports auditing.
+// If there are no supporting plugins enabled, the request will not be audited.
 //
 // Here is an example of Istio Authorization Policy:
 //
diff --git a/security/v1beta1/authorization.pb.html b/security/v1beta1/authorization.pb.html
index 74c3f59fa6..e63b13b63c 100644
--- a/security/v1beta1/authorization.pb.html
+++ b/security/v1beta1/authorization.pb.html
@@ -23,17 +23,13 @@
 
 
 
      Istio Authorization Policy also supports the AUDIT action to decide whether to log requests.
-Telemetry v2 access logging plugins can be set to abide by the audit decision.
-Currently this is supported by the Stackdriver plugin.
-A request will be audited in the following cases:
      
+AUDIT policies do not affect whether requests are allowed or denied to the workload.
+Requests will be allowed or denied based solely on ALLOW and DENY policies.
      
 
-
        
-
      • There exists an AUDIT policy on the workload that matches the request
        • 
-
      • There are no AUDIT policies on the workload
        • 
-
      
-
-
      AUDIT policies do not affect whether requests are allowed to the workload.
-Requests will be allowed or denied based on only ALLOW and DENY policies.
      
+
      Telemetry v2 access logging plugins can be set to abide by the audit decision.
+Currently AUDIT is supported by the Stackdriver plugin.
+A request will be audited if there is an AUDIT policy on the workload that matches the request, and there is a telemetry plugin on the workload that supports auditing.
+If there are no supporting plugins enabled, the request will not be audited.
      
 
 
      Here is an example of Istio Authorization Policy:
      
 
diff --git a/security/v1beta1/authorization.proto b/security/v1beta1/authorization.proto
index 016c2c39fa..4e692174b1 100644
--- a/security/v1beta1/authorization.proto
+++ b/security/v1beta1/authorization.proto
@@ -35,15 +35,13 @@ import "type/v1beta1/selector.proto";
 // 4. Deny the request.
 //
 // Istio Authorization Policy also supports the AUDIT action to decide whether to log requests.
-// Telemetry v2 access logging plugins can be set to abide by the audit decision.
-// Currently this is supported by the [Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
-// A request will be audited in the following cases:
+// AUDIT policies do not affect whether requests are allowed or denied to the workload.
+// Requests will be allowed or denied based solely on ALLOW and DENY policies.
 //
-// - There exists an AUDIT policy on the workload that matches the request
-// - There are no AUDIT policies on the workload
-// 
-// AUDIT policies do not affect whether requests are allowed to the workload.
-// Requests will be allowed or denied based on only ALLOW and DENY policies.
+// Telemetry v2 access logging plugins can be set to abide by the audit decision.
+// Currently AUDIT is supported by the [Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
+// A request will be audited if there is an AUDIT policy on the workload that matches the request, and there is a telemetry plugin on the workload that supports auditing.
+// If there are no supporting plugins enabled, the request will not be audited.
 // 
 // Here is an example of Istio Authorization Policy:
 //
diff --git a/security/v1beta1/authorization_deepcopy.gen.go b/security/v1beta1/authorization_deepcopy.gen.go
index 230d1b6f12..dc897bc206 100644
--- a/security/v1beta1/authorization_deepcopy.gen.go
+++ b/security/v1beta1/authorization_deepcopy.gen.go
@@ -13,15 +13,13 @@
 // 4. Deny the request.
 //
 // Istio Authorization Policy also supports the AUDIT action to decide whether to log requests.
-// Telemetry v2 access logging plugins can be set to abide by the audit decision.
-// Currently this is supported by the [Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
-// A request will be audited in the following cases:
-//
-// - There exists an AUDIT policy on the workload that matches the request
-// - There are no AUDIT policies on the workload
+// AUDIT policies do not affect whether requests are allowed or denied to the workload.
+// Requests will be allowed or denied based solely on ALLOW and DENY policies.
 //
-// AUDIT policies do not affect whether requests are allowed to the workload.
-// Requests will be allowed or denied based on only ALLOW and DENY policies.
+// Telemetry v2 access logging plugins can be set to abide by the audit decision.
+// Currently AUDIT is supported by the [Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
+// A request will be audited if there is an AUDIT policy on the workload that matches the request, and there is a telemetry plugin on the workload that supports auditing.
+// If there are no supporting plugins enabled, the request will not be audited.
 //
 // Here is an example of Istio Authorization Policy:
 //
diff --git a/security/v1beta1/authorization_json.gen.go b/security/v1beta1/authorization_json.gen.go
index 15e001eaac..7969f8e0fb 100644
--- a/security/v1beta1/authorization_json.gen.go
+++ b/security/v1beta1/authorization_json.gen.go
@@ -13,15 +13,13 @@
 // 4. Deny the request.
 //
 // Istio Authorization Policy also supports the AUDIT action to decide whether to log requests.
-// Telemetry v2 access logging plugins can be set to abide by the audit decision.
-// Currently this is supported by the [Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
-// A request will be audited in the following cases:
-//
-// - There exists an AUDIT policy on the workload that matches the request
-// - There are no AUDIT policies on the workload
+// AUDIT policies do not affect whether requests are allowed or denied to the workload.
+// Requests will be allowed or denied based solely on ALLOW and DENY policies.
 //
-// AUDIT policies do not affect whether requests are allowed to the workload.
-// Requests will be allowed or denied based on only ALLOW and DENY policies.
+// Telemetry v2 access logging plugins can be set to abide by the audit decision.
+// Currently AUDIT is supported by the [Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
+// A request will be audited if there is an AUDIT policy on the workload that matches the request, and there is a telemetry plugin on the workload that supports auditing.
+// If there are no supporting plugins enabled, the request will not be audited.
 //
 // Here is an example of Istio Authorization Policy:
 //

From a531c591f8d1233b068d8d24c505537c7edcbb5e Mon Sep 17 00:00:00 2001
From: davidraskin 
Date: Wed, 29 Jul 2020 23:54:42 +0000
Subject: [PATCH 9/9] Updated documentation

---
 security/v1beta1/authorization.pb.go           | 8 ++++----
 security/v1beta1/authorization.pb.html         | 8 ++++----
 security/v1beta1/authorization.proto           | 8 ++++----
 security/v1beta1/authorization_deepcopy.gen.go | 8 ++++----
 security/v1beta1/authorization_json.gen.go     | 8 ++++----
 5 files changed, 20 insertions(+), 20 deletions(-)

diff --git a/security/v1beta1/authorization.pb.go b/security/v1beta1/authorization.pb.go
index 47ab2f369a..c99afe9310 100644
--- a/security/v1beta1/authorization.pb.go
+++ b/security/v1beta1/authorization.pb.go
@@ -16,10 +16,10 @@
 // AUDIT policies do not affect whether requests are allowed or denied to the workload.
 // Requests will be allowed or denied based solely on ALLOW and DENY policies.
 //
-// Telemetry v2 access logging plugins can be set to abide by the audit decision.
-// Currently AUDIT is supported by the [Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
-// A request will be audited if there is an AUDIT policy on the workload that matches the request, and there is a telemetry plugin on the workload that supports auditing.
-// If there are no supporting plugins enabled, the request will not be audited.
+// A request will be internally marked that it should be audited if there is an AUDIT policy on the workload that matches the request.
+// A separate plugin must be configured and enabled to actually fulfill the audit decision and complete the audit behavior.
+// The request will not be audited if there are no such supporting plugins enabled.
+// Currently, the only supported plugin is the [Telemetry v2 Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
 //
 // Here is an example of Istio Authorization Policy:
 //
diff --git a/security/v1beta1/authorization.pb.html b/security/v1beta1/authorization.pb.html
index e63b13b63c..c09836d89a 100644
--- a/security/v1beta1/authorization.pb.html
+++ b/security/v1beta1/authorization.pb.html
@@ -26,10 +26,10 @@
 AUDIT policies do not affect whether requests are allowed or denied to the workload.
 Requests will be allowed or denied based solely on ALLOW and DENY policies.
      
 
-
      Telemetry v2 access logging plugins can be set to abide by the audit decision.
-Currently AUDIT is supported by the Stackdriver plugin.
-A request will be audited if there is an AUDIT policy on the workload that matches the request, and there is a telemetry plugin on the workload that supports auditing.
-If there are no supporting plugins enabled, the request will not be audited.
      
+
      A request will be internally marked that it should be audited if there is an AUDIT policy on the workload that matches the request.
+A separate plugin must be configured and enabled to actually fulfill the audit decision and complete the audit behavior.
+The request will not be audited if there are no such supporting plugins enabled.
+Currently, the only supported plugin is the Telemetry v2 Stackdriver plugin.
      
 
 
      Here is an example of Istio Authorization Policy:
      
 
diff --git a/security/v1beta1/authorization.proto b/security/v1beta1/authorization.proto
index 4e692174b1..ab3f062a3e 100644
--- a/security/v1beta1/authorization.proto
+++ b/security/v1beta1/authorization.proto
@@ -38,10 +38,10 @@ import "type/v1beta1/selector.proto";
 // AUDIT policies do not affect whether requests are allowed or denied to the workload.
 // Requests will be allowed or denied based solely on ALLOW and DENY policies.
 //
-// Telemetry v2 access logging plugins can be set to abide by the audit decision.
-// Currently AUDIT is supported by the [Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
-// A request will be audited if there is an AUDIT policy on the workload that matches the request, and there is a telemetry plugin on the workload that supports auditing.
-// If there are no supporting plugins enabled, the request will not be audited.
+// A request will be internally marked that it should be audited if there is an AUDIT policy on the workload that matches the request.
+// A separate plugin must be configured and enabled to actually fulfill the audit decision and complete the audit behavior. 
+// The request will not be audited if there are no such supporting plugins enabled.
+// Currently, the only supported plugin is the [Telemetry v2 Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
 // 
 // Here is an example of Istio Authorization Policy:
 //
diff --git a/security/v1beta1/authorization_deepcopy.gen.go b/security/v1beta1/authorization_deepcopy.gen.go
index dc897bc206..45ba558564 100644
--- a/security/v1beta1/authorization_deepcopy.gen.go
+++ b/security/v1beta1/authorization_deepcopy.gen.go
@@ -16,10 +16,10 @@
 // AUDIT policies do not affect whether requests are allowed or denied to the workload.
 // Requests will be allowed or denied based solely on ALLOW and DENY policies.
 //
-// Telemetry v2 access logging plugins can be set to abide by the audit decision.
-// Currently AUDIT is supported by the [Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
-// A request will be audited if there is an AUDIT policy on the workload that matches the request, and there is a telemetry plugin on the workload that supports auditing.
-// If there are no supporting plugins enabled, the request will not be audited.
+// A request will be internally marked that it should be audited if there is an AUDIT policy on the workload that matches the request.
+// A separate plugin must be configured and enabled to actually fulfill the audit decision and complete the audit behavior.
+// The request will not be audited if there are no such supporting plugins enabled.
+// Currently, the only supported plugin is the [Telemetry v2 Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
 //
 // Here is an example of Istio Authorization Policy:
 //
diff --git a/security/v1beta1/authorization_json.gen.go b/security/v1beta1/authorization_json.gen.go
index 7969f8e0fb..2bb569014f 100644
--- a/security/v1beta1/authorization_json.gen.go
+++ b/security/v1beta1/authorization_json.gen.go
@@ -16,10 +16,10 @@
 // AUDIT policies do not affect whether requests are allowed or denied to the workload.
 // Requests will be allowed or denied based solely on ALLOW and DENY policies.
 //
-// Telemetry v2 access logging plugins can be set to abide by the audit decision.
-// Currently AUDIT is supported by the [Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
-// A request will be audited if there is an AUDIT policy on the workload that matches the request, and there is a telemetry plugin on the workload that supports auditing.
-// If there are no supporting plugins enabled, the request will not be audited.
+// A request will be internally marked that it should be audited if there is an AUDIT policy on the workload that matches the request.
+// A separate plugin must be configured and enabled to actually fulfill the audit decision and complete the audit behavior.
+// The request will not be audited if there are no such supporting plugins enabled.
+// Currently, the only supported plugin is the [Telemetry v2 Stackdriver](https://istio.io/latest/docs/reference/config/proxy_extensions/stackdriver/) plugin.
 //
 // Here is an example of Istio Authorization Policy:
 //