@alex-hunt-materialize
Created April 1, 2022 20:22
Linkerd 2.11 ServerAuthorizations and Server CRD definitions
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm stable-2.11.1
    meta.helm.sh/release-name: linkerd-cluster-instances-us-east-1-qv12bbqn
    meta.helm.sh/release-namespace: default
  creationTimestamp: "2022-03-30T19:33:19Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
    linkerd.io/control-plane-ns: linkerd
  name: serverauthorizations.policy.linkerd.io
  resourceVersion: "4531"
  uid: d3091fac-a87b-4cc8-abdd-483592d72317
spec:
  conversion:
    strategy: None
  group: policy.linkerd.io
  names:
    kind: ServerAuthorization
    listKind: ServerAuthorizationList
    plural: serverauthorizations
    shortNames:
    - saz
    singular: serverauthorization
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: Authorizes clients to communicate with Linkerd-proxied servers.
            properties:
              client:
                description: Describes clients authorized to access a server.
                oneOf:
                - required:
                  - meshTLS
                - required:
                  - unauthenticated
                properties:
                  meshTLS:
                    oneOf:
                    - required:
                      - unauthenticatedTLS
                    - required:
                      - identities
                    - required:
                      - serviceAccounts
                    properties:
                      identities:
                        description: |-
                          Authorizes clients with the provided proxy identity strings (as provided via mTLS).
                          The `*` prefix can be used to match all identities in a domain. An identity string of `*` indicates that all authenticated clients are authorized.
                        items:
                          pattern: ^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                          type: string
                        type: array
                      serviceAccounts:
                        description: Authorizes clients whose proxy identity (as provided via mTLS) corresponds to one of the listed service accounts.
                        items:
                          properties:
                            name:
                              description: The ServiceAccount's name.
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                              type: string
                            namespace:
                              description: The ServiceAccount's namespace. If unset, the authorization's namespace is used.
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                              type: string
                          required:
                          - name
                          type: object
                        type: array
                      unauthenticatedTLS:
                        description: |-
                          Indicates that no client identity is required for communication.
                          This is mostly important for the identity controller, which must terminate TLS connections from clients that do not yet have a certificate.
                        type: boolean
                    type: object
                  networks:
                    description: Limits the client IP addresses to which this authorization applies. If unset, the server chooses a default (typically, all IPs or the cluster's pod network).
                    items:
                      properties:
                        cidr:
                          type: string
                        except:
                          items:
                            type: string
                          type: array
                      required:
                      - cidr
                      type: object
                    type: array
                  unauthenticated:
                    description: Authorizes unauthenticated clients to access a server.
                    type: boolean
                type: object
              server:
                description: |-
                  Identifies servers in the same namespace for which this authorization applies.
                  Only one of `name` or `selector` may be specified.
                oneOf:
                - required:
                  - name
                - required:
                  - selector
                properties:
                  name:
                    description: References a `Server` instance by name
                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                    type: string
                  selector:
                    description: A label query over servers on which this authorization applies.
                    oneOf:
                    - required:
                      - matchLabels
                    - required:
                      - matchExpressions
                    properties:
                      matchExpressions:
                        items:
                          properties:
                            key:
                              type: string
                            operator:
                              enum:
                              - In
                              - NotIn
                              - Exists
                              - DoesNotExist
                              type: string
                            values:
                              items:
                                type: string
                              type: array
                          required:
                          - key
                          - operator
                          type: object
                        type: array
                      matchLabels:
                        type: object
                        x-kubernetes-preserve-unknown-fields: true
                    type: object
                type: object
            required:
            - server
            - client
            type: object
        required:
        - spec
        type: object
    served: true
    storage: false
  - additionalPrinterColumns:
    - description: The server that this grants access to
      jsonPath: .spec.server.name
      name: Server
      type: string
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          spec:
            description: Authorizes clients to communicate with Linkerd-proxied servers.
            properties:
              client:
                description: Describes clients authorized to access a server.
                oneOf:
                - required:
                  - meshTLS
                - required:
                  - unauthenticated
                properties:
                  meshTLS:
                    oneOf:
                    - required:
                      - unauthenticatedTLS
                    - required:
                      - identities
                    - required:
                      - serviceAccounts
                    properties:
                      identities:
                        description: |-
                          Authorizes clients with the provided proxy identity strings (as provided via mTLS).
                          The `*` prefix can be used to match all identities in a domain. An identity string of `*` indicates that all authenticated clients are authorized.
                        items:
                          pattern: ^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                          type: string
                        type: array
                      serviceAccounts:
                        description: Authorizes clients whose proxy identity (as provided via mTLS) corresponds to one of the listed service accounts.
                        items:
                          properties:
                            name:
                              description: The ServiceAccount's name.
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                              type: string
                            namespace:
                              description: The ServiceAccount's namespace. If unset, the authorization's namespace is used.
                              pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                              type: string
                          required:
                          - name
                          type: object
                        type: array
                      unauthenticatedTLS:
                        description: |-
                          Indicates that no client identity is required for communication.
                          This is mostly important for the identity controller, which must terminate TLS connections from clients that do not yet have a certificate.
                        type: boolean
                    type: object
                  networks:
                    description: Limits the client IP addresses to which this authorization applies. If unset, the server chooses a default (typically, all IPs or the cluster's pod network).
                    items:
                      properties:
                        cidr:
                          type: string
                        except:
                          items:
                            type: string
                          type: array
                      required:
                      - cidr
                      type: object
                    type: array
                  unauthenticated:
                    description: Authorizes unauthenticated clients to access a server.
                    type: boolean
                type: object
              server:
                description: |-
                  Identifies servers in the same namespace for which this authorization applies.
                  Only one of `name` or `selector` may be specified.
                oneOf:
                - required:
                  - name
                - required:
                  - selector
                properties:
                  name:
                    description: References a `Server` instance by name
                    pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                    type: string
                  selector:
                    description: A label query over servers on which this authorization applies.
                    oneOf:
                    - required:
                      - matchLabels
                    - required:
                      - matchExpressions
                    properties:
                      matchExpressions:
                        items:
                          properties:
                            key:
                              type: string
                            operator:
                              enum:
                              - In
                              - NotIn
                              - Exists
                              - DoesNotExist
                              type: string
                            values:
                              items:
                                type: string
                              type: array
                          required:
                          - key
                          - operator
                          type: object
                        type: array
                      matchLabels:
                        type: object
                        x-kubernetes-preserve-unknown-fields: true
                    type: object
                type: object
            required:
            - server
            - client
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ServerAuthorization
    listKind: ServerAuthorizationList
    plural: serverauthorizations
    shortNames:
    - saz
    singular: serverauthorization
  conditions:
  - lastTransitionTime: "2022-03-30T19:33:19Z"
    message: no conflicts found
    reason: NoConflicts
    status: "True"
    type: NamesAccepted
  - lastTransitionTime: "2022-03-30T19:33:19Z"
    message: the initial names have been accepted
    reason: InitialNamesAccepted
    status: "True"
    type: Established
  storedVersions:
  - v1beta1
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    linkerd.io/created-by: linkerd/helm stable-2.11.1
    meta.helm.sh/release-name: linkerd-cluster-instances-us-east-1-qv12bbqn
    meta.helm.sh/release-namespace: default
  creationTimestamp: "2022-03-30T19:33:19Z"
  generation: 1
  labels:
    app.kubernetes.io/managed-by: Helm
    linkerd.io/control-plane-ns: linkerd
  name: servers.policy.linkerd.io
  resourceVersion: "4530"
  uid: 76c6ff94-40b4-4d8c-aec6-6aa7d25bb02a
spec:
  conversion:
    strategy: None
  group: policy.linkerd.io
  names:
    kind: Server
    listKind: ServerList
    plural: servers
    shortNames:
    - srv
    singular: server
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          spec:
            properties:
              podSelector:
                description: Selects pods in the same namespace.
                oneOf:
                - required:
                  - matchExpressions
                - required:
                  - matchLabels
                properties:
                  matchExpressions:
                    items:
                      properties:
                        key:
                          type: string
                        operator:
                          enum:
                          - In
                          - NotIn
                          - Exists
                          - DoesNotExist
                          type: string
                        values:
                          items:
                            type: string
                          type: array
                      required:
                      - key
                      - operator
                      type: object
                    type: array
                  matchLabels:
                    type: object
                    x-kubernetes-preserve-unknown-fields: true
                type: object
              port:
                description: A port name or number. Must exist in a pod spec.
                x-kubernetes-int-or-string: true
              proxyProtocol:
                default: unknown
                description: |-
                  Configures protocol discovery for inbound connections.
                  Supersedes the `config.linkerd.io/opaque-ports` annotation.
                enum:
                - unknown
                - HTTP/1
                - HTTP/2
                - gRPC
                - opaque
                - TLS
                type: string
            required:
            - podSelector
            - port
            type: object
        required:
        - spec
        type: object
    served: true
    storage: false
  - additionalPrinterColumns:
    - description: The port the server is listening on
      jsonPath: .spec.port
      name: Port
      type: string
    - description: The protocol of the server
      jsonPath: .spec.proxyProtocol
      name: Protocol
      type: string
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          spec:
            properties:
              podSelector:
                description: Selects pods in the same namespace.
                oneOf:
                - required:
                  - matchExpressions
                - required:
                  - matchLabels
                properties:
                  matchExpressions:
                    items:
                      properties:
                        key:
                          type: string
                        operator:
                          enum:
                          - In
                          - NotIn
                          - Exists
                          - DoesNotExist
                          type: string
                        values:
                          items:
                            type: string
                          type: array
                      required:
                      - key
                      - operator
                      type: object
                    type: array
                  matchLabels:
                    type: object
                    x-kubernetes-preserve-unknown-fields: true
                type: object
              port:
                description: A port name or number. Must exist in a pod spec.
                x-kubernetes-int-or-string: true
              proxyProtocol:
                default: unknown
                description: |-
                  Configures protocol discovery for inbound connections.
                  Supersedes the `config.linkerd.io/opaque-ports` annotation.
                enum:
                - unknown
                - HTTP/1
                - HTTP/2
                - gRPC
                - opaque
                - TLS
                type: string
            required:
            - podSelector
            - port
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: Server
    listKind: ServerList
    plural: servers
    shortNames:
    - srv
    singular: server
  conditions:
  - lastTransitionTime: "2022-03-30T19:33:19Z"
    message: no conflicts found
    reason: NoConflicts
    status: "True"
    type: NamesAccepted
  - lastTransitionTime: "2022-03-30T19:33:19Z"
    message: the initial names have been accepted
    reason: InitialNamesAccepted
    status: "True"
    type: Established
  storedVersions:
  - v1beta1
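The two schemas above say what the API server will accept, not whether a policy is safe: `client.unauthenticated: true`, `meshTLS.unauthenticatedTLS: true` and `identities: ["*"]` are all schema-valid, and a ServerAuthorization whose `server.name` points at a Server that does not exist in its namespace is accepted but grants nothing. The linter below is an added example, written for this page and not code from the gist or from Linkerd. It re-implements the `oneOf`, `pattern` and `enum` constraints visible in both CRDs (so it can catch a manifest before `kubectl apply` rejects it), cross-references each authorization against the Servers in its namespace, and flags grants that admit traffic without a verified mesh identity or from any source address. The input shape is the `items` array of `kubectl get servers,serverauthorizations -A -o json`; the inline sample (namespace `emojivoto`, the Server `web-http`, the three authorizations and the `vote-bot` service account) is constructed for the example.

```python
"""Added example (not Linkerd code): lint Server / ServerAuthorization objects taken
from `kubectl get servers,serverauthorizations -A -o json`; a constructed sample stands in."""
import json
import re

# Patterns and the proxyProtocol enum copied from the two CRD schemas above.
IDENTITY_RE = re.compile(r"^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$")
NAME_RE = re.compile(r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?$")
PROXY_PROTOCOLS = {"unknown", "HTTP/1", "HTTP/2", "gRPC", "opaque", "TLS"}

# Constructed sample (namespace, names and labels are made up): one Server, three grants.
SAMPLE_JSON = r'''{"items": [
 {"kind": "Server", "metadata": {"name": "web-http", "namespace": "emojivoto"},
  "spec": {"podSelector": {"matchLabels": {"app": "web-svc"}}, "port": "http", "proxyProtocol": "HTTP/1"}},
 {"kind": "ServerAuthorization", "metadata": {"name": "web-public", "namespace": "emojivoto"},
  "spec": {"server": {"name": "web-http"},
           "client": {"unauthenticated": true, "networks": [{"cidr": "0.0.0.0/0"}]}}},
 {"kind": "ServerAuthorization", "metadata": {"name": "web-from-vote-bot", "namespace": "emojivoto"},
  "spec": {"server": {"name": "web-http"},
           "client": {"meshTLS": {"serviceAccounts": [{"name": "vote-bot"}]}, "networks": [{"cidr": "10.0.0.0/8"}]}}},
 {"kind": "ServerAuthorization", "metadata": {"name": "web-dangling", "namespace": "emojivoto"},
  "spec": {"server": {"name": "web-grpc"}, "client": {"meshTLS": {"identities": ["*"]}}}}
]}'''

def _present(obj, keys):
    """Keys from `keys` that are set on `obj`; each CRD `oneOf` block wants exactly one."""
    return [k for k in keys if k in obj]

def lint_server(srv):
    """Schema checks for a Server: selector shape, required port, proxyProtocol enum."""
    spec, out = srv.get("spec", {}), []
    if len(_present(spec.get("podSelector", {}), ["matchLabels", "matchExpressions"])) != 1:
        out.append("podSelector must set exactly one of matchLabels/matchExpressions")
    if "port" not in spec:
        out.append("port is required")
    if spec.get("proxyProtocol", "unknown") not in PROXY_PROTOCOLS:
        out.append(f"proxyProtocol {spec.get('proxyProtocol')!r} is not in the CRD enum")
    return out

def lint_authz(saz, servers_in_ns):
    """Schema checks plus WEAK/WIDE flags for one ServerAuthorization."""
    spec, out = saz.get("spec", {}), []
    server, client = spec.get("server", {}), spec.get("client", {})
    if len(_present(server, ["name", "selector"])) != 1:
        out.append("server must set exactly one of name/selector")
    elif "name" in server:
        if not NAME_RE.match(server["name"]):
            out.append(f"server.name {server['name']!r} fails the CRD name pattern")
        elif server["name"] not in servers_in_ns:
            out.append(f"server.name {server['name']!r} matches no Server in this namespace; the grant is inert")
    if len(_present(client, ["meshTLS", "unauthenticated"])) != 1:
        out.append("client must set exactly one of meshTLS/unauthenticated")
    if client.get("unauthenticated"):
        out.append("WEAK: unauthenticated clients are authorized; no mTLS identity is checked")
    mesh = client.get("meshTLS", {})
    if mesh and len(_present(mesh, ["unauthenticatedTLS", "identities", "serviceAccounts"])) != 1:
        out.append("meshTLS must set exactly one of unauthenticatedTLS/identities/serviceAccounts")
    if mesh.get("unauthenticatedTLS"):
        out.append("WEAK: unauthenticatedTLS admits TLS clients that present no mesh identity")
    for ident in mesh.get("identities", []):
        if not IDENTITY_RE.match(ident):
            out.append(f"identity {ident!r} fails the CRD identity pattern")
        elif ident == "*":
            out.append("WEAK: identity '*' authorizes every authenticated client in the mesh")
        elif ident.startswith("*."):
            out.append(f"WIDE: identity {ident!r} authorizes every identity under that domain")
    for sa in mesh.get("serviceAccounts", []):
        if "name" not in sa:
            out.append("serviceAccount entry is missing the required name")
        for field in ("name", "namespace"):
            if field in sa and not NAME_RE.match(sa[field]):
                out.append(f"serviceAccount {field} {sa[field]!r} fails the CRD pattern")
    for net in client.get("networks", []):
        if net.get("cidr") in ("0.0.0.0/0", "::/0"):
            out.append(f"WIDE: networks cidr {net['cidr']} does not limit client addresses")
    return out

def lint_items(items):
    """Return {'namespace/name': [findings]} for every Server and ServerAuthorization."""
    servers = {}
    for it in items:
        if it.get("kind") == "Server":
            servers.setdefault(it["metadata"]["namespace"], set()).add(it["metadata"]["name"])
    report = {}
    for it in items:
        md = it["metadata"]
        key = f"{md['namespace']}/{md['name']}"
        if it.get("kind") == "Server":
            report[key] = lint_server(it)
        elif it.get("kind") == "ServerAuthorization":
            report[key] = lint_authz(it, servers.get(md["namespace"], set()))
    return report

def lint_sample():
    """Run the linter over the constructed sample."""
    return lint_items(json.loads(SAMPLE_JSON)["items"])

if __name__ == "__main__":
    for key, findings in lint_sample().items():
        print(key, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

On the sample, `web-http` and `web-from-vote-bot` come back clean, `web-public` is flagged twice (unauthenticated clients, `0.0.0.0/0`), and `web-dangling` is flagged for pointing at a Server that does not exist and for the `*` identity. To run it against a cluster, replace `SAMPLE_JSON` with the `kubectl ... -o json` output; the schema checks mirror the CRD text and the WEAK/WIDE heuristics are this example's own policy, not anything Linkerd enforces.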