
Commit 1b6aded

authored
docs: add notes for ports used in AuthPolicy/PeerAuth (#3075)
Signed-off-by: Peter Jausovec <[email protected]>
1 parent 6a2e7cb commit 1b6aded

5 files changed

+31
-23
lines changed

security/v1/authorization_policy.pb.go

+2-1

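--- a/security/v1/authorization_policy.proto
+++ b/security/v1/authorization_policy.proto
@@ -168,7 +168,8 @@ import "type/v1beta1/selector.proto";
 //
 // The following is another example that sets `action` to `DENY` to create a deny policy.
 // It denies all the requests with `POST` method on port `8080` on all workloads
-// in the `foo` namespace.
+// in the `foo` namespace. Note the ports in the `ports` field refer to container ports,
+// not the Kubernetes Service ports.
 //
 // {{<tabset category-name="example">}}
 // {{<tab name="v1beta1" category-value="v1beta1">}}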
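Review bot: The added sentence states the container-port semantics of `ports` but not the consequence, which for a DENY policy is the one that matters: as far as I can tell a rule written against a Service port that differs from the container port matches no request, so the example policy would deny nothing and the `POST` traffic passes. I would append that to the new comment: `// A port that no workload listens on matches nothing, so a DENY rule written against a Service port silently allows the traffic it was meant to block.` The same caveat belongs on the `ports` field's own comment inside `Operation`, outside this hunk, since that is what the generated per-field reference surfaces. The comment block this hunk edits continues past the end of the hunk.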

security/v1beta1/peer_authentication.pb.go

+9-7

security/v1beta1/peer_authentication.pb.html

+9-7

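--- a/security/v1beta1/peer_authentication.proto
+++ b/security/v1beta1/peer_authentication.proto
@@ -42,7 +42,7 @@ option go_package="istio.io/api/security/v1beta1";
 // ```
 // For mesh level, put the policy in root-namespace according to your Istio installation.
 //
-// Policies to allow both mTLS & plaintext traffic for all workloads under namespace `foo`, but
+// Policies to allow both mTLS and plaintext traffic for all workloads under namespace `foo`, but
 // require mTLS for workload `finance`.
 // ```yaml
 // apiVersion: security.istio.io/v1beta1
@@ -66,8 +66,9 @@ option go_package="istio.io/api/security/v1beta1";
 // mtls:
 // mode: STRICT
 // ```
-// Policy to allow mTLS strict for all workloads, but leave port 8080 to
-// plaintext:
+// Policy that enables strict mTLS for all workloads, but leaves the port `8080` to
+// plaintext. Note the port value in the `portLevelMtls` field refers to the port
+// of the workload, not the port of the Kubernetes service.
 // ```yaml
 // apiVersion: security.istio.io/v1beta1
 // kind: PeerAuthentication
@@ -84,8 +85,8 @@ option go_package="istio.io/api/security/v1beta1";
 // 8080:
 // mode: DISABLE
 // ```
-// Policy to inherit mTLS mode from namespace (or mesh) settings, and overwrite
-// settings for port 8080
+// Policy that inherits mTLS mode from namespace (or mesh) settings, and disables
+// mTLS for workload port `8080`.
 // ```yaml
 // apiVersion: security.istio.io/v1beta1
 // kind: PeerAuthentication
@@ -137,7 +138,7 @@ message PeerAuthentication {
 // Mutual TLS settings.
 message MutualTLS {
 enum Mode {
-// Inherit from parent, if has one. Otherwise treated as PERMISSIVE.
+// Inherit from parent, if has one. Otherwise treated as `PERMISSIVE`.
 UNSET = 0;
 
 // Connection is not tunneled.
@@ -158,6 +159,7 @@ message PeerAuthentication {
 MutualTLS mtls = 2;
 
 // Port specific mutual TLS settings. These only apply when a workload selector
-// is specified.
+// is specified. The port refers to the port of the workload, not the port of the
+// Kubernetes service.
 map<uint32, MutualTLS> port_level_mtls = 3;
 }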
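Review bot: The term chosen here, `port of the workload`, names the same thing the same commit calls `container ports` in authorization_policy.proto, and the two reference pages are read side by side, so I would use one term in both; on the `port_level_mtls` field comment in the last hunk: `// is specified. The port is the workload's container port, not the port of the Kubernetes Service.` That field comment, not the example prose, is what the generated reference shows per field, so it is also the place to state the consequence of a mismatch: a map key that is not a port the workload listens on appears to have no effect, so a `STRICT` or `DISABLE` override keyed by a Service port number silently leaves the inherited mode in force on the real port. The enclosing `MutualTLS` and `PeerAuthentication` messages both begin outside the hunks shown.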
