apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: serverauthorizations.policy.linkerd.io
spec:
  conversion:
    strategy: None
  group: policy.linkerd.io
  names:
    kind: ServerAuthorization
    listKind: ServerAuthorizationList
    plural: serverauthorizations
    shortNames:
      - saz
    singular: serverauthorization
  scope: Namespaced
  versions:
    - name: v1alpha1
      schema:
        openAPIV3Schema:
          properties:
            spec:
              description: Authorizes clients to communicate with Linkerd-proxied servers.
              properties:
                client:
                  description: Describes clients authorized to access a server.
                  oneOf:
                    - required:
                        - meshTLS
                    - required:
                        - unauthenticated
                  properties:
                    meshTLS:
                      oneOf:
                        - required:
                            - unauthenticatedTLS
                        - required:
                            - identities
                        - required:
                            - serviceAccounts
                      properties:
                        identities:
                          description: |-
                            Authorizes clients with the provided proxy identity strings (as provided via MTLS)

                            The `*` prefix can be used to match all identities in a domain. An identity string of `*` indicates that all authentication clients are authorized.
                          items:
                            pattern: ^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          type: array
                        serviceAccounts:
                          description: Authorizes clients with the provided proxy identity service accounts (as provided via MTLS)
                          items:
                            properties:
                              name:
                                description: The ServiceAccount's name.
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                              namespace:
                                description: The ServiceAccount's namespace. If unset, the authorization's namespace is used.
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            required:
                              - name
                            type: object
                          type: array
                        unauthenticatedTLS:
                          description: |-
                            Indicates that no client identity is required for communication.

                            This is mostly important for the identity controller, which must terminate TLS connections from clients that do not yet have a certificate.
                          type: boolean
                      type: object
                    networks:
                      description: Limits the client IP addresses to which this authorization applies. If unset, the server chooses a default (typically, all IPs or the cluster's pod network).
                      items:
                        properties:
                          cidr:
                            type: string
                          except:
                            items:
                              type: string
                            type: array
                        required:
                          - cidr
                        type: object
                      type: array
                    unauthenticated:
                      description: Authorizes unauthenticated clients to access a server.
                      type: boolean
                  type: object
                server:
                  description: |-
                    Identifies servers in the same namespace for which this authorization applies.

                    Only one of `name` or `selector` may be specified.
                  oneOf:
                    - required:
                        - name
                    - required:
                        - selector
                  properties:
                    name:
                      description: References a `Server` instance by name
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                      type: string
                    selector:
                      description: A label query over servers on which this authorization applies.
                      oneOf:
                        - required:
                            - matchLabels
                        - required:
                            - matchExpressions
                      properties:
                        matchExpressions:
                          items:
                            properties:
                              key:
                                type: string
                              operator:
                                enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                type: string
                              values:
                                items:
                                  type: string
                                type: array
                            required:
                              - key
                              - operator
                            type: object
                          type: array
                        matchLabels:
                          type: object
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                  type: object
              required:
                - server
                - client
              type: object
          required:
            - spec
          type: object
      served: true
      storage: false
    - additionalPrinterColumns:
        - description: The server that this grants access to
          jsonPath: .spec.server.name
          name: Server
          type: string
      name: v1beta1
      schema:
        openAPIV3Schema:
          properties:
            spec:
              description: Authorizes clients to communicate with Linkerd-proxied servers.
              properties:
                client:
                  description: Describes clients authorized to access a server.
                  oneOf:
                    - required:
                        - meshTLS
                    - required:
                        - unauthenticated
                  properties:
                    meshTLS:
                      oneOf:
                        - required:
                            - unauthenticatedTLS
                        - required:
                            - identities
                        - required:
                            - serviceAccounts
                      properties:
                        identities:
                          description: |-
                            Authorizes clients with the provided proxy identity strings (as provided via MTLS)

                            The `*` prefix can be used to match all identities in a domain. An identity string of `*` indicates that all authentication clients are authorized.
                          items:
                            pattern: ^(\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          type: array
                        serviceAccounts:
                          description: Authorizes clients with the provided proxy identity service accounts (as provided via MTLS)
                          items:
                            properties:
                              name:
                                description: The ServiceAccount's name.
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                              namespace:
                                description: The ServiceAccount's namespace. If unset, the authorization's namespace is used.
                                pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                                type: string
                            required:
                              - name
                            type: object
                          type: array
                        unauthenticatedTLS:
                          description: |-
                            Indicates that no client identity is required for communication.

                            This is mostly important for the identity controller, which must terminate TLS connections from clients that do not yet have a certificate.
                          type: boolean
                      type: object
                    networks:
                      description: Limits the client IP addresses to which this authorization applies. If unset, the server chooses a default (typically, all IPs or the cluster's pod network).
                      items:
                        properties:
                          cidr:
                            type: string
                          except:
                            items:
                              type: string
                            type: array
                        required:
                          - cidr
                        type: object
                      type: array
                    unauthenticated:
                      description: Authorizes unauthenticated clients to access a server.
                      type: boolean
                  type: object
                server:
                  description: |-
                    Identifies servers in the same namespace for which this authorization applies.

                    Only one of `name` or `selector` may be specified.
                  oneOf:
                    - required:
                        - name
                    - required:
                        - selector
                  properties:
                    name:
                      description: References a `Server` instance by name
                      pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?$
                      type: string
                    selector:
                      description: A label query over servers on which this authorization applies.
                      oneOf:
                        - required:
                            - matchLabels
                        - required:
                            - matchExpressions
                      properties:
                        matchExpressions:
                          items:
                            properties:
                              key:
                                type: string
                              operator:
                                enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                type: string
                              values:
                                items:
                                  type: string
                                type: array
                            required:
                              - key
                              - operator
                            type: object
                          type: array
                        matchLabels:
                          type: object
                          x-kubernetes-preserve-unknown-fields: true
                      type: object
                  type: object
              required:
                - server
                - client
              type: object
          required:
            - spec
          type: object
      served: true
      storage: true