From 8655fab91d5de3229b5bd52d4ecb5ad9a0f07683 Mon Sep 17 00:00:00 2001
From: Istio Automation
Date: Tue, 12 Dec 2023 18:05:15 -0800
Subject: [PATCH] Add note on targetRef + authorization policy in multi-revision environment (#3023)

Signed-off-by: Keith Mattix II
Co-authored-by: Keith Mattix II
---
 kubernetes/customresourcedefinitions.gen.yaml | 4 ++++
 security/v1/authorization_policy.pb.go | 6 +++++-
 security/v1/authorization_policy.proto | 12 +++++++----
 security/v1/request_authentication.pb.go | 1 -
 security/v1/request_authentication.proto | 5 ++---
 security/v1beta1/authorization_policy.pb.go | 6 +++++-
 security/v1beta1/authorization_policy.pb.html | 21 +++++++++++++++++++
 security/v1beta1/authorization_policy.proto | 12 +++++++----
 security/v1beta1/request_authentication.pb.go | 1 -
 .../v1beta1/request_authentication.pb.html | 19 +++++++++++++++++
 security/v1beta1/request_authentication.proto | 5 ++---
 11 files changed, 74 insertions(+), 18 deletions(-)

diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml
index 93d388f468..c259f01bab 100644
--- a/kubernetes/customresourcedefinitions.gen.yaml
+++ b/kubernetes/customresourcedefinitions.gen.yaml
@@ -7404,6 +7404,7 @@ spec:
 type: object
 type: object
 targetRef:
+ description: Optional.
 properties:
 group:
 description: group is the group of the target resource.
@@ -7605,6 +7606,7 @@ spec:
 type: object
 type: object
 targetRef:
+ description: Optional.
 properties:
 group:
 description: group is the group of the target resource.
@@ -7839,6 +7841,7 @@ spec:
 type: object
 type: object
 targetRef:
+ description: Optional.
 properties:
 group:
 description: group is the group of the target resource.
@@ -7952,6 +7955,7 @@ spec:
 type: object
 type: object
 targetRef:
+ description: Optional.
 properties:
 group:
 description: group is the group of the target resource.
diff --git a/security/v1/authorization_policy.pb.go b/security/v1/authorization_policy.pb.go
index 04c725d7da..427dc9c7ad 100644
--- a/security/v1/authorization_policy.pb.go
+++ b/security/v1/authorization_policy.pb.go
@@ -581,7 +581,6 @@ type AuthorizationPolicy struct {
 // If the selector and the targetRef are not set, the selector will match all workloads. At most one of the selector
 // and targetRef can be set.
 Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
- // $hide_from_docs
 // Optional. The targetRef specifies the gateway the policy should be
 // applied to. The targeted resource specified will determine which
 // workloads the authorization policy applies to. The targeted resource
@@ -590,6 +589,11 @@ type AuthorizationPolicy struct {
 //
 // If not set, the policy is applied as defined by the selector.
 // At most one of the selector and targetRef can be set.
+ //
+ // NOTE: If you are using the `targetRef` field in a multi-revision environment with Istio versions prior to 1.20,
+ // it is highly recommended that you pin the authorization policy to a revision running 1.20+ via the istio.io/rev label.
+ // This is to prevent proxies connected to older istiod control planes (that don't know about the targetRef field)
+ // from misinterpreting the policy as namespace-wide during the upgrade process.
 TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,5,opt,name=targetRef,proto3" json:"targetRef,omitempty"`
 // Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.
 //
diff --git a/security/v1/authorization_policy.proto b/security/v1/authorization_policy.proto
index c6661e2719..3da91e09f8 100644
--- a/security/v1/authorization_policy.proto
+++ b/security/v1/authorization_policy.proto
@@ -467,19 +467,23 @@ message AuthorizationPolicy {
 // in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector
 // will additionally match with workloads in all namespaces.
 //
- // If the selector and the targetRef are not set, the selector will match all workloads. At most one of the selector
+ // If the selector and the targetRef are not set, the selector will match all workloads. At most one of the selector
 // and targetRef can be set.
 istio.type.v1beta1.WorkloadSelector selector = 1;
 
- // $hide_from_docs
- // Optional. The targetRef specifies the gateway the policy should be
- // applied to. The targeted resource specified will determine which
+ // Optional. The targetRef specifies the gateway the policy should be
+ // applied to. The targeted resource specified will determine which
 // workloads the authorization policy applies to. The targeted resource
 // must be a `Gateway` in the group `gateway.networking.k8s.io`. The
 // gateway must be in the same namespace as the authorization policy.
 //
 // If not set, the policy is applied as defined by the selector.
 // At most one of the selector and targetRef can be set.
+ //
+ // NOTE: If you are using the `targetRef` field in a multi-revision environment with Istio versions prior to 1.20,
+ // it is highly recommended that you pin the authorization policy to a revision running 1.20+ via the istio.io/rev label.
+ // This is to prevent proxies connected to older istiod control planes (that don't know about the targetRef field)
+ // from misinterpreting the policy as namespace-wide during the upgrade process.
 istio.type.v1beta1.PolicyTargetReference targetRef = 5;
 
 // Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.
diff --git a/security/v1/request_authentication.pb.go b/security/v1/request_authentication.pb.go
index ae7f72fc8f..458c03cc49 100644
--- a/security/v1/request_authentication.pb.go
+++ b/security/v1/request_authentication.pb.go
@@ -546,7 +546,6 @@ type RequestAuthentication struct {
 //
 // If not set, the selector will match all workloads. At most one of the selector and targetRef can be set.
 Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
- // $hide_from_docs
 // Optional. The targetRef specifies the gateway the policy should be
 // applied to. The targeted resource specified will determine which
 // workloads the request authentication policy to. The targeted resource
diff --git a/security/v1/request_authentication.proto b/security/v1/request_authentication.proto
index 3fd19db41e..fd474da03c 100644
--- a/security/v1/request_authentication.proto
+++ b/security/v1/request_authentication.proto
@@ -448,9 +448,8 @@ message RequestAuthentication {
 // If not set, the selector will match all workloads. At most one of the selector and targetRef can be set.
 istio.type.v1beta1.WorkloadSelector selector = 1;
 
- // $hide_from_docs
- // Optional. The targetRef specifies the gateway the policy should be
- // applied to. The targeted resource specified will determine which
+ // Optional. The targetRef specifies the gateway the policy should be
+ // applied to. The targeted resource specified will determine which
 // workloads the request authentication policy to. The targeted resource
 // must be a `Gateway` in the group `gateway.networking.k8s.io`. The
 // gateway must be in the same namespace as the request authentication
diff --git a/security/v1beta1/authorization_policy.pb.go b/security/v1beta1/authorization_policy.pb.go
index 09ad293743..faf1e667d2 100644
--- a/security/v1beta1/authorization_policy.pb.go
+++ b/security/v1beta1/authorization_policy.pb.go
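Review bot: The multi-revision NOTE this commit adds under AuthorizationPolicy.targetRef is not added to RequestAuthentication.targetRef, even though this hunk (and the matching v1beta1 request_authentication.proto hunk) now publishes that field by dropping `$hide_from_docs`. If older istiod revisions likewise do not know targetRef on RequestAuthentication, the same failure mode presumably applies — a proxy on an older control plane would read the policy as selector-less and namespace-wide, so a JWT requirement could be enforced on, or withheld from, workloads the author never intended — so please confirm and, if so, add the same four-line NOTE at the end of the targetRef comment in this message. Separately, the context line `// workloads the request authentication policy to. The targeted resource` is missing a verb and is now user-facing; `// workloads the request authentication policy applies to. The targeted resource` reads correctly. The RequestAuthentication message starts before and ends after this hunk.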
@@ -581,7 +581,6 @@ type AuthorizationPolicy struct {
 // If the selector and the targetRef are not set, the selector will match all workloads. At most one of the selector
 // and targetRef can be set.
 Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
- // $hide_from_docs
 // Optional. The targetRef specifies the gateway the policy should be
 // applied to. The targeted resource specified will determine which
 // workloads the authorization policy applies to. The targeted resource
@@ -590,6 +589,11 @@ type AuthorizationPolicy struct {
 //
 // If not set, the policy is applied as defined by the selector.
 // At most one of the selector and targetRef can be set.
+ //
+ // NOTE: If you are using the `targetRef` field in a multi-revision environment with Istio versions prior to 1.20,
+ // it is highly recommended that you pin the authorization policy to a revision running 1.20+ via the istio.io/rev label.
+ // This is to prevent proxies connected to older istiod control planes (that don't know about the targetRef field)
+ // from misinterpreting the policy as namespace-wide during the upgrade process.
 TargetRef *v1beta1.PolicyTargetReference `protobuf:"bytes,5,opt,name=targetRef,proto3" json:"targetRef,omitempty"`
 // Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.
 //
diff --git a/security/v1beta1/authorization_policy.pb.html b/security/v1beta1/authorization_policy.pb.html
index b2746034c2..b31655bdfe 100644
--- a/security/v1beta1/authorization_policy.pb.html
+++ b/security/v1beta1/authorization_policy.pb.html
@@ -394,6 +394,27 @@

AuthorizationPolicy

If the selector and the targetRef are not set, the selector will match all workloads. At most one of the selector and targetRef can be set.

+ + +No + + + +targetRef +PolicyTargetReference + +

Optional. The targetRef specifies the gateway the policy should be +applied to. The targeted resource specified will determine which +workloads the authorization policy applies to. The targeted resource +must be a Gateway in the group gateway.networking.k8s.io. The +gateway must be in the same namespace as the authorization policy.

+

If not set, the policy is applied as defined by the selector. +At most one of the selector and targetRef can be set.

+

NOTE: If you are using the targetRef field in a multi-revision environment with Istio versions prior to 1.20, +it is highly recommended that you pin the authorization policy to a revision running 1.20+ via the istio.io/rev label. +This is to prevent proxies connected to older istiod control planes (that don’t know about the targetRef field) +from misinterpreting the policy as namespace-wide during the upgrade process.

+ No
diff --git a/security/v1beta1/authorization_policy.proto b/security/v1beta1/authorization_policy.proto
index 3a3c59a692..963f8d72a9 100644
--- a/security/v1beta1/authorization_policy.proto
+++ b/security/v1beta1/authorization_policy.proto
@@ -467,19 +467,23 @@ message AuthorizationPolicy {
 // in the same namespace as the authorization policy. If the authorization policy is in the root namespace, the selector
 // will additionally match with workloads in all namespaces.
 //
- // If the selector and the targetRef are not set, the selector will match all workloads. At most one of the selector
+ // If the selector and the targetRef are not set, the selector will match all workloads. At most one of the selector
 // and targetRef can be set.
 istio.type.v1beta1.WorkloadSelector selector = 1;
 
- // $hide_from_docs
- // Optional. The targetRef specifies the gateway the policy should be
- // applied to. The targeted resource specified will determine which
+ // Optional. The targetRef specifies the gateway the policy should be
+ // applied to. The targeted resource specified will determine which
 // workloads the authorization policy applies to. The targeted resource
 // must be a `Gateway` in the group `gateway.networking.k8s.io`. The
 // gateway must be in the same namespace as the authorization policy.
 //
 // If not set, the policy is applied as defined by the selector.
 // At most one of the selector and targetRef can be set.
+ //
+ // NOTE: If you are using the `targetRef` field in a multi-revision environment with Istio versions prior to 1.20,
+ // it is highly recommended that you pin the authorization policy to a revision running 1.20+ via the istio.io/rev label.
+ // This is to prevent proxies connected to older istiod control planes (that don't know about the targetRef field)
+ // from misinterpreting the policy as namespace-wide during the upgrade process.
 istio.type.v1beta1.PolicyTargetReference targetRef = 5;
 
 // Optional. A list of rules to match the request. A match occurs when at least one rule matches the request.
diff --git a/security/v1beta1/request_authentication.pb.go b/security/v1beta1/request_authentication.pb.go
index 4b10c201f5..7b5a9173ad 100644
--- a/security/v1beta1/request_authentication.pb.go
+++ b/security/v1beta1/request_authentication.pb.go
@@ -545,7 +545,6 @@ type RequestAuthentication struct {
 //
 // If not set, the selector will match all workloads. At most one of the selector and targetRef can be set.
 Selector *v1beta1.WorkloadSelector `protobuf:"bytes,1,opt,name=selector,proto3" json:"selector,omitempty"`
- // $hide_from_docs
 // Optional. The targetRef specifies the gateway the policy should be
 // applied to. The targeted resource specified will determine which
 // workloads the request authentication policy to. The targeted resource
diff --git a/security/v1beta1/request_authentication.pb.html b/security/v1beta1/request_authentication.pb.html
index 7c7a884836..3cc676f972 100644
--- a/security/v1beta1/request_authentication.pb.html
+++ b/security/v1beta1/request_authentication.pb.html
@@ -405,6 +405,25 @@

RequestAuthentication

the selector will additionally match with workloads in all namespaces.

If not set, the selector will match all workloads. At most one of the selector and targetRef can be set.

+ + +No + + + +targetRef +PolicyTargetReference + +

Optional. The targetRef specifies the gateway the policy should be +applied to. The targeted resource specified will determine which +workloads the request authentication policy to. The targeted resource +must be a Gateway in the group gateway.networking.k8s.io. The +gateway must be in the same namespace as the request authentication +policy.

+

If not set, the policy is applied as defined by the selector. +At most one of the selector and targetRef can be set. +Waypoint proxies will not respect selectors even if they match.

+ No
diff --git a/security/v1beta1/request_authentication.proto b/security/v1beta1/request_authentication.proto
index 6dea373815..d5f3502cba 100644
--- a/security/v1beta1/request_authentication.proto
+++ b/security/v1beta1/request_authentication.proto
@@ -447,9 +447,8 @@ message RequestAuthentication {
 // If not set, the selector will match all workloads. At most one of the selector and targetRef can be set.
 istio.type.v1beta1.WorkloadSelector selector = 1;
 
- // $hide_from_docs
- // Optional. The targetRef specifies the gateway the policy should be
- // applied to. The targeted resource specified will determine which
+ // Optional. The targetRef specifies the gateway the policy should be
+ // applied to. The targeted resource specified will determine which
 // workloads the request authentication policy to. The targeted resource
 // must be a `Gateway` in the group `gateway.networking.k8s.io`. The
 // gateway must be in the same namespace as the request authentication