Workload Selector

WorkloadSelector

WorkloadSelector specifies the criteria used to determine if a policy can be applied to a proxy. The matching criteria include the metadata associated with a proxy, workload instance info such as labels attached to the pod/VM, or any other info that the proxy provides to Istio during the initial handshake. If multiple conditions are specified, all conditions need to match in order for the workload instance to be selected. Currently, only a label-based selection mechanism is supported.

| Field | Description |
|---|---|
| map<string, string> | One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. The scope of label search is restricted to the configuration namespace in which the resource is present. |

PortSelector

PortSelector is the criteria for specifying if a policy can be applied to a listener having a specific port.

| Field | Description |
|---|---|
| uint32 (Required) | Port number |

PolicyTargetReference

PolicyTargetReference format as defined by GEP-2648.

PolicyTargetReference specifies the targeted resource which the policy should be applied to. It must only target a single resource at a time, but it can be used to target larger resources such as Gateways that may apply to multiple child resources. The PolicyTargetReference will be used instead of a WorkloadSelector in the RequestAuthentication, AuthorizationPolicy, Telemetry, and WasmPlugin CRDs to target a Kubernetes Gateway.

The following is an example of an AuthorizationPolicy bound to a waypoint proxy using a PolicyTargetReference. The example sets action to DENY to create a deny policy. It denies all the requests with POST method on port 8080 directed through the waypoint Gateway in the foo namespace.

```yaml
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: httpbin
  namespace: foo
spec:
  targetRefs:
  - name: waypoint
    kind: Gateway
    group: gateway.networking.k8s.io
  action: DENY
  rules:
  - to:
    - operation:
        methods: ["POST"]
        ports: ["8080"]
```

When binding to a GatewayClass resource using PolicyTargetReference, your policy must be in the root namespace.

| Field | Description |
|---|---|
| string | group is the group of the target resource. |
| string (Required) | kind is kind of the target resource. |
| string (Required) | name is the name of the target resource. |
| string | namespace is the namespace of the referent. When unspecified, the local namespace is inferred. |
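
The field rules above (required kind and name, the inferred namespace, and the root-namespace requirement for GatewayClass bindings) can be checked before a policy is applied. The following is an added example, not part of the Istio documentation or code base: a Python linter over an already-parsed manifest. The function names, the sample class name example-class and the root namespace istio-system are assumptions.

```python
# Added example (not Istio code): lint the targetRefs of a policy manifest
# that has already been parsed into a dict.
ROOT_NAMESPACE = "istio-system"  # assumption: root namespace of the mesh

def lint_target_refs(policy, root_namespace=ROOT_NAMESPACE):
    """Return (resolved_refs, problems) for one policy dict."""
    policy_ns = policy.get("metadata", {}).get("namespace")
    resolved, problems = [], []
    if not policy_ns:
        return resolved, ["metadata.namespace is not set; cannot resolve targetRefs"]
    for i, ref in enumerate(policy.get("spec", {}).get("targetRefs") or []):
        # kind and name are marked Required in the field table; group is not.
        missing = [f for f in ("kind", "name") if not ref.get(f)]
        if missing:
            problems.append(f"targetRefs[{i}]: missing required {', '.join(missing)}")
            continue
        # Binding to a GatewayClass is only valid from the root namespace.
        if ref["kind"] == "GatewayClass" and policy_ns != root_namespace:
            problems.append(
                f"targetRefs[{i}]: GatewayClass binding from namespace "
                f"{policy_ns!r}; policy must be in {root_namespace!r}")
            continue
        resolved.append({
            "group": ref.get("group", ""),
            "kind": ref["kind"],
            "name": ref["name"],
            # An unspecified namespace is inferred as the policy's own namespace.
            "namespace": ref.get("namespace") or policy_ns,
        })
    return resolved, problems

def make_policy(namespace, *refs):
    """Build a minimal policy dict (constructed sample input)."""
    return {"metadata": {"namespace": namespace}, "spec": {"targetRefs": list(refs)}}

# The page's httpbin policy, reduced to the fields the linter reads.
PAGE_POLICY = make_policy("foo", {
    "name": "waypoint", "kind": "Gateway", "group": "gateway.networking.k8s.io"})
# Constructed samples: a GatewayClass binding outside the root namespace,
# and a reference without a name.
CLASS_REF = {"name": "example-class", "kind": "GatewayClass",
             "group": "gateway.networking.k8s.io"}
BAD_POLICY = make_policy("foo", CLASS_REF, {"kind": "Gateway"})

if __name__ == "__main__":
    for label, pol in (("page example", PAGE_POLICY), ("constructed", BAD_POLICY)):
        refs, problems = lint_target_refs(pol)
        print(label, "->", refs, problems)
```

A reference that fails a check is reported and left out of the resolved list, so a policy that would silently bind to nothing shows up in review instead of in production.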

WorkloadMode

WorkloadMode allows selection of the role of the underlying workload in network traffic. A workload is considered as acting as a SERVER if it is the destination of the traffic (that is, the traffic direction, from the perspective of the workload, is inbound). If the workload is the source of the network traffic, it is considered to be in CLIENT mode (traffic is outbound from the workload).

| Name | Description |
|---|---|
| UNDEFINED | Default value, which will be interpreted by its own usage. |
| CLIENT | Selects for scenarios when the workload is the source of the network traffic. In addition, if the workload is a gateway, selects this. |
| SERVER | Selects for scenarios when the workload is the destination of the network traffic. |
| CLIENT_AND_SERVER | Selects for scenarios when the workload is either the source or destination of the network traffic. |
