{ "properties": { "spec": { "description": "Authorizes clients to communicate with Linkerd-proxied servers.", "properties": { "client": { "description": "Describes clients authorized to access a server.", "properties": { "meshTLS": { "properties": { "identities": { "description": "Authorizes clients with the provided proxy identity strings (as provided via MTLS)\nThe `*` prefix can be used to match all identities in a domain. An identity string of `*` indicates that all authentication clients are authorized.", "items": { "pattern": "^(\\*|[a-z0-9]([-a-z0-9]*[a-z0-9])?)(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "type": "array" }, "serviceAccounts": { "description": "Authorizes clients with the provided proxy identity service accounts (as provided via MTLS)", "items": { "properties": { "name": { "description": "The ServiceAccount's name.", "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", "type": "string" }, "namespace": { "description": "The ServiceAccount's namespace. If unset, the authorization's namespace is used.", "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array" }, "unauthenticatedTLS": { "description": "Indicates that no client identity is required for communication.\nThis is mostly important for the identity controller, which must terminate TLS connections from clients that do not yet have a certificate.", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "networks": { "description": "Limits the client IP addresses to which this authorization applies. If unset, the server chooses a default (typically, all IPs or the cluster's pod network).", "items": { "properties": { "cidr": { "type": "string" }, "except": { "items": { "type": "string" }, "type": "array" } }, "required": [ "cidr" ], "type": "object", "additionalProperties": false }, "type": "array" }, "unauthenticated": { "description": "Authorizes unauthenticated clients to access a server.", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "server": { "description": "Identifies servers in the same namespace for which this authorization applies.\nOnly one of `name` or `selector` may be specified.", "oneOf": [ { "required": [ "name" ] }, { "required": [ "selector" ] } ], "properties": { "name": { "description": "References a `Server` instance by name", "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?$", "type": "string" }, "selector": { "description": "A label query over servers on which this authorization applies.", "properties": { "matchExpressions": { "items": { "properties": { "key": { "type": "string" }, "operator": { "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "items": { "type": "string" }, "type": "array" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array" }, "matchLabels": { "type": "object", "x-kubernetes-preserve-unknown-fields": true } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false } }, "required": [ "server", "client" ], "type": "object", "additionalProperties": false } }, "required": [ "spec" ], "type": "object" }