diff --git a/extensions/v1alpha1/wasm.pb.go b/extensions/v1alpha1/wasm.pb.go index b0b969c654..7bce2c26cb 100644 --- a/extensions/v1alpha1/wasm.pb.go +++ b/extensions/v1alpha1/wasm.pb.go @@ -559,7 +559,9 @@ type WasmPlugin struct { // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace. // * `kind: Service` with `group: ""` or `group: "core"` in the same namespace. This type is only supported for waypoints. + // * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set. diff --git a/extensions/v1alpha1/wasm.pb.html b/extensions/v1alpha1/wasm.pb.html index eda1b7898f..171c3a96f9 100644 --- a/extensions/v1alpha1/wasm.pb.html +++ b/extensions/v1alpha1/wasm.pb.html @@ -206,7 +206,9 @@
Currently, the following resource attachment types are supported:
kind: Gateway
with group: gateway.networking.k8s.io
in the same namespace.kind: GatewayClass
with group: gateway.networking.k8s.io
in the root namespace.kind: Service
with group: ""
or group: "core"
in the same namespace. This type is only supported for waypoints.kind: ServiceEntry
with group: networking.istio.io
in the same namespace.If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.
diff --git a/extensions/v1alpha1/wasm.proto b/extensions/v1alpha1/wasm.proto
index 1232fddad8..dfdfaef889 100644
--- a/extensions/v1alpha1/wasm.proto
+++ b/extensions/v1alpha1/wasm.proto
@@ -257,7 +257,9 @@ message WasmPlugin {
 //
 // Currently, the following resource attachment types are supported:
 // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+ // * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace.
 // * `kind: Service` with `group: ""` or `group: "core"` in the same namespace. This type is only supported for waypoints.
+ // * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace.
 //
 // If not set, the policy is applied as defined by the selector.
 // At most one of the selector and targetRefs can be set.
diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml
index c721143053..d17e91fe25 100644
--- a/kubernetes/customresourcedefinitions.gen.yaml
+++ b/kubernetes/customresourcedefinitions.gen.yaml
@@ -177,12 +177,6 @@ spec: - kind - name type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [["core", "Service"], ["", "Service"], - ["gateway.networking.k8s.io", "Gateway"], ["networking.istio.io", - "ServiceEntry"]]' targetRefs: description: Optional. items:
@@ -213,12 +207,6 @@ spec: - kind - name type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [["core", "Service"], ["", "Service"], - ["gateway.networking.k8s.io", "Gateway"], ["networking.istio.io", - "ServiceEntry"]]' maxItems: 16 type: array type: 
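Review bot: The bullet list in this targetRefs comment is now the only statement of which group/kind pairs are supported, because the same commit deletes the `x-kubernetes-validations` rule from the generated CRDs, so the schema no longer rejects a misspelled or unsupported kind (unless a webhook outside this diff still checks it). The identical comment change is made in envoy_filter.proto, authorization_policy.proto, request_authentication.proto and telemetry.proto; for AuthorizationPolicy and RequestAuthentication in particular, a policy that is admitted but attaches to nothing enforces nothing. The comment should state what the control plane does with a reference it does not recognise, for example `// References with any other group/kind are not rejected by the CRD schema; <state whether the policy is ignored or flagged in status>.` It would also help to confirm that an equivalent check, or at least a warning, exists somewhere other than the CRD before relying on this list.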
@@ -6439,12 +6427,6 @@ spec: - kind - name type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [["core", "Service"], ["", "Service"], - ["gateway.networking.k8s.io", "Gateway"], ["networking.istio.io", - "ServiceEntry"]]' maxItems: 16 type: array workloadSelector: @@ -14875,12 +14857,6 @@ spec: - kind - name type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [["core", "Service"], ["", "Service"], - ["gateway.networking.k8s.io", "Gateway"], ["networking.istio.io", - "ServiceEntry"]]' targetRefs: description: Optional. items: @@ -14911,12 +14887,6 @@ spec: - kind - name type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [["core", "Service"], ["", "Service"], - ["gateway.networking.k8s.io", "Gateway"], ["networking.istio.io", - "ServiceEntry"]]' maxItems: 16 type: array type: object @@ -15257,12 +15227,6 @@ spec: - kind - name type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [["core", "Service"], ["", "Service"], - ["gateway.networking.k8s.io", "Gateway"], ["networking.istio.io", - "ServiceEntry"]]' targetRefs: description: Optional. items: 
@@ -15293,12 +15257,6 @@ spec: - kind - name type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [["core", "Service"], ["", "Service"], - ["gateway.networking.k8s.io", "Gateway"], ["networking.istio.io", - "ServiceEntry"]]' maxItems: 16 type: array type: object @@ -15932,12 +15890,6 @@ spec: - kind - name type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [["core", "Service"], ["", "Service"], - ["gateway.networking.k8s.io", "Gateway"], ["networking.istio.io", - "ServiceEntry"]]' targetRefs: description: Optional. items: @@ -15968,12 +15920,6 @@ spec: - kind - name type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [["core", "Service"], ["", "Service"], - ["gateway.networking.k8s.io", "Gateway"], ["networking.istio.io", - "ServiceEntry"]]' maxItems: 16 type: array type: object @@ -16227,12 +16173,6 @@ spec: - kind - name type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [["core", "Service"], ["", "Service"], - ["gateway.networking.k8s.io", "Gateway"], ["networking.istio.io", - "ServiceEntry"]]' targetRefs: description: Optional. items: 
@@ -16263,12 +16203,6 @@ spec: - kind - name type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [["core", "Service"], ["", "Service"], - ["gateway.networking.k8s.io", "Gateway"], ["networking.istio.io", - "ServiceEntry"]]' maxItems: 16 type: array type: object @@ -16600,12 +16534,6 @@ spec: - kind - name type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [["core", "Service"], ["", "Service"], - ["gateway.networking.k8s.io", "Gateway"], ["networking.istio.io", - "ServiceEntry"]]' targetRefs: description: Optional. items: @@ -16636,12 +16564,6 @@ spec: - kind - name type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [["core", "Service"], ["", "Service"], - ["gateway.networking.k8s.io", "Gateway"], ["networking.istio.io", - "ServiceEntry"]]' maxItems: 16 type: array tracing: @@ -17060,12 +16982,6 @@ spec: - kind - name type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [["core", "Service"], ["", "Service"], - ["gateway.networking.k8s.io", "Gateway"], ["networking.istio.io", - "ServiceEntry"]]' targetRefs: description: Optional. items: 
@@ -17096,12 +17012,6 @@ spec: - kind - name type: object - x-kubernetes-validations: - - message: Support kinds are core/Service, networking.istio.io/ServiceEntry, - gateway.networking.k8s.io/Gateway - rule: '[self.group, self.kind] in [["core", "Service"], ["", "Service"], - ["gateway.networking.k8s.io", "Gateway"], ["networking.istio.io", - "ServiceEntry"]]' maxItems: 16 type: array tracing: diff --git a/networking/v1alpha3/envoy_filter.pb.go b/networking/v1alpha3/envoy_filter.pb.go index 9d5684cb18..665ef7c62d 100644 --- a/networking/v1alpha3/envoy_filter.pb.go +++ b/networking/v1alpha3/envoy_filter.pb.go @@ -838,7 +838,9 @@ type EnvoyFilter struct { // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace. // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints. + // * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set. diff --git a/networking/v1alpha3/envoy_filter.pb.html b/networking/v1alpha3/envoy_filter.pb.html index fbc73314f5..27a926a289 100644 --- a/networking/v1alpha3/envoy_filter.pb.html +++ b/networking/v1alpha3/envoy_filter.pb.html @@ -391,7 +391,9 @@Currently, the following resource attachment types are supported:
kind: Gateway
with group: gateway.networking.k8s.io
in the same namespace.kind: GatewayClass
with group: gateway.networking.k8s.io
in the root namespace.kind: Service
with ""
in the same namespace. This type is only supported for waypoints.kind: ServiceEntry
with group: networking.istio.io
in the same namespace.If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.
diff --git a/networking/v1alpha3/envoy_filter.proto b/networking/v1alpha3/envoy_filter.proto
index 1aff86589f..e309bf8309 100644
--- a/networking/v1alpha3/envoy_filter.proto
+++ b/networking/v1alpha3/envoy_filter.proto
@@ -856,7 +856,9 @@ message EnvoyFilter {
 //
 // Currently, the following resource attachment types are supported:
 // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+ // * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace.
 // * `kind: Service` with `""` in the same namespace. This type is only supported for waypoints.
+ // * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace.
 //
 // If not set, the policy is applied as defined by the selector.
 // At most one of the selector and targetRefs can be set.
diff --git a/releasenotes/notes/3412.yaml b/releasenotes/notes/3412.yaml
new file mode 100644
index 0000000000..8bdb489e48
--- /dev/null
+++ b/releasenotes/notes/3412.yaml
@@ -0,0 +1,8 @@
+apiVersion: release-notes/v2
+kind: feature
+area: traffic-management
+issue:
+ - https://github.com/istio/istio/issues/54696
+releaseNotes:
+- |
+ **Removed** CEL validation of group/kind for PolicyTargetReference to enable vendor extensions
diff --git a/security/v1beta1/authorization_policy.pb.go b/security/v1beta1/authorization_policy.pb.go
index cbd4290ce3..30c00af7f4 100644
--- a/security/v1beta1/authorization_policy.pb.go
+++ b/security/v1beta1/authorization_policy.pb.go
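Review bot: The added GatewayClass bullet in the envoy_filter.proto hunk reads as if the GatewayClass itself lives in the root namespace, but GatewayClass is a cluster-scoped resource and has no namespace. The constraint is on where the policy is created, which is how the PolicyTargetReference comment in selector.pb.go phrases it ("your policy must be in the root namespace"). I would reword the bullet to `// * kind: GatewayClass with group: gateway.networking.k8s.io; the policy itself must be in the root namespace.` (keeping the existing backtick markup). The same bullet is added in wasm.proto, authorization_policy.proto, request_authentication.proto and telemetry.proto, so the wording should be changed there as well.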
@@ -396,7 +396,9 @@ type AuthorizationPolicy struct { // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace. // * `kind: Service` with `group: ""` or `group: "core"` in the same namespace. This type is only supported for waypoints. + // * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set. diff --git a/security/v1beta1/authorization_policy.pb.html b/security/v1beta1/authorization_policy.pb.html index 8b9d9df943..0332da58b7 100644 --- a/security/v1beta1/authorization_policy.pb.html +++ b/security/v1beta1/authorization_policy.pb.html @@ -230,7 +230,9 @@Currently, the following resource attachment types are supported:
kind: Gateway
with group: gateway.networking.k8s.io
in the same namespace.kind: GatewayClass
with group: gateway.networking.k8s.io
in the root namespace.kind: Service
with group: ""
or group: "core"
in the same namespace. This type is only supported for waypoints.kind: ServiceEntry
with group: networking.istio.io
in the same namespace.If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.
diff --git a/security/v1beta1/authorization_policy.proto b/security/v1beta1/authorization_policy.proto
index c55021c98d..ba9afbb049 100644
--- a/security/v1beta1/authorization_policy.proto
+++ b/security/v1beta1/authorization_policy.proto
@@ -290,7 +290,9 @@ message AuthorizationPolicy {
 //
 // Currently, the following resource attachment types are supported:
 // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+ // * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace.
 // * `kind: Service` with `group: ""` or `group: "core"` in the same namespace. This type is only supported for waypoints.
+ // * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace.
 //
 // If not set, the policy is applied as defined by the selector.
 // At most one of the selector and targetRefs can be set.
diff --git a/security/v1beta1/request_authentication.pb.go b/security/v1beta1/request_authentication.pb.go
index af1d8adea6..51690369d1 100644
--- a/security/v1beta1/request_authentication.pb.go
+++ b/security/v1beta1/request_authentication.pb.go
@@ -279,7 +279,9 @@ type RequestAuthentication struct { // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace. // * `kind: Service` with `group: ""` or `group: "core"` in the same namespace. This type is only supported for waypoints. + // * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set.
diff --git a/security/v1beta1/request_authentication.pb.html b/security/v1beta1/request_authentication.pb.html
index 8482f4bca5..1b8531a708 100644
--- a/security/v1beta1/request_authentication.pb.html 
+++ b/security/v1beta1/request_authentication.pb.html @@ -228,7 +228,9 @@Currently, the following resource attachment types are supported:
kind: Gateway
with group: gateway.networking.k8s.io
in the same namespace.kind: GatewayClass
with group: gateway.networking.k8s.io
in the root namespace.kind: Service
with group: ""
or group: "core"
in the same namespace. This type is only supported for waypoints.kind: ServiceEntry
with group: networking.istio.io
in the same namespace.If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.
diff --git a/security/v1beta1/request_authentication.proto b/security/v1beta1/request_authentication.proto
index a7c4500244..444621682f 100644
--- a/security/v1beta1/request_authentication.proto
+++ b/security/v1beta1/request_authentication.proto
@@ -264,7 +264,9 @@ message RequestAuthentication {
 //
 // Currently, the following resource attachment types are supported:
 // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+ // * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace.
 // * `kind: Service` with `group: ""` or `group: "core"` in the same namespace. This type is only supported for waypoints.
+ // * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace.
 //
 // If not set, the policy is applied as defined by the selector.
 // At most one of the selector and targetRefs can be set.
diff --git a/telemetry/v1alpha1/telemetry.pb.go b/telemetry/v1alpha1/telemetry.pb.go
index efa2d29d55..537c756f3a 100644
--- a/telemetry/v1alpha1/telemetry.pb.go
+++ b/telemetry/v1alpha1/telemetry.pb.go
@@ -567,7 +567,9 @@ type Telemetry struct { // // Currently, the following resource attachment types are supported: // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace. + // * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace. // * `kind: Service` with `group: ""` or `group: "core"` in the same namespace. This type is only supported for waypoints. + // * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace. // // If not set, the policy is applied as defined by the selector. // At most one of the selector and targetRefs can be set.
diff --git a/telemetry/v1alpha1/telemetry.pb.html b/telemetry/v1alpha1/telemetry.pb.html
index defacc1aa4..4153a9b3e8 100644
--- a/telemetry/v1alpha1/telemetry.pb.html
+++ b/telemetry/v1alpha1/telemetry.pb.html 
@@ -228,7 +228,9 @@Currently, the following resource attachment types are supported:
kind: Gateway
with group: gateway.networking.k8s.io
in the same namespace.kind: GatewayClass
with group: gateway.networking.k8s.io
in the root namespace.kind: Service
with group: ""
or group: "core"
in the same namespace. This type is only supported for waypoints.kind: ServiceEntry
with group: networking.istio.io
in the same namespace.If not set, the policy is applied as defined by the selector. At most one of the selector and targetRefs can be set.
diff --git a/telemetry/v1alpha1/telemetry.proto b/telemetry/v1alpha1/telemetry.proto
index c162463296..fd476f6834 100644
--- a/telemetry/v1alpha1/telemetry.proto
+++ b/telemetry/v1alpha1/telemetry.proto
@@ -282,7 +282,9 @@ message Telemetry {
 //
 // Currently, the following resource attachment types are supported:
 // * `kind: Gateway` with `group: gateway.networking.k8s.io` in the same namespace.
+ // * `kind: GatewayClass` with `group: gateway.networking.k8s.io` in the root namespace.
 // * `kind: Service` with `group: ""` or `group: "core"` in the same namespace. This type is only supported for waypoints.
+ // * `kind: ServiceEntry` with `group: networking.istio.io` in the same namespace.
 //
 // If not set, the policy is applied as defined by the selector.
 // At most one of the selector and targetRefs can be set.
diff --git a/type/v1beta1/selector.pb.go b/type/v1beta1/selector.pb.go
index 3395f12400..d84a458146 100644
--- a/type/v1beta1/selector.pb.go
+++ b/type/v1beta1/selector.pb.go
@@ -248,7 +248,8 @@ func (x *PortSelector) GetNumber() uint32 { // ports: ["8080"] // // ``` -// +kubebuilder:validation:XValidation:message="Support kinds are core/Service, networking.istio.io/ServiceEntry, gateway.networking.k8s.io/Gateway",rule="[self.group, self.kind] in [['core','Service'], [”,'Service'], ['gateway.networking.k8s.io','Gateway'], ['networking.istio.io','ServiceEntry']]" +// +// When binding to a GatewayClass resource using PolicyTargetReference, your policy must be in the root namespace. type PolicyTargetReference struct { state protoimpl.MessageState `protogen:"open.v1"` // group is the group of the target resource.
diff --git a/type/v1beta1/selector.pb.html b/type/v1beta1/selector.pb.html
index eeabe97d6a..7caf080ba4 100644
--- a/type/v1beta1/selector.pb.html
+++ b/type/v1beta1/selector.pb.html
@@ -93,6 +93,7 @@When binding to a GatewayClass resource using PolicyTargetReference, your policy must be in the root namespace.