NetworkSecurityAuthorizationPolicy
Property | Value |
---|---|
Google Cloud Service Name | Network Security |
Google Cloud Service Documentation | /traffic-director/docs/ |
Google Cloud REST Resource Name | v1beta1/projects.locations.authorizationPolicies |
Google Cloud REST Resource Documentation | /traffic-director/docs/reference/network-security/rest/v1beta1/projects.locations.authorizationPolicies |
Config Connector Resource Short Names | gcpnetworksecurityauthorizationpolicy gcpnetworksecurityauthorizationpolicies networksecurityauthorizationpolicy |
Config Connector Service Name | networksecurity.googleapis.com |
Config Connector Resource Fully Qualified Name | networksecurityauthorizationpolicies.networksecurity.cnrm.cloud.google.com |
Can Be Referenced by IAMPolicy/IAMPolicyMember | Yes |
IAMPolicy/IAMPartialPolicy Supports Conditions | Yes |
IAMPolicyMember Supports Conditions | No |
Supports IAM Audit Configs | No |
IAM External Reference Format |
projects/{{project}}/locations/{{location}}/authorizationPolicies/{{name}} |
Config Connector Default Average Reconcile Interval In Seconds | 600 |
Custom Resource Definition Properties
Spec
Schema
action: string
description: string
location: string
projectRef:
external: string
name: string
namespace: string
resourceID: string
rules:
- destinations:
- hosts:
- string
httpHeaderMatch:
headerName: string
regexMatch: string
methods:
- string
ports:
- integer
sources:
- ipBlocks:
- string
principals:
- string
Fields | |
---|---|
Required |
Required. The action to take when a rule match is found. Possible values are "ALLOW" or "DENY". Possible values: ACTION_UNSPECIFIED, ALLOW, DENY |
Optional |
Optional. Free-text description of the resource. |
Required |
Immutable. The location for the resource |
Required |
Immutable. The Project that this resource belongs to. |
Optional |
The project for the resource Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`). |
Optional |
Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names |
Optional |
Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/ |
Optional |
Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default. |
Optional |
Optional. List of rules to match. If not set, the action specified in the ‘action’ field will be applied without any additional rule checks. |
Optional |
|
Optional |
Optional. List of attributes for the traffic destination. If not set, the action specified in the ‘action’ field will be applied without any rule checks for the destination. |
Optional |
|
Required* |
Required. List of host names to match. Matched against HOST header in http requests. Each host can be an exact match, or a prefix match (example, “mydomain.*”) or a suffix match (example, *.myorg.com”) or a presence(any) match “*”. |
Required* |
|
Optional |
Optional. Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use cases. |
Required* |
Required. The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method". |
Required* |
Required. The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see: en.cppreference.com/w/cpp/regex/ecmascript For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier. |
Optional |
Optional. A list of HTTP methods to match. Should not be set for gRPC services. |
Optional |
|
Required* |
Required. List of destination ports to match. |
Required* |
|
Optional |
Optional. List of attributes for the traffic source. If not set, the action specified in the ‘action’ field will be applied without any rule checks for the source. |
Optional |
|
Optional |
Optional. List of CIDR ranges to match based on source IP address. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. |
Optional |
|
Optional |
Optional. List of peer identities to match for authorization. Each peer can be an exact match, or a prefix match (example, “namespace/*”) or a suffix match (example, */service-account”) or a presence match “*”. |
Optional |
|
* Field is required when parent field is specified
Status
Schema
conditions:
- lastTransitionTime: string
message: string
reason: string
status: string
type: string
createTime: string
observedGeneration: integer
updateTime: string
Fields | |
---|---|
conditions |
Conditions represent the latest available observation of the resource's current state. |
conditions[] |
|
conditions[].lastTransitionTime |
Last time the condition transitioned from one status to another. |
conditions[].message |
Human-readable message indicating details about last transition. |
conditions[].reason |
Unique, one-word, CamelCase reason for the condition's last transition. |
conditions[].status |
Status is the status of the condition. Can be True, False, Unknown. |
conditions[].type |
Type is the type of the condition. |
createTime |
Output only. The timestamp when the resource was created. |
observedGeneration |
ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource. |
updateTime |
Output only. The timestamp when the resource was updated. |
Sample YAML(s)
Typical Use Case
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: networksecurity.cnrm.cloud.google.com/v1beta1
kind: NetworkSecurityAuthorizationPolicy
metadata:
labels:
key-one: value-one
name: networksecurityauthorizationpolicy-sample
spec:
projectRef:
# Replace ${PROJECT_ID?} with your project ID
external: "projects/${PROJECT_ID?}"
location: global
action: ALLOW
description: Test Authorization Policy
rules:
- sources:
- ipBlocks:
- "1.2.3.4"
principals:
- "*"
destinations:
- hosts:
- "demo-service"
ports:
- 8080
methods:
- "POST"
- sources:
- ipBlocks:
- "1.2.3.5"
principals:
- "*"
destinations:
- hosts:
- "test-service"
ports:
- 8081
methods:
- "GET"