Resource: ClientTlsPolicy
ClientTlsPolicy is a resource that specifies how a client should authenticate connections to the backends of a service. On its own it has no effect on configuration; it only takes effect once it is attached to a BackendService resource.
JSON representation:
{ "name": string, "description": string, "createTime": string, "updateTime": string, "labels": { string: string, ... }, "sni": string, "clientCertificate": { object (
| Field | Description |
|---|---|
| name | Required. Name of the ClientTlsPolicy resource. It matches the pattern |
| description | Optional. Free-text description of the resource. |
| createTime | Output only. The timestamp when the resource was created. A timestamp in RFC 3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| updateTime | Output only. The timestamp when the resource was last updated. A timestamp in RFC 3339 UTC "Zulu" format, with nanosecond resolution and up to nine fractional digits. Examples: |
| labels | Optional. Set of label tags associated with the resource. An object containing a list of |
| sni | Optional. Server Name Indication string to present to the server during the TLS handshake, e.g. "secure.example.com". |
| clientCertificate | Optional. Defines a mechanism to provision the client identity (public and private keys) for peer-to-peer authentication. The presence of this field enables mTLS: the client presents this certificate to the backend during the handshake. |
| serverValidationCa[] | Optional. Defines the mechanism to obtain the Certificate Authority certificate used to validate the server certificate. If empty, the client does not validate the server certificate at all: the connection is still encrypted, but the backend is unauthenticated and anyone able to intercept the traffic could impersonate it. Configure at least one validation CA for any backend whose identity matters. |
| targets[] | Optional. Defines the list of targets this policy should serve. A target can only be a BackendService and must be given as the fully qualified name of the BackendService, e.g.: projects/xxx/backendServices/locations/global/xxx. NOTE: The ClientTlsPolicy and the referenced BackendServices must be in the same project. This field is used only for the Google Service Mesh (GSM) product. |
| workloadContextSelectors[] | Optional. Selects the workloads to which the policy is applied for its targets. A policy without a WorkloadContextSelector is always applied to its targets when there is no conflict. If there are multiple WorkloadContextSelectors, the policy is applied to all targets if ANY of them matches; the selectors are therefore combined in an OR fashion. If multiple ClientTlsPolicy resources target the same BackendService, only one is effective, chosen by the following precedence: 1) A ClientTlsPolicy with workloadContextSelectors takes precedence first. 2) If several ClientTlsPolicy resources with matching workloadContextSelectors exist, the earliest created one takes precedence. 3) Otherwise, the ClientTlsPolicy without workloadContextSelectors applies. Attaching more than one ClientTlsPolicy without workloadContextSelectors to the same BackendService is currently not allowed. NOTE: For GSM use only. |
| subjectAltNames[] | Optional. A list of alternate names used to verify the server identity in the certificate. If specified, the client verifies that the server certificate's subject alternative name matches one of the specified values, and this list overrides subjectAltNames from BackendService.securitySettings.subjectAltNames[]. The domain names can either be an exact match (e.g. foo) or a suffix match (e.g. foo* or foo/*). Because this list replaces the BackendService setting rather than narrowing it, a broad wildcard here widens the set of server identities that every caller governed by the policy will accept. |
| internalCaller | Optional. A flag set to identify internal controllers. Setting it triggers a P4SA check to validate that the caller is an allowlisted service's P4SA, even if other optional fields are unset. |
WorkloadContextSelector
Determines which workloads a policy is applicable for.
JSON representation:
{
"metadataSelectors": [
{
object (
| Field | Description |
|---|---|
| metadataSelectors[] | Required. A map of metadata label values used to select workloads. If multiple MetadataSelectors are provided, all of them must match for the policy to be applied to this workload; the selectors are therefore combined in an AND fashion. |
MetadataSelector
This message type is used instead of a plain map so that additional fields, such as priority, can be added in the future.
JSON representation:
{ "key": string, "value": string }
| Field | Description |
|---|---|
| key | Required. The metadata field being selected on. |
| value | Required. The value this metadata field is compared with. |
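The OR/AND selector semantics and the precedence rules above interact in a way that is easy to get wrong: a later, more specific policy loses to an earlier, broader one as long as both match. The following is an added example, not Google's code, that models exactly the rules stated on this page (selector matching, effective-policy precedence, the suffix-match form of subjectAltNames) and lints a policy for the settings that weaken authentication. The policies, labels and BackendService name are constructed; the contents of clientCertificate and serverValidationCa are treated as opaque dicts because their schema is not shown here.

```python
"""Effective ClientTlsPolicy resolution and security lint (added example)."""
from datetime import datetime

# Constructed fully qualified BackendService name, following the format on this page.
BACKEND = "projects/example-project/backendServices/locations/global/payments-be"

POLICIES = [  # constructed sample policies, all targeting BACKEND
    {   # No selectors: fallback policy for every caller of BACKEND.
        # serverValidationCa and clientCertificate are deliberately absent.
        "name": "projects/example-project/locations/global/clientTlsPolicies/default",
        "createTime": "2024-01-10T08:00:00Z",
        "targets": [BACKEND],
        "sni": "payments.internal.example",
    },
    {   # One selector: env=prod.
        "name": "projects/example-project/locations/global/clientTlsPolicies/prod-all",
        "createTime": "2024-02-01T08:00:00Z",
        "targets": [BACKEND],
        "sni": "payments.internal.example",
        "clientCertificate": {"provider": "opaque"},          # shape assumed
        "serverValidationCa": [{"provider": "opaque"}],      # shape assumed
        "subjectAltNames": ["spiffe://example.org/ns/payments/*"],
        "workloadContextSelectors": [
            {"metadataSelectors": [{"key": "env", "value": "prod"}]},
        ],
    },
    {   # One selector requiring env=prod AND team=payments; created later.
        "name": "projects/example-project/locations/global/clientTlsPolicies/prod-payments",
        "createTime": "2024-03-15T08:00:00Z",
        "targets": [BACKEND],
        "clientCertificate": {"provider": "opaque"},
        "serverValidationCa": [{"provider": "opaque"}],
        "workloadContextSelectors": [
            {"metadataSelectors": [{"key": "env", "value": "prod"},
                                   {"key": "team", "value": "payments"}]},
        ],
    },
]


def _created(policy):
    # createTime is RFC 3339 UTC "Zulu"; normalize the Z suffix for fromisoformat.
    return datetime.fromisoformat(policy["createTime"].replace("Z", "+00:00"))


def selector_matches(selector, labels):
    """Every MetadataSelector inside one WorkloadContextSelector must match (AND)."""
    return all(labels.get(m["key"]) == m["value"] for m in selector["metadataSelectors"])


def policy_selects(policy, labels):
    """No selectors selects every workload; otherwise ANY selector suffices (OR)."""
    selectors = policy.get("workloadContextSelectors") or []
    return not selectors or any(selector_matches(s, labels) for s in selectors)


def effective_policy(policies, backend, labels):
    """Return the single policy governing a workload with `labels` calling `backend`.

    Precedence as stated on this page: selector-bearing matches first; among
    several, the earliest created; otherwise the selector-less policy; else None.
    """
    candidates = [p for p in policies
                  if backend in p.get("targets", []) and policy_selects(p, labels)]
    selected = [p for p in candidates if p.get("workloadContextSelectors")]
    fallback = [p for p in candidates if not p.get("workloadContextSelectors")]
    if len(fallback) > 1:
        # The page states this configuration is not allowed; refuse rather than guess.
        raise ValueError("more than one selector-less ClientTlsPolicy targets " + backend)
    if selected:
        return min(selected, key=_created)
    return fallback[0] if fallback else None


def san_matches(pattern, san):
    """subjectAltNames entry as described on this page: exact, or 'foo*' / 'foo/*' wildcard."""
    if pattern.endswith("*"):
        return san.startswith(pattern[:-1])
    return san == pattern


def lint_policy(policy):
    """Flag the settings on this page that remove or weaken authentication."""
    findings = []
    if not policy.get("serverValidationCa"):
        findings.append("serverValidationCa is empty: the server certificate is not validated")
    if not policy.get("clientCertificate"):
        findings.append("clientCertificate is unset: one-way TLS, not mTLS")
    for pat in policy.get("subjectAltNames", []):
        if pat == "*":  # under the wildcard rule above this accepts any server identity
            findings.append("subjectAltNames contains '*', which accepts any server identity")
    return findings


if __name__ == "__main__":
    for labels in ({"env": "prod", "team": "payments"}, {"env": "prod"}, {"env": "dev"}):
        chosen = effective_policy(POLICIES, BACKEND, labels)
        print(labels, "->", chosen["name"].rsplit("/", 1)[-1])
    for p in POLICIES:
        print(p["name"].rsplit("/", 1)[-1], lint_policy(p))
```

Note what the resolver shows for a prod/payments workload: both selector-bearing policies match, and the earlier, broader prod-all wins over the later, more specific prod-payments. If the intent was to give the payments team a stricter policy, creation order rather than specificity decides, so the stricter policy has to be the one created first, or the broader policy's selector has to exclude it.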
Methods
Creates a new ClientTlsPolicy in a given project and location.
Deletes a single ClientTlsPolicy.
Gets details of a single ClientTlsPolicy.
Gets the access control policy for a resource.
Lists ClientTlsPolicies in a given project and location.
Updates the parameters of a single ClientTlsPolicy.
Sets the access control policy on the specified resource.
Returns the permissions that a caller has on the specified resource.