{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://github.com/api-evangelist/istio/blob/main/json-schema/authorization-policy.json", "title": "Istio AuthorizationPolicy", "description": "An AuthorizationPolicy enables access control on workloads in the mesh. Each policy names an action (ALLOW, DENY, AUDIT, or CUSTOM) that is applied to requests matching its rules, where a rule is expressed as source (from), operation (to), and condition (when) constraints.", "type": "object", "properties": { "selector": { "type": "object", "properties": { "matchLabels": { "type": "object", "additionalProperties": { "type": "string" }, "description": "One or more labels identifying the set of pods/VMs to which the policy is applied." } }, "description": "Workload selector that restricts the policy to specific workloads." }, "targetRefs": { "type": "array", "items": { "type": "object", "properties": { "group": { "type": "string", "description": "Group of the target resource." }, "kind": { "type": "string", "description": "Kind of the target resource." }, "name": { "type": "string", "description": "Name of the target resource." } } }, "description": "Target references that attach the policy to specific resources." }, "action": { "type": "string", "enum": ["ALLOW", "DENY", "AUDIT", "CUSTOM"], "description": "The action to take when a rule is matched. Default is ALLOW. For CUSTOM, the external authorization provider to consult is named in `provider`." }, "provider": { "type": "object", "properties": { "name": { "type": "string", "description": "The name of the extension provider. Used when action is CUSTOM." } }, "description": "Specifies the external authorization provider consulted when action is CUSTOM." }, "rules": { "type": "array", "items": { "$ref": "#/$defs/Rule" }, "description": "A list of rules; the policy's action is applied to a request that matches one of them." 
} }, "$defs": { "Rule": { "type": "object", "properties": { "from": { "type": "array", "items": { "type": "object", "properties": { "source": { "type": "object", "properties": { "principals": { "type": "array", "items": { "type": "string" }, "description": "A list of peer identities derived from the peer certificate." }, "notPrincipals": { "type": "array", "items": { "type": "string" }, "description": "Negative match: a list of peer identities that must not match." }, "requestPrincipals": { "type": "array", "items": { "type": "string" }, "description": "A list of request identities derived from the JWT." }, "notRequestPrincipals": { "type": "array", "items": { "type": "string" }, "description": "Negative match: a list of request identities that must not match." }, "namespaces": { "type": "array", "items": { "type": "string" }, "description": "A list of namespaces derived from the peer certificate." }, "notNamespaces": { "type": "array", "items": { "type": "string" }, "description": "Negative match: a list of namespaces that must not match." }, "ipBlocks": { "type": "array", "items": { "type": "string" }, "description": "A list of IP blocks in CIDR format, matched against the immediate peer's address (contrast with the original client address in remoteIpBlocks)." }, "notIpBlocks": { "type": "array", "items": { "type": "string" }, "description": "Negative match: a list of IP blocks in CIDR format that must not match." }, "remoteIpBlocks": { "type": "array", "items": { "type": "string" }, "description": "A list of remote (original client) IP blocks in CIDR format. The remote address is typically recovered from forwarded-client information rather than from the connection itself, so rules on it are only as trustworthy as the proxy's handling of that information." }, "notRemoteIpBlocks": { "type": "array", "items": { "type": "string" }, "description": "Negative match: a list of remote IP blocks in CIDR format that must not match." } } } } }, "description": "Constraints on the source of a request (from)." }, "to": { "type": "array", "items": { "type": "object", "properties": { "operation": { "type": "object", "properties": { "hosts": { "type": "array", "items": { "type": "string" }, "description": "A list of hosts as specified in the HTTP request." }, "notHosts": { "type": "array", "items": { "type": "string" }, "description": "Negative match: a list of hosts that must not match." 
}, "ports": { "type": "array", "items": { "type": "string" }, "description": "A list of ports as specified in the connection." }, "notPorts": { "type": "array", "items": { "type": "string" }, "description": "Negative match: a list of ports that must not match." }, "methods": { "type": "array", "items": { "type": "string" }, "description": "A list of methods as specified in the HTTP request." }, "notMethods": { "type": "array", "items": { "type": "string" }, "description": "Negative match: a list of methods that must not match." }, "paths": { "type": "array", "items": { "type": "string" }, "description": "A list of paths as specified in the HTTP request. The path is client-supplied, so consider how the proxy normalizes it (percent-encoding, dot segments, case) before relying on a path-based DENY rule." }, "notPaths": { "type": "array", "items": { "type": "string" }, "description": "Negative match: a list of paths that must not match." } } } } }, "description": "Constraints on the operation of a request (to)." }, "when": { "type": "array", "items": { "type": "object", "properties": { "key": { "type": "string", "description": "The name of the Istio attribute to evaluate." }, "values": { "type": "array", "items": { "type": "string" }, "description": "A list of values the attribute may take for the condition to match." }, "notValues": { "type": "array", "items": { "type": "string" }, "description": "Negative match: a list of values the attribute must not take." } }, "required": ["key"] }, "description": "Additional conditions for the rule, expressed as attribute constraints (when)." } } } } }