Results 1 - 6 of 6 for SecretAllowed (0.15 sec)

  1. pilot/pkg/config/kube/gateway/model.go

    	Context GatewayContext
    }
    
    // Grants is the value type stored in AllowedReferences: one entry of the
    // reference-permission table that SecretAllowed consults.
    // NOTE(review): the code that reads these fields is not visible in this
    // excerpt; the field notes below are inferred from the names — confirm
    // against AllowedReferences.SecretAllowed.
    type Grants struct {
    	// AllowAll presumably permits every target name regardless of AllowedNames — TODO confirm.
    	// It is the widest grant this type can express, so code that sets it deserves review.
    	AllowAll     bool
    	// AllowedNames presumably lists the individual names permitted when AllowAll is false — TODO confirm.
    	AllowedNames sets.String
    }
    
    // AllowedReferences is a two-level lookup table: Reference -> Reference -> *Grants.
    // Its SecretAllowed method decides whether a namespace may use a given Secret resource.
    // NOTE(review): presumably the outer key is the referencing side and the inner key the
    // referenced target — confirm where the map is populated. A missing entry is expected to
    // mean "not allowed"; verify that lookups never treat an absent key or nil *Grants as a grant.
    type AllowedReferences map[Reference]map[Reference]*Grants
    
    func (refs AllowedReferences) SecretAllowed(resourceName string, namespace string) bool {
    	p, err := creds.ParseResourceName(resourceName, "", "", "")
    	if err != nil {
    		log.Warnf("failed to parse resource name %q: %v", resourceName, err)
    		return false
    	}
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Thu Mar 28 17:09:09 UTC 2024
    - 4K bytes
  2. pilot/pkg/config/kube/gateway/controller.go

    	}
    }
    
    // HasSynced reports true only when both c.cache and c.namespaces report
    // HasSynced. c.namespaces is not consulted if c.cache is not yet synced.
    func (c *Controller) HasSynced() bool {
    	if !c.cache.HasSynced() {
    		return false
    	}
    	return c.namespaces.HasSynced()
    }
    
    // SecretAllowed answers whether namespace may use the credential named by
    // resourceName, delegating the decision to the controller's current
    // AllowedReferences table.
    //
    // The read lock on stateMu is held for the whole lookup, so the decision is
    // made against a single consistent view of c.state.
    func (c *Controller) SecretAllowed(resourceName string, namespace string) bool {
    	c.stateMu.RLock()
    	defer c.stateMu.RUnlock()

    	refs := c.state.AllowedReferences
    	allowed := refs.SecretAllowed(resourceName, namespace)
    	return allowed
    }
    
    // namespaceEvent handles a namespace add/update. Gateways can select routes by label, so we need to handle
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Sat Mar 30 05:26:03 UTC 2024
    - 13.5K bytes
  3. pilot/pkg/model/context.go

    	Reconcile(ctx *PushContext) error
    	// SecretAllowed determines if an SDS credential is accessible to a given namespace.
    	// For example, for resourceName of `kubernetes-gateway://ns-name/secret-name` and namespace of `ingress-ns`,
    	// this would return true only if there was a policy allowing `ingress-ns` to access Secrets in the `ns-name` namespace.
    	SecretAllowed(resourceName string, namespace string) bool
    }
    
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Mon Jun 03 08:29:05 UTC 2024
    - 33.6K bytes
  4. pilot/pkg/config/kube/gateway/conversion_test.go

    			c := &Controller{
    				state: output,
    			}
    			for _, sc := range tt.expectations {
    				t.Run(fmt.Sprintf("%v/%v", sc.name, sc.namespace), func(t *testing.T) {
    					got := c.SecretAllowed(sc.name, sc.namespace)
    					if got != sc.allowed {
    						t.Fatalf("expected allowed=%v, got allowed=%v", sc.allowed, got)
    					}
    				})
    			}
    		})
    	}
    }
    
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Wed May 08 20:24:52 UTC 2024
    - 34.9K bytes
  5. pilot/pkg/config/kube/gateway/conversion.go

    		if err != nil {
    			return out, err
    		}
    		credNs := ptr.OrDefault((*string)(tls.CertificateRefs[0].Namespace), namespace)
    		sameNamespace := credNs == namespace
    		if !sameNamespace && !ctx.AllowedReferences.SecretAllowed(creds.ToResourceName(cred), namespace) {
    			return out, &ConfigError{
    				Reason: InvalidListenerRefNotPermitted,
    				Message: fmt.Sprintf(
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Fri Jun 14 04:34:37 UTC 2024
    - 84.7K bytes
  6. pilot/pkg/model/push_context.go

    	// Currently, only Secret has reference policy, and only implemented by Gateway API controller.
    	switch kind {
    	case gvk.Secret:
    		if ps.GatewayAPIController != nil {
    			return ps.GatewayAPIController.SecretAllowed(resourceName, namespace)
    		}
    	default:
    	}
    	return false
    }
    
    func (ps *PushContext) ServiceAccounts(hostname host.Name, namespace string) []string {
    	return ps.serviceAccounts[serviceAccountKey{
    Registered: Fri Jun 14 15:00:06 UTC 2024
    - Last Modified: Wed May 15 09:02:11 UTC 2024
    - 91.8K bytes