From 25ec80ecc4d3540bbadf72c1ba811ccd9671d3be Mon Sep 17 00:00:00 2001 From: Yossi Mesika Date: Thu, 5 Mar 2026 13:42:10 +0000 Subject: [PATCH 1/2] Add trustDomains and notTrustDomains to AuthzPolicy source --- kubernetes/customresourcedefinitions.gen.yaml | 20 ++++++++++ security/v1alpha1/ca_grpc.pb.go | 6 +-- security/v1beta1/authorization_policy.pb.go | 37 +++++++++++++++++-- security/v1beta1/authorization_policy.pb.html | 22 +++++++++++ security/v1beta1/authorization_policy.proto | 15 ++++++++ tests/testdata/authz-valid.yaml | 5 +++ 6 files changed, 98 insertions(+), 7 deletions(-) diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml index dea2de3fcc..dada168ca4 100644 --- a/kubernetes/customresourcedefinitions.gen.yaml +++ b/kubernetes/customresourcedefinitions.gen.yaml @@ -15287,6 +15287,11 @@ spec: type: string maxItems: 16 type: array + notTrustDomains: + description: Optional. + items: + type: string + type: array principals: description: Optional. items: @@ -15309,6 +15314,11 @@ spec: type: string maxItems: 16 type: array + trustDomains: + description: Optional. + items: + type: string + type: array type: object x-kubernetes-validations: - message: Cannot set serviceAccounts with namespaces @@ -15657,6 +15667,11 @@ spec: type: string maxItems: 16 type: array + notTrustDomains: + description: Optional. + items: + type: string + type: array principals: description: Optional. items: @@ -15679,6 +15694,11 @@ spec: type: string maxItems: 16 type: array + trustDomains: + description: Optional. + items: + type: string + type: array type: object x-kubernetes-validations: - message: Cannot set serviceAccounts with namespaces diff --git a/security/v1alpha1/ca_grpc.pb.go b/security/v1alpha1/ca_grpc.pb.go index d0dc59baac..59957ad976 100644 --- a/security/v1alpha1/ca_grpc.pb.go +++ b/security/v1alpha1/ca_grpc.pb.go 
@@ -14,7 +14,7 @@ // Code generated by protoc-gen-go-grpc. DO NOT EDIT. // versions: -// - protoc-gen-go-grpc v1.5.1 +// - protoc-gen-go-grpc v1.6.1 // - protoc (unknown) // source: security/v1alpha1/ca.proto @@ -85,7 +85,7 @@ type IstioCertificateServiceServer interface { type UnimplementedIstioCertificateServiceServer struct{} func (UnimplementedIstioCertificateServiceServer) CreateCertificate(context.Context, *IstioCertificateRequest) (*IstioCertificateResponse, error) { - return nil, status.Errorf(codes.Unimplemented, "method CreateCertificate not implemented") + return nil, status.Error(codes.Unimplemented, "method CreateCertificate not implemented") } func (UnimplementedIstioCertificateServiceServer) mustEmbedUnimplementedIstioCertificateServiceServer() { } @@ -99,7 +99,7 @@ type UnsafeIstioCertificateServiceServer interface { } func RegisterIstioCertificateServiceServer(s grpc.ServiceRegistrar, srv IstioCertificateServiceServer) { - // If the following call pancis, it indicates UnimplementedIstioCertificateServiceServer was + // If the following call panics, it indicates UnimplementedIstioCertificateServiceServer was // embedded by pointer and is nil. This will cause panics if an // unimplemented method is ever invoked, so we test this at initialization // time to prevent it from happening at runtime later due to I/O. diff --git a/security/v1beta1/authorization_policy.pb.go b/security/v1beta1/authorization_policy.pb.go index 6561500fc0..7c0cb4c684 100644 --- a/security/v1beta1/authorization_policy.pb.go +++ b/security/v1beta1/authorization_policy.pb.go 
@@ -680,8 +680,21 @@ type Source struct { RemoteIpBlocks []string `protobuf:"bytes,9,rep,name=remote_ip_blocks,json=remoteIpBlocks,proto3" json:"remote_ip_blocks,omitempty"` // Optional. A list of negative match of remote IP blocks. NotRemoteIpBlocks []string `protobuf:"bytes,10,rep,name=not_remote_ip_blocks,json=notRemoteIpBlocks,proto3" json:"not_remote_ip_blocks,omitempty"` - unknownFields protoimpl.UnknownFields - sizeCache protoimpl.SizeCache + // Optional. A list of trust domains derived from the peer certificate. + // Can be exact, prefix, suffix and presence. + // This field requires mTLS enabled and is the same as the `source.trustDomain` attribute. + // + // If not set, any trust domain is allowed. + // + // +cue-gen:AuthorizationPolicy:releaseChannel:extended + TrustDomains []string `protobuf:"bytes,13,rep,name=trust_domains,json=trustDomains,proto3" json:"trust_domains,omitempty"` + // Optional. A list of negative match of trust domains. + // Can be exact, prefix, suffix and presence. + // + // +cue-gen:AuthorizationPolicy:releaseChannel:extended + NotTrustDomains []string `protobuf:"bytes,14,rep,name=not_trust_domains,json=notTrustDomains,proto3" json:"not_trust_domains,omitempty"` + unknownFields protoimpl.UnknownFields + sizeCache protoimpl.SizeCache } func (x *Source) Reset() { @@ -798,6 +811,20 @@ func (x *Source) GetNotRemoteIpBlocks() []string { return nil } +func (x *Source) GetTrustDomains() []string { + if x != nil { + return x.TrustDomains + } + return nil +} + +func (x *Source) GetNotTrustDomains() []string { + if x != nil { + return x.NotTrustDomains + } + return nil +} + // Operation specifies the operations of a request. Fields in the operation are // ANDed together. // 
@@ -1179,7 +1206,7 @@ const file_security_v1beta1_authorization_policy_proto_rawDesc = "" + "\x04From\x126\n" + "\x06source\x18\x01 \x01(\v2\x1e.istio.security.v1beta1.SourceR\x06source\x1aE\n" + "\x02To\x12?\n" + - "\toperation\x18\x01 \x01(\v2!.istio.security.v1beta1.OperationR\toperation\"\xf4\x03\n" + + "\toperation\x18\x01 \x01(\v2!.istio.security.v1beta1.OperationR\toperation\"\xc5\x04\n" + "\x06Source\x12\x1e\n" + "\n" + "principals\x18\x01 \x03(\tR\n" + @@ -1197,7 +1224,9 @@ const file_security_v1beta1_authorization_policy_proto_rawDesc = "" + "\rnot_ip_blocks\x18\b \x03(\tR\vnotIpBlocks\x12(\n" + "\x10remote_ip_blocks\x18\t \x03(\tR\x0eremoteIpBlocks\x12/\n" + "\x14not_remote_ip_blocks\x18\n" + - " \x03(\tR\x11notRemoteIpBlocks\"\xdf\x01\n" + + " \x03(\tR\x11notRemoteIpBlocks\x12#\n" + + "\rtrust_domains\x18\r \x03(\tR\ftrustDomains\x12*\n" + + "\x11not_trust_domains\x18\x0e \x03(\tR\x0fnotTrustDomains\"\xdf\x01\n" + "\tOperation\x12\x14\n" + "\x05hosts\x18\x01 \x03(\tR\x05hosts\x12\x1b\n" + "\tnot_hosts\x18\x05 \x03(\tR\bnotHosts\x12\x14\n" + diff --git a/security/v1beta1/authorization_policy.pb.html b/security/v1beta1/authorization_policy.pb.html index b49ecc4c35..816b16428c 100644 --- a/security/v1beta1/authorization_policy.pb.html +++ b/security/v1beta1/authorization_policy.pb.html @@ -621,6 +621,28 @@

Source

A list of negative match of remote IP blocks.

+ + + +
+
string[]
+
+ +

A list of trust domains derived from the peer certificate. +Can be exact, prefix, suffix and presence. +This field requires mTLS enabled and is the same as the source.trustDomain attribute.

+

If not set, any trust domain is allowed.

+ + + + +
+
string[]
+
+ +

A list of negative match of trust domains. +Can be exact, prefix, suffix and presence.

+ diff --git a/security/v1beta1/authorization_policy.proto b/security/v1beta1/authorization_policy.proto index 025cc374bf..39a0b3da8b 100644 --- a/security/v1beta1/authorization_policy.proto +++ b/security/v1beta1/authorization_policy.proto @@ -506,6 +506,21 @@ message Source { // Optional. A list of negative match of remote IP blocks. repeated string not_remote_ip_blocks = 10; + + // Optional. A list of trust domains derived from the peer certificate. + // Can be exact, prefix, suffix and presence. + // This field requires mTLS enabled and is the same as the `source.trustDomain` attribute. + // + // If not set, any trust domain is allowed. + // + // +cue-gen:AuthorizationPolicy:releaseChannel:extended + repeated string trust_domains = 13; + + // Optional. A list of negative match of trust domains. + // Can be exact, prefix, suffix and presence. + // + // +cue-gen:AuthorizationPolicy:releaseChannel:extended + repeated string not_trust_domains = 14; } // Operation specifies the operations of a request. Fields in the operation are diff --git a/tests/testdata/authz-valid.yaml b/tests/testdata/authz-valid.yaml index 4cc7c692b7..347c9583a3 100644 --- a/tests/testdata/authz-valid.yaml +++ b/tests/testdata/authz-valid.yaml @@ -19,6 +19,8 @@ spec: notNamespaces: ["not-ns", "not-ns-prefix-*", "*-not-ns-suffix", "*"] notIpBlocks: ["9.0.0.1", "9.2.0.0/16"] notRemoteIpBlocks: ["9.0.0.1", "9.2.0.0/16"] + trustDomains: ["cluster.local", "cluster-prefix-*", "*-suffix-cluster", "*"] + notTrustDomains: ["not-cluster.local", "not-cluster-prefix-*", "*-not-suffix-cluster", "*"] to: - operation: methods: ["method", "method-prefix-*", "*-suffix-method", "*"] 
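Review bot: The comments on `trust_domains` and `not_trust_domains` do not say how a request that carries no trust domain (no peer certificate, i.e. plaintext) is treated, which matters most for the negative list: if these follow the `principals`/`not_principals` pattern, an absent attribute is not excluded by `not_trust_domains`, so a rule meant to fence out foreign trust domains would still admit plaintext callers unless mTLS is enforced separately. Worth stating next to the field, e.g. `// Requests without a trust domain (no mTLS) do not match trust_domains and are not excluded by not_trust_domains.` — confirm against the enforcement code, which is not in this series. Separately, the generated CRD hunk shows `maxItems: 16` on the list fields directly preceding `notTrustDomains` and `trustDomains` but none on the new fields; if that bound comes from an annotation on the sibling proto fields, the new fields probably need the same one. The enclosing `message Source` starts before this hunk.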
@@ -69,6 +71,9 @@ spec: - key: "connection.sni" values: ["exact.com", "*.suffix.com", "prefix.*", "*"] notValues: ["not-exact.com", "*.not-suffix.com", "not-prefix.*", "*"] + - key: "source.trustDomain" + values: ["cluster.local", "cluster-prefix-*", "*-suffix-cluster", "*"] + notValues: ["not-cluster.local", "not-cluster-prefix-*", "*-not-suffix-cluster", "*"] - key: "experimental.envoy.filters.a.b[c]" values: ["exact", "prefix-*", "*-suffix", "*"] notValues: ["not-exact", "not-prefix-*", "*-not-suffix", "*"] From a23a5bc7d3b28a0ca57056462867817b380479c7 Mon Sep 17 00:00:00 2001 From: Yossi Mesika Date: Mon, 9 Mar 2026 12:41:59 +0000 Subject: [PATCH 2/2] Release note and lint fix --- releasenotes/notes/add-trust-domains-to-authz-policy.yaml | 8 ++++++++ security/v1alpha1/ca_grpc.pb.go | 6 +++--- 2 files changed, 11 insertions(+), 3 deletions(-) create mode 100644 releasenotes/notes/add-trust-domains-to-authz-policy.yaml diff --git a/releasenotes/notes/add-trust-domains-to-authz-policy.yaml b/releasenotes/notes/add-trust-domains-to-authz-policy.yaml new file mode 100644 index 0000000000..1d83505021 --- /dev/null +++ b/releasenotes/notes/add-trust-domains-to-authz-policy.yaml @@ -0,0 +1,8 @@ +apiVersion: release-notes/v2 +kind: feature +area: security + +releaseNotes: + - | + **Added** `trustDomains` and `notTrustDomains` fields to the `Source` in `AuthorizationPolicy`, + allowing users to match or exclude requests based on the trust domain derived from the peer certificate. diff --git a/security/v1alpha1/ca_grpc.pb.go b/security/v1alpha1/ca_grpc.pb.go index 59957ad976..d0dc59baac 100644 --- a/security/v1alpha1/ca_grpc.pb.go +++ b/security/v1alpha1/ca_grpc.pb.go @@ -14,7 +14,7 @@ // Code generated by protoc-gen-go-grpc. DO NOT EDIT. // versions: -// - protoc-gen-go-grpc v1.6.1 +// - protoc-gen-go-grpc v1.5.1 // - protoc (unknown) // source: security/v1alpha1/ca.proto 
@@ -85,7 +85,7 @@ type IstioCertificateServiceServer interface { type UnimplementedIstioCertificateServiceServer struct{} func (UnimplementedIstioCertificateServiceServer) CreateCertificate(context.Context, *IstioCertificateRequest) (*IstioCertificateResponse, error) { - return nil, status.Error(codes.Unimplemented, "method CreateCertificate not implemented") + return nil, status.Errorf(codes.Unimplemented, "method CreateCertificate not implemented") } func (UnimplementedIstioCertificateServiceServer) mustEmbedUnimplementedIstioCertificateServiceServer() { } @@ -99,7 +99,7 @@ type UnsafeIstioCertificateServiceServer interface { } func RegisterIstioCertificateServiceServer(s grpc.ServiceRegistrar, srv IstioCertificateServiceServer) { - // If the following call panics, it indicates UnimplementedIstioCertificateServiceServer was + // If the following call pancis, it indicates UnimplementedIstioCertificateServiceServer was // embedded by pointer and is nil. This will cause panics if an // unimplemented method is ever invoked, so we test this at initialization // time to prevent it from happening at runtime later due to I/O.