NetworkSecurityAuthorizationPolicy
| Property | Value |
|---|---|
| Google Cloud Service Name | Network Security |
| Google Cloud Service Documentation | /traffic-director/docs/ |
| Google Cloud REST Resource Name | v1beta1/projects.locations.authorizationPolicies |
| Google Cloud REST Resource Documentation | /traffic-director/docs/reference/network-security/rest/v1beta1/projects.locations.authorizationPolicies |
| Config Connector Resource Short Names | gcpnetworksecurityauthorizationpolicy gcpnetworksecurityauthorizationpolicies networksecurityauthorizationpolicy |
| Config Connector Service Name | networksecurity.googleapis.com |
| Config Connector Resource Fully Qualified Name | networksecurityauthorizationpolicies.networksecurity.cnrm.cloud.google.com |
| Can Be Referenced by IAMPolicy/IAMPolicyMember | Yes |
| IAMPolicy/IAMPartialPolicy Supports Conditions | Yes |
| IAMPolicyMember Supports Conditions | No |
| Supports IAM Audit Configs | No |
| IAM External Reference Format |
projects/{{project}}/locations/{{location}}/authorizationPolicies/{{name}} |
| Config Connector Default Average Reconcile Interval In Seconds | 600 |
Custom Resource Definition Properties
Spec
Schema
action: string
description: string
location: string
projectRef:
external: string
kind: string
name: string
namespace: string
resourceID: string
rules:
- destinations:
- hosts:
- string
httpHeaderMatch:
headerName: string
regexMatch: string
methods:
- string
ports:
- integer
sources:
- ipBlocks:
- string
principals:
- string
| Fields | |
|---|---|
|
Required |
Required. The action to take when a rule match is found. Possible values are "ALLOW" or "DENY". |
|
Optional |
Optional. Free-text description of the resource. |
|
Required |
Immutable. |
|
Required |
The Project that this resource belongs to. |
|
Optional |
The `projectID` field of a project, when not managed by Config Connector. |
|
Optional |
The kind of the Project resource; optional but must be `Project` if provided. |
|
Optional |
The `name` field of a `Project` resource. |
|
Optional |
The `namespace` field of a `Project` resource. |
|
Optional |
The NetworkSecurityAuthorizationPolicy name. If not given, the metadata.name will be used. |
|
Optional |
Optional. List of rules to match. Note that at least one of the rules must match in order for the action specified in the 'action' field to be taken. A rule is a match if there is a matching source and destination. If left blank, the action specified in the `action` field will be applied on every request. |
|
Optional |
|
|
Optional |
Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination. |
|
Optional |
|
|
Required* |
Required. List of host names to match. Matched against the ":authority" header in http requests. At least one host should match. Each host can be an exact match, or a prefix match (example "mydomain.*") or a suffix match (example "*.myorg.com") or a presence (any) match "*". |
|
Required* |
|
|
Optional |
Optional. Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use cases. At least one header should match. Avoid using header matches to make authorization decisions unless there is a strong guarantee that requests arrive through a trusted client or proxy. |
|
Required* |
Required. The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name ":authority". For matching a request's method, use the headerName ":method". |
|
Required* |
Required. The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see: en.cppreference.com/w/cpp/regex/ecmascript For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier. |
|
Optional |
Optional. A list of HTTP methods to match. At least one method should match. Should not be set for gRPC services. |
|
Optional |
|
|
Required* |
Required. List of destination ports to match. At least one port should match. |
|
Required* |
|
|
Optional |
Optional. List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ip_blocks match. If not set, the action specified in the 'action' field will be applied without any rule checks for the source. |
|
Optional |
|
|
Optional |
Optional. List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., "1.2.3.4") and CIDR (e.g., "1.2.3.0/24") are supported. Authorization based on source IP alone should be avoided. The IP addresses of any load balancers or proxies should be considered untrusted. |
|
Optional |
|
|
Optional |
Optional. List of peer identities to match for authorization. At least one principal should match. Each peer can be an exact match, or a prefix match (example, "namespace/*") or a suffix match (example, "*/service-account") or a presence match "*". Authorization based on the principal name without certificate validation (configured by ServerTlsPolicy resource) is considered insecure. |
|
Optional |
|
* Field is required when parent field is specified
Status
Schema
conditions:
- lastTransitionTime: string
message: string
reason: string
status: string
type: string
createTime: string
externalRef: string
observedGeneration: integer
updateTime: string
| Fields | |
|---|---|
conditions |
Conditions represent the latest available observations of the object's current state. |
conditions[] |
|
conditions[].lastTransitionTime |
Last time the condition transitioned from one status to another. |
conditions[].message |
Human-readable message indicating details about last transition. |
conditions[].reason |
Unique, one-word, CamelCase reason for the condition's last transition. |
conditions[].status |
Status is the status of the condition. Can be True, False, Unknown. |
conditions[].type |
Type is the type of the condition. |
createTime |
Output only. The timestamp when the resource was created. |
externalRef |
A unique specifier for the NetworkSecurityAuthorizationPolicy resource in GCP. |
observedGeneration |
ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource. |
updateTime |
Output only. The timestamp when the resource was updated. |
Sample YAML(s)
Typical Use Case
# Copyright 2021 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
apiVersion: networksecurity.cnrm.cloud.google.com/v1beta1
kind: NetworkSecurityAuthorizationPolicy
metadata:
labels:
key-one: value-one
name: networksecurityauthorizationpolicy-sample
spec:
projectRef:
# Replace ${PROJECT_ID?} with your project ID
external: "projects/${PROJECT_ID?}"
location: global
action: ALLOW
description: Test Authorization Policy
rules:
- sources:
- ipBlocks:
- "1.2.3.4"
principals:
- "*"
destinations:
- hosts:
- "demo-service"
ports:
- 8080
methods:
- "POST"
- sources:
- ipBlocks:
- "1.2.3.5"
principals:
- "*"
destinations:
- hosts:
- "test-service"
ports:
- 8081
methods:
- "GET"