
Commit eaf8bda

manual cherry-pick of istio#3184
1 parent b6815be commit eaf8bda

5 files changed, +47 -26 lines changed

security/v1/peer_authentication.pb.go

+10-5
Some generated files are not rendered by default.

security/v1/peer_authentication.proto

+10-5
@@ -26,14 +26,19 @@ package istio.security.v1;
2626

2727
option go_package="istio.io/api/security/v1";
2828

29-
// {{< warning >}}
30-
// Development of PeerAuthentication is currently frozen and likely to be replaced in Ambient.
31-
// {{< /warning >}}
32-
// PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
29+
// PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.
30+
//
31+
// In sidecar mode, PeerAuthentication determines whether or not mTLS is allowed or required
32+
// for connections to an Envoy proxy sidecar.
33+
//
34+
// In ambient mode, security is transparently enabled for a pod by the ztunnel node agent.
35+
// (Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.)
36+
// Because of this, `DISABLE` mode is not supported.
37+
// `STRICT` mode is useful to ensure that connections that bypass the mesh are not possible.
3338
//
3439
// Examples:
3540
//
36-
// Policy to allow mTLS traffic for all workloads under namespace `foo`:
41+
// Policy to require mTLS traffic for all workloads under namespace `foo`:
3742
// ```yaml
3843
// apiVersion: security.istio.io/v1
3944
// kind: PeerAuthentication
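
Review bot: The added ambient-mode paragraph states that `DISABLE` mode is not supported but does not say what happens to a policy that sets it (rejected at validation, ignored, or treated as a different mode), and it says nothing about the modes other than `DISABLE` and `STRICT`. Someone carrying sidecar policies over to ambient needs that spelled out, because a silently ignored `DISABLE` and a rejected one have very different operational results. The `STRICT` sentence would also be clearer if it stated the enforcement directly, for example "`STRICT` mode rejects connections that bypass the mesh", instead of "useful to ensure that ... are not possible". Since the example heading changes from "allow" to "require", please confirm the YAML below it actually sets the mode that requires mTLS.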

security/v1beta1/peer_authentication.pb.go

+9-5
Some generated files are not rendered by default.

security/v1beta1/peer_authentication.pb.html

+9-6
Some generated files are not rendered by default.

security/v1beta1/peer_authentication.proto

+9-5
@@ -25,14 +25,18 @@ package istio.security.v1beta1;
2525

2626
option go_package="istio.io/api/security/v1beta1";
2727

28-
// {{< warning >}}
29-
// Development of PeerAuthentication is currently frozen and likely to be replaced in Ambient.
30-
// {{< /warning >}}
31-
// PeerAuthentication defines how traffic will be tunneled (or not) to the sidecar.
28+
// PeerAuthentication defines mutual TLS (mTLS) requirements for incoming connections.
3229
//
30+
// In sidecar mode, PeerAuthentication determines whether or not mTLS is allowed or required
31+
// for connections to an Envoy proxy sidecar.
32+
//
33+
// In ambient mode, security is transparently enabled for a pod by the ztunnel node agent.
34+
// (Traffic between proxies uses the HBONE protocol, which includes encryption with mTLS.)
35+
// Because of this, `DISABLE` mode is not supported.
36+
// `STRICT` mode is useful to ensure that connections that bypass the mesh are not possible.//
3337
// Examples:
3438
//
35-
// Policy to allow mTLS traffic for all workloads under namespace `foo`:
39+
// Policy to require mTLS traffic for all workloads under namespace `foo`:
3640
// ```yaml
3741
// apiVersion: security.istio.io/v1
3842
// kind: PeerAuthentication
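
Review bot: On the added `STRICT` line (new line 36) a stray `//` is fused onto the end of the sentence ("... are not possible.//"), and the empty `//` comment line that separates this paragraph from `// Examples:` in the v1 file is missing here. Move the `//` onto its own line so the generated documentation does not run the `STRICT` sentence straight into "Examples:" and so the v1 and v1beta1 comments stay identical. The same open points as in the v1 file apply to the ambient paragraph: say what happens when `DISABLE` is set in ambient mode. Separately, the example in this v1beta1 file declares `apiVersion: security.istio.io/v1`; please confirm that is intentional.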
