From d3964748b97db21f55efe2a72df7a199b97e92e3 Mon Sep 17 00:00:00 2001
From: Kuat Yessenov
Date: Thu, 25 May 2023 12:28:31 -0700
Subject: [PATCH 1/2] wasm: add restrictions
Signed-off-by: Kuat Yessenov
---
extensions/v1alpha1/wasm.gen.json | 46 ++
extensions/v1alpha1/wasm.pb.go | 440 ++++++++++++++----
extensions/v1alpha1/wasm.pb.html | 164 ++++++-
extensions/v1alpha1/wasm.proto | 47 ++
extensions/v1alpha1/wasm_deepcopy.gen.go | 42 ++
extensions/v1alpha1/wasm_json.gen.go | 22 +
kubernetes/customresourcedefinitions.gen.yaml | 29 ++
proto.lock | 61 +++
8 files changed, 764 insertions(+), 87 deletions(-)
diff --git a/extensions/v1alpha1/wasm.gen.json b/extensions/v1alpha1/wasm.gen.json
index 80e9e0c296a..9bfcaf59043 100644
--- a/extensions/v1alpha1/wasm.gen.json
+++ b/extensions/v1alpha1/wasm.gen.json
@@ -6,6 +6,24 @@
},
"components": {
"schemas": {
+ "istio.extensions.v1alpha1.CapabilityRestriction": {
+ "description": "Capability restriction enforces limits on the Wasm ABI calls.",
+ "type": "object",
+ "properties": {
+ "set": {
+ "$ref": "#/components/schemas/istio.extensions.v1alpha1.CapabilitySet"
+ }
+ }
+ },
+ "istio.extensions.v1alpha1.CapabilitySet": {
+ "description": "A set of capabilities in the increasing order.",
+ "type": "string",
+ "enum": [
+ "DEFAULT",
+ "BASIC",
+ "ADVANCED"
+ ]
+ },
"istio.extensions.v1alpha1.EnvValueSource": {
"type": "string",
"enum": [
@@ -29,6 +47,28 @@
}
}
},
+ "istio.extensions.v1alpha1.EventRestriction": {
+ "description": "Event restrictions enforces limits on the callback to the Wasm module.",
+ "type": "object",
+ "properties": {
+ "OnRequestHeaders": {
+ "description": "Trigger Wasm execution on receiving the request headers.",
+ "type": "boolean"
+ },
+ "OnRequestBody": {
+ "description": "Trigger Wasm execution on receiving the request body.",
+ "type": "boolean"
+ },
+ "OnResponseHeaders": {
+ "description": "Trigger Wasm execution on receiving the response headers.",
+ "type": "boolean"
+ },
+ "OnResponseBody": {
+ "description": "Trigger Wasm execution on receiving the response body.",
+ "type": "boolean"
+ }
+ }
+ },
"istio.extensions.v1alpha1.PluginPhase": {
"description": "The phase in the filter chain where the plugin will be injected.",
"type": "string",
@@ -112,6 +152,12 @@
"items": {
"$ref": "#/components/schemas/istio.extensions.v1alpha1.WasmPlugin.TrafficSelector"
}
+ },
+ "capabilities": {
+ "$ref": "#/components/schemas/istio.extensions.v1alpha1.CapabilityRestriction"
+ },
+ "events": {
+ "$ref": "#/components/schemas/istio.extensions.v1alpha1.EventRestriction"
}
}
},
diff --git a/extensions/v1alpha1/wasm.pb.go b/extensions/v1alpha1/wasm.pb.go
index 10d7ccce6f0..fb222566f3f 100644
--- a/extensions/v1alpha1/wasm.pb.go
+++ b/extensions/v1alpha1/wasm.pb.go
@@ -224,6 +224,68 @@ const (
_ = protoimpl.EnforceVersion(protoimpl.MaxVersion - 20)
)
+// A set of capabilities in the increasing order.
+type CapabilitySet int32
+
+const (
+ // The default set is the safe and the recommended setting.
+ // The following ABI calls are permitted:
+ // * logging;
+ // * property read.
+ CapabilitySet_DEFAULT CapabilitySet = 0
+ // The basic set is the superset of the default set with extra capabilities that can cause
+ // stability or performance problems.
+ // The following additional ABI calls are permitted:
+ // * metrics;
+ // * timers;
+ // * side requests (HTTP and gRPC).
+ CapabilitySet_BASIC CapabilitySet = 1
+ // The advanced set has no restrictions on the ABI calls. This is not
+ // recommended for use with untrusted modules.
+ CapabilitySet_ADVANCED CapabilitySet = 2
+)
+
+// Enum value maps for CapabilitySet.
+var (
+ CapabilitySet_name = map[int32]string{
+ 0: "DEFAULT",
+ 1: "BASIC",
+ 2: "ADVANCED",
+ }
+ CapabilitySet_value = map[string]int32{
+ "DEFAULT": 0,
+ "BASIC": 1,
+ "ADVANCED": 2,
+ }
+)
+
+func (x CapabilitySet) Enum() *CapabilitySet {
+ p := new(CapabilitySet)
+ *p = x
+ return p
+}
+
+func (x CapabilitySet) String() string {
+ return protoimpl.X.EnumStringOf(x.Descriptor(), protoreflect.EnumNumber(x))
+}
+
+func (CapabilitySet) Descriptor() protoreflect.EnumDescriptor {
+ return file_extensions_v1alpha1_wasm_proto_enumTypes[0].Descriptor()
+}
+
+func (CapabilitySet) Type() protoreflect.EnumType {
+ return &file_extensions_v1alpha1_wasm_proto_enumTypes[0]
+}
+
+func (x CapabilitySet) Number() protoreflect.EnumNumber {
+ return protoreflect.EnumNumber(x)
+}
+
+// Deprecated: Use CapabilitySet.Descriptor instead.
+func (CapabilitySet) EnumDescriptor() ([]byte, []int) {
+ return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{0}
+}
+
// The phase in the filter chain where the plugin will be injected.
type PluginPhase int32
@@ -267,11 +329,11 @@ func (x PluginPhase) String() string {
}
func (PluginPhase) Descriptor() protoreflect.EnumDescriptor {
- return file_extensions_v1alpha1_wasm_proto_enumTypes[0].Descriptor()
+ return file_extensions_v1alpha1_wasm_proto_enumTypes[1].Descriptor()
}
func (PluginPhase) Type() protoreflect.EnumType {
- return &file_extensions_v1alpha1_wasm_proto_enumTypes[0]
+ return &file_extensions_v1alpha1_wasm_proto_enumTypes[1]
}
func (x PluginPhase) Number() protoreflect.EnumNumber {
@@ -280,7 +342,7 @@ func (x PluginPhase) Number() protoreflect.EnumNumber {
// Deprecated: Use PluginPhase.Descriptor instead.
func (PluginPhase) EnumDescriptor() ([]byte, []int) {
- return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{0}
+ return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{1}
}
// The pull behaviour to be applied when fetching a Wam module,
@@ -329,11 +391,11 @@ func (x PullPolicy) String() string {
}
func (PullPolicy) Descriptor() protoreflect.EnumDescriptor {
- return file_extensions_v1alpha1_wasm_proto_enumTypes[1].Descriptor()
+ return file_extensions_v1alpha1_wasm_proto_enumTypes[2].Descriptor()
}
func (PullPolicy) Type() protoreflect.EnumType {
- return &file_extensions_v1alpha1_wasm_proto_enumTypes[1]
+ return &file_extensions_v1alpha1_wasm_proto_enumTypes[2]
}
func (x PullPolicy) Number() protoreflect.EnumNumber {
@@ -342,7 +404,7 @@ func (x PullPolicy) Number() protoreflect.EnumNumber {
// Deprecated: Use PullPolicy.Descriptor instead.
func (PullPolicy) EnumDescriptor() ([]byte, []int) {
- return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{1}
+ return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{2}
}
type EnvValueSource int32
@@ -377,11 +439,11 @@ func (x EnvValueSource) String() string {
}
func (EnvValueSource) Descriptor() protoreflect.EnumDescriptor {
- return file_extensions_v1alpha1_wasm_proto_enumTypes[2].Descriptor()
+ return file_extensions_v1alpha1_wasm_proto_enumTypes[3].Descriptor()
}
func (EnvValueSource) Type() protoreflect.EnumType {
- return &file_extensions_v1alpha1_wasm_proto_enumTypes[2]
+ return &file_extensions_v1alpha1_wasm_proto_enumTypes[3]
}
func (x EnvValueSource) Number() protoreflect.EnumNumber {
@@ -390,7 +452,7 @@ func (x EnvValueSource) Number() protoreflect.EnumNumber {
// Deprecated: Use EnvValueSource.Descriptor instead.
func (EnvValueSource) EnumDescriptor() ([]byte, []int) {
- return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{2}
+ return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{3}
}
// WasmPlugins provides a mechanism to extend the functionality provided by
@@ -497,6 +559,12 @@ type WasmPlugin struct {
// If a traffic satisfies any of TrafficSelectors,
// the traffic passes the WasmPlugin.
Match []*WasmPlugin_TrafficSelector `protobuf:"bytes,12,rep,name=match,proto3" json:"match,omitempty"`
+ // Specifies the restrictions on the execution of the module via limiting access
+ // to the host ABI calls. Must be set.
+ Capabilities *CapabilityRestriction `protobuf:"bytes,13,opt,name=capabilities,proto3" json:"capabilities,omitempty"`
+ // Specifies the restrictions on the callbacks from the host to the module.
+ // If not set, places no restrictions.
+ Events *EventRestriction `protobuf:"bytes,14,opt,name=events,proto3" json:"events,omitempty"`
}
func (x *WasmPlugin) Reset() {
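Review bot: The comment on `Capabilities` says "Must be set", but the field is an optional message pointer and nothing visible here enforces that; through the generated getters, a nil `Capabilities` reads as `CapabilitySet_DEFAULT`, so the contract and the observable behaviour disagree. For `Events`, nil versus empty is security-relevant: unset is documented as "no restrictions", while a present message with all four booleans at their proto3 zero value presumably delivers no callbacks at all, which could silently stop an authentication or authorization plugin from running. This file is generated, so the wording belongs in wasm.proto; I would spell out both cases there, e.g. `// If unset, the DEFAULT capability set applies.` (or keep "Must be set" and reject unset in validation) and `// If set, only callbacks whose field is true are delivered; an empty message delivers none.`. The WasmPlugin struct begins outside this hunk.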
@@ -615,6 +683,145 @@ func (x *WasmPlugin) GetMatch() []*WasmPlugin_TrafficSelector {
return nil
}
+func (x *WasmPlugin) GetCapabilities() *CapabilityRestriction {
+ if x != nil {
+ return x.Capabilities
+ }
+ return nil
+}
+
+func (x *WasmPlugin) GetEvents() *EventRestriction {
+ if x != nil {
+ return x.Events
+ }
+ return nil
+}
+
+// Capability restriction enforces limits on the Wasm ABI calls.
+type CapabilityRestriction struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // The capability group to limit the ABI calls.
+ Set CapabilitySet `protobuf:"varint,1,opt,name=set,proto3,enum=istio.extensions.v1alpha1.CapabilitySet" json:"set,omitempty"`
+}
+
+func (x *CapabilityRestriction) Reset() {
+ *x = CapabilityRestriction{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[1]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *CapabilityRestriction) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*CapabilityRestriction) ProtoMessage() {}
+
+func (x *CapabilityRestriction) ProtoReflect() protoreflect.Message {
+ mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[1]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use CapabilityRestriction.ProtoReflect.Descriptor instead.
+func (*CapabilityRestriction) Descriptor() ([]byte, []int) {
+ return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{1}
+}
+
+func (x *CapabilityRestriction) GetSet() CapabilitySet {
+ if x != nil {
+ return x.Set
+ }
+ return CapabilitySet_DEFAULT
+}
+
+// Event restrictions enforces limits on the callback to the Wasm module.
+type EventRestriction struct {
+ state protoimpl.MessageState
+ sizeCache protoimpl.SizeCache
+ unknownFields protoimpl.UnknownFields
+
+ // Trigger Wasm execution on receiving the request headers.
+ OnRequestHeaders bool `protobuf:"varint,1,opt,name=OnRequestHeaders,proto3" json:"OnRequestHeaders,omitempty"`
+ // Trigger Wasm execution on receiving the request body.
+ OnRequestBody bool `protobuf:"varint,2,opt,name=OnRequestBody,proto3" json:"OnRequestBody,omitempty"`
+ // Trigger Wasm execution on receiving the response headers.
+ OnResponseHeaders bool `protobuf:"varint,3,opt,name=OnResponseHeaders,proto3" json:"OnResponseHeaders,omitempty"`
+ // Trigger Wasm execution on receiving the response body.
+ OnResponseBody bool `protobuf:"varint,4,opt,name=OnResponseBody,proto3" json:"OnResponseBody,omitempty"`
+}
+
+func (x *EventRestriction) Reset() {
+ *x = EventRestriction{}
+ if protoimpl.UnsafeEnabled {
+ mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[2]
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ ms.StoreMessageInfo(mi)
+ }
+}
+
+func (x *EventRestriction) String() string {
+ return protoimpl.X.MessageStringOf(x)
+}
+
+func (*EventRestriction) ProtoMessage() {}
+
+func (x *EventRestriction) ProtoReflect() protoreflect.Message {
+ mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[2]
+ if protoimpl.UnsafeEnabled && x != nil {
+ ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+ if ms.LoadMessageInfo() == nil {
+ ms.StoreMessageInfo(mi)
+ }
+ return ms
+ }
+ return mi.MessageOf(x)
+}
+
+// Deprecated: Use EventRestriction.ProtoReflect.Descriptor instead.
+func (*EventRestriction) Descriptor() ([]byte, []int) {
+ return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{2}
+}
+
+func (x *EventRestriction) GetOnRequestHeaders() bool {
+ if x != nil {
+ return x.OnRequestHeaders
+ }
+ return false
+}
+
+func (x *EventRestriction) GetOnRequestBody() bool {
+ if x != nil {
+ return x.OnRequestBody
+ }
+ return false
+}
+
+func (x *EventRestriction) GetOnResponseHeaders() bool {
+ if x != nil {
+ return x.OnResponseHeaders
+ }
+ return false
+}
+
+func (x *EventRestriction) GetOnResponseBody() bool {
+ if x != nil {
+ return x.OnResponseBody
+ }
+ return false
+}
+
// Configuration for a Wasm VM.
// more details can be found [here](https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/wasm/v3/wasm.proto#extensions-wasm-v3-vmconfig).
type VmConfig struct {
@@ -630,7 +837,7 @@ type VmConfig struct {
func (x *VmConfig) Reset() {
*x = VmConfig{}
if protoimpl.UnsafeEnabled {
- mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[1]
+ mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[3]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -643,7 +850,7 @@ func (x *VmConfig) String() string {
func (*VmConfig) ProtoMessage() {}
func (x *VmConfig) ProtoReflect() protoreflect.Message {
- mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[1]
+ mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[3]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -656,7 +863,7 @@ func (x *VmConfig) ProtoReflect() protoreflect.Message {
// Deprecated: Use VmConfig.ProtoReflect.Descriptor instead.
func (*VmConfig) Descriptor() ([]byte, []int) {
- return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{1}
+ return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{3}
}
func (x *VmConfig) GetEnv() []*EnvVar {
@@ -686,7 +893,7 @@ type EnvVar struct {
func (x *EnvVar) Reset() {
*x = EnvVar{}
if protoimpl.UnsafeEnabled {
- mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[2]
+ mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[4]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -699,7 +906,7 @@ func (x *EnvVar) String() string {
func (*EnvVar) ProtoMessage() {}
func (x *EnvVar) ProtoReflect() protoreflect.Message {
- mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[2]
+ mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[4]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -712,7 +919,7 @@ func (x *EnvVar) ProtoReflect() protoreflect.Message {
// Deprecated: Use EnvVar.ProtoReflect.Descriptor instead.
func (*EnvVar) Descriptor() ([]byte, []int) {
- return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{2}
+ return file_extensions_v1alpha1_wasm_proto_rawDescGZIP(), []int{4}
}
func (x *EnvVar) GetName() string {
@@ -764,7 +971,7 @@ type WasmPlugin_TrafficSelector struct {
func (x *WasmPlugin_TrafficSelector) Reset() {
*x = WasmPlugin_TrafficSelector{}
if protoimpl.UnsafeEnabled {
- mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[3]
+ mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[5]
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
ms.StoreMessageInfo(mi)
}
@@ -777,7 +984,7 @@ func (x *WasmPlugin_TrafficSelector) String() string {
func (*WasmPlugin_TrafficSelector) ProtoMessage() {}
func (x *WasmPlugin_TrafficSelector) ProtoReflect() protoreflect.Message {
- mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[3]
+ mi := &file_extensions_v1alpha1_wasm_proto_msgTypes[5]
if protoimpl.UnsafeEnabled && x != nil {
ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
if ms.LoadMessageInfo() == nil {
@@ -819,7 +1026,7 @@ var file_extensions_v1alpha1_wasm_proto_rawDesc = []byte{
0x67, 0x6c, 0x65, 0x2f, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x62, 0x75, 0x66, 0x2f, 0x73, 0x74, 0x72,
0x75, 0x63, 0x74, 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x1a, 0x1b, 0x74, 0x79, 0x70, 0x65, 0x2f,
0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2f, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72,
- 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0x88, 0x06, 0x0a, 0x0a, 0x57, 0x61, 0x73, 0x6d, 0x50,
+ 0x2e, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x22, 0xa3, 0x07, 0x0a, 0x0a, 0x57, 0x61, 0x73, 0x6d, 0x50,
0x6c, 0x75, 0x67, 0x69, 0x6e, 0x12, 0x40, 0x0a, 0x08, 0x73, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f,
0x72, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x24, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e,
0x74, 0x79, 0x70, 0x65, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x57, 0x6f, 0x72,
@@ -860,40 +1067,71 @@ var file_extensions_v1alpha1_wasm_proto_rawDesc = []byte{
0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x57,
0x61, 0x73, 0x6d, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x2e, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69,
0x63, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x05, 0x6d, 0x61, 0x74, 0x63, 0x68,
- 0x1a, 0x7f, 0x0a, 0x0f, 0x54, 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x53, 0x65, 0x6c, 0x65, 0x63,
- 0x74, 0x6f, 0x72, 0x12, 0x34, 0x0a, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28,
- 0x0e, 0x32, 0x20, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x76,
- 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x4d,
- 0x6f, 0x64, 0x65, 0x52, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x12, 0x36, 0x0a, 0x05, 0x70, 0x6f, 0x72,
- 0x74, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f,
- 0x2e, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x50, 0x6f,
- 0x72, 0x74, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x05, 0x70, 0x6f, 0x72, 0x74,
- 0x73, 0x22, 0x3f, 0x0a, 0x08, 0x56, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x33, 0x0a,
- 0x03, 0x65, 0x6e, 0x76, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x69, 0x73, 0x74,
- 0x69, 0x6f, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31,
- 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x6e, 0x76, 0x56, 0x61, 0x72, 0x52, 0x03, 0x65,
- 0x6e, 0x76, 0x22, 0x7c, 0x0a, 0x06, 0x45, 0x6e, 0x76, 0x56, 0x61, 0x72, 0x12, 0x12, 0x0a, 0x04,
- 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65,
- 0x12, 0x48, 0x0a, 0x0a, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x66, 0x72, 0x6f, 0x6d, 0x18, 0x03,
- 0x20, 0x01, 0x28, 0x0e, 0x32, 0x29, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x78, 0x74,
- 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31,
- 0x2e, 0x45, 0x6e, 0x76, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52,
- 0x09, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x46, 0x72, 0x6f, 0x6d, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61,
- 0x6c, 0x75, 0x65, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65,
- 0x2a, 0x45, 0x0a, 0x0b, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x50, 0x68, 0x61, 0x73, 0x65, 0x12,
- 0x15, 0x0a, 0x11, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x5f, 0x50,
- 0x48, 0x41, 0x53, 0x45, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x55, 0x54, 0x48, 0x4e, 0x10,
- 0x01, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x55, 0x54, 0x48, 0x5a, 0x10, 0x02, 0x12, 0x09, 0x0a, 0x05,
- 0x53, 0x54, 0x41, 0x54, 0x53, 0x10, 0x03, 0x2a, 0x42, 0x0a, 0x0a, 0x50, 0x75, 0x6c, 0x6c, 0x50,
- 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x16, 0x0a, 0x12, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49,
- 0x46, 0x49, 0x45, 0x44, 0x5f, 0x50, 0x4f, 0x4c, 0x49, 0x43, 0x59, 0x10, 0x00, 0x12, 0x10, 0x0a,
- 0x0c, 0x49, 0x66, 0x4e, 0x6f, 0x74, 0x50, 0x72, 0x65, 0x73, 0x65, 0x6e, 0x74, 0x10, 0x01, 0x12,
- 0x0a, 0x0a, 0x06, 0x41, 0x6c, 0x77, 0x61, 0x79, 0x73, 0x10, 0x02, 0x2a, 0x26, 0x0a, 0x0e, 0x45,
- 0x6e, 0x76, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x12, 0x0a, 0x0a,
- 0x06, 0x49, 0x4e, 0x4c, 0x49, 0x4e, 0x45, 0x10, 0x00, 0x12, 0x08, 0x0a, 0x04, 0x48, 0x4f, 0x53,
- 0x54, 0x10, 0x01, 0x42, 0x22, 0x5a, 0x20, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x69, 0x6f, 0x2f,
- 0x61, 0x70, 0x69, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2f, 0x76,
- 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+ 0x12, 0x54, 0x0a, 0x0c, 0x63, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73,
+ 0x18, 0x0d, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x30, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65,
+ 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68,
+ 0x61, 0x31, 0x2e, 0x43, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x52, 0x65, 0x73,
+ 0x74, 0x72, 0x69, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x52, 0x0c, 0x63, 0x61, 0x70, 0x61, 0x62, 0x69,
+ 0x6c, 0x69, 0x74, 0x69, 0x65, 0x73, 0x12, 0x43, 0x0a, 0x06, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x73,
+ 0x18, 0x0e, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x2b, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65,
+ 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68,
+ 0x61, 0x31, 0x2e, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x73, 0x74, 0x72, 0x69, 0x63, 0x74,
+ 0x69, 0x6f, 0x6e, 0x52, 0x06, 0x65, 0x76, 0x65, 0x6e, 0x74, 0x73, 0x1a, 0x7f, 0x0a, 0x0f, 0x54,
+ 0x72, 0x61, 0x66, 0x66, 0x69, 0x63, 0x53, 0x65, 0x6c, 0x65, 0x63, 0x74, 0x6f, 0x72, 0x12, 0x34,
+ 0x0a, 0x04, 0x6d, 0x6f, 0x64, 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0e, 0x32, 0x20, 0x2e, 0x69,
+ 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79, 0x70, 0x65, 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61,
+ 0x31, 0x2e, 0x57, 0x6f, 0x72, 0x6b, 0x6c, 0x6f, 0x61, 0x64, 0x4d, 0x6f, 0x64, 0x65, 0x52, 0x04,
+ 0x6d, 0x6f, 0x64, 0x65, 0x12, 0x36, 0x0a, 0x05, 0x70, 0x6f, 0x72, 0x74, 0x73, 0x18, 0x02, 0x20,
+ 0x03, 0x28, 0x0b, 0x32, 0x20, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x74, 0x79, 0x70, 0x65,
+ 0x2e, 0x76, 0x31, 0x62, 0x65, 0x74, 0x61, 0x31, 0x2e, 0x50, 0x6f, 0x72, 0x74, 0x53, 0x65, 0x6c,
+ 0x65, 0x63, 0x74, 0x6f, 0x72, 0x52, 0x05, 0x70, 0x6f, 0x72, 0x74, 0x73, 0x22, 0x53, 0x0a, 0x15,
+ 0x43, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x52, 0x65, 0x73, 0x74, 0x72, 0x69,
+ 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x3a, 0x0a, 0x03, 0x73, 0x65, 0x74, 0x18, 0x01, 0x20, 0x01,
+ 0x28, 0x0e, 0x32, 0x28, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e,
+ 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x43,
+ 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x53, 0x65, 0x74, 0x52, 0x03, 0x73, 0x65,
+ 0x74, 0x22, 0xba, 0x01, 0x0a, 0x10, 0x45, 0x76, 0x65, 0x6e, 0x74, 0x52, 0x65, 0x73, 0x74, 0x72,
+ 0x69, 0x63, 0x74, 0x69, 0x6f, 0x6e, 0x12, 0x2a, 0x0a, 0x10, 0x4f, 0x6e, 0x52, 0x65, 0x71, 0x75,
+ 0x65, 0x73, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x08,
+ 0x52, 0x10, 0x4f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x65, 0x61, 0x64, 0x65,
+ 0x72, 0x73, 0x12, 0x24, 0x0a, 0x0d, 0x4f, 0x6e, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x42,
+ 0x6f, 0x64, 0x79, 0x18, 0x02, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0d, 0x4f, 0x6e, 0x52, 0x65, 0x71,
+ 0x75, 0x65, 0x73, 0x74, 0x42, 0x6f, 0x64, 0x79, 0x12, 0x2c, 0x0a, 0x11, 0x4f, 0x6e, 0x52, 0x65,
+ 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x48, 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x18, 0x03, 0x20,
+ 0x01, 0x28, 0x08, 0x52, 0x11, 0x4f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x48,
+ 0x65, 0x61, 0x64, 0x65, 0x72, 0x73, 0x12, 0x26, 0x0a, 0x0e, 0x4f, 0x6e, 0x52, 0x65, 0x73, 0x70,
+ 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x6f, 0x64, 0x79, 0x18, 0x04, 0x20, 0x01, 0x28, 0x08, 0x52, 0x0e,
+ 0x4f, 0x6e, 0x52, 0x65, 0x73, 0x70, 0x6f, 0x6e, 0x73, 0x65, 0x42, 0x6f, 0x64, 0x79, 0x22, 0x3f,
+ 0x0a, 0x08, 0x56, 0x6d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x12, 0x33, 0x0a, 0x03, 0x65, 0x6e,
+ 0x76, 0x18, 0x01, 0x20, 0x03, 0x28, 0x0b, 0x32, 0x21, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e,
+ 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70,
+ 0x68, 0x61, 0x31, 0x2e, 0x45, 0x6e, 0x76, 0x56, 0x61, 0x72, 0x52, 0x03, 0x65, 0x6e, 0x76, 0x22,
+ 0x7c, 0x0a, 0x06, 0x45, 0x6e, 0x76, 0x56, 0x61, 0x72, 0x12, 0x12, 0x0a, 0x04, 0x6e, 0x61, 0x6d,
+ 0x65, 0x18, 0x01, 0x20, 0x01, 0x28, 0x09, 0x52, 0x04, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x48, 0x0a,
+ 0x0a, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x5f, 0x66, 0x72, 0x6f, 0x6d, 0x18, 0x03, 0x20, 0x01, 0x28,
+ 0x0e, 0x32, 0x29, 0x2e, 0x69, 0x73, 0x74, 0x69, 0x6f, 0x2e, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73,
+ 0x69, 0x6f, 0x6e, 0x73, 0x2e, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x2e, 0x45, 0x6e,
+ 0x76, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63, 0x65, 0x52, 0x09, 0x76, 0x61,
+ 0x6c, 0x75, 0x65, 0x46, 0x72, 0x6f, 0x6d, 0x12, 0x14, 0x0a, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65,
+ 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52, 0x05, 0x76, 0x61, 0x6c, 0x75, 0x65, 0x2a, 0x35, 0x0a,
+ 0x0d, 0x43, 0x61, 0x70, 0x61, 0x62, 0x69, 0x6c, 0x69, 0x74, 0x79, 0x53, 0x65, 0x74, 0x12, 0x0b,
+ 0x0a, 0x07, 0x44, 0x45, 0x46, 0x41, 0x55, 0x4c, 0x54, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x42,
+ 0x41, 0x53, 0x49, 0x43, 0x10, 0x01, 0x12, 0x0c, 0x0a, 0x08, 0x41, 0x44, 0x56, 0x41, 0x4e, 0x43,
+ 0x45, 0x44, 0x10, 0x02, 0x2a, 0x45, 0x0a, 0x0b, 0x50, 0x6c, 0x75, 0x67, 0x69, 0x6e, 0x50, 0x68,
+ 0x61, 0x73, 0x65, 0x12, 0x15, 0x0a, 0x11, 0x55, 0x4e, 0x53, 0x50, 0x45, 0x43, 0x49, 0x46, 0x49,
+ 0x45, 0x44, 0x5f, 0x50, 0x48, 0x41, 0x53, 0x45, 0x10, 0x00, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x55,
+ 0x54, 0x48, 0x4e, 0x10, 0x01, 0x12, 0x09, 0x0a, 0x05, 0x41, 0x55, 0x54, 0x48, 0x5a, 0x10, 0x02,
+ 0x12, 0x09, 0x0a, 0x05, 0x53, 0x54, 0x41, 0x54, 0x53, 0x10, 0x03, 0x2a, 0x42, 0x0a, 0x0a, 0x50,
+ 0x75, 0x6c, 0x6c, 0x50, 0x6f, 0x6c, 0x69, 0x63, 0x79, 0x12, 0x16, 0x0a, 0x12, 0x55, 0x4e, 0x53,
+ 0x50, 0x45, 0x43, 0x49, 0x46, 0x49, 0x45, 0x44, 0x5f, 0x50, 0x4f, 0x4c, 0x49, 0x43, 0x59, 0x10,
+ 0x00, 0x12, 0x10, 0x0a, 0x0c, 0x49, 0x66, 0x4e, 0x6f, 0x74, 0x50, 0x72, 0x65, 0x73, 0x65, 0x6e,
+ 0x74, 0x10, 0x01, 0x12, 0x0a, 0x0a, 0x06, 0x41, 0x6c, 0x77, 0x61, 0x79, 0x73, 0x10, 0x02, 0x2a,
+ 0x26, 0x0a, 0x0e, 0x45, 0x6e, 0x76, 0x56, 0x61, 0x6c, 0x75, 0x65, 0x53, 0x6f, 0x75, 0x72, 0x63,
+ 0x65, 0x12, 0x0a, 0x0a, 0x06, 0x49, 0x4e, 0x4c, 0x49, 0x4e, 0x45, 0x10, 0x00, 0x12, 0x08, 0x0a,
+ 0x04, 0x48, 0x4f, 0x53, 0x54, 0x10, 0x01, 0x42, 0x22, 0x5a, 0x20, 0x69, 0x73, 0x74, 0x69, 0x6f,
+ 0x2e, 0x69, 0x6f, 0x2f, 0x61, 0x70, 0x69, 0x2f, 0x65, 0x78, 0x74, 0x65, 0x6e, 0x73, 0x69, 0x6f,
+ 0x6e, 0x73, 0x2f, 0x76, 0x31, 0x61, 0x6c, 0x70, 0x68, 0x61, 0x31, 0x62, 0x06, 0x70, 0x72, 0x6f,
+ 0x74, 0x6f, 0x33,
}
var (
@@ -908,39 +1146,45 @@ func file_extensions_v1alpha1_wasm_proto_rawDescGZIP() []byte {
return file_extensions_v1alpha1_wasm_proto_rawDescData
}
-var file_extensions_v1alpha1_wasm_proto_enumTypes = make([]protoimpl.EnumInfo, 3)
-var file_extensions_v1alpha1_wasm_proto_msgTypes = make([]protoimpl.MessageInfo, 4)
+var file_extensions_v1alpha1_wasm_proto_enumTypes = make([]protoimpl.EnumInfo, 4)
+var file_extensions_v1alpha1_wasm_proto_msgTypes = make([]protoimpl.MessageInfo, 6)
var file_extensions_v1alpha1_wasm_proto_goTypes = []interface{}{
- (PluginPhase)(0), // 0: istio.extensions.v1alpha1.PluginPhase
- (PullPolicy)(0), // 1: istio.extensions.v1alpha1.PullPolicy
- (EnvValueSource)(0), // 2: istio.extensions.v1alpha1.EnvValueSource
- (*WasmPlugin)(nil), // 3: istio.extensions.v1alpha1.WasmPlugin
- (*VmConfig)(nil), // 4: istio.extensions.v1alpha1.VmConfig
- (*EnvVar)(nil), // 5: istio.extensions.v1alpha1.EnvVar
- (*WasmPlugin_TrafficSelector)(nil), // 6: istio.extensions.v1alpha1.WasmPlugin.TrafficSelector
- (*v1beta1.WorkloadSelector)(nil), // 7: istio.type.v1beta1.WorkloadSelector
- (*_struct.Struct)(nil), // 8: google.protobuf.Struct
- (*wrappers.Int32Value)(nil), // 9: google.protobuf.Int32Value
- (v1beta1.WorkloadMode)(0), // 10: istio.type.v1beta1.WorkloadMode
- (*v1beta1.PortSelector)(nil), // 11: istio.type.v1beta1.PortSelector
+ (CapabilitySet)(0), // 0: istio.extensions.v1alpha1.CapabilitySet
+ (PluginPhase)(0), // 1: istio.extensions.v1alpha1.PluginPhase
+ (PullPolicy)(0), // 2: istio.extensions.v1alpha1.PullPolicy
+ (EnvValueSource)(0), // 3: istio.extensions.v1alpha1.EnvValueSource
+ (*WasmPlugin)(nil), // 4: istio.extensions.v1alpha1.WasmPlugin
+ (*CapabilityRestriction)(nil), // 5: istio.extensions.v1alpha1.CapabilityRestriction
+ (*EventRestriction)(nil), // 6: istio.extensions.v1alpha1.EventRestriction
+ (*VmConfig)(nil), // 7: istio.extensions.v1alpha1.VmConfig
+ (*EnvVar)(nil), // 8: istio.extensions.v1alpha1.EnvVar
+ (*WasmPlugin_TrafficSelector)(nil), // 9: istio.extensions.v1alpha1.WasmPlugin.TrafficSelector
+ (*v1beta1.WorkloadSelector)(nil), // 10: istio.type.v1beta1.WorkloadSelector
+ (*_struct.Struct)(nil), // 11: google.protobuf.Struct
+ (*wrappers.Int32Value)(nil), // 12: google.protobuf.Int32Value
+ (v1beta1.WorkloadMode)(0), // 13: istio.type.v1beta1.WorkloadMode
+ (*v1beta1.PortSelector)(nil), // 14: istio.type.v1beta1.PortSelector
}
var file_extensions_v1alpha1_wasm_proto_depIdxs = []int32{
- 7, // 0: istio.extensions.v1alpha1.WasmPlugin.selector:type_name -> istio.type.v1beta1.WorkloadSelector
- 1, // 1: istio.extensions.v1alpha1.WasmPlugin.image_pull_policy:type_name -> istio.extensions.v1alpha1.PullPolicy
- 8, // 2: istio.extensions.v1alpha1.WasmPlugin.plugin_config:type_name -> google.protobuf.Struct
- 0, // 3: istio.extensions.v1alpha1.WasmPlugin.phase:type_name -> istio.extensions.v1alpha1.PluginPhase
- 9, // 4: istio.extensions.v1alpha1.WasmPlugin.priority:type_name -> google.protobuf.Int32Value
- 4, // 5: istio.extensions.v1alpha1.WasmPlugin.vm_config:type_name -> istio.extensions.v1alpha1.VmConfig
- 6, // 6: istio.extensions.v1alpha1.WasmPlugin.match:type_name -> istio.extensions.v1alpha1.WasmPlugin.TrafficSelector
- 5, // 7: istio.extensions.v1alpha1.VmConfig.env:type_name -> istio.extensions.v1alpha1.EnvVar
- 2, // 8: istio.extensions.v1alpha1.EnvVar.value_from:type_name -> istio.extensions.v1alpha1.EnvValueSource
- 10, // 9: istio.extensions.v1alpha1.WasmPlugin.TrafficSelector.mode:type_name -> istio.type.v1beta1.WorkloadMode
- 11, // 10: istio.extensions.v1alpha1.WasmPlugin.TrafficSelector.ports:type_name -> istio.type.v1beta1.PortSelector
- 11, // [11:11] is the sub-list for method output_type
- 11, // [11:11] is the sub-list for method input_type
- 11, // [11:11] is the sub-list for extension type_name
- 11, // [11:11] is the sub-list for extension extendee
- 0, // [0:11] is the sub-list for field type_name
+ 10, // 0: istio.extensions.v1alpha1.WasmPlugin.selector:type_name -> istio.type.v1beta1.WorkloadSelector
+ 2, // 1: istio.extensions.v1alpha1.WasmPlugin.image_pull_policy:type_name -> istio.extensions.v1alpha1.PullPolicy
+ 11, // 2: istio.extensions.v1alpha1.WasmPlugin.plugin_config:type_name -> google.protobuf.Struct
+ 1, // 3: istio.extensions.v1alpha1.WasmPlugin.phase:type_name -> istio.extensions.v1alpha1.PluginPhase
+ 12, // 4: istio.extensions.v1alpha1.WasmPlugin.priority:type_name -> google.protobuf.Int32Value
+ 7, // 5: istio.extensions.v1alpha1.WasmPlugin.vm_config:type_name -> istio.extensions.v1alpha1.VmConfig
+ 9, // 6: istio.extensions.v1alpha1.WasmPlugin.match:type_name -> istio.extensions.v1alpha1.WasmPlugin.TrafficSelector
+ 5, // 7: istio.extensions.v1alpha1.WasmPlugin.capabilities:type_name -> istio.extensions.v1alpha1.CapabilityRestriction
+ 6, // 8: istio.extensions.v1alpha1.WasmPlugin.events:type_name -> istio.extensions.v1alpha1.EventRestriction
+ 0, // 9: istio.extensions.v1alpha1.CapabilityRestriction.set:type_name -> istio.extensions.v1alpha1.CapabilitySet
+ 8, // 10: istio.extensions.v1alpha1.VmConfig.env:type_name -> istio.extensions.v1alpha1.EnvVar
+ 3, // 11: istio.extensions.v1alpha1.EnvVar.value_from:type_name -> istio.extensions.v1alpha1.EnvValueSource
+ 13, // 12: istio.extensions.v1alpha1.WasmPlugin.TrafficSelector.mode:type_name -> istio.type.v1beta1.WorkloadMode
+ 14, // 13: istio.extensions.v1alpha1.WasmPlugin.TrafficSelector.ports:type_name -> istio.type.v1beta1.PortSelector
+ 14, // [14:14] is the sub-list for method output_type
+ 14, // [14:14] is the sub-list for method input_type
+ 14, // [14:14] is the sub-list for extension type_name
+ 14, // [14:14] is the sub-list for extension extendee
+ 0, // [0:14] is the sub-list for field type_name
}
func init() { file_extensions_v1alpha1_wasm_proto_init() }
@@ -962,7 +1206,7 @@ func file_extensions_v1alpha1_wasm_proto_init() {
}
}
file_extensions_v1alpha1_wasm_proto_msgTypes[1].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*VmConfig); i {
+ switch v := v.(*CapabilityRestriction); i {
case 0:
return &v.state
case 1:
@@ -974,7 +1218,7 @@ func file_extensions_v1alpha1_wasm_proto_init() {
}
}
file_extensions_v1alpha1_wasm_proto_msgTypes[2].Exporter = func(v interface{}, i int) interface{} {
- switch v := v.(*EnvVar); i {
+ switch v := v.(*EventRestriction); i {
case 0:
return &v.state
case 1:
@@ -986,6 +1230,30 @@ func file_extensions_v1alpha1_wasm_proto_init() {
}
}
file_extensions_v1alpha1_wasm_proto_msgTypes[3].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*VmConfig); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_extensions_v1alpha1_wasm_proto_msgTypes[4].Exporter = func(v interface{}, i int) interface{} {
+ switch v := v.(*EnvVar); i {
+ case 0:
+ return &v.state
+ case 1:
+ return &v.sizeCache
+ case 2:
+ return &v.unknownFields
+ default:
+ return nil
+ }
+ }
+ file_extensions_v1alpha1_wasm_proto_msgTypes[5].Exporter = func(v interface{}, i int) interface{} {
switch v := v.(*WasmPlugin_TrafficSelector); i {
case 0:
return &v.state
@@ -1003,8 +1271,8 @@ func file_extensions_v1alpha1_wasm_proto_init() {
File: protoimpl.DescBuilder{
GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
RawDescriptor: file_extensions_v1alpha1_wasm_proto_rawDesc,
- NumEnums: 3,
- NumMessages: 4,
+ NumEnums: 4,
+ NumMessages: 6,
NumExtensions: 0,
NumServices: 0,
},
diff --git a/extensions/v1alpha1/wasm.pb.html b/extensions/v1alpha1/wasm.pb.html
index 381752ee81f..8cd09a1e4ff 100644
--- a/extensions/v1alpha1/wasm.pb.html
+++ b/extensions/v1alpha1/wasm.pb.html
@@ -6,7 +6,7 @@
generator: protoc-gen-docs
schema: istio.extensions.v1alpha1.WasmPlugin
aliases: [/docs/reference/config/extensions/v1alpha1/wasm-plugin]
-number_of_entries: 7
+number_of_entries: 10
---
WasmPlugins provides a mechanism to extend the functionality provided by
the Istio proxy through WebAssembly filters.
@@ -329,6 +329,119 @@ WasmPlugin
If a traffic satisfies any of TrafficSelectors,
the traffic passes the WasmPlugin.
+
+
+No
+ |
+
+
+capabilities |
+CapabilityRestriction |
+
+ Specifies the restrictions on the execution of the module via limiting access
+to the host ABI calls. Must be set.
+
+ |
+
+No
+ |
+
+
+events |
+EventRestriction |
+
+ Specifies the restrictions on the callbacks from the host to the module.
+If not set, places no restrictions.
+
+ |
+
+No
+ |
+
+
+
+
+CapabilityRestriction
+
+Capability restriction enforces limits on the Wasm ABI calls.
+
+
+
+
+Field |
+Type |
+Description |
+Required |
+
+
+
+
+set |
+CapabilitySet |
+
+ The capability group to limit the ABI calls.
+
+ |
+
+No
+ |
+
+
+
+
+EventRestriction
+
+Event restrictions enforces limits on the callback to the Wasm module.
+
+
+
+
+Field |
+Type |
+Description |
+Required |
+
+
+
+
+
+OnRequestBody |
+bool |
+
+ Trigger Wasm execution on receiving the request body.
+
+ |
+
+No
+ |
+
+
+
+OnResponseBody |
+bool |
+
+ Trigger Wasm execution on receiving the response body.
+
|
No
@@ -465,6 +578,55 @@ WasmPlugin.TrafficSelector
|
No
+ |
+
+
+
+
+CapabilitySet
+
+A set of capabilities in the increasing order.
+
+
+
+
+Name |
+Description |
+
+
+
+
+DEFAULT |
+
+ The default set is the safe and the recommended setting.
+The following ABI calls are permitted:
+
+- logging;
+- property read.
+
+
+ |
+
+
+BASIC |
+
+ The basic set is the superset of the default set with extra capabilities that can cause
+stability or performance problems.
+The following additional ABI calls are permitted:
+
+- metrics;
+- timers;
+- side requests (HTTP and gRPC).
+
+
+ |
+
+
+ADVANCED |
+
+ The advanced set has no restrictions on the ABI calls. This is not
+recommended for use with untrusted modules.
+
|
diff --git a/extensions/v1alpha1/wasm.proto b/extensions/v1alpha1/wasm.proto
index 7452d2fb4ff..db0be939ba9 100644
--- a/extensions/v1alpha1/wasm.proto
+++ b/extensions/v1alpha1/wasm.proto
@@ -341,6 +341,53 @@ message WasmPlugin {
// If a traffic satisfies any of TrafficSelectors,
// the traffic passes the WasmPlugin.
repeated TrafficSelector match = 12;
+
+ // Specifies the restrictions on the execution of the module via limiting access
+ // to the host ABI calls. Must be set.
+ CapabilityRestriction capabilities = 13;
+
+ // Specifies the restrictions on the callbacks from the host to the module.
+ // If not set, places no restrictions.
+ EventRestriction events = 14;
+}
+
+// Capability restriction enforces limits on the Wasm ABI calls.
+message CapabilityRestriction {
+ // The capability group to limit the ABI calls.
+ CapabilitySet set = 1;
+}
+
+// Event restrictions enforces limits on the callback to the Wasm module.
+message EventRestriction {
+ // Trigger Wasm execution on receiving the request headers.
+ bool OnRequestHeaders = 1;
+ // Trigger Wasm execution on receiving the request body.
+ bool OnRequestBody = 2;
+ // Trigger Wasm execution on receiving the response headers.
+ bool OnResponseHeaders = 3;
+ // Trigger Wasm execution on receiving the response body.
+ bool OnResponseBody = 4;
+}
+
+// A set of capabilities in the increasing order.
+enum CapabilitySet {
+ // The default set is the safe and the recommended setting.
+ // The following ABI calls are permitted:
+ // * logging;
+ // * property read.
+ DEFAULT = 0;
+
+ // The basic set is the superset of the default set with extra capabilities that can cause
+ // stability or performance problems.
+ // The following additional ABI calls are permitted:
+ // * metrics;
+ // * timers;
+ // * side requests (HTTP and gRPC).
+ BASIC = 1;
+
+ // The advanced set has no restrictions on the ABI calls. This is not
+ // recommended for use with untrusted modules.
+ ADVANCED = 2;
}
// The phase in the filter chain where the plugin will be injected.
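Review bot: `EventRestriction` does not state what a false or omitted field means, and a plain proto3 `bool` cannot distinguish the two. The `events` comment says an absent message places no restrictions, while each field reads "Trigger Wasm execution on receiving…", so a present message presumably acts as an allow-list and `events: {}` would suppress every callback. If that is the intent, say so on the message, e.g. `// When set, only callbacks whose field is true are delivered to the module; omitted fields are false.` This matters for plugins used for request-path enforcement, because enabling one callback would silently turn off the other three. Separately, the field names depart from the lower_snake_case of the existing fields (`image_pull_policy`, `plugin_config`) and become the JSON/CRD keys, so a rename such as `bool on_request_headers = 1;` is cheapest before the API is released.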
diff --git a/extensions/v1alpha1/wasm_deepcopy.gen.go b/extensions/v1alpha1/wasm_deepcopy.gen.go
index 46403fbb11d..1115597639e 100644
--- a/extensions/v1alpha1/wasm_deepcopy.gen.go
+++ b/extensions/v1alpha1/wasm_deepcopy.gen.go
@@ -47,6 +47,48 @@ func (in *WasmPlugin_TrafficSelector) DeepCopyInterface() interface{} {
return in.DeepCopy()
}
+// DeepCopyInto supports using CapabilityRestriction within kubernetes types, where deepcopy-gen is used.
+func (in *CapabilityRestriction) DeepCopyInto(out *CapabilityRestriction) {
+ p := proto.Clone(in).(*CapabilityRestriction)
+ *out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CapabilityRestriction. Required by controller-gen.
+func (in *CapabilityRestriction) DeepCopy() *CapabilityRestriction {
+ if in == nil {
+ return nil
+ }
+ out := new(CapabilityRestriction)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new CapabilityRestriction. Required by controller-gen.
+func (in *CapabilityRestriction) DeepCopyInterface() interface{} {
+ return in.DeepCopy()
+}
+
+// DeepCopyInto supports using EventRestriction within kubernetes types, where deepcopy-gen is used.
+func (in *EventRestriction) DeepCopyInto(out *EventRestriction) {
+ p := proto.Clone(in).(*EventRestriction)
+ *out = *p
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EventRestriction. Required by controller-gen.
+func (in *EventRestriction) DeepCopy() *EventRestriction {
+ if in == nil {
+ return nil
+ }
+ out := new(EventRestriction)
+ in.DeepCopyInto(out)
+ return out
+}
+
+// DeepCopyInterface is an autogenerated deepcopy function, copying the receiver, creating a new EventRestriction. Required by controller-gen.
+func (in *EventRestriction) DeepCopyInterface() interface{} {
+ return in.DeepCopy()
+}
+
// DeepCopyInto supports using VmConfig within kubernetes types, where deepcopy-gen is used.
func (in *VmConfig) DeepCopyInto(out *VmConfig) {
p := proto.Clone(in).(*VmConfig)
diff --git a/extensions/v1alpha1/wasm_json.gen.go b/extensions/v1alpha1/wasm_json.gen.go
index 03edc851c7c..e9337d2b918 100644
--- a/extensions/v1alpha1/wasm_json.gen.go
+++ b/extensions/v1alpha1/wasm_json.gen.go
@@ -28,6 +28,28 @@ func (this *WasmPlugin_TrafficSelector) UnmarshalJSON(b []byte) error {
return WasmUnmarshaler.Unmarshal(bytes.NewReader(b), this)
}
+// MarshalJSON is a custom marshaler for CapabilityRestriction
+func (this *CapabilityRestriction) MarshalJSON() ([]byte, error) {
+ str, err := WasmMarshaler.MarshalToString(this)
+ return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for CapabilityRestriction
+func (this *CapabilityRestriction) UnmarshalJSON(b []byte) error {
+ return WasmUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
+// MarshalJSON is a custom marshaler for EventRestriction
+func (this *EventRestriction) MarshalJSON() ([]byte, error) {
+ str, err := WasmMarshaler.MarshalToString(this)
+ return []byte(str), err
+}
+
+// UnmarshalJSON is a custom unmarshaler for EventRestriction
+func (this *EventRestriction) UnmarshalJSON(b []byte) error {
+ return WasmUnmarshaler.Unmarshal(bytes.NewReader(b), this)
+}
+
// MarshalJSON is a custom marshaler for VmConfig
func (this *VmConfig) MarshalJSON() ([]byte, error) {
str, err := WasmMarshaler.MarshalToString(this)
diff --git a/kubernetes/customresourcedefinitions.gen.yaml b/kubernetes/customresourcedefinitions.gen.yaml
index 51338b7681f..15573756447 100644
--- a/kubernetes/customresourcedefinitions.gen.yaml
+++ b/kubernetes/customresourcedefinitions.gen.yaml
@@ -39,6 +39,35 @@ spec:
description: 'Extend the functionality provided by the Istio proxy through
WebAssembly filters. See more details at: https://istio.io/docs/reference/config/proxy_extensions/wasm-plugin.html'
properties:
+ capabilities:
+ properties:
+ set:
+ description: The capability group to limit the ABI calls.
+ enum:
+ - DEFAULT
+ - BASIC
+ - ADVANCED
+ type: string
+ type: object
+ events:
+ description: Specifies the restrictions on the callbacks from the
+ host to the module.
+ properties:
+ OnRequestBody:
+ description: Trigger Wasm execution on receiving the request body.
+ type: boolean
+ OnRequestHeaders:
+ description: Trigger Wasm execution on receiving the request headers.
+ type: boolean
+ OnResponseBody:
+ description: Trigger Wasm execution on receiving the response
+ body.
+ type: boolean
+ OnResponseHeaders:
+ description: Trigger Wasm execution on receiving the response
+ headers.
+ type: boolean
+ type: object
imagePullPolicy:
enum:
- UNSPECIFIED_POLICY
diff --git a/proto.lock b/proto.lock
index d2f9817801e..706490278b9 100644
--- a/proto.lock
+++ b/proto.lock
@@ -36453,6 +36453,22 @@
"protopath": "extensions:/:v1alpha1:/:wasm.proto",
"def": {
"enums": [
+ {
+ "name": "CapabilitySet",
+ "enum_fields": [
+ {
+ "name": "DEFAULT"
+ },
+ {
+ "name": "BASIC",
+ "integer": 1
+ },
+ {
+ "name": "ADVANCED",
+ "integer": 2
+ }
+ ]
+ },
{
"name": "PluginPhase",
"enum_fields": [
@@ -36566,6 +36582,16 @@
"name": "match",
"type": "TrafficSelector",
"is_repeated": true
+ },
+ {
+ "id": 13,
+ "name": "capabilities",
+ "type": "CapabilityRestriction"
+ },
+ {
+ "id": 14,
+ "name": "events",
+ "type": "EventRestriction"
}
],
"messages": [
@@ -36587,6 +36613,41 @@
}
]
},
+ {
+ "name": "CapabilityRestriction",
+ "fields": [
+ {
+ "id": 1,
+ "name": "set",
+ "type": "CapabilitySet"
+ }
+ ]
+ },
+ {
+ "name": "EventRestriction",
+ "fields": [
+ {
+ "id": 1,
+ "name": "OnRequestHeaders",
+ "type": "bool"
+ },
+ {
+ "id": 2,
+ "name": "OnRequestBody",
+ "type": "bool"
+ },
+ {
+ "id": 3,
+ "name": "OnResponseHeaders",
+ "type": "bool"
+ },
+ {
+ "id": 4,
+ "name": "OnResponseBody",
+ "type": "bool"
+ }
+ ]
+ },
{
"name": "VmConfig",
"fields": [
From bbdb21718902846204afe5ac42dc7ab10adb105e Mon Sep 17 00:00:00 2001
From: Kuat Yessenov
Date: Thu, 25 May 2023 12:30:20 -0700
Subject: [PATCH 2/2] fix
Signed-off-by: Kuat Yessenov
---
extensions/v1alpha1/wasm.pb.go | 2 +-
extensions/v1alpha1/wasm.pb.html | 2 +-
extensions/v1alpha1/wasm.proto | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/extensions/v1alpha1/wasm.pb.go b/extensions/v1alpha1/wasm.pb.go
index fb222566f3f..e228f9de476 100644
--- a/extensions/v1alpha1/wasm.pb.go
+++ b/extensions/v1alpha1/wasm.pb.go
@@ -560,7 +560,7 @@ type WasmPlugin struct {
// the traffic passes the WasmPlugin.
Match []*WasmPlugin_TrafficSelector `protobuf:"bytes,12,rep,name=match,proto3" json:"match,omitempty"`
// Specifies the restrictions on the execution of the module via limiting access
- // to the host ABI calls. Must be set.
+ // to the host ABI calls. If not set, uses the default capability set.
Capabilities *CapabilityRestriction `protobuf:"bytes,13,opt,name=capabilities,proto3" json:"capabilities,omitempty"`
// Specifies the restrictions on the callbacks from the host to the module.
// If not set, places no restrictions.
diff --git a/extensions/v1alpha1/wasm.pb.html b/extensions/v1alpha1/wasm.pb.html
index 8cd09a1e4ff..9cdbe88eae0 100644
--- a/extensions/v1alpha1/wasm.pb.html
+++ b/extensions/v1alpha1/wasm.pb.html
@@ -339,7 +339,7 @@ WasmPlugin
CapabilityRestriction |
Specifies the restrictions on the execution of the module via limiting access
-to the host ABI calls. Must be set.
+to the host ABI calls. If not set, uses the default capability set.
|
diff --git a/extensions/v1alpha1/wasm.proto b/extensions/v1alpha1/wasm.proto
index db0be939ba9..493e5f80ad3 100644
--- a/extensions/v1alpha1/wasm.proto
+++ b/extensions/v1alpha1/wasm.proto
@@ -343,7 +343,7 @@ message WasmPlugin {
repeated TrafficSelector match = 12;
// Specifies the restrictions on the execution of the module via limiting access
- // to the host ABI calls. Must be set.
+ // to the host ABI calls. If not set, uses the default capability set.
CapabilityRestriction capabilities = 13;
// Specifies the restrictions on the callbacks from the host to the module.
|