--- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: helm.sh/resource-policy: keep operatorframework.io/installed-alongside-63e273da4c200797: openshift-operators/servicemeshoperator3.v3.1.0 creationTimestamp: "2026-03-18T16:53:28Z" generation: 1 labels: app: istio-pilot chart: istio heritage: Tiller istio: security olm.managed: "true" operators.coreos.com/servicemeshoperator3.openshift-operators: "" release: istio managedFields: - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:annotations: .: {} f:helm.sh/resource-policy: {} f:operatorframework.io/installed-alongside-63e273da4c200797: {} f:labels: .: {} f:app: {} f:chart: {} f:heritage: {} f:istio: {} f:olm.managed: {} f:release: {} f:spec: f:conversion: .: {} f:strategy: {} f:group: {} f:names: f:categories: {} f:kind: {} f:listKind: {} f:plural: {} f:shortNames: {} f:singular: {} f:scope: {} f:versions: {} manager: catalog operation: Update time: "2026-03-18T16:53:28Z" - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:status: f:acceptedNames: f:categories: {} f:kind: {} f:listKind: {} f:plural: {} f:shortNames: {} f:singular: {} f:conditions: k:{"type":"Established"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} k:{"type":"NamesAccepted"}: .: {} f:lastTransitionTime: {} f:message: {} f:reason: {} f:status: {} f:type: {} manager: kube-apiserver operation: Update subresource: status time: "2026-03-18T16:53:28Z" - apiVersion: apiextensions.k8s.io/v1 fieldsType: FieldsV1 fieldsV1: f:metadata: f:labels: f:operators.coreos.com/servicemeshoperator3.openshift-operators: {} manager: olm operation: Update time: "2026-03-18T16:53:38Z" name: authorizationpolicies.security.istio.io resourceVersion: "12583" uid: a8715c66-2843-4cf3-bba8-ebb23401c861 spec: conversion: strategy: None group: security.istio.io names: categories: - istio-io - security-istio-io kind: AuthorizationPolicy listKind: AuthorizationPolicyList plural: authorizationpolicies shortNames: - ap singular: authorizationpolicy scope: Namespaced versions: - additionalPrinterColumns: - description: The operation to take. jsonPath: .spec.action name: Action type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1 schema: openAPIV3Schema: properties: spec: description: 'Configuration for access control on workloads. See more details at: https://istio.io/docs/reference/config/security/authorization-policy.html' oneOf: - not: anyOf: - required: - provider - required: - provider properties: action: description: |- Optional. Valid Options: ALLOW, DENY, AUDIT, CUSTOM enum: - ALLOW - DENY - AUDIT - CUSTOM type: string provider: description: Specifies detailed configuration of the CUSTOM action. properties: name: description: Specifies the name of the extension provider. type: string type: object rules: description: Optional. items: properties: from: description: Optional. items: properties: source: description: Source specifies the source of a request. properties: ipBlocks: description: Optional. items: type: string type: array namespaces: description: Optional. items: type: string type: array notIpBlocks: description: Optional. items: type: string type: array notNamespaces: description: Optional. items: type: string type: array notPrincipals: description: Optional. items: type: string type: array notRemoteIpBlocks: description: Optional. items: type: string type: array notRequestPrincipals: description: Optional. items: type: string type: array notServiceAccounts: description: Optional. items: maxLength: 320 type: string maxItems: 16 type: array principals: description: Optional. items: type: string type: array remoteIpBlocks: description: Optional. items: type: string type: array requestPrincipals: description: Optional. items: type: string type: array serviceAccounts: description: Optional. items: maxLength: 320 type: string maxItems: 16 type: array type: object x-kubernetes-validations: - message: Cannot set serviceAccounts with namespaces or principals rule: |- (has(self.serviceAccounts) || has(self.notServiceAccounts)) ? (!has(self.principals) && !has(self.notPrincipals) && !has(self.namespaces) && !has(self.notNamespaces)) : true type: object maxItems: 512 type: array to: description: Optional. items: properties: operation: description: Operation specifies the operation of a request. properties: hosts: description: Optional. items: type: string type: array methods: description: Optional. items: type: string type: array notHosts: description: Optional. items: type: string type: array notMethods: description: Optional. items: type: string type: array notPaths: description: Optional. items: type: string type: array notPorts: description: Optional. items: type: string type: array paths: description: Optional. items: type: string type: array ports: description: Optional. items: type: string type: array type: object type: object type: array when: description: Optional. items: properties: key: description: The name of an Istio attribute. type: string notValues: description: Optional. items: type: string type: array values: description: Optional. items: type: string type: array required: - key type: object type: array type: object maxItems: 512 type: array selector: description: Optional. properties: matchLabels: additionalProperties: maxLength: 63 type: string x-kubernetes-validations: - message: wildcard not allowed in label value match rule: '!self.contains("*")' description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. maxProperties: 4096 type: object x-kubernetes-validations: - message: wildcard not allowed in label key match rule: self.all(key, !key.contains("*")) - message: key must not be empty rule: self.all(key, key.size() != 0) type: object targetRef: properties: group: description: group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. maxLength: 253 minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string x-kubernetes-validations: - message: cross namespace referencing is not currently supported rule: self.size() == 0 required: - kind - name type: object targetRefs: description: Optional. items: properties: group: description: group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. maxLength: 253 minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string x-kubernetes-validations: - message: cross namespace referencing is not currently supported rule: self.size() == 0 required: - kind - name type: object maxItems: 16 type: array type: object x-kubernetes-validations: - message: only one of targetRefs or selector can be set rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0) + (has(self.targetRefs) ? 1 : 0) <= 1' status: properties: conditions: description: Current service state of the resource. items: properties: lastProbeTime: description: Last time we probed the condition. format: date-time type: string lastTransitionTime: description: Last time the condition transitioned from one status to another. format: date-time type: string message: description: Human-readable message indicating details about last transition. type: string observedGeneration: anyOf: - type: integer - type: string description: Resource Generation to which the Condition refers. x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. type: string status: description: Status is the status of the condition. type: string type: description: Type is the type of the condition. type: string type: object type: array observedGeneration: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. items: properties: documentationUrl: description: A url pointing to the Istio documentation for this specific error type. type: string level: description: |- Represents how severe a message is. Valid Options: UNKNOWN, ERROR, WARNING, INFO enum: - UNKNOWN - ERROR - WARNING - INFO type: string type: properties: code: description: A 7 character code matching `^IST[0-9]{4}$` intended to uniquely identify the message type. type: string name: description: A human-readable name for the message type. type: string type: object type: object type: array type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: false subresources: status: {} - additionalPrinterColumns: - description: The operation to take. jsonPath: .spec.action name: Action type: string - description: 'CreationTimestamp is a timestamp representing the server time when this object was created. It is not guaranteed to be set in happens-before order across separate operations. Clients may not set this value. It is represented in RFC3339 form and is in UTC. Populated by the system. Read-only. Null for lists. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata' jsonPath: .metadata.creationTimestamp name: Age type: date name: v1beta1 schema: openAPIV3Schema: properties: spec: description: 'Configuration for access control on workloads. See more details at: https://istio.io/docs/reference/config/security/authorization-policy.html' oneOf: - not: anyOf: - required: - provider - required: - provider properties: action: description: |- Optional. Valid Options: ALLOW, DENY, AUDIT, CUSTOM enum: - ALLOW - DENY - AUDIT - CUSTOM type: string provider: description: Specifies detailed configuration of the CUSTOM action. properties: name: description: Specifies the name of the extension provider. type: string type: object rules: description: Optional. items: properties: from: description: Optional. items: properties: source: description: Source specifies the source of a request. properties: ipBlocks: description: Optional. items: type: string type: array namespaces: description: Optional. items: type: string type: array notIpBlocks: description: Optional. items: type: string type: array notNamespaces: description: Optional. items: type: string type: array notPrincipals: description: Optional. items: type: string type: array notRemoteIpBlocks: description: Optional. items: type: string type: array notRequestPrincipals: description: Optional. items: type: string type: array notServiceAccounts: description: Optional. items: maxLength: 320 type: string maxItems: 16 type: array principals: description: Optional. items: type: string type: array remoteIpBlocks: description: Optional. items: type: string type: array requestPrincipals: description: Optional. items: type: string type: array serviceAccounts: description: Optional. items: maxLength: 320 type: string maxItems: 16 type: array type: object x-kubernetes-validations: - message: Cannot set serviceAccounts with namespaces or principals rule: |- (has(self.serviceAccounts) || has(self.notServiceAccounts)) ? (!has(self.principals) && !has(self.notPrincipals) && !has(self.namespaces) && !has(self.notNamespaces)) : true type: object maxItems: 512 type: array to: description: Optional. items: properties: operation: description: Operation specifies the operation of a request. properties: hosts: description: Optional. items: type: string type: array methods: description: Optional. items: type: string type: array notHosts: description: Optional. items: type: string type: array notMethods: description: Optional. items: type: string type: array notPaths: description: Optional. items: type: string type: array notPorts: description: Optional. items: type: string type: array paths: description: Optional. items: type: string type: array ports: description: Optional. items: type: string type: array type: object type: object type: array when: description: Optional. items: properties: key: description: The name of an Istio attribute. type: string notValues: description: Optional. items: type: string type: array values: description: Optional. items: type: string type: array required: - key type: object type: array type: object maxItems: 512 type: array selector: description: Optional. properties: matchLabels: additionalProperties: maxLength: 63 type: string x-kubernetes-validations: - message: wildcard not allowed in label value match rule: '!self.contains("*")' description: One or more labels that indicate a specific set of pods/VMs on which a policy should be applied. maxProperties: 4096 type: object x-kubernetes-validations: - message: wildcard not allowed in label key match rule: self.all(key, !key.contains("*")) - message: key must not be empty rule: self.all(key, key.size() != 0) type: object targetRef: properties: group: description: group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. maxLength: 253 minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string x-kubernetes-validations: - message: cross namespace referencing is not currently supported rule: self.size() == 0 required: - kind - name type: object targetRefs: description: Optional. items: properties: group: description: group is the group of the target resource. maxLength: 253 pattern: ^$|^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string kind: description: kind is kind of the target resource. maxLength: 63 minLength: 1 pattern: ^[a-zA-Z]([-a-zA-Z0-9]*[a-zA-Z0-9])?$ type: string name: description: name is the name of the target resource. maxLength: 253 minLength: 1 type: string namespace: description: namespace is the namespace of the referent. type: string x-kubernetes-validations: - message: cross namespace referencing is not currently supported rule: self.size() == 0 required: - kind - name type: object maxItems: 16 type: array type: object x-kubernetes-validations: - message: only one of targetRefs or selector can be set rule: '(has(self.selector) ? 1 : 0) + (has(self.targetRef) ? 1 : 0) + (has(self.targetRefs) ? 1 : 0) <= 1' status: properties: conditions: description: Current service state of the resource. items: properties: lastProbeTime: description: Last time we probed the condition. format: date-time type: string lastTransitionTime: description: Last time the condition transitioned from one status to another. format: date-time type: string message: description: Human-readable message indicating details about last transition. type: string observedGeneration: anyOf: - type: integer - type: string description: Resource Generation to which the Condition refers. x-kubernetes-int-or-string: true reason: description: Unique, one-word, CamelCase reason for the condition's last transition. type: string status: description: Status is the status of the condition. type: string type: description: Type is the type of the condition. type: string type: object type: array observedGeneration: anyOf: - type: integer - type: string x-kubernetes-int-or-string: true validationMessages: description: Includes any errors or warnings detected by Istio's analyzers. items: properties: documentationUrl: description: A url pointing to the Istio documentation for this specific error type. type: string level: description: |- Represents how severe a message is. Valid Options: UNKNOWN, ERROR, WARNING, INFO enum: - UNKNOWN - ERROR - WARNING - INFO type: string type: properties: code: description: A 7 character code matching `^IST[0-9]{4}$` intended to uniquely identify the message type. type: string name: description: A human-readable name for the message type. type: string type: object type: object type: array type: object x-kubernetes-preserve-unknown-fields: true type: object served: true storage: true subresources: status: {} status: acceptedNames: categories: - istio-io - security-istio-io kind: AuthorizationPolicy listKind: AuthorizationPolicyList plural: authorizationpolicies shortNames: - ap singular: authorizationpolicy conditions: - lastTransitionTime: "2026-03-18T16:53:28Z" message: no conflicts found reason: NoConflicts status: "True" type: NamesAccepted - lastTransitionTime: "2026-03-18T16:53:28Z" message: the initial names have been accepted reason: InitialNamesAccepted status: "True" type: Established storedVersions: - v1beta1