This repository was archived by the owner on Oct 20, 2023. It is now read-only.

Commit 4314b5f

Browse files
committed
Limit to 1 podLabelSelector
Multiple podLabelSelectors don't seem necessary, and the semantics around such configuration are confusing. If the need arises for multiple selectors, we can reconsider, but let's keep it simple for now.

Signed-off-by: Keith Mattix II <[email protected]>
1 parent 2340800 commit 4314b5f

File tree

1 file changed (+6, -7 lines changed)


apis/traffic-access/v1alpha4/traffic-access.md

+6-7
@@ -22,7 +22,7 @@ An `IdentityBinding` declares the set of identities belonging to a particular wo
2222
for the purposes of policy. At present, Kubernetes does not natively provide any
2323
sort of identity resource outside of `ServiceAccount`. As such, many mesh
2424
implementations have turned to alternative identification schemes for more control
25-
over traffic routing and policy (e.g. SPIFFE, pod selectors, etc). Unfortunately,
25+
over traffic routing and policy (e.g. SPIFFE, pod selector, etc). Unfortunately,
2626
these arbitrary identity mechanisms are rarely stored in a machine-accessible
2727
manner. This is the role of the `IdentityBinding` resource.
2828
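Review bot: the singularization in the "(e.g. SPIFFE, pod selector, etc)" line changes a generic sentence about identification schemes, not a reference to the field, so the plural read fine there; if the intent is to keep the prose aligned with the renamed field, write the field name in backticks as `podLabelSelector` so readers can tell it apart from the general concept. While touching the line, "e.g." and "etc" in the same parenthetical is redundant; drop one.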

@@ -34,10 +34,9 @@ metadata:
3434
namespace: default
3535
spec:
3636
schemes:
37-
podLabelSelectors:
38-
- name: podWorkloads
39-
matchLabels:
40-
app: service-a
37+
podLabelSelector:
38+
matchLabels:
39+
app: service-a
4140
spiffeIdentities:
4241
- "cluster.local/ns/default/sa/service-a"
4342
- "federated.trustdomain/boundary/boundaryName/identifierType/identifier"
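Review bot: with `podLabelSelector` now a single selector object, the example and the surrounding text should say what an empty or omitted selector means. Under Kubernetes LabelSelector semantics an empty selector (no `matchLabels` and no `matchExpressions`) matches every object, which here would bind the identity of every pod in scope to this `IdentityBinding`; the intended behaviour (match nothing, or reject the resource on validation) needs to be spelled out so implementations do not silently grant the broad interpretation. The dropped `name: podWorkloads` field also means any later reference to selectors by name in this document should be checked, and it is worth showing `matchExpressions` in the example since `matchLabels` alone suggests only equality matching is supported.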
@@ -56,11 +55,11 @@ such as SPIFFE, JWT, Kubernetes pod specs, etc. This allows for more consistent
5655
and predictable behavior across runtime environments. `IdentityBinding` currently
5756
supports 3 schemes:
5857

59-
- Pod Label selector (`podLabelSelectors`)
58+
- Pod Label selector (`podLabelSelector`)
6059
- Mutually exclusive with `serviceAccount`
6160
- SPIFFE (`spiffeIdentities`)
6261
- Service Account (`serviceAccount`)
63-
- Mutually exclusive with `podLabelSelectors`
62+
- Mutually exclusive with `podLabelSelector`
6463
- *Note:* The service account specified in this field is implied to exist
6564
in the `IdentityBinding`'s namespace. If one desires to govern access control
6665
for services replicated across different namespaces, they should create an
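Review bot: the `serviceAccount` bullet states that the referenced account is implied to exist in the `IdentityBinding`'s namespace, but the renamed `podLabelSelector` bullet carries no equivalent scoping statement. Since label selectors are not namespaced by themselves, say explicitly that the selector only matches pods in the `IdentityBinding`'s namespace (or whatever scope is intended); an implementation that matched labels cluster-wide would let a binding in one namespace claim the identities of pods in another, which is the kind of cross-namespace escalation this resource is meant to prevent. Consider adding a `- *Note:*` sub-bullet mirroring the one under `serviceAccount`.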
