{
  "properties": {
    "spec": {
      "additionalProperties": false,
      "description": "Peer authentication configuration for workloads. See more details at: https://istio.io/docs/reference/config/security/peer_authentication.html",
      "properties": {
        "mtls": {
          "additionalProperties": false,
          "description": "Mutual TLS settings for workload.",
          "properties": {
            "mode": {
              "description": "Defines the mTLS mode used for peer authentication.\n\nValid Options: DISABLE, PERMISSIVE, STRICT",
              "enum": [
                "UNSET",
                "DISABLE",
                "PERMISSIVE",
                "STRICT"
              ],
              "type": [
                "string",
                "null"
              ]
            }
          },
          "type": [
            "object",
            "null"
          ]
        },
        "portLevelMtls": {
          "additionalProperties": {
            "additionalProperties": false,
            "properties": {
              "mode": {
                "description": "Defines the mTLS mode used for peer authentication.\n\nValid Options: DISABLE, PERMISSIVE, STRICT",
                "enum": [
                  "UNSET",
                  "DISABLE",
                  "PERMISSIVE",
                  "STRICT"
                ],
                "type": [
                  "string",
                  "null"
                ]
              }
            },
            "type": "object"
          },
          "description": "Port specific mutual TLS settings.",
          "minProperties": 1,
          "type": [
            "object",
            "null"
          ],
          "x-kubernetes-validations": [
            {
              "message": "port must be between 1-65535",
              "rule": "self.all(key, 0 \u003c int(key) \u0026\u0026 int(key) \u003c= 65535)"
            }
          ]
        },
        "selector": {
          "additionalProperties": false,
          "description": "The selector determines the workloads to apply the PeerAuthentication on.",
          "properties": {
            "matchLabels": {
              "additionalProperties": {
                "maxLength": 63,
                "type": "string",
                "x-kubernetes-validations": [
                  {
                    "message": "wildcard not allowed in label value match",
                    "rule": "!self.contains('*')"
                  }
                ]
              },
              "description": "One or more labels that indicate a specific set of pods/VMs on which a policy should be applied.",
              "maxProperties": 4096,
              "type": [
                "object",
                "null"
              ],
              "x-kubernetes-validations": [
                {
                  "message": "wildcard not allowed in label key match",
                  "rule": "self.all(key, !key.contains('*'))"
                },
                {
                  "message": "key must not be empty",
                  "rule": "self.all(key, key.size() != 0)"
                }
              ]
            }
          },
          "type": [
            "object",
            "null"
          ]
        }
      },
      "type": [
        "object",
        "null"
      ],
      "x-kubernetes-validations": [
        {
          "message": "portLevelMtls requires selector",
          "rule": "(has(self.selector) \u0026\u0026 has(self.selector.matchLabels) \u0026\u0026 self.selector.matchLabels.size() \u003e 0) || !has(self.portLevelMtls)"
        }
      ]
    },
    "status": {
      "type": [
        "object",
        "null"
      ],
      "x-kubernetes-preserve-unknown-fields": true
    }
  },
  "type": "object"
}