Replace misc. occurrences of whitelist/blacklist (istio#25479)

tbarrella · web-flow · commit 831495068a87 · 2020-07-14T11:15:33.000-07:00
As part of istio#25381
diff --git a/codecov.threshold b/codecov.threshold
@@ -2,13 +2,13 @@
 # unexpected drop of code coverage. And this supplements the packages specified
 # in codecov.skip.
 #
-# This is useful to temporarily whitelist the packages that have either non
+# This is useful to temporarily allowlist the packages that have either non
 # deterministic code path. (E.g. test may retry on failure. Some paths may not
 # be exercised when there is no error, but are hit when there is an error
 # before the test retries.)
 #
 # Ideally this file should contain only istio.io=x as the default. All other
-# whitelisted packages or files should eventually be removed when the tests
+# allowlisted packages or files should eventually be removed when the tests
 # are made deteministic.
 #
 # Format:
diff --git a/manifests/charts/global.yaml b/manifests/charts/global.yaml
@@ -95,7 +95,7 @@ global:
     # The number of successive failed probes before indicating readiness failure.
     readinessFailureThreshold: 30
 
-    # istio egress capture whitelist
+    # istio egress capture allowlist
     # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
     # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
     # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
@@ -104,7 +104,7 @@ global:
     excludeIPRanges: ""
     excludeOutboundPorts: ""
 
-    # istio ingress capture whitelist
+    # istio ingress capture allowlist
     # examples:
     #     Redirect only selected ports:            --includeInboundPorts="80,8080"
     excludeInboundPorts: ""
diff --git a/manifests/charts/istio-control/istio-discovery/values.yaml b/manifests/charts/istio-control/istio-discovery/values.yaml
@@ -410,12 +410,12 @@ global:
     # If set, newly injected sidecars will have core dumps enabled.
     enableCoreDump: false
 
-    # istio ingress capture whitelist
+    # istio ingress capture allowlist
     # examples:
     #     Redirect only selected ports:            --includeInboundPorts="80,8080"
     excludeInboundPorts: ""
 
-    # istio egress capture whitelist
+    # istio egress capture allowlist
     # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
     # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
     # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
diff --git a/operator/cmd/mesh/testdata/manifest-generate/data-snapshot/charts/global.yaml b/operator/cmd/mesh/testdata/manifest-generate/data-snapshot/charts/global.yaml
@@ -97,7 +97,7 @@ global:
     # The number of successive failed probes before indicating readiness failure.
     readinessFailureThreshold: 30
 
-    # istio egress capture whitelist
+    # istio egress capture allowlist
     # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
     # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
     # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
@@ -106,7 +106,7 @@ global:
     excludeIPRanges: ""
     excludeOutboundPorts: ""
 
-    # istio ingress capture whitelist
+    # istio ingress capture allowlist
     # examples:
     #     Redirect only selected ports:            --includeInboundPorts="80,8080"
     excludeInboundPorts: ""
diff --git a/operator/codecov.threshold b/operator/codecov.threshold
@@ -2,13 +2,13 @@
 # unexpected drop of code coverage. And this supplements the packages specified
 # in codecov.skip.
 #
-# This is useful to temporarily whitelist the packages that have either non
+# This is useful to temporarily allowlist the packages that have either non
 # deterministic code path. (E.g. test may retry on failure. Some paths may not
 # be exercised when there is no error, but are hit when there is an error
 # before the test retries.)
 #
 # Ideally this file should contain only istio.io=x as the default. All other
-# whitelisted packages or files should eventually be removed when the tests
+# allowlisted packages or files should eventually be removed when the tests
 # are made deteministic.
 #
 # Format:
@@ -18,4 +18,4 @@
 # or go file.
 
 # Istio wide default
-istio.io=5
+istio.io=5
diff --git a/tests/binary/binaries_test.go b/tests/binary/binaries_test.go
@@ -80,7 +80,7 @@ func TestVersion(t *testing.T) {
 
 var (
 	// If this flag is present, it means "testing" was imported by code that is built by the binary
-	blacklistedFlags = []string{
+	denylistedFlags = []string{
 		"--test.memprofilerate",
 	}
 )
@@ -104,8 +104,8 @@ func TestFlags(t *testing.T) {
 				t.Fatalf("--help failed with error: %v. Output: %v", err, string(out))
 			}
 
-			for _, blacklist := range blacklistedFlags {
-				if strings.Contains(string(out), blacklist) {
+			for _, denylist := range denylistedFlags {
+				if strings.Contains(string(out), denylist) {
 					t.Fatalf("binary contains unexpected flags: %v", string(out))
 				}
 			}
diff --git a/tests/integration/security/authorization_test.go b/tests/integration/security/authorization_test.go
@@ -396,15 +396,15 @@ func TestAuthorization_NegativeMatch(t *testing.T) {
 				// Test the policy with overlapped `paths` and `not_paths` on b.
 				// a and x should have the same results:
 				// - path with prefix `/prefix` should be denied explicitly.
-				// - path `/prefix/whitelist` should be excluded from the deny.
+				// - path `/prefix/allowlist` should be excluded from the deny.
 				// - path `/allow` should be allowed implicitly.
 				newTestCase(a, b, "/prefix", false),
 				newTestCase(a, b, "/prefix/other", false),
-				newTestCase(a, b, "/prefix/whitelist", true),
+				newTestCase(a, b, "/prefix/allowlist", true),
 				newTestCase(a, b, "/allow", true),
 				newTestCase(x, b, "/prefix", false),
 				newTestCase(x, b, "/prefix/other", false),
-				newTestCase(x, b, "/prefix/whitelist", true),
+				newTestCase(x, b, "/prefix/allowlist", true),
 				newTestCase(x, b, "/allow", true),
 
 				// Test the policy that denies other namespace on c.
diff --git a/tests/integration/security/testdata/authz/v1beta1-negative-match.yaml.tmpl b/tests/integration/security/testdata/authz/v1beta1-negative-match.yaml.tmpl
@@ -1,4 +1,4 @@
-# The following policy denies access to path with prefix "/prefix" except "/prefix/whitelist" to workload b
+# The following policy denies access to path with prefix "/prefix" except "/prefix/allowlist" to workload b
 
 apiVersion: "security.istio.io/v1beta1"
 kind: AuthorizationPolicy
@@ -14,7 +14,7 @@ spec:
   - to:
     - operation:
         paths: ["/prefix*"]
-        notPaths: ["/prefix/whitelist"]
+        notPaths: ["/prefix/allowlist"]
 ---
 
 # The following policy denies access from other namespaces
diff --git a/tools/istio-iptables/pkg/cmd/root.go b/tools/istio-iptables/pkg/cmd/root.go
@@ -105,7 +105,7 @@ func constructConfig() *config.Config {
 		RunValidation:           viper.GetBool(constants.RunValidation),
 	}
 
-	// TODO: Make this more configurable, maybe with a whitelist of users to be captured for output instead of a blacklist.
+	// TODO: Make this more configurable, maybe with an allowlist of users to be captured for output instead of a denylist.
 	if cfg.ProxyUID == "" {
 		usr, err := user.Lookup(envoyUserVar.Get())
 		var userID string

Original file line number	Diff line number	Diff line change
`@@ -2,13 +2,13 @@`
`2`	`2`	`# unexpected drop of code coverage. And this supplements the packages specified`
`3`	`3`	`# in codecov.skip.`
`4`	`4`	`#`
`5`		`-# This is useful to temporarily whitelist the packages that have either non`
	`5`	`+# This is useful to temporarily allowlist the packages that have either non`
`6`	`6`	`# deterministic code path. (E.g. test may retry on failure. Some paths may not`
`7`	`7`	`# be exercised when there is no error, but are hit when there is an error`
`8`	`8`	`# before the test retries.)`
`9`	`9`	`#`
`10`	`10`	`# Ideally this file should contain only istio.io=x as the default. All other`
`11`		`-# whitelisted packages or files should eventually be removed when the tests`
	`11`	`+# allowlisted packages or files should eventually be removed when the tests`
`12`	`12`	`# are made deteministic.`
`13`	`13`	`#`
`14`	`14`	`# Format:`
Original file line number	Diff line number	Diff line change
`@@ -80,7 +80,7 @@ func TestVersion(t *testing.T) {`
`80`	`80`
`81`	`81`	`var (`
`82`	`82`	`// If this flag is present, it means "testing" was imported by code that is built by the binary`
`83`		`- blacklistedFlags = []string{`
	`83`	`+ denylistedFlags = []string{`
`84`	`84`	`"--test.memprofilerate",`
`85`	`85`	`}`
`86`	`86`	`)`
`@@ -104,8 +104,8 @@ func TestFlags(t *testing.T) {`
`104`	`104`	`t.Fatalf("--help failed with error: %v. Output: %v", err, string(out))`
`105`	`105`	`}`
`106`	`106`
`107`		`- for _, blacklist := range blacklistedFlags {`
`108`		`- if strings.Contains(string(out), blacklist) {`
	`107`	`+ for _, denylist := range denylistedFlags {`
	`108`	`+ if strings.Contains(string(out), denylist) {`
`109`	`109`	`t.Fatalf("binary contains unexpected flags: %v", string(out))`
`110`	`110`	`}`
`111`	`111`	`}`
Original file line number	Diff line number	Diff line change
`@@ -105,7 +105,7 @@ func constructConfig() *config.Config {`
`105`	`105`	`RunValidation: viper.GetBool(constants.RunValidation),`
`106`	`106`	`}`
`107`	`107`
`108`		`- // TODO: Make this more configurable, maybe with a whitelist of users to be captured for output instead of a blacklist.`
	`108`	`+ // TODO: Make this more configurable, maybe with an allowlist of users to be captured for output instead of a denylist.`
`109`	`109`	`if cfg.ProxyUID == "" {`
`110`	`110`	`usr, err := user.Lookup(envoyUserVar.Get())`
`111`	`111`	`var userID string`