e6f2e2407f
* Use just the major part for the calico version for folder naming. * For any minor uprades, it will be just reference updates within manifests. * When moving to major version, then we will add a new folder with that version naming (v4) Change-Id: I1ee30af26c3030531ef719a3cb649fb999d0244c
773 lines
45 KiB
YAML
773 lines
45 KiB
YAML
apiVersion: apiextensions.k8s.io/v1
|
||
kind: CustomResourceDefinition
|
||
metadata:
|
||
annotations:
|
||
controller-gen.kubebuilder.io/version: (devel)
|
||
creationTimestamp: null
|
||
name: globalnetworkpolicies.crd.projectcalico.org
|
||
spec:
|
||
group: crd.projectcalico.org
|
||
names:
|
||
kind: GlobalNetworkPolicy
|
||
listKind: GlobalNetworkPolicyList
|
||
plural: globalnetworkpolicies
|
||
singular: globalnetworkpolicy
|
||
scope: Cluster
|
||
versions:
|
||
- name: v1
|
||
schema:
|
||
openAPIV3Schema:
|
||
properties:
|
||
apiVersion:
|
||
description: 'APIVersion defines the versioned schema of this representation
|
||
of an object. Servers should convert recognized schemas to the latest
|
||
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
||
type: string
|
||
kind:
|
||
description: 'Kind is a string value representing the REST resource this
|
||
object represents. Servers may infer this from the endpoint the client
|
||
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
||
type: string
|
||
metadata:
|
||
type: object
|
||
spec:
|
||
properties:
|
||
applyOnForward:
|
||
description: ApplyOnForward indicates to apply the rules in this policy
|
||
on forward traffic.
|
||
type: boolean
|
||
doNotTrack:
|
||
description: DoNotTrack indicates whether packets matched by the rules
|
||
in this policy should go through the data plane's connection tracking,
|
||
such as Linux conntrack. If True, the rules in this policy are
|
||
applied before any data plane connection tracking, and packets allowed
|
||
by this policy are marked as not to be tracked.
|
||
type: boolean
|
||
egress:
|
||
description: The ordered set of egress rules. Each rule contains
|
||
a set of packet match criteria and a corresponding action to apply.
|
||
items:
|
||
description: "A Rule encapsulates a set of match criteria and an
|
||
action. Both selector-based security Policy and security Profiles
|
||
reference rules - separated out as a list of rules for both ingress
|
||
and egress packet matching. \n Each positive match criteria has
|
||
a negated version, prefixed with ”Not”. All the match criteria
|
||
within a rule must be satisfied for a packet to match. A single
|
||
rule can contain the positive and negative version of a match
|
||
and both must be satisfied for the rule to match."
|
||
properties:
|
||
action:
|
||
type: string
|
||
destination:
|
||
description: Destination contains the match criteria that apply
|
||
to destination entity.
|
||
properties:
|
||
namespaceSelector:
|
||
description: "NamespaceSelector is an optional field that
|
||
contains a selector expression. Only traffic that originates
|
||
from (or terminates at) endpoints within the selected
|
||
namespaces will be matched. When both NamespaceSelector
|
||
and Selector are defined on the same rule, then only workload
|
||
endpoints that are matched by both selectors will be selected
|
||
by the rule. \n For NetworkPolicy, an empty NamespaceSelector
|
||
implies that the Selector is limited to selecting only
|
||
workload endpoints in the same namespace as the NetworkPolicy.
|
||
\n For NetworkPolicy, `global()` NamespaceSelector implies
|
||
that the Selector is limited to selecting only GlobalNetworkSet
|
||
or HostEndpoint. \n For GlobalNetworkPolicy, an empty
|
||
NamespaceSelector implies the Selector applies to workload
|
||
endpoints across all namespaces."
|
||
type: string
|
||
nets:
|
||
description: Nets is an optional field that restricts the
|
||
rule to only apply to traffic that originates from (or
|
||
terminates at) IP addresses in any of the given subnets.
|
||
items:
|
||
type: string
|
||
type: array
|
||
notNets:
|
||
description: NotNets is the negated version of the Nets
|
||
field.
|
||
items:
|
||
type: string
|
||
type: array
|
||
notPorts:
|
||
description: NotPorts is the negated version of the Ports
|
||
field. Since only some protocols have ports, if any ports
|
||
are specified it requires the Protocol match in the Rule
|
||
to be set to "TCP" or "UDP".
|
||
items:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
pattern: ^.*
|
||
x-kubernetes-int-or-string: true
|
||
type: array
|
||
notSelector:
|
||
description: NotSelector is the negated version of the Selector
|
||
field. See Selector field for subtleties with negated
|
||
selectors.
|
||
type: string
|
||
ports:
|
||
description: "Ports is an optional field that restricts
|
||
the rule to only apply to traffic that has a source (destination)
|
||
port that matches one of these ranges/values. This value
|
||
is a list of integers or strings that represent ranges
|
||
of ports. \n Since only some protocols have ports, if
|
||
any ports are specified it requires the Protocol match
|
||
in the Rule to be set to \"TCP\" or \"UDP\"."
|
||
items:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
pattern: ^.*
|
||
x-kubernetes-int-or-string: true
|
||
type: array
|
||
selector:
|
||
description: "Selector is an optional field that contains
|
||
a selector expression (see Policy for sample syntax).
|
||
\ Only traffic that originates from (terminates at) endpoints
|
||
matching the selector will be matched. \n Note that: in
|
||
addition to the negated version of the Selector (see NotSelector
|
||
below), the selector expression syntax itself supports
|
||
negation. The two types of negation are subtly different.
|
||
One negates the set of matched endpoints, the other negates
|
||
the whole match: \n \tSelector = \"!has(my_label)\" matches
|
||
packets that are from other Calico-controlled \tendpoints
|
||
that do not have the label “my_label”. \n \tNotSelector
|
||
= \"has(my_label)\" matches packets that are not from
|
||
Calico-controlled \tendpoints that do have the label “my_label”.
|
||
\n The effect is that the latter will accept packets from
|
||
non-Calico sources whereas the former is limited to packets
|
||
from Calico-controlled endpoints."
|
||
type: string
|
||
serviceAccounts:
|
||
description: ServiceAccounts is an optional field that restricts
|
||
the rule to only apply to traffic that originates from
|
||
(or terminates at) a pod running as a matching service
|
||
account.
|
||
properties:
|
||
names:
|
||
description: Names is an optional field that restricts
|
||
the rule to only apply to traffic that originates
|
||
from (or terminates at) a pod running as a service
|
||
account whose name is in the list.
|
||
items:
|
||
type: string
|
||
type: array
|
||
selector:
|
||
description: Selector is an optional field that restricts
|
||
the rule to only apply to traffic that originates
|
||
from (or terminates at) a pod running as a service
|
||
account that matches the given label selector. If
|
||
both Names and Selector are specified then they are
|
||
AND'ed.
|
||
type: string
|
||
type: object
|
||
type: object
|
||
http:
|
||
description: HTTP contains match criteria that apply to HTTP
|
||
requests.
|
||
properties:
|
||
methods:
|
||
description: Methods is an optional field that restricts
|
||
the rule to apply only to HTTP requests that use one of
|
||
the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
|
||
methods are OR'd together.
|
||
items:
|
||
type: string
|
||
type: array
|
||
paths:
|
||
description: 'Paths is an optional field that restricts
|
||
the rule to apply to HTTP requests that use one of the
|
||
listed HTTP Paths. Multiple paths are OR''d together.
|
||
e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
|
||
ONLY specify either a `exact` or a `prefix` match. The
|
||
validator will check for it.'
|
||
items:
|
||
description: 'HTTPPath specifies an HTTP path to match.
|
||
It may be either of the form: exact: <path>: which matches
|
||
the path exactly or prefix: <path-prefix>: which matches
|
||
the path prefix'
|
||
properties:
|
||
exact:
|
||
type: string
|
||
prefix:
|
||
type: string
|
||
type: object
|
||
type: array
|
||
type: object
|
||
icmp:
|
||
description: ICMP is an optional field that restricts the rule
|
||
to apply to a specific type and code of ICMP traffic. This
|
||
should only be specified if the Protocol field is set to "ICMP"
|
||
or "ICMPv6".
|
||
properties:
|
||
code:
|
||
description: Match on a specific ICMP code. If specified,
|
||
the Type value must also be specified. This is a technical
|
||
limitation imposed by the kernel’s iptables firewall,
|
||
which Calico uses to enforce the rule.
|
||
type: integer
|
||
type:
|
||
description: Match on a specific ICMP type. For example
|
||
a value of 8 refers to ICMP Echo Request (i.e. pings).
|
||
type: integer
|
||
type: object
|
||
ipVersion:
|
||
description: IPVersion is an optional field that restricts the
|
||
rule to only match a specific IP version.
|
||
type: integer
|
||
metadata:
|
||
description: Metadata contains additional information for this
|
||
rule
|
||
properties:
|
||
annotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: Annotations is a set of key value pairs that
|
||
give extra information about the rule
|
||
type: object
|
||
type: object
|
||
notICMP:
|
||
description: NotICMP is the negated version of the ICMP field.
|
||
properties:
|
||
code:
|
||
description: Match on a specific ICMP code. If specified,
|
||
the Type value must also be specified. This is a technical
|
||
limitation imposed by the kernel’s iptables firewall,
|
||
which Calico uses to enforce the rule.
|
||
type: integer
|
||
type:
|
||
description: Match on a specific ICMP type. For example
|
||
a value of 8 refers to ICMP Echo Request (i.e. pings).
|
||
type: integer
|
||
type: object
|
||
notProtocol:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
description: NotProtocol is the negated version of the Protocol
|
||
field.
|
||
pattern: ^.*
|
||
x-kubernetes-int-or-string: true
|
||
protocol:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
description: "Protocol is an optional field that restricts the
|
||
rule to only apply to traffic of a specific IP protocol. Required
|
||
if any of the EntityRules contain Ports (because ports only
|
||
apply to certain protocols). \n Must be one of these string
|
||
values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
|
||
\"UDPLite\" or an integer in the range 1-255."
|
||
pattern: ^.*
|
||
x-kubernetes-int-or-string: true
|
||
source:
|
||
description: Source contains the match criteria that apply to
|
||
source entity.
|
||
properties:
|
||
namespaceSelector:
|
||
description: "NamespaceSelector is an optional field that
|
||
contains a selector expression. Only traffic that originates
|
||
from (or terminates at) endpoints within the selected
|
||
namespaces will be matched. When both NamespaceSelector
|
||
and Selector are defined on the same rule, then only workload
|
||
endpoints that are matched by both selectors will be selected
|
||
by the rule. \n For NetworkPolicy, an empty NamespaceSelector
|
||
implies that the Selector is limited to selecting only
|
||
workload endpoints in the same namespace as the NetworkPolicy.
|
||
\n For NetworkPolicy, `global()` NamespaceSelector implies
|
||
that the Selector is limited to selecting only GlobalNetworkSet
|
||
or HostEndpoint. \n For GlobalNetworkPolicy, an empty
|
||
NamespaceSelector implies the Selector applies to workload
|
||
endpoints across all namespaces."
|
||
type: string
|
||
nets:
|
||
description: Nets is an optional field that restricts the
|
||
rule to only apply to traffic that originates from (or
|
||
terminates at) IP addresses in any of the given subnets.
|
||
items:
|
||
type: string
|
||
type: array
|
||
notNets:
|
||
description: NotNets is the negated version of the Nets
|
||
field.
|
||
items:
|
||
type: string
|
||
type: array
|
||
notPorts:
|
||
description: NotPorts is the negated version of the Ports
|
||
field. Since only some protocols have ports, if any ports
|
||
are specified it requires the Protocol match in the Rule
|
||
to be set to "TCP" or "UDP".
|
||
items:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
pattern: ^.*
|
||
x-kubernetes-int-or-string: true
|
||
type: array
|
||
notSelector:
|
||
description: NotSelector is the negated version of the Selector
|
||
field. See Selector field for subtleties with negated
|
||
selectors.
|
||
type: string
|
||
ports:
|
||
description: "Ports is an optional field that restricts
|
||
the rule to only apply to traffic that has a source (destination)
|
||
port that matches one of these ranges/values. This value
|
||
is a list of integers or strings that represent ranges
|
||
of ports. \n Since only some protocols have ports, if
|
||
any ports are specified it requires the Protocol match
|
||
in the Rule to be set to \"TCP\" or \"UDP\"."
|
||
items:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
pattern: ^.*
|
||
x-kubernetes-int-or-string: true
|
||
type: array
|
||
selector:
|
||
description: "Selector is an optional field that contains
|
||
a selector expression (see Policy for sample syntax).
|
||
\ Only traffic that originates from (terminates at) endpoints
|
||
matching the selector will be matched. \n Note that: in
|
||
addition to the negated version of the Selector (see NotSelector
|
||
below), the selector expression syntax itself supports
|
||
negation. The two types of negation are subtly different.
|
||
One negates the set of matched endpoints, the other negates
|
||
the whole match: \n \tSelector = \"!has(my_label)\" matches
|
||
packets that are from other Calico-controlled \tendpoints
|
||
that do not have the label “my_label”. \n \tNotSelector
|
||
= \"has(my_label)\" matches packets that are not from
|
||
Calico-controlled \tendpoints that do have the label “my_label”.
|
||
\n The effect is that the latter will accept packets from
|
||
non-Calico sources whereas the former is limited to packets
|
||
from Calico-controlled endpoints."
|
||
type: string
|
||
serviceAccounts:
|
||
description: ServiceAccounts is an optional field that restricts
|
||
the rule to only apply to traffic that originates from
|
||
(or terminates at) a pod running as a matching service
|
||
account.
|
||
properties:
|
||
names:
|
||
description: Names is an optional field that restricts
|
||
the rule to only apply to traffic that originates
|
||
from (or terminates at) a pod running as a service
|
||
account whose name is in the list.
|
||
items:
|
||
type: string
|
||
type: array
|
||
selector:
|
||
description: Selector is an optional field that restricts
|
||
the rule to only apply to traffic that originates
|
||
from (or terminates at) a pod running as a service
|
||
account that matches the given label selector. If
|
||
both Names and Selector are specified then they are
|
||
AND'ed.
|
||
type: string
|
||
type: object
|
||
type: object
|
||
required:
|
||
- action
|
||
type: object
|
||
type: array
|
||
ingress:
|
||
description: The ordered set of ingress rules. Each rule contains
|
||
a set of packet match criteria and a corresponding action to apply.
|
||
items:
|
||
description: "A Rule encapsulates a set of match criteria and an
|
||
action. Both selector-based security Policy and security Profiles
|
||
reference rules - separated out as a list of rules for both ingress
|
||
and egress packet matching. \n Each positive match criteria has
|
||
a negated version, prefixed with ”Not”. All the match criteria
|
||
within a rule must be satisfied for a packet to match. A single
|
||
rule can contain the positive and negative version of a match
|
||
and both must be satisfied for the rule to match."
|
||
properties:
|
||
action:
|
||
type: string
|
||
destination:
|
||
description: Destination contains the match criteria that apply
|
||
to destination entity.
|
||
properties:
|
||
namespaceSelector:
|
||
description: "NamespaceSelector is an optional field that
|
||
contains a selector expression. Only traffic that originates
|
||
from (or terminates at) endpoints within the selected
|
||
namespaces will be matched. When both NamespaceSelector
|
||
and Selector are defined on the same rule, then only workload
|
||
endpoints that are matched by both selectors will be selected
|
||
by the rule. \n For NetworkPolicy, an empty NamespaceSelector
|
||
implies that the Selector is limited to selecting only
|
||
workload endpoints in the same namespace as the NetworkPolicy.
|
||
\n For NetworkPolicy, `global()` NamespaceSelector implies
|
||
that the Selector is limited to selecting only GlobalNetworkSet
|
||
or HostEndpoint. \n For GlobalNetworkPolicy, an empty
|
||
NamespaceSelector implies the Selector applies to workload
|
||
endpoints across all namespaces."
|
||
type: string
|
||
nets:
|
||
description: Nets is an optional field that restricts the
|
||
rule to only apply to traffic that originates from (or
|
||
terminates at) IP addresses in any of the given subnets.
|
||
items:
|
||
type: string
|
||
type: array
|
||
notNets:
|
||
description: NotNets is the negated version of the Nets
|
||
field.
|
||
items:
|
||
type: string
|
||
type: array
|
||
notPorts:
|
||
description: NotPorts is the negated version of the Ports
|
||
field. Since only some protocols have ports, if any ports
|
||
are specified it requires the Protocol match in the Rule
|
||
to be set to "TCP" or "UDP".
|
||
items:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
pattern: ^.*
|
||
x-kubernetes-int-or-string: true
|
||
type: array
|
||
notSelector:
|
||
description: NotSelector is the negated version of the Selector
|
||
field. See Selector field for subtleties with negated
|
||
selectors.
|
||
type: string
|
||
ports:
|
||
description: "Ports is an optional field that restricts
|
||
the rule to only apply to traffic that has a source (destination)
|
||
port that matches one of these ranges/values. This value
|
||
is a list of integers or strings that represent ranges
|
||
of ports. \n Since only some protocols have ports, if
|
||
any ports are specified it requires the Protocol match
|
||
in the Rule to be set to \"TCP\" or \"UDP\"."
|
||
items:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
pattern: ^.*
|
||
x-kubernetes-int-or-string: true
|
||
type: array
|
||
selector:
|
||
description: "Selector is an optional field that contains
|
||
a selector expression (see Policy for sample syntax).
|
||
\ Only traffic that originates from (terminates at) endpoints
|
||
matching the selector will be matched. \n Note that: in
|
||
addition to the negated version of the Selector (see NotSelector
|
||
below), the selector expression syntax itself supports
|
||
negation. The two types of negation are subtly different.
|
||
One negates the set of matched endpoints, the other negates
|
||
the whole match: \n \tSelector = \"!has(my_label)\" matches
|
||
packets that are from other Calico-controlled \tendpoints
|
||
that do not have the label “my_label”. \n \tNotSelector
|
||
= \"has(my_label)\" matches packets that are not from
|
||
Calico-controlled \tendpoints that do have the label “my_label”.
|
||
\n The effect is that the latter will accept packets from
|
||
non-Calico sources whereas the former is limited to packets
|
||
from Calico-controlled endpoints."
|
||
type: string
|
||
serviceAccounts:
|
||
description: ServiceAccounts is an optional field that restricts
|
||
the rule to only apply to traffic that originates from
|
||
(or terminates at) a pod running as a matching service
|
||
account.
|
||
properties:
|
||
names:
|
||
description: Names is an optional field that restricts
|
||
the rule to only apply to traffic that originates
|
||
from (or terminates at) a pod running as a service
|
||
account whose name is in the list.
|
||
items:
|
||
type: string
|
||
type: array
|
||
selector:
|
||
description: Selector is an optional field that restricts
|
||
the rule to only apply to traffic that originates
|
||
from (or terminates at) a pod running as a service
|
||
account that matches the given label selector. If
|
||
both Names and Selector are specified then they are
|
||
AND'ed.
|
||
type: string
|
||
type: object
|
||
type: object
|
||
http:
|
||
description: HTTP contains match criteria that apply to HTTP
|
||
requests.
|
||
properties:
|
||
methods:
|
||
description: Methods is an optional field that restricts
|
||
the rule to apply only to HTTP requests that use one of
|
||
the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
|
||
methods are OR'd together.
|
||
items:
|
||
type: string
|
||
type: array
|
||
paths:
|
||
description: 'Paths is an optional field that restricts
|
||
the rule to apply to HTTP requests that use one of the
|
||
listed HTTP Paths. Multiple paths are OR''d together.
|
||
e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
|
||
ONLY specify either a `exact` or a `prefix` match. The
|
||
validator will check for it.'
|
||
items:
|
||
description: 'HTTPPath specifies an HTTP path to match.
|
||
It may be either of the form: exact: <path>: which matches
|
||
the path exactly or prefix: <path-prefix>: which matches
|
||
the path prefix'
|
||
properties:
|
||
exact:
|
||
type: string
|
||
prefix:
|
||
type: string
|
||
type: object
|
||
type: array
|
||
type: object
|
||
icmp:
|
||
description: ICMP is an optional field that restricts the rule
|
||
to apply to a specific type and code of ICMP traffic. This
|
||
should only be specified if the Protocol field is set to "ICMP"
|
||
or "ICMPv6".
|
||
properties:
|
||
code:
|
||
description: Match on a specific ICMP code. If specified,
|
||
the Type value must also be specified. This is a technical
|
||
limitation imposed by the kernel’s iptables firewall,
|
||
which Calico uses to enforce the rule.
|
||
type: integer
|
||
type:
|
||
description: Match on a specific ICMP type. For example
|
||
a value of 8 refers to ICMP Echo Request (i.e. pings).
|
||
type: integer
|
||
type: object
|
||
ipVersion:
|
||
description: IPVersion is an optional field that restricts the
|
||
rule to only match a specific IP version.
|
||
type: integer
|
||
metadata:
|
||
description: Metadata contains additional information for this
|
||
rule
|
||
properties:
|
||
annotations:
|
||
additionalProperties:
|
||
type: string
|
||
description: Annotations is a set of key value pairs that
|
||
give extra information about the rule
|
||
type: object
|
||
type: object
|
||
notICMP:
|
||
description: NotICMP is the negated version of the ICMP field.
|
||
properties:
|
||
code:
|
||
description: Match on a specific ICMP code. If specified,
|
||
the Type value must also be specified. This is a technical
|
||
limitation imposed by the kernel’s iptables firewall,
|
||
which Calico uses to enforce the rule.
|
||
type: integer
|
||
type:
|
||
description: Match on a specific ICMP type. For example
|
||
a value of 8 refers to ICMP Echo Request (i.e. pings).
|
||
type: integer
|
||
type: object
|
||
notProtocol:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
description: NotProtocol is the negated version of the Protocol
|
||
field.
|
||
pattern: ^.*
|
||
x-kubernetes-int-or-string: true
|
||
protocol:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
description: "Protocol is an optional field that restricts the
|
||
rule to only apply to traffic of a specific IP protocol. Required
|
||
if any of the EntityRules contain Ports (because ports only
|
||
apply to certain protocols). \n Must be one of these string
|
||
values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
|
||
\"UDPLite\" or an integer in the range 1-255."
|
||
pattern: ^.*
|
||
x-kubernetes-int-or-string: true
|
||
source:
|
||
description: Source contains the match criteria that apply to
|
||
source entity.
|
||
properties:
|
||
namespaceSelector:
|
||
description: "NamespaceSelector is an optional field that
|
||
contains a selector expression. Only traffic that originates
|
||
from (or terminates at) endpoints within the selected
|
||
namespaces will be matched. When both NamespaceSelector
|
||
and Selector are defined on the same rule, then only workload
|
||
endpoints that are matched by both selectors will be selected
|
||
by the rule. \n For NetworkPolicy, an empty NamespaceSelector
|
||
implies that the Selector is limited to selecting only
|
||
workload endpoints in the same namespace as the NetworkPolicy.
|
||
\n For NetworkPolicy, `global()` NamespaceSelector implies
|
||
that the Selector is limited to selecting only GlobalNetworkSet
|
||
or HostEndpoint. \n For GlobalNetworkPolicy, an empty
|
||
NamespaceSelector implies the Selector applies to workload
|
||
endpoints across all namespaces."
|
||
type: string
|
||
nets:
|
||
description: Nets is an optional field that restricts the
|
||
rule to only apply to traffic that originates from (or
|
||
terminates at) IP addresses in any of the given subnets.
|
||
items:
|
||
type: string
|
||
type: array
|
||
notNets:
|
||
description: NotNets is the negated version of the Nets
|
||
field.
|
||
items:
|
||
type: string
|
||
type: array
|
||
notPorts:
|
||
description: NotPorts is the negated version of the Ports
|
||
field. Since only some protocols have ports, if any ports
|
||
are specified it requires the Protocol match in the Rule
|
||
to be set to "TCP" or "UDP".
|
||
items:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
pattern: ^.*
|
||
x-kubernetes-int-or-string: true
|
||
type: array
|
||
notSelector:
|
||
description: NotSelector is the negated version of the Selector
|
||
field. See Selector field for subtleties with negated
|
||
selectors.
|
||
type: string
|
||
ports:
|
||
description: "Ports is an optional field that restricts
|
||
the rule to only apply to traffic that has a source (destination)
|
||
port that matches one of these ranges/values. This value
|
||
is a list of integers or strings that represent ranges
|
||
of ports. \n Since only some protocols have ports, if
|
||
any ports are specified it requires the Protocol match
|
||
in the Rule to be set to \"TCP\" or \"UDP\"."
|
||
items:
|
||
anyOf:
|
||
- type: integer
|
||
- type: string
|
||
pattern: ^.*
|
||
x-kubernetes-int-or-string: true
|
||
type: array
|
||
selector:
|
||
description: "Selector is an optional field that contains
|
||
a selector expression (see Policy for sample syntax).
|
||
\ Only traffic that originates from (terminates at) endpoints
|
||
matching the selector will be matched. \n Note that: in
|
||
addition to the negated version of the Selector (see NotSelector
|
||
below), the selector expression syntax itself supports
|
||
negation. The two types of negation are subtly different.
|
||
One negates the set of matched endpoints, the other negates
|
||
the whole match: \n \tSelector = \"!has(my_label)\" matches
|
||
packets that are from other Calico-controlled \tendpoints
|
||
that do not have the label “my_label”. \n \tNotSelector
|
||
= \"has(my_label)\" matches packets that are not from
|
||
Calico-controlled \tendpoints that do have the label “my_label”.
|
||
\n The effect is that the latter will accept packets from
|
||
non-Calico sources whereas the former is limited to packets
|
||
from Calico-controlled endpoints."
|
||
type: string
|
||
serviceAccounts:
|
||
description: ServiceAccounts is an optional field that restricts
|
||
the rule to only apply to traffic that originates from
|
||
(or terminates at) a pod running as a matching service
|
||
account.
|
||
properties:
|
||
names:
|
||
description: Names is an optional field that restricts
|
||
the rule to only apply to traffic that originates
|
||
from (or terminates at) a pod running as a service
|
||
account whose name is in the list.
|
||
items:
|
||
type: string
|
||
type: array
|
||
selector:
|
||
description: Selector is an optional field that restricts
|
||
the rule to only apply to traffic that originates
|
||
from (or terminates at) a pod running as a service
|
||
account that matches the given label selector. If
|
||
both Names and Selector are specified then they are
|
||
AND'ed.
|
||
type: string
|
||
type: object
|
||
type: object
|
||
required:
|
||
- action
|
||
type: object
|
||
type: array
|
||
namespaceSelector:
|
||
description: NamespaceSelector is an optional field for an expression
|
||
used to select a pod based on namespaces.
|
||
type: string
|
||
order:
|
||
description: Order is an optional field that specifies the order in
|
||
which the policy is applied. Policies with higher "order" are applied
|
||
after those with lower order. If the order is omitted, it may be
|
||
considered to be "infinite" - i.e. the policy will be applied last. Policies
|
||
with identical order will be applied in alphanumerical order based
|
||
on the Policy "Name".
|
||
type: number
|
||
preDNAT:
|
||
description: PreDNAT indicates to apply the rules in this policy before
|
||
any DNAT.
|
||
type: boolean
|
||
selector:
|
||
description: "The selector is an expression used to pick pick out
|
||
the endpoints that the policy should be applied to. \n Selector
|
||
expressions follow this syntax: \n \tlabel == \"string_literal\"
|
||
\ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
|
||
\ -> not equal; also matches if label is not present \tlabel in
|
||
{ \"a\", \"b\", \"c\", ... } -> true if the value of label X is
|
||
one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
|
||
... } -> true if the value of label X is not one of \"a\", \"b\",
|
||
\"c\" \thas(label_name) -> True if that label is present \t! expr
|
||
-> negation of expr \texpr && expr -> Short-circuit and \texpr
|
||
|| expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
|
||
or the empty selector -> matches all endpoints. \n Label names are
|
||
allowed to contain alphanumerics, -, _ and /. String literals are
|
||
more permissive but they do not support escape characters. \n Examples
|
||
(with made-up labels): \n \ttype == \"webserver\" && deployment
|
||
== \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
|
||
\"dev\" \t! has(label_name)"
|
||
type: string
|
||
serviceAccountSelector:
|
||
description: ServiceAccountSelector is an optional field for an expression
|
||
used to select a pod based on service accounts.
|
||
type: string
|
||
types:
|
||
description: "Types indicates whether this policy applies to ingress,
|
||
or to egress, or to both. When not explicitly specified (and so
|
||
the value on creation is empty or nil), Calico defaults Types according
|
||
to what Ingress and Egress rules are present in the policy. The
|
||
default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
|
||
(including the case where there are also no Ingress rules) \n
|
||
- [ PolicyTypeEgress ], if there are Egress rules but no Ingress
|
||
rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
|
||
both Ingress and Egress rules. \n When the policy is read back again,
|
||
Types will always be one of these values, never empty or nil."
|
||
items:
|
||
description: PolicyType enumerates the possible values of the PolicySpec
|
||
Types field.
|
||
type: string
|
||
type: array
|
||
type: object
|
||
type: object
|
||
served: true
|
||
storage: true
|
||
status:
|
||
acceptedNames:
|
||
kind: ""
|
||
plural: ""
|
||
conditions: []
|
||
storedVersions: []
|