825e026930
only accept validated cidr. And fix the error handle when network-isotate is diabled. And remove the useless crd. Signed-off-by: Duan Jiong <djduanjiong@gmail.com>
261 lines
13 KiB
YAML
Generated
261 lines
13 KiB
YAML
Generated
|
|
---
|
|
apiVersion: apiextensions.k8s.io/v1beta1
|
|
kind: CustomResourceDefinition
|
|
metadata:
|
|
annotations:
|
|
controller-gen.kubebuilder.io/version: (devel)
|
|
creationTimestamp: null
|
|
name: namespacenetworkpolicies.network.kubesphere.io
|
|
spec:
|
|
group: network.kubesphere.io
|
|
names:
|
|
categories:
|
|
- networking
|
|
kind: NamespaceNetworkPolicy
|
|
listKind: NamespaceNetworkPolicyList
|
|
plural: namespacenetworkpolicies
|
|
shortNames:
|
|
- nsnp
|
|
singular: namespacenetworkpolicy
|
|
scope: Namespaced
|
|
validation:
|
|
openAPIV3Schema:
|
|
description: NamespaceNetworkPolicy is the Schema for the namespacenetworkpolicies
|
|
API
|
|
properties:
|
|
apiVersion:
|
|
description: 'APIVersion defines the versioned schema of this representation
|
|
of an object. Servers should convert recognized schemas to the latest
|
|
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
|
|
type: string
|
|
kind:
|
|
description: 'Kind is a string value representing the REST resource this
|
|
object represents. Servers may infer this from the endpoint the client
|
|
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
|
|
type: string
|
|
metadata:
|
|
type: object
|
|
spec:
|
|
description: NamespaceNetworkPolicySpec provides the specification of a
|
|
NamespaceNetworkPolicy
|
|
properties:
|
|
egress:
|
|
description: List of egress rules to be applied to the selected pods.
|
|
Outgoing traffic is allowed if there are no NetworkPolicies selecting
|
|
the pod (and cluster policy otherwise allows the traffic), OR if the
|
|
traffic matches at least one egress rule across all of the NetworkPolicy
|
|
objects whose podSelector matches the pod. If this field is empty
|
|
then this NetworkPolicy limits all outgoing traffic (and serves solely
|
|
to ensure that the pods it selects are isolated by default). This
|
|
field is beta-level in 1.8
|
|
items:
|
|
description: NetworkPolicyEgressRule describes a particular set of
|
|
traffic that is allowed out of pods matched by a NetworkPolicySpec's
|
|
podSelector. The traffic must match both ports and to. This type
|
|
is beta-level in 1.8
|
|
properties:
|
|
ports:
|
|
description: List of destination ports for outgoing traffic. Each
|
|
item in this list is combined using a logical OR. If this field
|
|
is empty or missing, this rule matches all ports (traffic not
|
|
restricted by port). If this field is present and contains at
|
|
least one item, then this rule allows traffic only if the traffic
|
|
matches at least one port in the list.
|
|
items:
|
|
description: NetworkPolicyPort describes a port to allow traffic
|
|
on
|
|
properties:
|
|
port:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: The port on the given protocol. This can either
|
|
be a numerical or named port on a pod. If this field is
|
|
not provided, this matches all port names and numbers.
|
|
x-kubernetes-int-or-string: true
|
|
protocol:
|
|
description: The protocol (TCP, UDP, or SCTP) which traffic
|
|
must match. If not specified, this field defaults to TCP.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
to:
|
|
description: List of destinations for outgoing traffic of pods
|
|
selected for this rule. Items in this list are combined using
|
|
a logical OR operation. If this field is empty or missing, this
|
|
rule matches all destinations (traffic not restricted by destination).
|
|
If this field is present and contains at least one item, this
|
|
rule allows traffic only if the traffic matches at least one
|
|
item in the to list.
|
|
items:
|
|
description: NetworkPolicyPeer describes a peer to allow traffic
|
|
from. Only certain combinations of fields are allowed
|
|
properties:
|
|
ipBlock:
|
|
description: IPBlock defines policy on a particular IPBlock.
|
|
If this field is set then neither of the other fields
|
|
can be.
|
|
properties:
|
|
cidr:
|
|
description: CIDR is a string representing the IP Block
|
|
Valid examples are "192.168.1.1/24"
|
|
type: string
|
|
pattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))$
|
|
except:
|
|
description: Except is a slice of CIDRs that should
|
|
not be included within an IP Block Valid examples
|
|
are "192.168.1.1/24" Except values will be rejected
|
|
if they are outside the CIDR range
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- cidr
|
|
type: object
|
|
namespace:
|
|
properties:
|
|
name:
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
service:
|
|
properties:
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
ingress:
|
|
description: List of ingress rules to be applied to the selected pods.
|
|
Traffic is allowed to a pod if there are no NetworkPolicies selecting
|
|
the pod (and cluster policy otherwise allows the traffic), OR if the
|
|
traffic source is the pod's local node, OR if the traffic matches
|
|
at least one ingress rule across all of the NetworkPolicy objects
|
|
whose podSelector matches the pod. If this field is empty then this
|
|
NetworkPolicy does not allow any traffic (and serves solely to ensure
|
|
that the pods it selects are isolated by default)
|
|
items:
|
|
description: NetworkPolicyIngressRule describes a particular set of
|
|
traffic that is allowed to the pods matched by a NetworkPolicySpec's
|
|
podSelector. The traffic must match both ports and from.
|
|
properties:
|
|
from:
|
|
description: List of sources which should be able to access the
|
|
pods selected for this rule. Items in this list are combined
|
|
using a logical OR operation. If this field is empty or missing,
|
|
this rule matches all sources (traffic not restricted by source).
|
|
If this field is present and contains at least one item, this
|
|
rule allows traffic only if the traffic matches at least one
|
|
item in the from list.
|
|
items:
|
|
description: NetworkPolicyPeer describes a peer to allow traffic
|
|
from. Only certain combinations of fields are allowed
|
|
properties:
|
|
ipBlock:
|
|
description: IPBlock defines policy on a particular IPBlock.
|
|
If this field is set then neither of the other fields
|
|
can be.
|
|
properties:
|
|
cidr:
|
|
description: CIDR is a string representing the IP Block
|
|
Valid examples are "192.168.1.1/24"
|
|
type: string
|
|
except:
|
|
description: Except is a slice of CIDRs that should
|
|
not be included within an IP Block Valid examples
|
|
are "192.168.1.1/24" Except values will be rejected
|
|
if they are outside the CIDR range
|
|
items:
|
|
type: string
|
|
type: array
|
|
required:
|
|
- cidr
|
|
type: object
|
|
namespace:
|
|
properties:
|
|
name:
|
|
type: string
|
|
required:
|
|
- name
|
|
type: object
|
|
service:
|
|
properties:
|
|
name:
|
|
type: string
|
|
namespace:
|
|
type: string
|
|
required:
|
|
- name
|
|
- namespace
|
|
type: object
|
|
type: object
|
|
type: array
|
|
ports:
|
|
description: List of ports which should be made accessible on
|
|
the pods selected for this rule. Each item in this list is combined
|
|
using a logical OR. If this field is empty or missing, this
|
|
rule matches all ports (traffic not restricted by port). If
|
|
this field is present and contains at least one item, then this
|
|
rule allows traffic only if the traffic matches at least one
|
|
port in the list.
|
|
items:
|
|
description: NetworkPolicyPort describes a port to allow traffic
|
|
on
|
|
properties:
|
|
port:
|
|
anyOf:
|
|
- type: integer
|
|
- type: string
|
|
description: The port on the given protocol. This can either
|
|
be a numerical or named port on a pod. If this field is
|
|
not provided, this matches all port names and numbers.
|
|
x-kubernetes-int-or-string: true
|
|
protocol:
|
|
description: The protocol (TCP, UDP, or SCTP) which traffic
|
|
must match. If not specified, this field defaults to TCP.
|
|
type: string
|
|
type: object
|
|
type: array
|
|
type: object
|
|
type: array
|
|
policyTypes:
|
|
description: List of rule types that the NetworkPolicy relates to. Valid
|
|
options are "Ingress", "Egress", or "Ingress,Egress". If this field
|
|
is not specified, it will default based on the existence of Ingress
|
|
or Egress rules; policies that contain an Egress section are assumed
|
|
to affect Egress, and all policies (whether or not they contain an
|
|
Ingress section) are assumed to affect Ingress. If you want to write
|
|
an egress-only policy, you must explicitly specify policyTypes [ "Egress"
|
|
]. Likewise, if you want to write a policy that specifies that no
|
|
egress is allowed, you must specify a policyTypes value that include
|
|
"Egress" (since such a policy would not include an Egress section
|
|
and would otherwise default to just [ "Ingress" ]). This field is
|
|
beta-level in 1.8
|
|
items:
|
|
description: Policy Type string describes the NetworkPolicy type This
|
|
type is beta-level in 1.8
|
|
type: string
|
|
type: array
|
|
type: object
|
|
type: object
|
|
version: v1alpha1
|
|
versions:
|
|
- name: v1alpha1
|
|
served: true
|
|
storage: true
|
|
status:
|
|
acceptedNames:
|
|
kind: ""
|
|
plural: ""
|
|
conditions: []
|
|
storedVersions: []
|