714 lines
43 KiB
YAML
---
# apiextensions.k8s.io/v1beta1 CustomResourceDefinitions are served up to Kubernetes v1.21
# and removed in v1.22; on newer clusters this file must be converted to apiextensions.k8s.io/v1.
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  creationTimestamp: null
  name: namespacenetworkpolicies.network.kubesphere.io
spec:
  group: network.kubesphere.io
  names:
    categories:
    - networking
    kind: NamespaceNetworkPolicy
    plural: namespacenetworkpolicies
    shortNames:
    - nsnp
  scope: Namespaced
  validation:
    openAPIV3Schema:
      description: NamespaceNetworkPolicy is the Schema for the namespacenetworkpolicies
        API
      properties:
        apiVersion:
          description: 'APIVersion defines the versioned schema of this representation
            of an object. Servers should convert recognized schemas to the latest
            internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
          type: string
        kind:
          description: 'Kind is a string value representing the REST resource this
            object represents. Servers may infer this from the endpoint the client
            submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
          type: string
        metadata:
          type: object
        spec:
          description: NamespaceNetworkPolicySpec defines the desired state of NamespaceNetworkPolicy
          properties:
            egress:
              description: The ordered set of egress rules. Each rule contains a
                set of packet match criteria and a corresponding action to apply.
              items:
                description: "A Rule encapsulates a set of match criteria and an action.
                  \ Both selector-based security Policy and security Profiles reference
                  rules - separated out as a list of rules for both ingress and egress
                  packet matching. \n Each positive match criteria has a negated version,
                  prefixed with ”Not”. All the match criteria within a rule must be
                  satisfied for a packet to match. A single rule can contain the positive
                  and negative version of a match and both must be satisfied for the
                  rule to match."
                properties:
                  action:
                    type: string
                  destination:
                    description: Destination contains the match criteria that apply
                      to destination entity.
                    properties:
                      namespaceSelector:
                        description: "NamespaceSelector is an optional field that
                          contains a selector expression. Only traffic that originates
                          from (or terminates at) endpoints within the selected namespaces
                          will be matched. When both NamespaceSelector and Selector
                          are defined on the same rule, then only workload endpoints
                          that are matched by both selectors will be selected by the
                          rule. \n For NetworkPolicy, an empty NamespaceSelector implies
                          that the Selector is limited to selecting only workload
                          endpoints in the same namespace as the NetworkPolicy. \n
                          For GlobalNetworkPolicy, an empty NamespaceSelector implies
                          the Selector applies to workload endpoints across all namespaces."
                        type: string
                      nets:
                        description: Nets is an optional field that restricts the
                          rule to only apply to traffic that originates from (or terminates
                          at) IP addresses in any of the given subnets.
                        items:
                          type: string
                        type: array
                      notNets:
                        description: NotNets is the negated version of the Nets field.
                        items:
                          type: string
                        type: array
                      notPorts:
                        description: NotPorts is the negated version of the Ports
                          field. Since only some protocols have ports, if any ports
                          are specified it requires the Protocol match in the Rule
                          to be set to "TCP" or "UDP".
                        items:
                          # An int-or-string field must leave `type` unset; the only permitted
                          # companion is this anyOf of integer and string. The API server rejects
                          # `x-kubernetes-int-or-string: true` combined with `type: object`.
                          anyOf:
                          - type: integer
                          - type: string
                          description: "Port represents either a range of numeric
                            ports or a named port. \n - For a named port, set
                            the PortName, leaving MinPort and MaxPort as 0. -
                            For a port range, set MinPort and MaxPort to the (inclusive)
                            port numbers. Set PortName to \"\". - For a
                            single port, set MinPort = MaxPort and PortName = \"\"."
                          x-kubernetes-int-or-string: true
                        type: array
                      notSelector:
                        description: NotSelector is the negated version of the Selector
                          field. See Selector field for subtleties with negated selectors.
                        type: string
                      ports:
                        description: "Ports is an optional field that restricts the
                          rule to only apply to traffic that has a source (destination)
                          port that matches one of these ranges/values. This value
                          is a list of integers or strings that represent ranges of
                          ports. \n Since only some protocols have ports, if any ports
                          are specified it requires the Protocol match in the Rule
                          to be set to \"TCP\" or \"UDP\"."
                        items:
                          anyOf:
                          - type: integer
                          - type: string
                          description: "Port represents either a range of numeric
                            ports or a named port. \n - For a named port, set
                            the PortName, leaving MinPort and MaxPort as 0. -
                            For a port range, set MinPort and MaxPort to the (inclusive)
                            port numbers. Set PortName to \"\". - For a
                            single port, set MinPort = MaxPort and PortName = \"\"."
                          x-kubernetes-int-or-string: true
                        type: array
                      selector:
                        description: "Selector is an optional field that contains
                          a selector expression (see Policy for sample syntax). Only
                          traffic that originates from (terminates at) endpoints matching
                          the selector will be matched. \n Note that: in addition
                          to the negated version of the Selector (see NotSelector
                          below), the selector expression syntax itself supports negation.
                          \ The two types of negation are subtly different. One negates
                          the set of matched endpoints, the other negates the whole
                          match: \n \tSelector = \"!has(my_label)\" matches packets
                          that are from other Calico-controlled \tendpoints that do
                          not have the label “my_label”. \n \tNotSelector = \"has(my_label)\"
                          matches packets that are not from Calico-controlled \tendpoints
                          that do have the label “my_label”. \n The effect is that
                          the latter will accept packets from non-Calico sources whereas
                          the former is limited to packets from Calico-controlled
                          endpoints."
                        type: string
                      serviceAccounts:
                        description: ServiceAccounts is an optional field that restricts
                          the rule to only apply to traffic that originates from (or
                          terminates at) a pod running as a matching service account.
                        properties:
                          names:
                            description: Names is an optional field that restricts
                              the rule to only apply to traffic that originates from
                              (or terminates at) a pod running as a service account
                              whose name is in the list.
                            items:
                              type: string
                            type: array
                          selector:
                            description: Selector is an optional field that restricts
                              the rule to only apply to traffic that originates from
                              (or terminates at) a pod running as a service account
                              that matches the given label selector. If both Names
                              and Selector are specified then they are AND'ed.
                            type: string
                        type: object
                    type: object
                  http:
                    description: HTTP contains match criteria that apply to HTTP requests.
                    properties:
                      methods:
                        description: Methods is an optional field that restricts the
                          rule to apply only to HTTP requests that use one of the
                          listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods
                          are OR'd together.
                        items:
                          type: string
                        type: array
                      paths:
                        description: 'Paths is an optional field that restricts the
                          rule to apply to HTTP requests that use one of the listed
                          HTTP Paths. Multiple paths are OR''d together. e.g: - exact:
                          /foo - prefix: /bar NOTE: Each entry may ONLY specify either
                          a `exact` or a `prefix` match. The validator will check
                          for it.'
                        items:
                          description: 'HTTPPath specifies an HTTP path to match.
                            It may be either of the form: exact: <path>: which matches
                            the path exactly or prefix: <path-prefix>: which matches
                            the path prefix'
                          properties:
                            exact:
                              type: string
                            prefix:
                              type: string
                          type: object
                        type: array
                    type: object
                  icmp:
                    description: ICMP is an optional field that restricts the rule
                      to apply to a specific type and code of ICMP traffic. This
                      should only be specified if the Protocol field is set to "ICMP"
                      or "ICMPv6".
                    properties:
                      code:
                        description: Match on a specific ICMP code. If specified,
                          the Type value must also be specified. This is a technical
                          limitation imposed by the kernel’s iptables firewall, which
                          Calico uses to enforce the rule.
                        type: integer
                      type:
                        description: Match on a specific ICMP type. For example a
                          value of 8 refers to ICMP Echo Request (i.e. pings).
                        type: integer
                    type: object
                  ipVersion:
                    description: IPVersion is an optional field that restricts the
                      rule to only match a specific IP version.
                    type: integer
                  notICMP:
                    description: NotICMP is the negated version of the ICMP field.
                    properties:
                      code:
                        description: Match on a specific ICMP code. If specified,
                          the Type value must also be specified. This is a technical
                          limitation imposed by the kernel’s iptables firewall, which
                          Calico uses to enforce the rule.
                        type: integer
                      type:
                        description: Match on a specific ICMP type. For example a
                          value of 8 refers to ICMP Echo Request (i.e. pings).
                        type: integer
                    type: object
                  notProtocol:
                    description: NotProtocol is the negated version of the Protocol
                      field.
                    type: string
                  protocol:
                    description: "Protocol is an optional field that restricts the
                      rule to only apply to traffic of a specific IP protocol. Required
                      if any of the EntityRules contain Ports (because ports only
                      apply to certain protocols). \n Must be one of these string
                      values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\"
                      or an integer in the range 1-255."
                    type: string
                  source:
                    description: Source contains the match criteria that apply to
                      source entity.
                    properties:
                      namespaceSelector:
                        description: "NamespaceSelector is an optional field that
                          contains a selector expression. Only traffic that originates
                          from (or terminates at) endpoints within the selected namespaces
                          will be matched. When both NamespaceSelector and Selector
                          are defined on the same rule, then only workload endpoints
                          that are matched by both selectors will be selected by the
                          rule. \n For NetworkPolicy, an empty NamespaceSelector implies
                          that the Selector is limited to selecting only workload
                          endpoints in the same namespace as the NetworkPolicy. \n
                          For GlobalNetworkPolicy, an empty NamespaceSelector implies
                          the Selector applies to workload endpoints across all namespaces."
                        type: string
                      nets:
                        description: Nets is an optional field that restricts the
                          rule to only apply to traffic that originates from (or terminates
                          at) IP addresses in any of the given subnets.
                        items:
                          type: string
                        type: array
                      notNets:
                        description: NotNets is the negated version of the Nets field.
                        items:
                          type: string
                        type: array
                      notPorts:
                        description: NotPorts is the negated version of the Ports
                          field. Since only some protocols have ports, if any ports
                          are specified it requires the Protocol match in the Rule
                          to be set to "TCP" or "UDP".
                        items:
                          anyOf:
                          - type: integer
                          - type: string
                          description: "Port represents either a range of numeric
                            ports or a named port. \n - For a named port, set
                            the PortName, leaving MinPort and MaxPort as 0. -
                            For a port range, set MinPort and MaxPort to the (inclusive)
                            port numbers. Set PortName to \"\". - For a
                            single port, set MinPort = MaxPort and PortName = \"\"."
                          x-kubernetes-int-or-string: true
                        type: array
                      notSelector:
                        description: NotSelector is the negated version of the Selector
                          field. See Selector field for subtleties with negated selectors.
                        type: string
                      ports:
                        description: "Ports is an optional field that restricts the
                          rule to only apply to traffic that has a source (destination)
                          port that matches one of these ranges/values. This value
                          is a list of integers or strings that represent ranges of
                          ports. \n Since only some protocols have ports, if any ports
                          are specified it requires the Protocol match in the Rule
                          to be set to \"TCP\" or \"UDP\"."
                        items:
                          anyOf:
                          - type: integer
                          - type: string
                          description: "Port represents either a range of numeric
                            ports or a named port. \n - For a named port, set
                            the PortName, leaving MinPort and MaxPort as 0. -
                            For a port range, set MinPort and MaxPort to the (inclusive)
                            port numbers. Set PortName to \"\". - For a
                            single port, set MinPort = MaxPort and PortName = \"\"."
                          x-kubernetes-int-or-string: true
                        type: array
                      selector:
                        description: "Selector is an optional field that contains
                          a selector expression (see Policy for sample syntax). Only
                          traffic that originates from (terminates at) endpoints matching
                          the selector will be matched. \n Note that: in addition
                          to the negated version of the Selector (see NotSelector
                          below), the selector expression syntax itself supports negation.
                          \ The two types of negation are subtly different. One negates
                          the set of matched endpoints, the other negates the whole
                          match: \n \tSelector = \"!has(my_label)\" matches packets
                          that are from other Calico-controlled \tendpoints that do
                          not have the label “my_label”. \n \tNotSelector = \"has(my_label)\"
                          matches packets that are not from Calico-controlled \tendpoints
                          that do have the label “my_label”. \n The effect is that
                          the latter will accept packets from non-Calico sources whereas
                          the former is limited to packets from Calico-controlled
                          endpoints."
                        type: string
                      serviceAccounts:
                        description: ServiceAccounts is an optional field that restricts
                          the rule to only apply to traffic that originates from (or
                          terminates at) a pod running as a matching service account.
                        properties:
                          names:
                            description: Names is an optional field that restricts
                              the rule to only apply to traffic that originates from
                              (or terminates at) a pod running as a service account
                              whose name is in the list.
                            items:
                              type: string
                            type: array
                          selector:
                            description: Selector is an optional field that restricts
                              the rule to only apply to traffic that originates from
                              (or terminates at) a pod running as a service account
                              that matches the given label selector. If both Names
                              and Selector are specified then they are AND'ed.
                            type: string
                        type: object
                    type: object
                required:
                - action
                type: object
              type: array
            ingress:
              description: The ordered set of ingress rules. Each rule contains a
                set of packet match criteria and a corresponding action to apply.
              items:
                description: "A Rule encapsulates a set of match criteria and an action.
                  \ Both selector-based security Policy and security Profiles reference
                  rules - separated out as a list of rules for both ingress and egress
                  packet matching. \n Each positive match criteria has a negated version,
                  prefixed with ”Not”. All the match criteria within a rule must be
                  satisfied for a packet to match. A single rule can contain the positive
                  and negative version of a match and both must be satisfied for the
                  rule to match."
                properties:
                  action:
                    type: string
                  destination:
                    description: Destination contains the match criteria that apply
                      to destination entity.
                    properties:
                      namespaceSelector:
                        description: "NamespaceSelector is an optional field that
                          contains a selector expression. Only traffic that originates
                          from (or terminates at) endpoints within the selected namespaces
                          will be matched. When both NamespaceSelector and Selector
                          are defined on the same rule, then only workload endpoints
                          that are matched by both selectors will be selected by the
                          rule. \n For NetworkPolicy, an empty NamespaceSelector implies
                          that the Selector is limited to selecting only workload
                          endpoints in the same namespace as the NetworkPolicy. \n
                          For GlobalNetworkPolicy, an empty NamespaceSelector implies
                          the Selector applies to workload endpoints across all namespaces."
                        type: string
                      nets:
                        description: Nets is an optional field that restricts the
                          rule to only apply to traffic that originates from (or terminates
                          at) IP addresses in any of the given subnets.
                        items:
                          type: string
                        type: array
                      notNets:
                        description: NotNets is the negated version of the Nets field.
                        items:
                          type: string
                        type: array
                      notPorts:
                        description: NotPorts is the negated version of the Ports
                          field. Since only some protocols have ports, if any ports
                          are specified it requires the Protocol match in the Rule
                          to be set to "TCP" or "UDP".
                        items:
                          anyOf:
                          - type: integer
                          - type: string
                          description: "Port represents either a range of numeric
                            ports or a named port. \n - For a named port, set
                            the PortName, leaving MinPort and MaxPort as 0. -
                            For a port range, set MinPort and MaxPort to the (inclusive)
                            port numbers. Set PortName to \"\". - For a
                            single port, set MinPort = MaxPort and PortName = \"\"."
                          x-kubernetes-int-or-string: true
                        type: array
                      notSelector:
                        description: NotSelector is the negated version of the Selector
                          field. See Selector field for subtleties with negated selectors.
                        type: string
                      ports:
                        description: "Ports is an optional field that restricts the
                          rule to only apply to traffic that has a source (destination)
                          port that matches one of these ranges/values. This value
                          is a list of integers or strings that represent ranges of
                          ports. \n Since only some protocols have ports, if any ports
                          are specified it requires the Protocol match in the Rule
                          to be set to \"TCP\" or \"UDP\"."
                        items:
                          anyOf:
                          - type: integer
                          - type: string
                          description: "Port represents either a range of numeric
                            ports or a named port. \n - For a named port, set
                            the PortName, leaving MinPort and MaxPort as 0. -
                            For a port range, set MinPort and MaxPort to the (inclusive)
                            port numbers. Set PortName to \"\". - For a
                            single port, set MinPort = MaxPort and PortName = \"\"."
                          x-kubernetes-int-or-string: true
                        type: array
                      selector:
                        description: "Selector is an optional field that contains
                          a selector expression (see Policy for sample syntax). Only
                          traffic that originates from (terminates at) endpoints matching
                          the selector will be matched. \n Note that: in addition
                          to the negated version of the Selector (see NotSelector
                          below), the selector expression syntax itself supports negation.
                          \ The two types of negation are subtly different. One negates
                          the set of matched endpoints, the other negates the whole
                          match: \n \tSelector = \"!has(my_label)\" matches packets
                          that are from other Calico-controlled \tendpoints that do
                          not have the label “my_label”. \n \tNotSelector = \"has(my_label)\"
                          matches packets that are not from Calico-controlled \tendpoints
                          that do have the label “my_label”. \n The effect is that
                          the latter will accept packets from non-Calico sources whereas
                          the former is limited to packets from Calico-controlled
                          endpoints."
                        type: string
                      serviceAccounts:
                        description: ServiceAccounts is an optional field that restricts
                          the rule to only apply to traffic that originates from (or
                          terminates at) a pod running as a matching service account.
                        properties:
                          names:
                            description: Names is an optional field that restricts
                              the rule to only apply to traffic that originates from
                              (or terminates at) a pod running as a service account
                              whose name is in the list.
                            items:
                              type: string
                            type: array
                          selector:
                            description: Selector is an optional field that restricts
                              the rule to only apply to traffic that originates from
                              (or terminates at) a pod running as a service account
                              that matches the given label selector. If both Names
                              and Selector are specified then they are AND'ed.
                            type: string
                        type: object
                    type: object
                  http:
                    description: HTTP contains match criteria that apply to HTTP requests.
                    properties:
                      methods:
                        description: Methods is an optional field that restricts the
                          rule to apply only to HTTP requests that use one of the
                          listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods
                          are OR'd together.
                        items:
                          type: string
                        type: array
                      paths:
                        description: 'Paths is an optional field that restricts the
                          rule to apply to HTTP requests that use one of the listed
                          HTTP Paths. Multiple paths are OR''d together. e.g: - exact:
                          /foo - prefix: /bar NOTE: Each entry may ONLY specify either
                          a `exact` or a `prefix` match. The validator will check
                          for it.'
                        items:
                          description: 'HTTPPath specifies an HTTP path to match.
                            It may be either of the form: exact: <path>: which matches
                            the path exactly or prefix: <path-prefix>: which matches
                            the path prefix'
                          properties:
                            exact:
                              type: string
                            prefix:
                              type: string
                          type: object
                        type: array
                    type: object
                  icmp:
                    description: ICMP is an optional field that restricts the rule
                      to apply to a specific type and code of ICMP traffic. This
                      should only be specified if the Protocol field is set to "ICMP"
                      or "ICMPv6".
                    properties:
                      code:
                        description: Match on a specific ICMP code. If specified,
                          the Type value must also be specified. This is a technical
                          limitation imposed by the kernel’s iptables firewall, which
                          Calico uses to enforce the rule.
                        type: integer
                      type:
                        description: Match on a specific ICMP type. For example a
                          value of 8 refers to ICMP Echo Request (i.e. pings).
                        type: integer
                    type: object
                  ipVersion:
                    description: IPVersion is an optional field that restricts the
                      rule to only match a specific IP version.
                    type: integer
                  notICMP:
                    description: NotICMP is the negated version of the ICMP field.
                    properties:
                      code:
                        description: Match on a specific ICMP code. If specified,
                          the Type value must also be specified. This is a technical
                          limitation imposed by the kernel’s iptables firewall, which
                          Calico uses to enforce the rule.
                        type: integer
                      type:
                        description: Match on a specific ICMP type. For example a
                          value of 8 refers to ICMP Echo Request (i.e. pings).
                        type: integer
                    type: object
                  notProtocol:
                    description: NotProtocol is the negated version of the Protocol
                      field.
                    type: string
                  protocol:
                    description: "Protocol is an optional field that restricts the
                      rule to only apply to traffic of a specific IP protocol. Required
                      if any of the EntityRules contain Ports (because ports only
                      apply to certain protocols). \n Must be one of these string
                      values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\"
                      or an integer in the range 1-255."
                    type: string
                  source:
                    description: Source contains the match criteria that apply to
                      source entity.
                    properties:
                      namespaceSelector:
                        description: "NamespaceSelector is an optional field that
                          contains a selector expression. Only traffic that originates
                          from (or terminates at) endpoints within the selected namespaces
                          will be matched. When both NamespaceSelector and Selector
                          are defined on the same rule, then only workload endpoints
                          that are matched by both selectors will be selected by the
                          rule. \n For NetworkPolicy, an empty NamespaceSelector implies
                          that the Selector is limited to selecting only workload
                          endpoints in the same namespace as the NetworkPolicy. \n
                          For GlobalNetworkPolicy, an empty NamespaceSelector implies
                          the Selector applies to workload endpoints across all namespaces."
                        type: string
                      nets:
                        description: Nets is an optional field that restricts the
                          rule to only apply to traffic that originates from (or terminates
                          at) IP addresses in any of the given subnets.
                        items:
                          type: string
                        type: array
                      notNets:
                        description: NotNets is the negated version of the Nets field.
                        items:
                          type: string
                        type: array
                      notPorts:
                        description: NotPorts is the negated version of the Ports
                          field. Since only some protocols have ports, if any ports
                          are specified it requires the Protocol match in the Rule
                          to be set to "TCP" or "UDP".
                        items:
                          anyOf:
                          - type: integer
                          - type: string
                          description: "Port represents either a range of numeric
                            ports or a named port. \n - For a named port, set
                            the PortName, leaving MinPort and MaxPort as 0. -
                            For a port range, set MinPort and MaxPort to the (inclusive)
                            port numbers. Set PortName to \"\". - For a
                            single port, set MinPort = MaxPort and PortName = \"\"."
                          x-kubernetes-int-or-string: true
                        type: array
                      notSelector:
                        description: NotSelector is the negated version of the Selector
                          field. See Selector field for subtleties with negated selectors.
                        type: string
                      ports:
                        description: "Ports is an optional field that restricts the
                          rule to only apply to traffic that has a source (destination)
                          port that matches one of these ranges/values. This value
                          is a list of integers or strings that represent ranges of
                          ports. \n Since only some protocols have ports, if any ports
                          are specified it requires the Protocol match in the Rule
                          to be set to \"TCP\" or \"UDP\"."
                        items:
                          anyOf:
                          - type: integer
                          - type: string
                          description: "Port represents either a range of numeric
                            ports or a named port. \n - For a named port, set
                            the PortName, leaving MinPort and MaxPort as 0. -
                            For a port range, set MinPort and MaxPort to the (inclusive)
                            port numbers. Set PortName to \"\". - For a
                            single port, set MinPort = MaxPort and PortName = \"\"."
                          x-kubernetes-int-or-string: true
                        type: array
                      selector:
                        description: "Selector is an optional field that contains
                          a selector expression (see Policy for sample syntax). Only
                          traffic that originates from (terminates at) endpoints matching
                          the selector will be matched. \n Note that: in addition
                          to the negated version of the Selector (see NotSelector
                          below), the selector expression syntax itself supports negation.
                          \ The two types of negation are subtly different. One negates
                          the set of matched endpoints, the other negates the whole
                          match: \n \tSelector = \"!has(my_label)\" matches packets
                          that are from other Calico-controlled \tendpoints that do
                          not have the label “my_label”. \n \tNotSelector = \"has(my_label)\"
                          matches packets that are not from Calico-controlled \tendpoints
                          that do have the label “my_label”. \n The effect is that
                          the latter will accept packets from non-Calico sources whereas
                          the former is limited to packets from Calico-controlled
                          endpoints."
                        type: string
                      serviceAccounts:
                        description: ServiceAccounts is an optional field that restricts
                          the rule to only apply to traffic that originates from (or
                          terminates at) a pod running as a matching service account.
                        properties:
                          names:
                            description: Names is an optional field that restricts
                              the rule to only apply to traffic that originates from
                              (or terminates at) a pod running as a service account
                              whose name is in the list.
                            items:
                              type: string
                            type: array
                          selector:
                            description: Selector is an optional field that restricts
                              the rule to only apply to traffic that originates from
                              (or terminates at) a pod running as a service account
                              that matches the given label selector. If both Names
                              and Selector are specified then they are AND'ed.
                            type: string
                        type: object
                    type: object
                required:
                - action
                type: object
              type: array
            order:
              description: Order is an optional field that specifies the order in
                which the policy is applied. Policies with higher "order" are applied
                after those with lower order. If the order is omitted, it may be
                considered to be "infinite" - i.e. the policy will be applied last. Policies
                with identical order will be applied in alphanumerical order based
                on the Policy "Name".
              type: integer
            selector:
              description: "The selector is an expression used to pick out the
                endpoints that the policy should be applied to. \n Selector expressions
                follow this syntax: \n \tlabel == \"string_literal\" -> comparison,
                e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" -> not
                equal; also matches if label is not present \tlabel in { \"a\", \"b\",
                \"c\", ... } -> true if the value of label X is one of \"a\", \"b\",
                \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } -> true if the
                value of label X is not one of \"a\", \"b\", \"c\" \thas(label_name)
                \ -> True if that label is present \t! expr -> negation of expr \texpr
                && expr -> Short-circuit and \texpr || expr -> Short-circuit or
                \t( expr ) -> parens for grouping \tall() or the empty selector ->
                matches all endpoints. \n Label names are allowed to contain alphanumerics,
                -, _ and /. String literals are more permissive but they do not support
                escape characters. \n Examples (with made-up labels): \n \ttype ==
                \"webserver\" && deployment == \"prod\" \ttype in {\"frontend\", \"backend\"}
                \tdeployment != \"dev\" \t! has(label_name)"
              type: string
            types:
              description: "Types indicates whether this policy applies to ingress,
                or to egress, or to both. When not explicitly specified (and so the
                value on creation is empty or nil), Calico defaults Types according
                to what Ingress and Egress are present in the policy. The default
                is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including
                the case where there are also no Ingress rules) \n - [ PolicyTypeEgress
                ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,
                PolicyTypeEgress ], if there are both Ingress and Egress rules. \n
                When the policy is read back again, Types will always be one of these
                values, never empty or nil."
              items:
                type: string
              type: array
          required:
          - selector
          type: object
      type: object
  version: v1alpha1
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
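The selector grammar that the `spec.selector` description spells out (and that the per-rule `selector`, `notSelector` and `namespaceSelector` fields reuse) is beyond what the OpenAPI schema can check: every one of those fields is typed `string`, so a malformed expression passes admission and is only rejected by the controller, and a subtly wrong one (for example `!=` on a label the pod does not carry) silently matches more than intended. The parser and evaluator below is an added example, not KubeSphere or Calico code. It implements the grammar exactly as the description lists it (`==`, `!=`, `in`, `not in`, `has()`, `!`, `&&`, `||`, parentheses, `all()` and the empty selector) and turns an expression into a predicate over a pod's label dict. Two points go beyond the text and are assumptions: `not in` is treated like `!=` in also matching when the label is absent, and `.` is accepted in label names so Kubernetes keys such as `app.kubernetes.io/name` parse. `SAMPLE_ENDPOINTS` is constructed input.

```python
import re

# Tokens: operators, quoted string literals (no escapes, as the schema text says) and label
# names. Allowing '.' in names is an assumption beyond the text (keys like app.kubernetes.io/name).
_TOKEN_RE = re.compile(r"""\s*(?:(&&|\|\||==|!=|[!(){},])|("[^"]*"|'[^']*')|([A-Za-z0-9_./\-]+))""")


def tokenize(expr):
    """Split a selector expression into (kind, value) tokens; ValueError on anything else."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError(f"bad selector syntax at offset {pos}: {expr[pos:pos + 10]!r}")
        op, lit, word = m.groups()
        tokens.append(("op", op) if op else ("str", lit[1:-1]) if lit else ("word", word))
        pos = m.end()
    return tokens


def compile_selector(expr):
    """Compile a selector into a predicate over a label dict (recursive descent:
    || binds loosest, then &&, then unary ! and parentheses, then the atoms)."""
    if not expr.strip():  # the empty selector matches everything, like all()
        return lambda labels: True
    toks, pos = tokenize(expr) + [(None, None)], 0

    def take(kind=None, value=None):
        nonlocal pos
        tok = toks[pos]
        if tok[0] is None or (kind and tok[0] != kind) or (value and tok[1] != value):
            raise ValueError(f"expected {value or kind or 'token'}, got {tok[1]!r}")
        pos += 1
        return tok[1]

    def or_expr():
        left = and_expr()
        while toks[pos] == ("op", "||"):
            take()  # the outer lambda binds l and r now, not at call time
            left = (lambda l, r: lambda L: l(L) or r(L))(left, and_expr())
        return left

    def and_expr():
        left = unary()
        while toks[pos] == ("op", "&&"):
            take()
            left = (lambda l, r: lambda L: l(L) and r(L))(left, unary())
        return left

    def unary():
        if toks[pos] == ("op", "!"):
            take()
            return (lambda inner: lambda L: not inner(L))(unary())
        if toks[pos] == ("op", "("):
            take()
            inner = or_expr()
            take("op", ")")
            return inner
        return atom()

    def atom():
        word = take("word")
        if word in ("all", "has"):  # all() and has(label)
            take("op", "(")
            label = take("word") if word == "has" else None
            take("op", ")")
            return (lambda L: True) if label is None else (lambda L: label in L)
        nxt = take("op" if toks[pos][0] == "op" else "word")
        if nxt in ("==", "!="):
            lit, equal = take("str"), nxt == "=="
            return lambda L: (L.get(word) == lit) == equal  # != also matches an absent label
        if nxt == "not":
            nxt = "not " + take("word", "in")
        if nxt not in ("in", "not in"):
            raise ValueError(f"expected an operator after label {word!r}, got {nxt!r}")
        take("op", "{")
        values = {take("str")}
        while toks[pos] == ("op", ","):
            take()
            values.add(take("str"))
        take("op", "}")
        negate = nxt == "not in"  # absent label counts as "not one of" (assumption, as for !=)
        return lambda L: (L.get(word) in values) != negate

    predicate = or_expr()
    if toks[pos][0] is not None:
        raise ValueError(f"unexpected trailing token {toks[pos][1]!r}")
    return predicate


def select_endpoints(expr, endpoints):
    """Names of the endpoints (name -> label dict) that the selector picks out."""
    predicate = compile_selector(expr)
    return [name for name, labels in endpoints.items() if predicate(labels)]


# Constructed sample endpoints, not cluster data.
SAMPLE_ENDPOINTS = {
    "web-0": {"type": "webserver", "deployment": "prod"},
    "web-1": {"type": "webserver", "deployment": "dev"},
    "api-0": {"type": "backend", "deployment": "prod", "pci": "true"},
    "batch-0": {"type": "batch"},
}
```

Running `select_endpoints('deployment != "dev"', SAMPLE_ENDPOINTS)` returns `batch-0` as well as the two `prod` endpoints, which is the absent-label behaviour the description warns about: a policy meant to cover only labelled workloads should use `has(deployment) && deployment != "dev"`. Feeding an expression through `compile_selector` before it is written into a policy catches syntax errors at review time rather than in the controller's logs.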
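Several constraints in the descriptions above are stated in prose that the OpenAPI schema cannot enforce: `action` is required in every rule, `ports`/`notPorts` require `protocol` to be `TCP` or `UDP`, `icmp`/`notICMP` only make sense when `protocol` is `ICMP` or `ICMPv6` and `code` may not appear without `type`, each `http.paths` entry may carry only one of `exact`/`prefix`, `protocol` is one of the listed names or an integer 1-255, `types` is defaulted from which rule lists are present, and policies are applied by ascending `order` with omitted order last and ties broken by name. The linter below is an added example, not KubeSphere or Calico code: it checks those constraints on a NamespaceNetworkPolicy already parsed into a dict, computes the defaulted `types`, and sorts a set of policies into application order. Assumptions beyond the schema text: the `min:max` string form for a port range is taken from Calico's int-or-string port syntax, and `Ingress`/`Egress` are Calico's string values for the `PolicyType` constants. `SAMPLE_POLICY` is constructed input with deliberate violations.

```python
import math

NAMED_PROTOCOLS = {"TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite"}
PORT_PROTOCOLS = {"TCP", "UDP"}      # ports/notPorts require one of these
ICMP_PROTOCOLS = {"ICMP", "ICMPv6"}  # icmp/notICMP require one of these


def valid_protocol(value):
    """A named protocol, or an integer 1-255 (as a string, since the schema types the field as string)."""
    return value in NAMED_PROTOCOLS or (isinstance(value, str) and value.isdigit() and 1 <= int(value) <= 255)


def valid_port(entry):
    """int-or-string port: a single number, a 'min:max' range or a named port. The 'min:max'
    string form is Calico's wire syntax for MinPort/MaxPort (an assumption beyond the schema text)."""
    if isinstance(entry, int) and not isinstance(entry, bool):
        return 0 <= entry <= 65535
    if not isinstance(entry, str) or not entry:
        return False
    if ":" not in entry:
        return True  # named port
    lo, _, hi = entry.partition(":")
    return lo.isdigit() and hi.isdigit() and 0 <= int(lo) <= int(hi) <= 65535


def lint_rule(rule, where):
    """Problems in one ingress/egress rule that the schema describes but cannot enforce."""
    problems = []
    if not rule.get("action"):
        problems.append(f"{where}: action is required")
    protocol = rule.get("protocol")
    if protocol is not None and not valid_protocol(protocol):
        problems.append(f"{where}.protocol: {protocol!r} is not a known protocol name or 1-255")
    for side in ("source", "destination"):
        for key in ("ports", "notPorts"):
            ports = (rule.get(side) or {}).get(key) or []
            if ports and protocol not in PORT_PROTOCOLS:
                problems.append(f"{where}.{side}.{key}: requires protocol TCP or UDP, got {protocol!r}")
            problems += [f"{where}.{side}.{key}: invalid port entry {p!r}" for p in ports if not valid_port(p)]
    for key in ("icmp", "notICMP"):
        icmp = rule.get(key)
        if icmp is None:
            continue
        if protocol not in ICMP_PROTOCOLS:
            problems.append(f"{where}.{key}: only valid with protocol ICMP or ICMPv6, got {protocol!r}")
        if "code" in icmp and "type" not in icmp:
            problems.append(f"{where}.{key}: code requires type (iptables limitation)")
    for i, path in enumerate((rule.get("http") or {}).get("paths") or []):
        if ("exact" in path) == ("prefix" in path):
            problems.append(f"{where}.http.paths[{i}]: exactly one of exact/prefix must be set")
    return problems


def lint_policy(policy):
    """All problems in a NamespaceNetworkPolicy given as a parsed (dict) object."""
    spec = policy.get("spec") or {}
    problems = [] if "selector" in spec else ["spec.selector is required"]
    for direction in ("ingress", "egress"):
        for i, rule in enumerate(spec.get(direction) or []):
            problems += lint_rule(rule, f"spec.{direction}[{i}]")
    return problems


def effective_types(spec):
    """spec.types as the schema says it is defaulted when omitted."""
    if spec.get("types"):
        return list(spec["types"])
    has_ingress, has_egress = bool(spec.get("ingress")), bool(spec.get("egress"))
    if has_egress and not has_ingress:
        return ["Egress"]
    return ["Ingress", "Egress"] if has_ingress and has_egress else ["Ingress"]


def apply_order(policies):
    """Policy names in application order: ascending order, omitted order last, ties by name."""
    def key(p):
        return (p.get("spec", {}).get("order", math.inf), p["metadata"]["name"])
    return [p["metadata"]["name"] for p in sorted(policies, key=key)]


# Constructed sample: the first ingress rule is valid; the others each break a documented constraint.
SAMPLE_POLICY = {
    "apiVersion": "network.kubesphere.io/v1alpha1",
    "kind": "NamespaceNetworkPolicy",
    "metadata": {"name": "allow-web-to-api", "namespace": "shop"},
    "spec": {
        "order": 100,
        "selector": 'type == "backend"',
        "ingress": [
            {"action": "Allow", "protocol": "TCP", "source": {"selector": 'type == "webserver"'},
             "destination": {"ports": [8080, "9000:9010", "metrics"]}},
            {"action": "Allow", "destination": {"ports": [53]}},           # ports but no TCP/UDP protocol
            {"action": "Deny", "protocol": "TCP", "icmp": {"code": 0}},   # icmp on TCP, code without type
        ],
        "egress": [
            {"protocol": "TCP", "http": {"paths": [{"exact": "/a", "prefix": "/b"}]}},  # no action, bad path
        ],
    },
}
```

`lint_policy(SAMPLE_POLICY)` reports five findings, one per deliberate violation, and `effective_types(SAMPLE_POLICY["spec"])` yields `["Ingress", "Egress"]` because both rule lists are non-empty. Wiring `lint_policy` into a CI step or a validating webhook in front of `kubectl apply` keeps a rule such as "ports without a TCP/UDP protocol" from being accepted by the API server and then silently doing nothing at enforcement time.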