---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: traffictargets.access.smi-spec.io
labels:
app.kubernetes.io/part-of: nginx-service-mesh
spec:
group: access.smi-spec.io
names:
kind: TrafficTarget
listKind: TrafficTargetList
plural: traffictargets
shortNames:
- tt
singular: traffictarget
scope: Namespaced
versions:
- name: v1alpha2
schema:
openAPIV3Schema:
description: TrafficTarget associates a set of traffic definitions (rules)
with a service identity which is allocated to a group of pods. Access is
controlled via referenced TrafficSpecs and by a list of source service identities.
* If a pod which holds the referenced service identity makes a call to the
destination on one of the defined routes then access will be allowed *
Any pod which attempts to connect and is not in the defined list of sources
will be denied * Any pod which is in the defined list, but attempts to connect
on a route which is not in the list of the TrafficSpecs will be denied
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: TrafficTargetSpec is the specification of a TrafficTarget
properties:
destination:
description: Selector is the pod or group of pods to allow ingress
traffic
properties:
kind:
description: Kind is the type of Subject to allow ingress (ServiceAccount | Group)
type: string
name:
description: Name of the Subject, i.e. ServiceAccountName
type: string
namespace:
description: Namespace where the Subject is deployed
type: string
port:
description: Port defines a TCP port to apply the TrafficTarget to
type: integer
required:
- kind
- name
type: object
rules:
description: Rules are the traffic rules to allow (HTTPRoutes | TCPRoute)
items:
description: TrafficTargetRule is the TrafficSpec to allow for a TrafficTarget
properties:
kind:
description: Kind is the kind of TrafficSpec to allow
type: string
matches:
description: Matches is a list of TrafficSpec routes to allow traffic for
items:
type: string
type: array
name:
description: Name of the TrafficSpec to use
type: string
required:
- kind
- name
type: object
type: array
sources:
description: Sources are the pod or group of pods to allow ingress traffic
items:
description: IdentityBindingSubject is a Kubernetes objects which
should be allowed access to the TrafficTarget
properties:
kind:
description: Kind is the type of Subject to allow ingress (ServiceAccount | Group)
type: string
name:
description: Name of the Subject, i.e. ServiceAccountName
type: string
namespace:
description: Namespace where the Subject is deployed
type: string
port:
description: Port defines a TCP port to apply the TrafficTarget to
type: integer
required:
- kind
- name
type: object
type: array
required:
- destination
type: object
status:
description: TrafficTargetStatus defines the observed state of UDPRoute
type: object
required:
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []