andata
/
rke2-charts
mirror of https://git.rancher.io/rke2-charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

rke2-canal: add crds and rbac to align with upstream v3.29.0 release

pull/555/head
Thomas Ferrandiz 2024-11-05 11:16:05 +00:00
parent bb7e9b9a6d
commit 6e19edede2
3 changed files with 978 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

907
packages/rke2-canal/charts/templates/crds/adminnetworkpolicies.crd.yaml Normal file
View File

@ -0,0 +1,907 @@
# Source: calico/templates/kdd-crds.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/30
policy.networking.k8s.io/bundle-version: v0.1.1
policy.networking.k8s.io/channel: standard
creationTimestamp: null
name: adminnetworkpolicies.policy.networking.k8s.io
spec:
group: policy.networking.k8s.io
names:
kind: AdminNetworkPolicy
listKind: AdminNetworkPolicyList
plural: adminnetworkpolicies
shortNames:
- anp
singular: adminnetworkpolicy
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .spec.priority
name: Priority
type: string
- jsonPath: .metadata.creationTimestamp
name: Age
type: date
name: v1alpha1
schema:
openAPIV3Schema:
description: |-
AdminNetworkPolicy is a cluster level resource that is part of the
AdminNetworkPolicy API.
properties:
apiVersion:
description: |-
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
type: string
kind:
description: |-
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
type: string
metadata:
type: object
spec:
description: Specification of the desired behavior of AdminNetworkPolicy.
properties:
egress:
description: |-
Egress is the list of Egress rules to be applied to the selected pods.
A total of 100 rules will be allowed in each ANP instance.
The relative precedence of egress rules within a single ANP object (all of
which share the priority) will be determined by the order in which the rule
is written. Thus, a rule that appears at the top of the egress rules
would take the highest precedence.
ANPs with no egress rules do not affect egress traffic.
Support: Core
items:
description: |-
AdminNetworkPolicyEgressRule describes an action to take on a particular
set of traffic originating from pods selected by a AdminNetworkPolicy's
Subject field.
<network-policy-api:experimental:validation>
properties:
action:
description: |-
Action specifies the effect this rule will have on matching traffic.
Currently the following actions are supported:
Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy)
Deny: denies the selected traffic
Pass: instructs the selected traffic to skip any remaining ANP rules, and
then pass execution to any NetworkPolicies that select the pod.
If the pod is not selected by any NetworkPolicies then execution
is passed to any BaselineAdminNetworkPolicies that select the pod.
Support: Core
enum:
- Allow
- Deny
- Pass
type: string
name:
description: |-
Name is an identifier for this rule, that may be no more than 100 characters
in length. This field should be used by the implementation to help
improve observability, readability and error-reporting for any applied
AdminNetworkPolicies.
Support: Core
maxLength: 100
type: string
ports:
description: |-
Ports allows for matching traffic based on port and protocols.
This field is a list of destination ports for the outgoing egress traffic.
If Ports is not set then the rule does not filter traffic via port.
Support: Core
items:
description: |-
AdminNetworkPolicyPort describes how to select network ports on pod(s).
Exactly one field must be set.
maxProperties: 1
minProperties: 1
properties:
portNumber:
description: |-
Port selects a port on a pod(s) based on number.
Support: Core
properties:
port:
description: |-
Number defines a network port value.
Support: Core
format: int32
maximum: 65535
minimum: 1
type: integer
protocol:
default: TCP
description: |-
Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
match. If not specified, this field defaults to TCP.
Support: Core
type: string
required:
- port
- protocol
type: object
portRange:
description: |-
PortRange selects a port range on a pod(s) based on provided start and end
values.
Support: Core
properties:
end:
description: |-
End defines a network port that is the end of a port range, the End value
must be greater than Start.
Support: Core
format: int32
maximum: 65535
minimum: 1
type: integer
protocol:
default: TCP
description: |-
Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
match. If not specified, this field defaults to TCP.
Support: Core
type: string
start:
description: |-
Start defines a network port that is the start of a port range, the Start
value must be less than End.
Support: Core
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- end
- start
type: object
type: object
maxItems: 100
type: array
to:
description: |-
To is the List of destinations whose traffic this rule applies to.
If any AdminNetworkPolicyEgressPeer matches the destination of outgoing
traffic then the specified action is applied.
This field must be defined and contain at least one item.
Support: Core
items:
description: |-
AdminNetworkPolicyEgressPeer defines a peer to allow traffic to.
Exactly one of the selector pointers must be set for a given peer. If a
consumer observes none of its fields are set, they must assume an unknown
option has been specified and fail closed.
maxProperties: 1
minProperties: 1
properties:
namespaces:
description: |-
Namespaces defines a way to select all pods within a set of Namespaces.
Note that host-networked pods are not included in this type of peer.
Support: Core
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
pods:
description: |-
Pods defines a way to select a set of pods in
a set of namespaces. Note that host-networked pods
are not included in this type of peer.
Support: Core
properties:
namespaceSelector:
description: |-
NamespaceSelector follows standard label selector semantics; if empty,
it selects all Namespaces.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
podSelector:
description: |-
PodSelector is used to explicitly select pods within a namespace; if empty,
it selects all Pods.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- namespaceSelector
- podSelector
type: object
type: object
maxItems: 100
minItems: 1
type: array
required:
- action
- to
type: object
maxItems: 100
type: array
ingress:
description: |-
Ingress is the list of Ingress rules to be applied to the selected pods.
A total of 100 rules will be allowed in each ANP instance.
The relative precedence of ingress rules within a single ANP object (all of
which share the priority) will be determined by the order in which the rule
is written. Thus, a rule that appears at the top of the ingress rules
would take the highest precedence.
ANPs with no ingress rules do not affect ingress traffic.
Support: Core
items:
description: |-
AdminNetworkPolicyIngressRule describes an action to take on a particular
set of traffic destined for pods selected by an AdminNetworkPolicy's
Subject field.
properties:
action:
description: |-
Action specifies the effect this rule will have on matching traffic.
Currently the following actions are supported:
Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy)
Deny: denies the selected traffic
Pass: instructs the selected traffic to skip any remaining ANP rules, and
then pass execution to any NetworkPolicies that select the pod.
If the pod is not selected by any NetworkPolicies then execution
is passed to any BaselineAdminNetworkPolicies that select the pod.
Support: Core
enum:
- Allow
- Deny
- Pass
type: string
from:
description: |-
From is the list of sources whose traffic this rule applies to.
If any AdminNetworkPolicyIngressPeer matches the source of incoming
traffic then the specified action is applied.
This field must be defined and contain at least one item.
Support: Core
items:
description: |-
AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from.
Exactly one of the selector pointers must be set for a given peer. If a
consumer observes none of its fields are set, they must assume an unknown
option has been specified and fail closed.
maxProperties: 1
minProperties: 1
properties:
namespaces:
description: |-
Namespaces defines a way to select all pods within a set of Namespaces.
Note that host-networked pods are not included in this type of peer.
Support: Core
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
pods:
description: |-
Pods defines a way to select a set of pods in
a set of namespaces. Note that host-networked pods
are not included in this type of peer.
Support: Core
properties:
namespaceSelector:
description: |-
NamespaceSelector follows standard label selector semantics; if empty,
it selects all Namespaces.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
podSelector:
description: |-
PodSelector is used to explicitly select pods within a namespace; if empty,
it selects all Pods.
properties:
matchExpressions:
description: matchExpressions is a list of label
selector requirements. The requirements are
ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the
selector applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- namespaceSelector
- podSelector
type: object
type: object
maxItems: 100
minItems: 1
type: array
name:
description: |-
Name is an identifier for this rule, that may be no more than 100 characters
in length. This field should be used by the implementation to help
improve observability, readability and error-reporting for any applied
AdminNetworkPolicies.
Support: Core
maxLength: 100
type: string
ports:
description: |-
Ports allows for matching traffic based on port and protocols.
This field is a list of ports which should be matched on
the pods selected for this policy i.e the subject of the policy.
So it matches on the destination port for the ingress traffic.
If Ports is not set then the rule does not filter traffic via port.
Support: Core
items:
description: |-
AdminNetworkPolicyPort describes how to select network ports on pod(s).
Exactly one field must be set.
maxProperties: 1
minProperties: 1
properties:
portNumber:
description: |-
Port selects a port on a pod(s) based on number.
Support: Core
properties:
port:
description: |-
Number defines a network port value.
Support: Core
format: int32
maximum: 65535
minimum: 1
type: integer
protocol:
default: TCP
description: |-
Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
match. If not specified, this field defaults to TCP.
Support: Core
type: string
required:
- port
- protocol
type: object
portRange:
description: |-
PortRange selects a port range on a pod(s) based on provided start and end
values.
Support: Core
properties:
end:
description: |-
End defines a network port that is the end of a port range, the End value
must be greater than Start.
Support: Core
format: int32
maximum: 65535
minimum: 1
type: integer
protocol:
default: TCP
description: |-
Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
match. If not specified, this field defaults to TCP.
Support: Core
type: string
start:
description: |-
Start defines a network port that is the start of a port range, the Start
value must be less than End.
Support: Core
format: int32
maximum: 65535
minimum: 1
type: integer
required:
- end
- start
type: object
type: object
maxItems: 100
type: array
required:
- action
- from
type: object
maxItems: 100
type: array
priority:
description: |-
Priority is a value from 0 to 1000. Rules with lower priority values have
higher precedence, and are checked before rules with higher priority values.
All AdminNetworkPolicy rules have higher precedence than NetworkPolicy or
BaselineAdminNetworkPolicy rules
The behavior is undefined if two ANP objects have same priority.
Support: Core
format: int32
maximum: 1000
minimum: 0
type: integer
subject:
description: |-
Subject defines the pods to which this AdminNetworkPolicy applies.
Note that host-networked pods are not included in subject selection.
Support: Core
maxProperties: 1
minProperties: 1
properties:
namespaces:
description: Namespaces is used to select pods via namespace selectors.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
pods:
description: Pods is used to select pods via namespace AND pod
selectors.
properties:
namespaceSelector:
description: |-
NamespaceSelector follows standard label selector semantics; if empty,
it selects all Namespaces.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
podSelector:
description: |-
PodSelector is used to explicitly select pods within a namespace; if empty,
it selects all Pods.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
requirements. The requirements are ANDed.
items:
description: |-
A label selector requirement is a selector that contains values, a key, and an operator that
relates the key and values.
properties:
key:
description: key is the label key that the selector
applies to.
type: string
operator:
description: |-
operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, Exists and DoesNotExist.
type: string
values:
description: |-
values is an array of string values. If the operator is In or NotIn,
the values array must be non-empty. If the operator is Exists or DoesNotExist,
the values array must be empty. This array is replaced during a strategic
merge patch.
items:
type: string
type: array
required:
- key
- operator
type: object
type: array
matchLabels:
additionalProperties:
type: string
description: |-
matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
map is equivalent to an element of matchExpressions, whose key field is "key", the
operator is "In", and the values array contains only "value". The requirements are ANDed.
type: object
type: object
x-kubernetes-map-type: atomic
required:
- namespaceSelector
- podSelector
type: object
type: object
required:
- priority
- subject
type: object
status:
description: Status is the status to be reported by the implementation.
properties:
conditions:
items:
description: "Condition contains details for one aspect of the current
state of this API Resource.\n---\nThis struct is intended for
direct use as an array at the field path .status.conditions. For
example,\n\n\n\ttype FooStatus struct{\n\t // Represents the
observations of a foo's current state.\n\t // Known .status.conditions.type
are: \"Available\", \"Progressing\", and \"Degraded\"\n\t //
+patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t
\ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\"
patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t
\ // other fields\n\t}"
properties:
lastTransitionTime:
description: |-
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format: date-time
type: string
message:
description: |-
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength: 32768
type: string
observedGeneration:
description: |-
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format: int64
minimum: 0
type: integer
reason:
description: |-
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
maxLength: 1024
minLength: 1
pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
type: string
status:
description: status of the condition, one of True, False, Unknown.
enum:
- "True"
- "False"
- Unknown
type: string
type:
description: |-
type of condition in CamelCase or in foo.example.com/CamelCase.
---
Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be
useful (see .node.status.conditions), the ability to deconflict is important.
The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt)
maxLength: 316
pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
type: string
required:
- lastTransitionTime
- message
- reason
- status
- type
type: object
type: array
x-kubernetes-list-map-keys:
- type
x-kubernetes-list-type: map
required:
- conditions
type: object
required:
- metadata
- spec
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
plural: ""
conditions: null
storedVersions: null

62
packages/rke2-canal/charts/templates/crds/tiers.crd.yaml Normal file
View File

@ -0,0 +1,62 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: (devel)
creationTimestamp: null
name: tiers.crd.projectcalico.org
spec:
group: crd.projectcalico.org
names:
kind: Tier
listKind: TierList
plural: tiers
singular: tier
scope: Cluster
versions:
- name: v1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: TierSpec contains the specification for a security policy
tier resource.
properties:
defaultAction:
description: 'DefaultAction specifies the action applied to workloads
selected by a policy in the tier, but not rule matched the workload''s
traffic. [Default: Deny]'
enum:
- Pass
- Deny
type: string
order:
description: Order is an optional field that specifies the order in
which the tier is applied. Tiers with higher "order" are applied
after those with lower order. If the order is omitted, it may be
considered to be "infinite" - i.e. the tier will be applied last. Tiers
with identical order will be applied in alphanumerical order based
on the Tier "Name".
type: number
type: object
type: object
served: true
storage: true
status:
acceptedNames:
kind: ""
plural: ""
conditions: []
storedVersions: []

9
packages/rke2-canal/charts/templates/rbac.yaml
View File

@ -62,6 +62,13 @@ rules:
verbs: verbs:
- watch - watch
- list - list
# Watch for changes to Kubernetes AdminNetworkPolicies.
- apiGroups: ["policy.networking.k8s.io"]
resources:
- adminnetworkpolicies
verbs:
- watch
- list
# Used by Calico for policy information. # Used by Calico for policy information.
- apiGroups: [""] - apiGroups: [""]
resources: resources:
@ -96,6 +103,7 @@ rules:
- clusterinformations - clusterinformations
- hostendpoints - hostendpoints
- blockaffinities - blockaffinities
- tiers
verbs: verbs:
- get - get
- list - list
@ -226,6 +234,7 @@ rules:
- blockaffinities - blockaffinities
- ipamblocks - ipamblocks
- ipamhandles - ipamhandles
- tiers
verbs: verbs:
- get - get
- list - list