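---
# Source: calico/_includes/charts/calico/crds/kdd/crd.projectcalico.org_globalnetworkpolicies.yaml
# NOTE(review): this copy was recovered from a flattened page render (gutter
# residue between lines, indentation lost). The nesting below was reconstructed
# from the key structure; diff it against the upstream chart file before applying.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  name: globalnetworkpolicies.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: GlobalNetworkPolicy
    listKind: GlobalNetworkPolicyList
    plural: globalnetworkpolicies
    singular: globalnetworkpolicy
  # Cluster-scoped: per the namespaceSelector description below, an empty
  # selector applies a GlobalNetworkPolicy to endpoints in every namespace, so
  # write access to this resource is in effect cluster-wide policy authority.
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              applyOnForward:
                description: ApplyOnForward indicates to apply the rules in this policy
                  on forward traffic.
                type: boolean
              doNotTrack:
                description: DoNotTrack indicates whether packets matched by the rules
                  in this policy should go through the data plane's connection tracking,
                  such as Linux conntrack. If True, the rules in this policy are
                  applied before any data plane connection tracking, and packets allowed
                  by this policy are marked as not to be tracked.
                type: boolean
              egress:
                description: The ordered set of egress rules. Each rule contains
                  a set of packet match criteria and a corresponding action to apply.
                items:
                  description: "A Rule encapsulates a set of match criteria and an
                    action. Both selector-based security Policy and security Profiles
                    reference rules - separated out as a list of rules for both ingress
                    and egress packet matching. \n Each positive match criteria has
                    a negated version, prefixed with \"Not\". All the match criteria
                    within a rule must be satisfied for a packet to match. A single
                    rule can contain the positive and negative version of a match
                    and both must be satisfied for the rule to match."
                  properties:
                    action:
                      type: string
                    destination:
                      description: Destination contains the match criteria that apply
                        to destination entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that
                            contains a selector expression. Only traffic that originates
                            from (or terminates at) endpoints within the selected
                            namespaces will be matched. When both NamespaceSelector
                            and another selector are defined on the same rule, then
                            only workload endpoints that are matched by both selectors
                            will be selected by the rule. \n For NetworkPolicy, an
                            empty NamespaceSelector implies that the Selector is limited
                            to selecting only workload endpoints in the same namespace
                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
                            NamespaceSelector implies that the Selector is limited
                            to selecting only GlobalNetworkSet or HostEndpoint. \n
                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
                            the Selector applies to workload endpoints across all
                            namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the
                            rule to only apply to traffic that originates from (or
                            terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets
                            field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports
                            field. Since only some protocols have ports, if any ports
                            are specified it requires the Protocol match in the Rule
                            to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            # NOTE(review): ^.* accepts any string, so port-range and
                            # protocol syntax is not validated by this schema (same for
                            # every int-or-string field below); presumably enforced by
                            # Calico's own validation — confirm.
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector
                            field. See Selector field for subtleties with negated
                            selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts
                            the rule to only apply to traffic that has a source (destination)
                            port that matches one of these ranges/values. This value
                            is a list of integers or strings that represent ranges
                            of ports. \n Since only some protocols have ports, if
                            any ports are specified it requires the Protocol match
                            in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains
                            a selector expression (see Policy for sample syntax).
                            \ Only traffic that originates from (terminates at) endpoints
                            matching the selector will be matched. \n Note that: in
                            addition to the negated version of the Selector (see NotSelector
                            below), the selector expression syntax itself supports
                            negation. The two types of negation are subtly different.
                            One negates the set of matched endpoints, the other negates
                            the whole match: \n \tSelector = \"!has(my_label)\" matches
                            packets that are from other Calico-controlled \tendpoints
                            that do not have the label \"my_label\". \n \tNotSelector
                            = \"has(my_label)\" matches packets that are not from
                            Calico-controlled \tendpoints that do have the label \"my_label\".
                            \n The effect is that the latter will accept packets from
                            non-Calico sources whereas the former is limited to packets
                            from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts
                            the rule to only apply to traffic that originates from
                            (or terminates at) a pod running as a matching service
                            account.
                          properties:
                            names:
                              description: Names is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account that matches the given label selector. If
                                both Names and Selector are specified then they are
                                AND'ed.
                              type: string
                          type: object
                        services:
                          description: "Services is an optional field that contains
                            options for matching Kubernetes Services. If specified,
                            only traffic that originates from or terminates at endpoints
                            within the selected service(s) will be matched, and only
                            to/from each endpoint's port. \n Services cannot be specified
                            on the same rule as Selector, NotSelector, NamespaceSelector,
                            Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
                            Only valid on egress rules."
                          properties:
                            name:
                              description: Name specifies the name of a Kubernetes
                                Service to match.
                              type: string
                            namespace:
                              description: Namespace specifies the namespace of the
                                given Service. If left empty, the rule will match
                                within this policy's namespace.
                              type: string
                          type: object
                      type: object
                    http:
                      description: HTTP contains match criteria that apply to HTTP
                        requests.
                      properties:
                        methods:
                          description: Methods is an optional field that restricts
                            the rule to apply only to HTTP requests that use one of
                            the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
                            methods are OR'd together.
                          items:
                            type: string
                          type: array
                        paths:
                          description: 'Paths is an optional field that restricts
                            the rule to apply to HTTP requests that use one of the
                            listed HTTP Paths. Multiple paths are OR''d together.
                            e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
                            ONLY specify either a `exact` or a `prefix` match. The
                            validator will check for it.'
                          items:
                            description: 'HTTPPath specifies an HTTP path to match.
                              It may be either of the form: exact: <path>: which matches
                              the path exactly or prefix: <path-prefix>: which matches
                              the path prefix'
                            properties:
                              exact:
                                type: string
                              prefix:
                                type: string
                            type: object
                          type: array
                      type: object
                    icmp:
                      description: ICMP is an optional field that restricts the rule
                        to apply to a specific type and code of ICMP traffic. This
                        should only be specified if the Protocol field is set to "ICMP"
                        or "ICMPv6".
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified,
                            the Type value must also be specified. This is a technical
                            limitation imposed by the kernel's iptables firewall,
                            which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example
                            a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    ipVersion:
                      description: IPVersion is an optional field that restricts the
                        rule to only match a specific IP version.
                      type: integer
                    metadata:
                      description: Metadata contains additional information for this
                        rule
                      properties:
                        annotations:
                          additionalProperties:
                            type: string
                          description: Annotations is a set of key value pairs that
                            give extra information about the rule
                          type: object
                      type: object
                    notICMP:
                      description: NotICMP is the negated version of the ICMP field.
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified,
                            the Type value must also be specified. This is a technical
                            limitation imposed by the kernel's iptables firewall,
                            which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example
                            a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    notProtocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: NotProtocol is the negated version of the Protocol
                        field.
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    protocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: "Protocol is an optional field that restricts the
                        rule to only apply to traffic of a specific IP protocol. Required
                        if any of the EntityRules contain Ports (because ports only
                        apply to certain protocols). \n Must be one of these string
                        values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
                        \"UDPLite\" or an integer in the range 1-255."
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    source:
                      description: Source contains the match criteria that apply to
                        source entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that
                            contains a selector expression. Only traffic that originates
                            from (or terminates at) endpoints within the selected
                            namespaces will be matched. When both NamespaceSelector
                            and another selector are defined on the same rule, then
                            only workload endpoints that are matched by both selectors
                            will be selected by the rule. \n For NetworkPolicy, an
                            empty NamespaceSelector implies that the Selector is limited
                            to selecting only workload endpoints in the same namespace
                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
                            NamespaceSelector implies that the Selector is limited
                            to selecting only GlobalNetworkSet or HostEndpoint. \n
                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
                            the Selector applies to workload endpoints across all
                            namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the
                            rule to only apply to traffic that originates from (or
                            terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets
                            field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports
                            field. Since only some protocols have ports, if any ports
                            are specified it requires the Protocol match in the Rule
                            to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector
                            field. See Selector field for subtleties with negated
                            selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts
                            the rule to only apply to traffic that has a source (destination)
                            port that matches one of these ranges/values. This value
                            is a list of integers or strings that represent ranges
                            of ports. \n Since only some protocols have ports, if
                            any ports are specified it requires the Protocol match
                            in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains
                            a selector expression (see Policy for sample syntax).
                            \ Only traffic that originates from (terminates at) endpoints
                            matching the selector will be matched. \n Note that: in
                            addition to the negated version of the Selector (see NotSelector
                            below), the selector expression syntax itself supports
                            negation. The two types of negation are subtly different.
                            One negates the set of matched endpoints, the other negates
                            the whole match: \n \tSelector = \"!has(my_label)\" matches
                            packets that are from other Calico-controlled \tendpoints
                            that do not have the label \"my_label\". \n \tNotSelector
                            = \"has(my_label)\" matches packets that are not from
                            Calico-controlled \tendpoints that do have the label \"my_label\".
                            \n The effect is that the latter will accept packets from
                            non-Calico sources whereas the former is limited to packets
                            from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts
                            the rule to only apply to traffic that originates from
                            (or terminates at) a pod running as a matching service
                            account.
                          properties:
                            names:
                              description: Names is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account that matches the given label selector. If
                                both Names and Selector are specified then they are
                                AND'ed.
                              type: string
                          type: object
                        services:
                          description: "Services is an optional field that contains
                            options for matching Kubernetes Services. If specified,
                            only traffic that originates from or terminates at endpoints
                            within the selected service(s) will be matched, and only
                            to/from each endpoint's port. \n Services cannot be specified
                            on the same rule as Selector, NotSelector, NamespaceSelector,
                            Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
                            Only valid on egress rules."
                          properties:
                            name:
                              description: Name specifies the name of a Kubernetes
                                Service to match.
                              type: string
                            namespace:
                              description: Namespace specifies the namespace of the
                                given Service. If left empty, the rule will match
                                within this policy's namespace.
                              type: string
                          type: object
                      type: object
                  # action is the only field the schema requires of a rule.
                  required:
                  - action
                  type: object
                type: array
              ingress:
                description: The ordered set of ingress rules. Each rule contains
                  a set of packet match criteria and a corresponding action to apply.
                items:
                  description: "A Rule encapsulates a set of match criteria and an
                    action. Both selector-based security Policy and security Profiles
                    reference rules - separated out as a list of rules for both ingress
                    and egress packet matching. \n Each positive match criteria has
                    a negated version, prefixed with \"Not\". All the match criteria
                    within a rule must be satisfied for a packet to match. A single
                    rule can contain the positive and negative version of a match
                    and both must be satisfied for the rule to match."
                  properties:
                    action:
                      type: string
                    destination:
                      description: Destination contains the match criteria that apply
                        to destination entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that
                            contains a selector expression. Only traffic that originates
                            from (or terminates at) endpoints within the selected
                            namespaces will be matched. When both NamespaceSelector
                            and another selector are defined on the same rule, then
                            only workload endpoints that are matched by both selectors
                            will be selected by the rule. \n For NetworkPolicy, an
                            empty NamespaceSelector implies that the Selector is limited
                            to selecting only workload endpoints in the same namespace
                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
                            NamespaceSelector implies that the Selector is limited
                            to selecting only GlobalNetworkSet or HostEndpoint. \n
                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
                            the Selector applies to workload endpoints across all
                            namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the
                            rule to only apply to traffic that originates from (or
                            terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets
                            field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports
                            field. Since only some protocols have ports, if any ports
                            are specified it requires the Protocol match in the Rule
                            to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector
                            field. See Selector field for subtleties with negated
                            selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts
                            the rule to only apply to traffic that has a source (destination)
                            port that matches one of these ranges/values. This value
                            is a list of integers or strings that represent ranges
                            of ports. \n Since only some protocols have ports, if
                            any ports are specified it requires the Protocol match
                            in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains
                            a selector expression (see Policy for sample syntax).
                            \ Only traffic that originates from (terminates at) endpoints
                            matching the selector will be matched. \n Note that: in
                            addition to the negated version of the Selector (see NotSelector
                            below), the selector expression syntax itself supports
                            negation. The two types of negation are subtly different.
                            One negates the set of matched endpoints, the other negates
                            the whole match: \n \tSelector = \"!has(my_label)\" matches
                            packets that are from other Calico-controlled \tendpoints
                            that do not have the label \"my_label\". \n \tNotSelector
                            = \"has(my_label)\" matches packets that are not from
                            Calico-controlled \tendpoints that do have the label \"my_label\".
                            \n The effect is that the latter will accept packets from
                            non-Calico sources whereas the former is limited to packets
                            from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts
                            the rule to only apply to traffic that originates from
                            (or terminates at) a pod running as a matching service
                            account.
                          properties:
                            names:
                              description: Names is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account that matches the given label selector. If
                                both Names and Selector are specified then they are
                                AND'ed.
                              type: string
                          type: object
                        services:
                          description: "Services is an optional field that contains
                            options for matching Kubernetes Services. If specified,
                            only traffic that originates from or terminates at endpoints
                            within the selected service(s) will be matched, and only
                            to/from each endpoint's port. \n Services cannot be specified
                            on the same rule as Selector, NotSelector, NamespaceSelector,
                            Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
                            Only valid on egress rules."
                          properties:
                            name:
                              description: Name specifies the name of a Kubernetes
                                Service to match.
                              type: string
                            namespace:
                              description: Namespace specifies the namespace of the
                                given Service. If left empty, the rule will match
                                within this policy's namespace.
                              type: string
                          type: object
                      type: object
                    http:
                      description: HTTP contains match criteria that apply to HTTP
                        requests.
                      properties:
                        methods:
                          description: Methods is an optional field that restricts
                            the rule to apply only to HTTP requests that use one of
                            the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
                            methods are OR'd together.
                          items:
                            type: string
                          type: array
                        paths:
                          description: 'Paths is an optional field that restricts
                            the rule to apply to HTTP requests that use one of the
                            listed HTTP Paths. Multiple paths are OR''d together.
                            e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
                            ONLY specify either a `exact` or a `prefix` match. The
                            validator will check for it.'
                          items:
                            description: 'HTTPPath specifies an HTTP path to match.
                              It may be either of the form: exact: <path>: which matches
                              the path exactly or prefix: <path-prefix>: which matches
                              the path prefix'
                            properties:
                              exact:
                                type: string
                              prefix:
                                type: string
                            type: object
                          type: array
                      type: object
                    icmp:
                      description: ICMP is an optional field that restricts the rule
                        to apply to a specific type and code of ICMP traffic. This
                        should only be specified if the Protocol field is set to "ICMP"
                        or "ICMPv6".
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified,
                            the Type value must also be specified. This is a technical
                            limitation imposed by the kernel's iptables firewall,
                            which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example
                            a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    ipVersion:
                      description: IPVersion is an optional field that restricts the
                        rule to only match a specific IP version.
                      type: integer
                    metadata:
                      description: Metadata contains additional information for this
                        rule
                      properties:
                        annotations:
                          additionalProperties:
                            type: string
                          description: Annotations is a set of key value pairs that
                            give extra information about the rule
                          type: object
                      type: object
                    notICMP:
                      description: NotICMP is the negated version of the ICMP field.
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified,
                            the Type value must also be specified. This is a technical
                            limitation imposed by the kernel's iptables firewall,
                            which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example
                            a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    notProtocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: NotProtocol is the negated version of the Protocol
                        field.
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    protocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: "Protocol is an optional field that restricts the
                        rule to only apply to traffic of a specific IP protocol. Required
                        if any of the EntityRules contain Ports (because ports only
                        apply to certain protocols). \n Must be one of these string
                        values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
                        \"UDPLite\" or an integer in the range 1-255."
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    source:
                      description: Source contains the match criteria that apply to
                        source entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that
                            contains a selector expression. Only traffic that originates
                            from (or terminates at) endpoints within the selected
                            namespaces will be matched. When both NamespaceSelector
                            and another selector are defined on the same rule, then
                            only workload endpoints that are matched by both selectors
                            will be selected by the rule. \n For NetworkPolicy, an
                            empty NamespaceSelector implies that the Selector is limited
                            to selecting only workload endpoints in the same namespace
                            as the NetworkPolicy. \n For NetworkPolicy, `global()`
                            NamespaceSelector implies that the Selector is limited
                            to selecting only GlobalNetworkSet or HostEndpoint. \n
                            For GlobalNetworkPolicy, an empty NamespaceSelector implies
                            the Selector applies to workload endpoints across all
                            namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the
                            rule to only apply to traffic that originates from (or
                            terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets
                            field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports
                            field. Since only some protocols have ports, if any ports
                            are specified it requires the Protocol match in the Rule
                            to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector
                            field. See Selector field for subtleties with negated
                            selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts
                            the rule to only apply to traffic that has a source (destination)
                            port that matches one of these ranges/values. This value
                            is a list of integers or strings that represent ranges
                            of ports. \n Since only some protocols have ports, if
                            any ports are specified it requires the Protocol match
                            in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains
                            a selector expression (see Policy for sample syntax).
                            \ Only traffic that originates from (terminates at) endpoints
                            matching the selector will be matched. \n Note that: in
                            addition to the negated version of the Selector (see NotSelector
                            below), the selector expression syntax itself supports
                            negation. The two types of negation are subtly different.
                            One negates the set of matched endpoints, the other negates
                            the whole match: \n \tSelector = \"!has(my_label)\" matches
                            packets that are from other Calico-controlled \tendpoints
                            that do not have the label \"my_label\". \n \tNotSelector
                            = \"has(my_label)\" matches packets that are not from
                            Calico-controlled \tendpoints that do have the label \"my_label\".
                            \n The effect is that the latter will accept packets from
                            non-Calico sources whereas the former is limited to packets
                            from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts
                            the rule to only apply to traffic that originates from
                            (or terminates at) a pod running as a matching service
                            account.
                          properties:
                            names:
                              description: Names is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account that matches the given label selector. If
                                both Names and Selector are specified then they are
                                AND'ed.
                              type: string
                          type: object
                        services:
                          description: "Services is an optional field that contains
                            options for matching Kubernetes Services. If specified,
                            only traffic that originates from or terminates at endpoints
                            within the selected service(s) will be matched, and only
                            to/from each endpoint's port. \n Services cannot be specified
                            on the same rule as Selector, NotSelector, NamespaceSelector,
                            Ports, NotPorts, Nets, NotNets or ServiceAccounts. \n
                            Only valid on egress rules."
                          properties:
                            name:
                              description: Name specifies the name of a Kubernetes
                                Service to match.
                              type: string
                            namespace:
                              description: Namespace specifies the namespace of the
                                given Service. If left empty, the rule will match
                                within this policy's namespace.
                              type: string
                          type: object
                      type: object
                  required:
                  - action
                  type: object
                type: array
              namespaceSelector:
                description: NamespaceSelector is an optional field for an expression
                  used to select a pod based on namespaces.
                type: string
              order:
                description: Order is an optional field that specifies the order in
                  which the policy is applied. Policies with higher "order" are applied
                  after those with lower order. If the order is omitted, it may be
                  considered to be "infinite" - i.e. the policy will be applied last. Policies
                  with identical order will be applied in alphanumerical order based
                  on the Policy "Name".
                type: number
              preDNAT:
                description: PreDNAT indicates to apply the rules in this policy before
                  any DNAT.
                type: boolean
              selector:
                description: "The selector is an expression used to pick pick out
                  the endpoints that the policy should be applied to. \n Selector
                  expressions follow this syntax: \n \tlabel == \"string_literal\"
                  \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
                  \ -> not equal; also matches if label is not present \tlabel in
                  { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
                  one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
                  ... } -> true if the value of label X is not one of \"a\", \"b\",
                  \"c\" \thas(label_name) -> True if that label is present \t! expr
                  -> negation of expr \texpr && expr -> Short-circuit and \texpr
                  || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
                  or the empty selector -> matches all endpoints. \n Label names are
                  allowed to contain alphanumerics, -, _ and /. String literals are
                  more permissive but they do not support escape characters. \n Examples
                  (with made-up labels): \n \ttype == \"webserver\" && deployment
                  == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
                  \"dev\" \t! has(label_name)"
                type: string
              serviceAccountSelector:
                description: ServiceAccountSelector is an optional field for an expression
                  used to select a pod based on service accounts.
                type: string
              types:
                description: "Types indicates whether this policy applies to ingress,
                  or to egress, or to both. When not explicitly specified (and so
                  the value on creation is empty or nil), Calico defaults Types according
                  to what Ingress and Egress rules are present in the policy. The
                  default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
                  (including the case where there are also no Ingress rules) \n
                  - [ PolicyTypeEgress ], if there are Egress rules but no Ingress
                  rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
                  both Ingress and Egress rules. \n When the policy is read back again,
                  Types will always be one of these values, never empty or nil."
                items:
                  description: PolicyType enumerates the possible values of the PolicySpec
                    Types field.
                  type: string
                type: array
            type: object
        type: object
    served: true
    storage: true
# status is server-populated; the empty values below are placeholders as
# shipped in the chart, not anything a user sets.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []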