1---
2apiVersion: apiextensions.k8s.io/v1
3kind: CustomResourceDefinition
4metadata:
5 annotations:
6 controller-gen.kubebuilder.io/version: (unknown)
7 name: computefirewalls.compute.cnrm.cloud.google.com
8spec:
9 group: compute.cnrm.cloud.google.com
10 names:
11 kind: ComputeFirewall
12 listKind: ComputeFirewallList
13 plural: computefirewalls
14 singular: computefirewall
15 scope: Namespaced
16 versions:
17 - name: v1beta1
18 schema:
19 openAPIV3Schema:
20 description: ComputeFirewall is the Schema for the compute API
21 properties:
22 apiVersion:
23 description: |-
24 APIVersion defines the versioned schema of this representation of an object.
25 Servers should convert recognized schemas to the latest internal value, and
26 may reject unrecognized values.
27 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
28 type: string
29 kind:
30 description: |-
31 Kind is a string value representing the REST resource this object represents.
32 Servers may infer this from the endpoint the client submits requests to.
33 Cannot be updated.
34 In CamelCase.
35 More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
36 type: string
37 metadata:
38 type: object
39 spec:
40 properties:
41 allow:
42 description: |-
43 The list of ALLOW rules specified by this firewall. Each rule
44 specifies a protocol and port-range tuple that describes a permitted
45 connection.
46 items:
47 properties:
48 ports:
49 description: |-
50 An optional list of ports to which this rule applies. This field
51 is only applicable for UDP or TCP protocol. Each entry must be
52 either an integer or a range. If not specified, this rule
53 applies to connections through any port.
54
55
56 Example inputs include: ["22"], ["80","443"], and
57 ["12345-12349"].
58 items:
59 type: string
60 type: array
61 protocol:
62 description: |-
                        The IP protocol to which this rule applies. The protocol type is
                        required when creating a firewall rule. This value can either be
                        one of the following well known protocol strings (tcp, udp,
                        icmp, esp, ah, sctp, ipip, all), or the IP protocol number.
                        Note that "all" matches every protocol; an ALLOW rule that uses it
                        with no ports list permits all traffic from the matched sources.
67 type: string
68 required:
69 - protocol
70 type: object
71 type: array
72 deny:
73 description: |-
74 The list of DENY rules specified by this firewall. Each rule specifies
75 a protocol and port-range tuple that describes a denied connection.
76 items:
77 properties:
78 ports:
79 description: |-
80 An optional list of ports to which this rule applies. This field
81 is only applicable for UDP or TCP protocol. Each entry must be
82 either an integer or a range. If not specified, this rule
83 applies to connections through any port.
84
85
86 Example inputs include: ["22"], ["80","443"], and
87 ["12345-12349"].
88 items:
89 type: string
90 type: array
91 protocol:
92 description: |-
93 The IP protocol to which this rule applies. The protocol type is
94 required when creating a firewall rule. This value can either be
95 one of the following well known protocol strings (tcp, udp,
96 icmp, esp, ah, sctp, ipip, all), or the IP protocol number.
97 type: string
98 required:
99 - protocol
100 type: object
101 type: array
102 description:
103 description: |-
104 An optional description of this resource. Provide this property when
105 you create the resource.
106 type: string
107 destinationRanges:
108 description: |-
109 If destination ranges are specified, the firewall will apply only to
110 traffic that has destination IP address in these ranges. These ranges
111 must be expressed in CIDR format. IPv4 or IPv6 ranges are supported.
112 items:
113 type: string
114 type: array
115 direction:
116 description: |-
                  Immutable. Direction of traffic to which this firewall applies; default is
                  INGRESS. Note: For INGRESS traffic, the Compute API requires one of
                  'sourceRanges', 'sourceTags' or 'sourceServiceAccounts'. This CRD schema
                  does not enforce that (only networkRef is required here), so a missing
                  source filter is not rejected at admission and only surfaces once the
                  controller applies the resource. Possible values: ["INGRESS", "EGRESS"].
120 type: string
121 disabled:
122 description: |-
123 Denotes whether the firewall rule is disabled, i.e not applied to the
124 network it is associated with. When set to true, the firewall rule is
125 not enforced and the network behaves as if it did not exist. If this
126 is unspecified, the firewall rule will be enabled.
127 type: boolean
128 enableLogging:
                description: DEPRECATED. Deprecated in favor of logConfig. This field
                  denotes whether to enable logging for a particular firewall rule.
                  If logging is enabled, logs will be exported to Cloud Logging
                  (formerly Stackdriver), the same destination logConfig uses.
132 type: boolean
133 logConfig:
134 description: |-
135 This field denotes the logging options for a particular firewall rule.
136 If defined, logging is enabled, and logs will be exported to Cloud Logging.
137 properties:
138 metadata:
139 description: 'This field denotes whether to include or exclude
140 metadata for firewall logs. Possible values: ["EXCLUDE_ALL_METADATA",
141 "INCLUDE_ALL_METADATA"].'
142 type: string
143 required:
144 - metadata
145 type: object
146 networkRef:
147 description: The network to attach this firewall to.
148 properties:
149 external:
150 description: The external name of the referenced resource
151 type: string
152 kind:
153 description: Kind of the referent.
154 type: string
155 name:
156 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
157 type: string
158 namespace:
159 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
160 type: string
161 type: object
162 priority:
163 description: |-
164 Priority for this rule. This is an integer between 0 and 65535, both
165 inclusive. When not specified, the value assumed is 1000. Relative
166 priorities determine precedence of conflicting rules. Lower value of
167 priority implies higher precedence (eg, a rule with priority 0 has
168 higher precedence than a rule with priority 1). DENY rules take
169 precedence over ALLOW rules having equal priority.
170 type: integer
171 resourceID:
172 description: Immutable. Optional. The name of the resource. Used for
173 creation and acquisition. When unset, the value of `metadata.name`
174 is used as the default.
175 type: string
176 sourceRanges:
177 description: |-
                  If source ranges are specified, the firewall will apply only to
                  traffic that has source IP address in these ranges. These ranges must
                  be expressed in CIDR format. One or both of sourceRanges and
                  sourceTags may be set. If both properties are set, the firewall will
                  apply to traffic that has source IP address within sourceRanges OR the
                  source IP that belongs to a tag listed in the sourceTags property. The
                  connection does not need to match both properties for the firewall to
                  apply. IPv4 or IPv6 ranges are supported. A range of 0.0.0.0/0 or ::/0
                  matches every source address; an ALLOW ingress rule with such a range
                  exposes the targeted instances (every instance on the network if no
                  targets are set) to all sources, so scope it with targetTags or
                  targetServiceAccounts and the narrowest ports possible. For INGRESS
                  traffic, one of 'sourceRanges', 'sourceTags' or 'sourceServiceAccounts'
                  is required.
187 items:
188 type: string
189 type: array
190 sourceServiceAccounts:
191 items:
192 properties:
193 external:
194 description: The external name of the referenced resource
195 type: string
196 kind:
197 description: Kind of the referent.
198 type: string
199 name:
200 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
201 type: string
202 namespace:
203 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
204 type: string
205 type: object
206 type: array
207 sourceTags:
208 description: |-
209 If source tags are specified, the firewall will apply only to traffic
210 with source IP that belongs to a tag listed in source tags. Source
211 tags cannot be used to control traffic to an instance's external IP
212 address. Because tags are associated with an instance, not an IP
213 address. One or both of sourceRanges and sourceTags may be set. If
214 both properties are set, the firewall will apply to traffic that has
215 source IP address within sourceRanges OR the source IP that belongs to
216 a tag listed in the sourceTags property. The connection does not need
217 to match both properties for the firewall to apply. For INGRESS traffic,
218 one of 'source_ranges', 'source_tags' or 'source_service_accounts' is required.
219 items:
220 type: string
221 type: array
222 targetServiceAccounts:
223 items:
224 properties:
225 external:
226 description: The external name of the referenced resource
227 type: string
228 kind:
229 description: Kind of the referent.
230 type: string
231 name:
232 description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
233 type: string
234 namespace:
235 description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
236 type: string
237 type: object
238 type: array
239 targetTags:
240 description: |-
                  A list of instance tags indicating sets of instances located in the
                  network that the allow[] and deny[] rules of this firewall apply to.
                  If neither targetTags nor targetServiceAccounts is specified, the
                  firewall rule applies to all instances on the specified network, so an
                  untargeted ALLOW rule widens exposure across the whole network.
245 items:
246 type: string
247 type: array
248 required:
249 - networkRef
250 type: object
251 status:
252 properties:
253 conditions:
254 description: |-
255 Conditions represent the latest available observations of the
256 ComputeFirewall's current state.
257 items:
258 properties:
259 lastTransitionTime:
260 description: Last time the condition transitioned from one status
261 to another.
262 type: string
263 message:
264 description: Human-readable message indicating details about
265 last transition.
266 type: string
267 reason:
268 description: |-
269 Unique, one-word, CamelCase reason for the condition's last
270 transition.
271 type: string
272 status:
273 description: Status is the status of the condition. Can be True,
274 False, Unknown.
275 type: string
276 type:
277 description: Type is the type of the condition.
278 type: string
279 type: object
280 type: array
281 creationTimestamp:
282 description: Creation timestamp in RFC3339 text format.
283 type: string
284 observedGeneration:
285 description: ObservedGeneration is the generation of the resource
286 that was most recently observed by the Config Connector controller.
287 If this is equal to metadata.generation, then that means that the
288 current reported status reflects the most recent desired state of
289 the resource.
290 type: integer
291 selfLink:
292 type: string
293 type: object
294 type: object
295 served: true
296 storage: true