---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: (unknown)
  name: computeorganizationsecuritypolicyrules.compute.cnrm.cloud.google.com
spec:
  group: compute.cnrm.cloud.google.com
  names:
    kind: ComputeOrganizationSecurityPolicyRule
    listKind: ComputeOrganizationSecurityPolicyRuleList
    plural: computeorganizationsecuritypolicyrules
    singular: computeorganizationsecuritypolicyrule
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: ComputeOrganizationSecurityPolicyRule is the Schema for the compute API
        properties:
          apiVersion:
            description: |-
              APIVersion defines the versioned schema of this representation of an object.
              Servers should convert recognized schemas to the latest internal value, and
              may reject unrecognized values.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
            type: string
          kind:
            description: |-
              Kind is a string value representing the REST resource this object represents.
              Servers may infer this from the endpoint the client submits requests to.
              Cannot be updated.
              In CamelCase.
              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
            type: string
          metadata:
            type: object
          spec:
            properties:
              action:
                description: |-
                  The Action to perform when the client connection triggers the rule. Can currently be either
                  "allow", "deny" or "goto_next".
                type: string
              description:
                description: A description of the rule.
                type: string
              direction:
                description: 'The direction in which this rule applies. If unspecified an INGRESS rule is created. Possible values: ["INGRESS", "EGRESS"].'
                type: string
              enableLogging:
                description: |-
                  Denotes whether to enable logging for a particular rule. If logging is enabled, logs will be exported to the
                  configured export destination in Stackdriver.
                type: boolean
              match:
                description: A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.
                properties:
                  config:
                    description: The configuration options for matching the rule.
                    properties:
                      destIpRanges:
                        description: |-
                          Destination IP address range in CIDR format. Required for
                          EGRESS rules.
                        items:
                          type: string
                        type: array
                      layer4Config:
                        description: Pairs of IP protocols and ports that the rule should match.
                        items:
                          properties:
                            ipProtocol:
                              description: |-
                                The IP protocol to which this rule applies. The protocol
                                type is required when creating a firewall rule.
                                This value can either be one of the following well
                                known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp),
                                or the IP protocol number.
                              type: string
                            ports:
                              description: |-
                                An optional list of ports to which this rule applies. This field
                                is only applicable for UDP or TCP protocol. Each entry must be
                                either an integer or a range. If not specified, this rule
                                applies to connections through any port.
                                Example inputs include: ["22"], ["80","443"], and
                                ["12345-12349"].
                              items:
                                type: string
                              type: array
                          required:
                          - ipProtocol
                          type: object
                        type: array
                      srcIpRanges:
                        description: |-
                          Source IP address range in CIDR format. Required for
                          INGRESS rules.
                        items:
                          type: string
                        type: array
                    required:
                    - layer4Config
                    type: object
                  description:
                    description: A description of the rule.
                    type: string
                  versionedExpr:
                    description: |-
                      Preconfigured versioned expression. For organization security policy rules,
                      the only supported type is "FIREWALL". Default value: "FIREWALL" Possible values: ["FIREWALL"].
                    type: string
                required:
                - config
                type: object
              policyId:
                description: Immutable. The ID of the OrganizationSecurityPolicy this rule applies to.
                type: string
              preview:
                description: If set to true, the specified action is not enforced.
                type: boolean
              resourceID:
                description: Immutable. Optional. The priority of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.
                type: string
              targetResources:
                description: |-
                  A list of network resource URLs to which this rule applies.
                  This field allows you to control which network's VMs get
                  this rule. If this field is left blank, all VMs
                  within the organization will receive the rule.
                items:
                  type: string
                type: array
              targetServiceAccounts:
                description: |-
                  A list of service accounts indicating the sets of
                  instances that are applied with this rule.
                items:
                  type: string
                type: array
            required:
            - action
            - match
            - policyId
            type: object
          status:
            properties:
              conditions:
                description: |-
                  Conditions represent the latest available observations of the
                  ComputeOrganizationSecurityPolicyRule's current state.
                items:
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status to another.
                      type: string
                    message:
                      description: Human-readable message indicating details about last transition.
                      type: string
                    reason:
                      description: |-
                        Unique, one-word, CamelCase reason for the condition's last transition.
                      type: string
                    status:
                      description: Status is the status of the condition. Can be True, False, Unknown.
                      type: string
                    type:
                      description: Type is the type of the condition.
                      type: string
                  type: object
                type: array
              observedGeneration:
                description: ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.
                type: integer
            type: object
        type: object
    served: true
    storage: true