
Text file src/github.com/GoogleCloudPlatform/k8s-config-connector/config/crds/resources/apiextensions.k8s.io_v1_customresourcedefinition_computefirewallpolicyrules.compute.cnrm.cloud.google.com.yaml

Documentation: github.com/GoogleCloudPlatform/k8s-config-connector/config/crds/resources

     1apiVersion: apiextensions.k8s.io/v1
     2kind: CustomResourceDefinition
      # CustomResourceDefinition for the ComputeFirewallPolicyRule kind (named in
      # metadata.name below as computefirewallpolicyrules.compute.cnrm.cloud.google.com).
     3metadata:
     4  annotations:
        # NOTE(review): the version annotation is 0.0.0-dev, so this listing looks
        # like a development snapshot rather than a tagged release -- confirm
        # before treating the schema as the shipped one.
     5    cnrm.cloud.google.com/version: 0.0.0-dev
     6  creationTimestamp: null
      # All four labels live under the cnrm.cloud.google.com prefix. The
      # dcl2crd label presumably marks this CRD as generated, in which case
      # hand edits would be overwritten -- confirm with the project's generator.
     7  labels:
     8    cnrm.cloud.google.com/dcl2crd: "true"
     9    cnrm.cloud.google.com/managed-by-kcc: "true"
    10    cnrm.cloud.google.com/stability-level: stable
    11    cnrm.cloud.google.com/system: "true"
    12  name: computefirewallpolicyrules.compute.cnrm.cloud.google.com
    13spec:
        # Registers the namespaced kind ComputeFirewallPolicyRule in the API group
        # compute.cnrm.cloud.google.com; v1beta1 is the only version listed and is
        # both served and the storage version.
    14  group: compute.cnrm.cloud.google.com
    15  names:
    16    categories:
    17    - gcp
    18    kind: ComputeFirewallPolicyRule
    19    plural: computefirewallpolicyrules
    20    shortNames:
    21    - gcpcomputefirewallpolicyrule
    22    - gcpcomputefirewallpolicyrules
    23    singular: computefirewallpolicyrule
        # With preserveUnknownFields false, fields that the schema below does not
        # declare are pruned by the API server instead of being stored.
    24  preserveUnknownFields: false
        # Namespaced scope: each rule object lives in a namespace, so namespace
        # RBAC decides who may create or change firewall policy rules.
    25  scope: Namespaced
    26  versions:
        # Extra columns for list output; the three status columns all read the
        # condition whose type is 'Ready'.
    27  - additionalPrinterColumns:
    28    - jsonPath: .metadata.creationTimestamp
    29      name: Age
    30      type: date
    31    - description: When 'True', the most recent reconcile of the resource succeeded
    32      jsonPath: .status.conditions[?(@.type=='Ready')].status
    33      name: Ready
    34      type: string
    35    - description: The reason for the value in 'Ready'
    36      jsonPath: .status.conditions[?(@.type=='Ready')].reason
    37      name: Status
    38      type: string
    39    - description: The last transition time for the value in 'Status'
    40      jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
    41      name: Status Age
    42      type: date
    43    name: v1beta1
    44    schema:
    45      openAPIV3Schema:
    46        properties:
    47          apiVersion:
    48            description: 'apiVersion defines the versioned schema of this representation
    49              of an object. Servers should convert recognized schemas to the latest
    50              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
    51            type: string
    52          kind:
    53            description: 'kind is a string value representing the REST resource this
    54              object represents. Servers may infer this from the endpoint the client
    55              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
    56            type: string
    57          metadata:
    58            type: object
    59          spec:
    60            properties:
                    # action and direction are typed only as string: the allowed
                    # values are named in the descriptions but no enum is declared,
                    # so this schema alone does not reject other values.
                    # Presumably they are rejected later by the controller or the
                    # Compute API -- confirm.
    61              action:
    62                description: The Action to perform when the client connection triggers
    63                  the rule. Valid actions are "allow", "deny" and "goto_next".
    64                type: string
    65              description:
    66                description: An optional description for this resource.
    67                type: string
    68              direction:
    69                description: 'The direction in which this rule applies. Possible values:
    70                  INGRESS, EGRESS'
    71                type: string
                    # Per the description, true means the rule is not enforced at
                    # all. A change that disables a deny rule deserves the same
                    # review as one that adds an allow rule.
    72              disabled:
    73                description: Denotes whether the firewall policy rule is disabled.
    74                  When set to true, the firewall policy rule is not enforced and traffic
    75                  behaves as if it did not exist. If this is unspecified, the firewall
    76                  policy rule will be enabled.
    77                type: boolean
                    # Optional, and no default is declared in this schema. Leaving it
                    # unset presumably means matches on this rule are not logged --
                    # confirm the API default before relying on rule logs for
                    # detection or forensics.
    78              enableLogging:
    79                description: 'Denotes whether to enable logging for a particular rule.
    80                  If logging is enabled, logs will be exported to the configured export
    81                  destination in Stackdriver. Logs may be exported to BigQuery or
    82                  Pub/Sub. Note: you cannot enable logging on "goto_next" rules.'
    83                type: boolean
                    # Reference to the parent firewall policy. The oneOf below accepts
                    # exactly one of two shapes: `name` (optionally with `namespace`)
                    # and no `external`, or `external` with neither `name` nor
                    # `namespace`.
    84              firewallPolicyRef:
    85                description: Immutable.
    86                oneOf:
    87                - not:
    88                    required:
    89                    - external
    90                  required:
    91                  - name
    92                - not:
    93                    anyOf:
    94                    - required:
    95                      - name
    96                    - required:
    97                      - namespace
    98                  required:
    99                  - external
   100                properties:
   101                  external:
   102                    description: |-
   103                      The firewall policy of the resource.
   104
   105                      Allowed value: The Google Cloud resource name of a `ComputeFirewallPolicy` resource (format: `locations/global/firewallPolicies/{{name}}`).
   106                    type: string
   107                  name:
   108                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
   109                    type: string
   110                  namespace:
   111                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
   112                    type: string
   113                type: object
                    # Traffic selector for the rule. Only layer4Configs is required
                    # (see the `required` list at the end of this object); every
                    # src*/dest* list is optional. The limits quoted in the
                    # descriptions (10 address groups, 256 CIDR ranges) and the
                    # ingress-only / egress-only restrictions appear only as text:
                    # the schema declares no maxItems and no cross-field rule.
   114              match:
   115                description: A match condition that incoming traffic is evaluated
   116                  against. If it evaluates to true, the corresponding 'action' is
   117                  enforced.
   118                properties:
   119                  destAddressGroups:
   120                    description: Address groups which should be matched against the
   121                      traffic destination. Maximum number of destination address groups
   122                      is 10. Destination address groups is only supported in Egress
   123                      rules.
   124                    items:
   125                      type: string
   126                    type: array
   127                  destFqdns:
   128                    description: Domain names that will be used to match against the
   129                      resolved domain name of destination of traffic. Can only be
   130                      specified if DIRECTION is egress.
   131                    items:
   132                      type: string
   133                    type: array
   134                  destIPRanges:
   135                    description: CIDR IP address range. Maximum number of destination
   136                      CIDR IP ranges allowed is 256.
   137                    items:
   138                      type: string
   139                    type: array
                        # NOTE(review): this description says the codes are matched
                        # against the *source* of traffic, the same wording as
                        # srcRegionCodes, although the field is dest* and egress-only.
                        # It most likely should read "destination" -- confirm
                        # against the Compute API docs and fix upstream.
   140                  destRegionCodes:
   141                    description: The Unicode country codes whose IP addresses will
   142                      be used to match against the source of traffic. Can only be
   143                      specified if DIRECTION is egress.
   144                    items:
   145                      type: string
   146                    type: array
   147                  destThreatIntelligences:
   148                    description: Name of the Google Cloud Threat Intelligence list.
   149                    items:
   150                      type: string
   151                    type: array
                        # Each item names a protocol (required) and optionally a list
                        # of ports. Per the ports description, an item without ports
                        # applies to connections through any port, so an allow rule
                        # with only ipProtocol set covers every port of that protocol.
   152                  layer4Configs:
   153                    description: Pairs of IP protocols and ports that the rule should
   154                      match.
   155                    items:
   156                      properties:
   157                        ipProtocol:
   158                          description: The IP protocol to which this rule applies.
   159                            The protocol type is required when creating a firewall
   160                            rule. This value can either be one of the following well
   161                            known protocol strings (`tcp`, `udp`, `icmp`, `esp`, `ah`,
   162                            `ipip`, `sctp`), or the IP protocol number.
   163                          type: string
                              # NOTE(review): the example list in this description is
                              # empty (it ends in an empty pair of backticks). Entries
                              # are strings, each a single port or a range per the
                              # text; the exact range syntax is not shown here --
                              # confirm against the Compute API docs.
   164                        ports:
   165                          description: 'An optional list of ports to which this rule
   166                            applies. This field is only applicable for UDP or TCP
   167                            protocol. Each entry must be either an integer or a range.
   168                            If not specified, this rule applies to connections through
   169                            any port. Example inputs include: ``.'
   170                          items:
   171                            type: string
   172                          type: array
   173                      required:
   174                      - ipProtocol
   175                      type: object
   176                    type: array
   177                  srcAddressGroups:
   178                    description: Address groups which should be matched against the
   179                      traffic source. Maximum number of source address groups is 10.
   180                      Source address groups is only supported in Ingress rules.
   181                    items:
   182                      type: string
   183                    type: array
   184                  srcFqdns:
   185                    description: Domain names that will be used to match against the
   186                      resolved domain name of source of traffic. Can only be specified
   187                      if DIRECTION is ingress.
   188                    items:
   189                      type: string
   190                    type: array
   191                  srcIPRanges:
   192                    description: CIDR IP address range. Maximum number of source CIDR
   193                      IP ranges allowed is 256.
   194                    items:
   195                      type: string
   196                    type: array
   197                  srcRegionCodes:
   198                    description: The Unicode country codes whose IP addresses will
   199                      be used to match against the source of traffic. Can only be
   200                      specified if DIRECTION is ingress.
   201                    items:
   202                      type: string
   203                    type: array
   204                  srcThreatIntelligences:
   205                    description: Name of the Google Cloud Threat Intelligence list.
   206                    items:
   207                      type: string
   208                    type: array
   209                required:
   210                - layer4Configs
   211                type: object
                    # Evaluation order: per the description, 0 is the highest
                    # priority and 2147483647 the lowest. The schema sets format
                    # int64 but no minimum or maximum, so the stated range is not
                    # enforced here.
                    # NOTE(review): the description misspells "priority" as
                    # "prority" and calls the range "positive" although it starts
                    # at 0.
   212              priority:
   213                description: Immutable. An integer indicating the priority of a rule
   214                  in the list. The priority must be a positive value between 0 and
   215                  2147483647. Rules are evaluated from highest to lowest priority
   216                  where 0 is the highest priority and 2147483647 is the lowest prority.
   217                format: int64
   218                type: integer
                    # No description is given for this field. Each item is a
                    # reference whose `external` form is the selfLink of a
                    # ComputeNetwork, with the same name-or-external oneOf as
                    # firewallPolicyRef. The field is not required; what an empty
                    # list means for the rule's scope is not stated here --
                    # presumably the rule then applies to every target of the
                    # policy, confirm against the Compute API docs.
   219              targetResources:
   220                items:
   221                  oneOf:
   222                  - not:
   223                      required:
   224                      - external
   225                    required:
   226                    - name
   227                  - not:
   228                      anyOf:
   229                      - required:
   230                        - name
   231                      - required:
   232                        - namespace
   233                    required:
   234                    - external
   235                  properties:
   236                    external:
   237                      description: 'Allowed value: The `selfLink` field of a `ComputeNetwork`
   238                        resource.'
   239                      type: string
   240                    name:
   241                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
   242                      type: string
   243                    namespace:
   244                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
   245                      type: string
   246                  type: object
   247                type: array
                    # No description is given for this field either. Items are
                    # references to IAMServiceAccount resources (name-or-external
                    # oneOf as above). Optional; the effect of omitting it is not
                    # stated in this schema -- confirm.
   248              targetServiceAccounts:
   249                items:
   250                  oneOf:
   251                  - not:
   252                      required:
   253                      - external
   254                    required:
   255                    - name
   256                  - not:
   257                      anyOf:
   258                      - required:
   259                        - name
   260                      - required:
   261                        - namespace
   262                    required:
   263                    - external
   264                  properties:
   265                    external:
   266                      description: 'Allowed value: The Google Cloud resource name
   267                        of an `IAMServiceAccount` resource (format: `projects/{{project}}/serviceAccounts/{{name}}@{{project}}.iam.gserviceaccount.com`).'
   268                      type: string
   269                    name:
   270                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
   271                      type: string
   272                    namespace:
   273                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
   274                      type: string
   275                  type: object
   276                type: array
                  # Five fields are mandatory. disabled, enableLogging, description
                  # and both target* lists are optional.
   277            required:
   278            - action
   279            - direction
   280            - firewallPolicyRef
   281            - match
   282            - priority
   283            type: object
                # Observed state: conditions, the resource kind string, the
                # generation last observed by the Config Connector controller, and
                # ruleTupleCount. No field in status is marked required.
   284          status:
   285            properties:
   286              conditions:
   287                description: Conditions represent the latest available observation
   288                  of the resource's current state.
   289                items:
   290                  properties:
   291                    lastTransitionTime:
   292                      description: Last time the condition transitioned from one status
   293                        to another.
   294                      type: string
   295                    message:
   296                      description: Human-readable message indicating details about
   297                        last transition.
   298                      type: string
   299                    reason:
   300                      description: Unique, one-word, CamelCase reason for the condition's
   301                        last transition.
   302                      type: string
   303                    status:
   304                      description: Status is the status of the condition. Can be True,
   305                        False, Unknown.
   306                      type: string
   307                    type:
   308                      description: Type is the type of the condition.
   309                      type: string
   310                  type: object
   311                type: array
   312              kind:
   313                description: Type of the resource. Always `compute#firewallPolicyRule`
   314                  for firewall policy rules
   315                type: string
   316              observedGeneration:
   317                description: ObservedGeneration is the generation of the resource
   318                  that was most recently observed by the Config Connector controller.
   319                  If this is equal to metadata.generation, then that means that the
   320                  current reported status reflects the most recent desired state of
   321                  the resource.
   322                type: integer
   323              ruleTupleCount:
   324                description: Calculation of the complexity of a single firewall policy
   325                  rule.
   326                format: int64
   327                type: integer
   328            type: object
   329        required:
   330        - spec
   331        type: object
   332    served: true
   333    storage: true
          # Enables the /status subresource, so status is written through its own
          # endpoint and can be granted separately from spec in RBAC.
   334    subresources:
   335      status: {}
   336status:
        # Empty status stanza: this manifest records no accepted names, no
        # conditions and no stored versions. Presumably these are filled in by
        # the API server once the CRD is installed -- confirm.
   337  acceptedNames:
   338    kind: ""
   339    plural: ""
   340  conditions: []
   341  storedVersions: []
