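# CustomResourceDefinition for ComputeFirewall (Config Connector, compute group).
# The labels mark it as a KCC system CRD generated from the Terraform schema
# (tf2crd). The openAPIV3Schema below is what the API server enforces at
# admission; anything it does not constrain is only checked by GCP at reconcile.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    cnrm.cloud.google.com/version: 0.0.0-dev
  creationTimestamp: null
  labels:
    cnrm.cloud.google.com/managed-by-kcc: "true"
    cnrm.cloud.google.com/stability-level: stable
    cnrm.cloud.google.com/system: "true"
    cnrm.cloud.google.com/tf2crd: "true"
  name: computefirewalls.compute.cnrm.cloud.google.com
spec:
  group: compute.cnrm.cloud.google.com
  names:
    categories:
    - gcp
    kind: ComputeFirewall
    plural: computefirewalls
    shortNames:
    - gcpcomputefirewall
    - gcpcomputefirewalls
    singular: computefirewall
  # Fields not declared in the schema are pruned rather than persisted.
  preserveUnknownFields: false
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: When 'True', the most recent reconcile of the resource succeeded
      jsonPath: .status.conditions[?(@.type=='Ready')].status
      name: Ready
      type: string
    - description: The reason for the value in 'Ready'
      jsonPath: .status.conditions[?(@.type=='Ready')].reason
      name: Status
      type: string
    - description: The last transition time for the value in 'Status'
      jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
      name: Status Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'apiVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
            type: string
          kind:
            description: 'kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              # allow and deny share the same rule shape; only `protocol` is
              # required per rule, `ports` is optional (unset = every port).
              allow:
                description: |-
                  The list of ALLOW rules specified by this firewall. Each rule
                  specifies a protocol and port-range tuple that describes a permitted
                  connection.
                items:
                  properties:
                    ports:
                      description: |-
                        An optional list of ports to which this rule applies. This field
                        is only applicable for UDP or TCP protocol. Each entry must be
                        either an integer or a range. If not specified, this rule
                        applies to connections through any port.

                        Example inputs include: ["22"], ["80","443"], and
                        ["12345-12349"].
                      items:
                        type: string
                      type: array
                    protocol:
                      description: |-
                        The IP protocol to which this rule applies. The protocol type is
                        required when creating a firewall rule. This value can either be
                        one of the following well known protocol strings (tcp, udp,
                        icmp, esp, ah, sctp, ipip, all), or the IP protocol number.
                      type: string
                  required:
                  - protocol
                  type: object
                type: array
              deny:
                description: |-
                  The list of DENY rules specified by this firewall. Each rule specifies
                  a protocol and port-range tuple that describes a denied connection.
                items:
                  properties:
                    ports:
                      description: |-
                        An optional list of ports to which this rule applies. This field
                        is only applicable for UDP or TCP protocol. Each entry must be
                        either an integer or a range. If not specified, this rule
                        applies to connections through any port.

                        Example inputs include: ["22"], ["80","443"], and
                        ["12345-12349"].
                      items:
                        type: string
                      type: array
                    protocol:
                      description: |-
                        The IP protocol to which this rule applies. The protocol type is
                        required when creating a firewall rule. This value can either be
                        one of the following well known protocol strings (tcp, udp,
                        icmp, esp, ah, sctp, ipip, all), or the IP protocol number.
                      type: string
                  required:
                  - protocol
                  type: object
                type: array
              description:
                description: |-
                  An optional description of this resource. Provide this property when
                  you create the resource.
                type: string
              # NOTE(review): entries are free-form strings; the CIDR requirement
              # in the description is not enforced here, so a malformed range is
              # only caught by GCP at reconcile time.
              destinationRanges:
                description: |-
                  If destination ranges are specified, the firewall will apply only to
                  traffic that has destination IP address in these ranges. These ranges
                  must be expressed in CIDR format. IPv4 or IPv6 ranges are supported.
                items:
                  type: string
                type: array
              direction:
                description: |-
                  Immutable. Direction of traffic to which this firewall applies; default is
                  INGRESS. Note: For INGRESS traffic, one of 'source_ranges',
                  'source_tags' or 'source_service_accounts' is required. Possible values: ["INGRESS", "EGRESS"].
                # Restrict to the values the description already lists so a typo is
                # rejected at admission instead of surfacing as a reconcile error.
                enum:
                - EGRESS
                - INGRESS
                type: string
              # When true the rule exists but is not enforced (see description);
              # unset means enabled.
              disabled:
                description: |-
                  Denotes whether the firewall rule is disabled, i.e not applied to the
                  network it is associated with. When set to true, the firewall rule is
                  not enforced and the network behaves as if it did not exist. If this
                  is unspecified, the firewall rule will be enabled.
                type: boolean
              # Deprecated per its description; logConfig is the supported way to
              # enable logging.
              enableLogging:
                description: DEPRECATED. Deprecated in favor of log_config. This field
                  denotes whether to enable logging for a particular firewall rule.
                  If logging is enabled, logs will be exported to Stackdriver.
                type: boolean
              logConfig:
                description: |-
                  This field denotes the logging options for a particular firewall rule.
                  If defined, logging is enabled, and logs will be exported to Cloud Logging.
                properties:
                  metadata:
                    description: 'This field denotes whether to include or exclude
                      metadata for firewall logs. Possible values: ["EXCLUDE_ALL_METADATA",
                      "INCLUDE_ALL_METADATA"].'
                    # Mirrors the possible values stated in the description.
                    enum:
                    - EXCLUDE_ALL_METADATA
                    - INCLUDE_ALL_METADATA
                    type: string
                required:
                - metadata
                type: object
              # Reference to the target network: exactly one of `external` or
              # `name` (optionally with `namespace`) must be set, never both.
              networkRef:
                description: The network to attach this firewall to.
                oneOf:
                - not:
                    required:
                    - external
                  required:
                  - name
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                  required:
                  - external
                properties:
                  external:
                    description: 'Allowed value: The `selfLink` field of a `ComputeNetwork`
                      resource.'
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
              priority:
                description: |-
                  Priority for this rule. This is an integer between 0 and 65535, both
                  inclusive. When not specified, the value assumed is 1000. Relative
                  priorities determine precedence of conflicting rules. Lower value of
                  priority implies higher precedence (eg, a rule with priority 0 has
                  higher precedence than a rule with priority 1). DENY rules take
                  precedence over ALLOW rules having equal priority.
                # Bounds mirror the "between 0 and 65535, both inclusive" contract in
                # the description; without them any integer passes admission.
                maximum: 65535
                minimum: 0
                type: integer
              resourceID:
                description: Immutable. Optional. The name of the resource. Used for
                  creation and acquisition. When unset, the value of `metadata.name`
                  is used as the default.
                type: string
              # NOTE(review): as with destinationRanges, CIDR syntax is only
              # described, not validated by this schema.
              sourceRanges:
                description: |-
                  If source ranges are specified, the firewall will apply only to
                  traffic that has source IP address in these ranges. These ranges must
                  be expressed in CIDR format. One or both of sourceRanges and
                  sourceTags may be set. If both properties are set, the firewall will
                  apply to traffic that has source IP address within sourceRanges OR the
                  source IP that belongs to a tag listed in the sourceTags property. The
                  connection does not need to match both properties for the firewall to
                  apply. IPv4 or IPv6 ranges are supported. For INGRESS traffic, one of
                  'source_ranges', 'source_tags' or 'source_service_accounts' is required.
                items:
                  type: string
                type: array
              # The description sits on the element schema (`items`), not on the
              # array; each element is an IAMServiceAccount reference with the same
              # external-xor-name rule as networkRef.
              sourceServiceAccounts:
                items:
                  description: |-
                    If source service accounts are specified, the firewall will apply only
                    to traffic originating from an instance with a service account in this
                    list. Source service accounts cannot be used to control traffic to an
                    instance's external IP address because service accounts are associated
                    with an instance, not an IP address. sourceRanges can be set at the
                    same time as sourceServiceAccounts. If both are set, the firewall will
                    apply to traffic that has source IP address within sourceRanges OR the
                    source IP belongs to an instance with service account listed in
                    sourceServiceAccount. The connection does not need to match both
                    properties for the firewall to apply. sourceServiceAccounts cannot be
                    used at the same time as sourceTags or targetTags.
                  oneOf:
                  - not:
                      required:
                      - external
                    required:
                    - name
                  - not:
                      anyOf:
                      - required:
                        - name
                      - required:
                        - namespace
                    required:
                    - external
                  properties:
                    external:
                      description: 'Allowed value: The `email` field of an `IAMServiceAccount`
                        resource.'
                      type: string
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                      type: string
                    namespace:
                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                      type: string
                  type: object
                type: array
              sourceTags:
                description: |-
                  If source tags are specified, the firewall will apply only to traffic
                  with source IP that belongs to a tag listed in source tags. Source
                  tags cannot be used to control traffic to an instance's external IP
                  address. Because tags are associated with an instance, not an IP
                  address. One or both of sourceRanges and sourceTags may be set. If
                  both properties are set, the firewall will apply to traffic that has
                  source IP address within sourceRanges OR the source IP that belongs to
                  a tag listed in the sourceTags property. The connection does not need
                  to match both properties for the firewall to apply. For INGRESS traffic,
                  one of 'source_ranges', 'source_tags' or 'source_service_accounts' is required.
                items:
                  type: string
                type: array
              # Same element shape as sourceServiceAccounts; description is again
              # on `items`.
              targetServiceAccounts:
                items:
                  description: |-
                    A list of service accounts indicating sets of instances located in the
                    network that may make network connections as specified in allowed[].
                    targetServiceAccounts cannot be used at the same time as targetTags or
                    sourceTags. If neither targetServiceAccounts nor targetTags are
                    specified, the firewall rule applies to all instances on the specified
                    network.
                  oneOf:
                  - not:
                      required:
                      - external
                    required:
                    - name
                  - not:
                      anyOf:
                      - required:
                        - name
                      - required:
                        - namespace
                    required:
                    - external
                  properties:
                    external:
                      description: 'Allowed value: The `email` field of an `IAMServiceAccount`
                        resource.'
                      type: string
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                      type: string
                    namespace:
                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                      type: string
                  type: object
                type: array
              # Per the description, omitting targetTags (and targetServiceAccounts)
              # makes the rule apply to every instance on the network.
              targetTags:
                description: |-
                  A list of instance tags indicating sets of instances located in the
                  network that may make network connections as specified in allowed[].
                  If no targetTags are specified, the firewall rule applies to all
                  instances on the specified network.
                items:
                  type: string
                type: array
            # networkRef is the only required spec field; allow and deny are both
            # optional, so an object with neither is still admitted.
            required:
            - networkRef
            type: object
          status:
            properties:
              conditions:
                description: Conditions represent the latest available observation
                  of the resource's current state.
                items:
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status
                        to another.
                      type: string
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, one-word, CamelCase reason for the condition's
                        last transition.
                      type: string
                    status:
                      description: Status is the status of the condition. Can be True,
                        False, Unknown.
                      type: string
                    type:
                      description: Type is the type of the condition.
                      type: string
                  type: object
                type: array
              creationTimestamp:
                description: Creation timestamp in RFC3339 text format.
                type: string
              observedGeneration:
                description: ObservedGeneration is the generation of the resource
                  that was most recently observed by the Config Connector controller.
                  If this is equal to metadata.generation, then that means that the
                  current reported status reflects the most recent desired state of
                  the resource.
                type: integer
              selfLink:
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    # Status is a separate subresource, so spec and status are updated
    # independently.
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []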