# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# CustomResourceDefinition for ComputeOrganizationSecurityPolicyRule, a
# Config Connector (KCC) resource that describes one rule of a GCP
# organization-level security policy (firewall). The only served version
# is v1alpha1 and the CRD is labelled stability-level "alpha".
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    # Two dots, so this stays a string even unquoted.
    cnrm.cloud.google.com/version: 1.106.0
  # Left null in the checked-in manifest; the API server sets it on create.
  creationTimestamp: null
  labels:
    # Boolean-looking label values must be strings; they are quoted here.
    cnrm.cloud.google.com/managed-by-kcc: "true"
    cnrm.cloud.google.com/stability-level: alpha
    cnrm.cloud.google.com/system: "true"
    # NOTE(review): "tf2crd" presumably marks the schema as generated from
    # the Terraform resource schema — confirm with the generator.
    cnrm.cloud.google.com/tf2crd: "true"
  name: computeorganizationsecuritypolicyrules.compute.cnrm.cloud.google.com
spec:
  group: compute.cnrm.cloud.google.com
  names:
    categories:
    - gcp
    kind: ComputeOrganizationSecurityPolicyRule
    plural: computeorganizationsecuritypolicyrules
    shortNames:
    - gcpcomputeorganizationsecuritypolicyrule
    - gcpcomputeorganizationsecuritypolicyrules
    singular: computeorganizationsecuritypolicyrule
  # Rules are namespaced objects even though the policy they attach to is an
  # organization-level GCP resource.
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: When 'True', the most recent reconcile of the resource succeeded
      jsonPath: .status.conditions[?(@.type=='Ready')].status
      name: Ready
      type: string
    - description: The reason for the value in 'Ready'
      jsonPath: .status.conditions[?(@.type=='Ready')].reason
      name: Status
      type: string
    - description: The last transition time for the value in 'Status'
      jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
      name: Status Age
      type: date
    name: v1alpha1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'apiVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
            type: string
          kind:
            description: 'kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              # Declared as a plain string with no enum: the allowed values
              # ("allow", "deny", "goto_next") are only documented in the
              # description, so the API server accepts any string here and
              # other values are presumably rejected by the GCP API instead.
              action:
                description: |-
                  The Action to perform when the client connection triggers the rule. Can currently be either
                  "allow", "deny" or "goto_next".
                type: string
              description:
                description: A description of the rule.
                type: string
              # Same as action: INGRESS/EGRESS are documented, not enforced by
              # an enum. Per the description, unset means INGRESS.
              direction:
                description: 'The direction in which this rule applies. If unspecified
                  an INGRESS rule is created. Possible values: ["INGRESS", "EGRESS"].'
                type: string
              # No default is declared in the schema; the description does not
              # say whether logging is on or off when this is omitted.
              enableLogging:
                description: |-
                  Denotes whether to enable logging for a particular rule.
                  If logging is enabled, logs will be exported to the
                  configured export destination in Stackdriver.
                type: boolean
              match:
                description: A match condition that incoming traffic is evaluated
                  against. If it evaluates to true, the corresponding 'action' is
                  enforced.
                properties:
                  config:
                    description: The configuration options for matching the rule.
                    properties:
                      # The description says this is required for EGRESS rules,
                      # but the schema's `required` list below only names
                      # layer4Config, so that constraint is not validated here.
                      destIpRanges:
                        description: |-
                          Destination IP address range in CIDR format. Required for
                          EGRESS rules.
                        items:
                          type: string
                        type: array
                      layer4Config:
                        description: Pairs of IP protocols and ports that the rule
                          should match.
                        items:
                          properties:
                            # Accepts either a well-known protocol name or a
                            # protocol number, both as strings; no pattern is
                            # declared, so the format is not validated by the CRD.
                            ipProtocol:
                              description: |-
                                The IP protocol to which this rule applies. The protocol
                                type is required when creating a firewall rule.
                                This value can either be one of the following well
                                known protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp),
                                or the IP protocol number.
                              type: string
                            # Omitting ports matches every port of the protocol.
                            ports:
                              description: |-
                                An optional list of ports to which this rule applies. This field
                                is only applicable for UDP or TCP protocol. Each entry must be
                                either an integer or a range. If not specified, this rule
                                applies to connections through any port.

                                Example inputs include: ["22"], ["80","443"], and
                                ["12345-12349"].
                              items:
                                type: string
                              type: array
                          required:
                          - ipProtocol
                          type: object
                        type: array
                      # Described as required for INGRESS rules; like
                      # destIpRanges, not enforced by the schema.
                      srcIpRanges:
                        description: |-
                          Source IP address range in CIDR format. Required for
                          INGRESS rules.
                        items:
                          type: string
                        type: array
                    required:
                    - layer4Config
                    type: object
                  description:
                    description: A description of the rule.
                    type: string
                  versionedExpr:
                    description: |-
                      Preconfigured versioned expression. For organization security policy rules,
                      the only supported type is "FIREWALL". Default value: "FIREWALL" Possible values: ["FIREWALL"].
                    type: string
                required:
                - config
                type: object
              # Immutable: changing the parent policy means replacing the rule.
              policyId:
                description: Immutable. The ID of the OrganizationSecurityPolicy this
                  rule applies to.
                type: string
              # A rule with preview true is evaluated but its action is not
              # applied; when checking what a policy actually blocks or allows,
              # treat preview rules as non-enforcing.
              preview:
                description: If set to true, the specified action is not enforced.
                type: boolean
              # Per the description this value is the rule's priority, so it
              # doubles as the resource identity; defaults to metadata.name.
              resourceID:
                description: Immutable. Optional. The priority of the resource. Used
                  for creation and acquisition. When unset, the value of `metadata.name`
                  is used as the default.
                type: string
              # Leaving this empty is the broadest scope: per the description
              # every VM in the organization receives the rule.
              targetResources:
                description: |-
                  A list of network resource URLs to which this rule applies.
                  This field allows you to control which network's VMs get
                  this rule. If this field is left blank, all VMs
                  within the organization will receive the rule.
                items:
                  type: string
                type: array
              targetServiceAccounts:
                description: |-
                  A list of service accounts indicating the sets of
                  instances that are applied with this rule.
                items:
                  type: string
                type: array
            # Only these three spec fields are validated as required.
            required:
            - action
            - match
            - policyId
            type: object
          # Written by the Config Connector controller, not by users.
          status:
            properties:
              conditions:
                description: Conditions represent the latest available observation
                  of the resource's current state.
                items:
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status
                        to another.
                      type: string
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, one-word, CamelCase reason for the condition's
                        last transition.
                      type: string
                    status:
                      description: Status is the status of the condition. Can be True,
                        False, Unknown.
                      type: string
                    type:
                      description: Type is the type of the condition.
                      type: string
                  type: object
                type: array
              observedGeneration:
                description: ObservedGeneration is the generation of the resource
                  that was most recently observed by the Config Connector controller.
                  If this is equal to metadata.generation, then that means that the
                  current reported status reflects the most recent desired state of
                  the resource.
                type: integer
            type: object
        required:
        - spec
        type: object
    # v1alpha1 is both served and the storage version; it is the only version.
    served: true
    storage: true
    # status is exposed as a separate subresource.
    subresources:
      status: {}
# Placeholder CRD status; populated by the API server after the CRD is applied.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []