# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# CustomResourceDefinition for the Config Connector ComputeFirewall resource
# (compute.cnrm.cloud.google.com, served version v1beta1). The tf2crd label
# suggests the schema below is derived from the Terraform provider; if so,
# fix the generator rather than hand-editing this file.
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
  creationTimestamp: null
  labels:
    cnrm.cloud.google.com/managed-by-kcc: "true"
    cnrm.cloud.google.com/stability-level: stable
    cnrm.cloud.google.com/system: "true"
    cnrm.cloud.google.com/tf2crd: "true"
  name: computefirewalls.compute.cnrm.cloud.google.com
spec:
  group: compute.cnrm.cloud.google.com
  names:
    categories:
    - gcp
    kind: ComputeFirewall
    plural: computefirewalls
    shortNames:
    - gcpcomputefirewall
    - gcpcomputefirewalls
    singular: computefirewall
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: When 'True', the most recent reconcile of the resource succeeded
      jsonPath: .status.conditions[?(@.type=='Ready')].status
      name: Ready
      type: string
    - description: The reason for the value in 'Ready'
      jsonPath: .status.conditions[?(@.type=='Ready')].reason
      name: Status
      type: string
    - description: The last transition time for the value in 'Status'
      jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
      name: Status Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'apiVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
            type: string
          kind:
            description: 'kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              # Rule evaluation, as stated in the priority description further
              # down: a lower priority number wins, and DENY beats ALLOW at equal
              # priority. Review allow/deny together with priority and the
              # source*/target* selectors rather than in isolation.
              allow:
                description: |-
                  The list of ALLOW rules specified by this firewall. Each rule
                  specifies a protocol and port-range tuple that describes a permitted
                  connection.
                items:
                  properties:
                    ports:
                      description: |-
                        An optional list of ports to which this rule applies. This field
                        is only applicable for UDP or TCP protocol. Each entry must be
                        either an integer or a range. If not specified, this rule
                        applies to connections through any port.

                        Example inputs include: ["22"], ["80","443"], and
                        ["12345-12349"].
                      items:
                        type: string
                      type: array
                    protocol:
                      description: |-
                        The IP protocol to which this rule applies. The protocol type is
                        required when creating a firewall rule. This value can either be
                        one of the following well known protocol strings (tcp, udp,
                        icmp, esp, ah, sctp, ipip, all), or the IP protocol number.
                      type: string
                  required:
                  - protocol
                  type: object
                type: array
              deny:
                description: |-
                  The list of DENY rules specified by this firewall. Each rule specifies
                  a protocol and port-range tuple that describes a denied connection.
                items:
                  properties:
                    ports:
                      description: |-
                        An optional list of ports to which this rule applies. This field
                        is only applicable for UDP or TCP protocol. Each entry must be
                        either an integer or a range. If not specified, this rule
                        applies to connections through any port.

                        Example inputs include: ["22"], ["80","443"], and
                        ["12345-12349"].
                      items:
                        type: string
                      type: array
                    protocol:
                      description: |-
                        The IP protocol to which this rule applies. The protocol type is
                        required when creating a firewall rule. This value can either be
                        one of the following well known protocol strings (tcp, udp,
                        icmp, esp, ah, sctp, ipip, all), or the IP protocol number.
                      type: string
                  required:
                  - protocol
                  type: object
                type: array
              description:
                description: |-
                  An optional description of this resource. Provide this property when
                  you create the resource.
                type: string
              destinationRanges:
                description: |-
                  If destination ranges are specified, the firewall will apply only to
                  traffic that has destination IP address in these ranges. These ranges
                  must be expressed in CIDR format. IPv4 or IPv6 ranges are supported.
                items:
                  type: string
                type: array
              direction:
                description: |-
                  Immutable. Direction of traffic to which this firewall applies; default is
                  INGRESS. Note: For INGRESS traffic, one of 'source_ranges',
                  'source_tags' or 'source_service_accounts' is required. Possible values: ["INGRESS", "EGRESS"].
                type: string
              # A rule with disabled: true stays defined but is not enforced.
              disabled:
                description: |-
                  Denotes whether the firewall rule is disabled, i.e not applied to the
                  network it is associated with. When set to true, the firewall rule is
                  not enforced and the network behaves as if it did not exist. If this
                  is unspecified, the firewall rule will be enabled.
                type: boolean
              # Deprecated by its own description; new objects should set logConfig.
              enableLogging:
                description: DEPRECATED. Deprecated in favor of log_config. This field
                  denotes whether to enable logging for a particular firewall rule.
                  If logging is enabled, logs will be exported to Stackdriver.
                type: boolean
              logConfig:
                description: |-
                  This field denotes the logging options for a particular firewall rule.
                  If defined, logging is enabled, and logs will be exported to Cloud Logging.
                properties:
                  metadata:
                    description: 'This field denotes whether to include or exclude
                      metadata for firewall logs. Possible values: ["EXCLUDE_ALL_METADATA",
                      "INCLUDE_ALL_METADATA"].'
                    type: string
                required:
                - metadata
                type: object
              networkRef:
                description: The network to attach this firewall to.
                oneOf:
                - not:
                    required:
                    - external
                  required:
                  - name
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                  required:
                  - external
                properties:
                  external:
                    description: 'Allowed value: The `selfLink` field of a `ComputeNetwork`
                      resource.'
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
              priority:
                description: |-
                  Priority for this rule. This is an integer between 0 and 65535, both
                  inclusive. When not specified, the value assumed is 1000. Relative
                  priorities determine precedence of conflicting rules. Lower value of
                  priority implies higher precedence (eg, a rule with priority 0 has
                  higher precedence than a rule with priority 1). DENY rules take
                  precedence over ALLOW rules having equal priority.
                type: integer
              resourceID:
                description: Immutable. Optional. The name of the resource. Used for
                  creation and acquisition. When unset, the value of `metadata.name`
                  is used as the default.
                type: string
              # Validated here only as strings: this schema does not constrain how
              # broad a CIDR may be, so range scope is a policy/review concern.
              sourceRanges:
                description: |-
                  If source ranges are specified, the firewall will apply only to
                  traffic that has source IP address in these ranges. These ranges must
                  be expressed in CIDR format. One or both of sourceRanges and
                  sourceTags may be set. If both properties are set, the firewall will
                  apply to traffic that has source IP address within sourceRanges OR the
                  source IP that belongs to a tag listed in the sourceTags property. The
                  connection does not need to match both properties for the firewall to
                  apply. IPv4 or IPv6 ranges are supported. For INGRESS traffic, one of
                  'source_ranges', 'source_tags' or 'source_service_accounts' is required.
                items:
                  type: string
                type: array
              sourceServiceAccounts:
                items:
                  description: |-
                    If source service accounts are specified, the firewall will apply only
                    to traffic originating from an instance with a service account in this
                    list. Source service accounts cannot be used to control traffic to an
                    instance's external IP address because service accounts are associated
                    with an instance, not an IP address. sourceRanges can be set at the
                    same time as sourceServiceAccounts. If both are set, the firewall will
                    apply to traffic that has source IP address within sourceRanges OR the
                    source IP belongs to an instance with service account listed in
                    sourceServiceAccount. The connection does not need to match both
                    properties for the firewall to apply. sourceServiceAccounts cannot be
                    used at the same time as sourceTags or targetTags.
                  oneOf:
                  - not:
                      required:
                      - external
                    required:
                    - name
                  - not:
                      anyOf:
                      - required:
                        - name
                      - required:
                        - namespace
                    required:
                    - external
                  properties:
                    external:
                      description: 'Allowed value: The `email` field of an `IAMServiceAccount`
                        resource.'
                      type: string
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                      type: string
                    namespace:
                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                      type: string
                  type: object
                type: array
              sourceTags:
                description: |-
                  If source tags are specified, the firewall will apply only to traffic
                  with source IP that belongs to a tag listed in source tags. Source
                  tags cannot be used to control traffic to an instance's external IP
                  address. Because tags are associated with an instance, not an IP
                  address. One or both of sourceRanges and sourceTags may be set. If
                  both properties are set, the firewall will apply to traffic that has
                  source IP address within sourceRanges OR the source IP that belongs to
                  a tag listed in the sourceTags property. The connection does not need
                  to match both properties for the firewall to apply. For INGRESS traffic,
                  one of 'source_ranges', 'source_tags' or 'source_service_accounts' is required.
                items:
                  type: string
                type: array
              targetServiceAccounts:
                items:
                  description: |-
                    A list of service accounts indicating sets of instances located in the
                    network that may make network connections as specified in allowed[].
                    targetServiceAccounts cannot be used at the same time as targetTags or
                    sourceTags. If neither targetServiceAccounts nor targetTags are
                    specified, the firewall rule applies to all instances on the specified
                    network.
                  oneOf:
                  - not:
                      required:
                      - external
                    required:
                    - name
                  - not:
                      anyOf:
                      - required:
                        - name
                      - required:
                        - namespace
                    required:
                    - external
                  properties:
                    external:
                      description: 'Allowed value: The `email` field of an `IAMServiceAccount`
                        resource.'
                      type: string
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                      type: string
                    namespace:
                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                      type: string
                  type: object
                type: array
              targetTags:
                description: |-
                  A list of instance tags indicating sets of instances located in the
                  network that may make network connections as specified in allowed[].
                  If no targetTags are specified, the firewall rule applies to all
                  instances on the specified network.
                items:
                  type: string
                type: array
            # networkRef is the only schema-level required field; the INGRESS
            # requirement for a source selector (see the direction description)
            # is not expressed in this schema.
            required:
            - networkRef
            type: object
          status:
            properties:
              conditions:
                description: Conditions represent the latest available observation
                  of the resource's current state.
                items:
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status
                        to another.
                      type: string
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, one-word, CamelCase reason for the condition's
                        last transition.
                      type: string
                    status:
                      description: Status is the status of the condition. Can be True,
                        False, Unknown.
                      type: string
                    type:
                      description: Type is the type of the condition.
                      type: string
                  type: object
                type: array
              creationTimestamp:
                description: Creation timestamp in RFC3339 text format.
                type: string
              observedGeneration:
                description: ObservedGeneration is the generation of the resource
                  that was most recently observed by the Config Connector controller.
                  If this is equal to metadata.generation, then that means that the
                  current reported status reflects the most recent desired state of
                  the resource.
                type: integer
              selfLink:
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []