# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

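# CustomResourceDefinition for the Config Connector `ComputeFirewallPolicyRule`
# resource (API version v1beta1, storage version). The
# `cnrm.cloud.google.com/dcl2crd: "true"` label suggests this schema is generated
# from the DCL resource definition — presumably edits belong in the generator
# rather than in this file; confirm before hand-editing.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
  creationTimestamp: null
  labels:
    cnrm.cloud.google.com/dcl2crd: "true"
    cnrm.cloud.google.com/managed-by-kcc: "true"
    cnrm.cloud.google.com/stability-level: stable
    cnrm.cloud.google.com/system: "true"
  name: computefirewallpolicyrules.compute.cnrm.cloud.google.com
spec:
  group: compute.cnrm.cloud.google.com
  names:
    categories:
    - gcp
    kind: ComputeFirewallPolicyRule
    plural: computefirewallpolicyrules
    shortNames:
    - gcpcomputefirewallpolicyrule
    - gcpcomputefirewallpolicyrules
    singular: computefirewallpolicyrule
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    # The Ready / Status / Status Age columns all read the single condition of
    # type "Ready" from .status.conditions.
    - description: When 'True', the most recent reconcile of the resource succeeded
      jsonPath: .status.conditions[?(@.type=='Ready')].status
      name: Ready
      type: string
    - description: The reason for the value in 'Ready'
      jsonPath: .status.conditions[?(@.type=='Ready')].reason
      name: Status
      type: string
    - description: The last transition time for the value in 'Status'
      jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
      name: Status Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'apiVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
            type: string
          kind:
            description: 'kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              # `action` and `direction` are declared as plain strings with no
              # `enum`, so a misspelled value passes CRD admission; presumably it
              # surfaces later as a reconcile failure (Ready=False) — verify
              # against the controller before relying on admission to catch it.
              action:
                description: The Action to perform when the client connection triggers
                  the rule. Valid actions are "allow", "deny" and "goto_next".
                type: string
              description:
                description: An optional description for this resource.
                type: string
              direction:
                description: 'The direction in which this rule applies. Possible values:
                  INGRESS, EGRESS'
                type: string
              # Per the description, an unspecified `disabled` means the rule IS
              # enforced; only an explicit `true` turns it off.
              disabled:
                description: Denotes whether the firewall policy rule is disabled.
                  When set to true, the firewall policy rule is not enforced and traffic
                  behaves as if it did not exist. If this is unspecified, the firewall
                  policy rule will be enabled.
                type: boolean
              # Logging is opt-in per rule; the schema declares no `default`.
              enableLogging:
                description: 'Denotes whether to enable logging for a particular rule.
                  If logging is enabled, logs will be exported to the configured export
                  destination in Stackdriver. Logs may be exported to BigQuery or
                  Pub/Sub. Note: you cannot enable logging on "goto_next" rules.'
                type: boolean
              # Reference to the parent firewall policy. The `oneOf` below admits
              # exactly one form: `name` (optionally with `namespace`) and no
              # `external`, or `external` alone with neither `name` nor `namespace`.
              # Setting both forms, or neither, fails validation.
              firewallPolicyRef:
                description: Immutable.
                oneOf:
                - not:
                    required:
                    - external
                  required:
                  - name
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                  required:
                  - external
                properties:
                  external:
                    description: |-
                      The firewall policy of the resource.

                      Allowed value: The Google Cloud resource name of a `ComputeFirewallPolicy` resource (format: `locations/global/firewallPolicies/{{name}}`).
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
              # Traffic selector. Only `layer4Configs` is required here; the
              # per-field limits quoted in the descriptions (10 address groups,
              # 256 CIDR ranges) are not encoded as `maxItems` in this schema.
              match:
                description: A match condition that incoming traffic is evaluated
                  against. If it evaluates to true, the corresponding 'action' is
                  enforced.
                properties:
                  destAddressGroups:
                    description: Address groups which should be matched against the
                      traffic destination. Maximum number of destination address groups
                      is 10. Destination address groups is only supported in Egress
                      rules.
                    items:
                      type: string
                    type: array
                  destFqdns:
                    description: Domain names that will be used to match against the
                      resolved domain name of destination of traffic. Can only be
                      specified if DIRECTION is egress.
                    items:
                      type: string
                    type: array
                  destIPRanges:
                    description: CIDR IP address range. Maximum number of destination
                      CIDR IP ranges allowed is 256.
                    items:
                      type: string
                    type: array
                  # Description corrected: this field matches the destination side
                  # (egress), not the source; the field name and the egress-only
                  # constraint both say so.
                  destRegionCodes:
                    description: The Unicode country codes whose IP addresses will
                      be used to match against the destination of traffic. Can only be
                      specified if DIRECTION is egress.
                    items:
                      type: string
                    type: array
                  destThreatIntelligences:
                    description: Name of the Google Cloud Threat Intelligence list.
                    items:
                      type: string
                    type: array
                  layer4Configs:
                    description: Pairs of IP protocols and ports that the rule should
                      match.
                    items:
                      properties:
                        ipProtocol:
                          description: The IP protocol to which this rule applies.
                            The protocol type is required when creating a firewall
                            rule. This value can either be one of the following well
                            known protocol strings (`tcp`, `udp`, `icmp`, `esp`, `ah`,
                            `ipip`, `sctp`), or the IP protocol number.
                          type: string
                        # The "Example inputs include" list in this description is
                        # empty as shipped; do not infer the accepted port syntax
                        # from it beyond "an integer or a range".
                        ports:
                          description: 'An optional list of ports to which this rule
                            applies. This field is only applicable for UDP or TCP
                            protocol. Each entry must be either an integer or a range.
                            If not specified, this rule applies to connections through
                            any port. Example inputs include: ``.'
                          items:
                            type: string
                          type: array
                      required:
                      - ipProtocol
                      type: object
                    type: array
                  srcAddressGroups:
                    description: Address groups which should be matched against the
                      traffic source. Maximum number of source address groups is 10.
                      Source address groups is only supported in Ingress rules.
                    items:
                      type: string
                    type: array
                  srcFqdns:
                    description: Domain names that will be used to match against the
                      resolved domain name of source of traffic. Can only be specified
                      if DIRECTION is ingress.
                    items:
                      type: string
                    type: array
                  srcIPRanges:
                    description: CIDR IP address range. Maximum number of source CIDR
                      IP ranges allowed is 256.
                    items:
                      type: string
                    type: array
                  srcRegionCodes:
                    description: The Unicode country codes whose IP addresses will
                      be used to match against the source of traffic. Can only be
                      specified if DIRECTION is ingress.
                    items:
                      type: string
                    type: array
                  srcThreatIntelligences:
                    description: Name of the Google Cloud Threat Intelligence list.
                    items:
                      type: string
                    type: array
                required:
                - layer4Configs
                type: object
              # 0 is the highest priority. No `minimum`/`maximum` is declared, so
              # out-of-range values are not rejected at admission.
              priority:
                description: Immutable. An integer indicating the priority of a rule
                  in the list. The priority must be a positive value between 0 and
                  2147483647. Rules are evaluated from highest to lowest priority
                  where 0 is the highest priority and 2147483647 is the lowest priority.
                format: int64
                type: integer
              # Same exactly-one-of `name`/`external` contract as firewallPolicyRef,
              # applied to each list element.
              targetResources:
                items:
                  oneOf:
                  - not:
                      required:
                      - external
                    required:
                    - name
                  - not:
                      anyOf:
                      - required:
                        - name
                      - required:
                        - namespace
                    required:
                    - external
                  properties:
                    external:
                      description: 'Allowed value: The `selfLink` field of a `ComputeNetwork`
                        resource.'
                      type: string
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                      type: string
                    namespace:
                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                      type: string
                  type: object
                type: array
              targetServiceAccounts:
                items:
                  oneOf:
                  - not:
                      required:
                      - external
                    required:
                    - name
                  - not:
                      anyOf:
                      - required:
                        - name
                      - required:
                        - namespace
                    required:
                    - external
                  properties:
                    external:
                      description: 'Allowed value: The Google Cloud resource name
                        of an `IAMServiceAccount` resource (format: `projects/{{project}}/serviceAccounts/{{name}}@{{project}}.iam.gserviceaccount.com`).'
                      type: string
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                      type: string
                    namespace:
                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                      type: string
                  type: object
                type: array
            required:
            - action
            - direction
            - firewallPolicyRef
            - match
            - priority
            type: object
          status:
            properties:
              conditions:
                description: Conditions represent the latest available observation
                  of the resource's current state.
                items:
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status
                        to another.
                      type: string
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, one-word, CamelCase reason for the condition's
                        last transition.
                      type: string
                    status:
                      description: Status is the status of the condition. Can be True,
                        False, Unknown.
                      type: string
                    type:
                      description: Type is the type of the condition.
                      type: string
                  type: object
                type: array
              kind:
                description: Type of the resource. Always `compute#firewallPolicyRule`
                  for firewall policy rules
                type: string
              observedGeneration:
                description: ObservedGeneration is the generation of the resource
                  that was most recently observed by the Config Connector controller.
                  If this is equal to metadata.generation, then that means that the
                  current reported status reflects the most recent desired state of
                  the resource.
                type: integer
              ruleTupleCount:
                description: Calculation of the complexity of a single firewall policy
                  rule.
                format: int64
                type: integer
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    # Enables the /status subresource for this version.
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []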