# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

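# Config Connector CRD for ComputeRouterNAT (Cloud NAT attached to a Cloud
# Router). The spec mirrors the Terraform google_compute_router_nat resource
# (label tf2crd: "true"), so this file is generator output: the validation
# keywords added below (enum / minimum / maximum) only encode constraints the
# descriptions already state, and must be carried into the generator or they
# will be lost on the next regeneration.
#
# Security-relevant knobs, from a reviewer's point of view:
#   - spec.logConfig            : NAT flow logging; off unless enable: true.
#   - spec.natIpAllocateOption  : MANUAL_ONLY pins egress to known addresses.
#   - spec.sourceSubnetworkIpRangesToNat : ALL_SUBNETWORKS_* is the broadest
#     egress scope; LIST_OF_SUBNETWORKS is the least-privilege choice.
#   - *.external references      : out-of-cluster selfLinks, not subject to
#     Kubernetes RBAC on this namespace.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
  creationTimestamp: null
  labels:
    cnrm.cloud.google.com/managed-by-kcc: "true"
    cnrm.cloud.google.com/stability-level: stable
    cnrm.cloud.google.com/system: "true"
    cnrm.cloud.google.com/tf2crd: "true"
  name: computerouternats.compute.cnrm.cloud.google.com
spec:
  group: compute.cnrm.cloud.google.com
  names:
    categories:
    - gcp
    kind: ComputeRouterNAT
    plural: computerouternats
    shortNames:
    - gcpcomputerouternat
    - gcpcomputerouternats
    singular: computerouternat
  scope: Namespaced
  versions:
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: When 'True', the most recent reconcile of the resource succeeded
      jsonPath: .status.conditions[?(@.type=='Ready')].status
      name: Ready
      type: string
    - description: The reason for the value in 'Ready'
      jsonPath: .status.conditions[?(@.type=='Ready')].reason
      name: Status
      type: string
    - description: The last transition time for the value in 'Status'
      jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
      name: Status Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'apiVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
            type: string
          kind:
            description: 'kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              # Addresses being retired from the NAT. Each entry is a reference
              # object: either an in-cluster ComputeAddress (name[/namespace])
              # or an out-of-cluster selfLink (external); the oneOf forbids
              # mixing the two forms in a single entry.
              drainNatIps:
                items:
                  description: |-
                    A list of IP resources to be drained. These IPs must be valid
                    static external IPs that have been assigned to the NAT.
                  oneOf:
                  - not:
                      required:
                      - external
                    required:
                    - name
                  - not:
                      anyOf:
                      - required:
                        - name
                      - required:
                        - namespace
                    required:
                    - external
                  properties:
                    # NOTE(review): `external` is a raw selfLink; nothing in this
                    # schema scopes it to a project or namespace, so access to the
                    # target is presumably governed only by the controller's GCP
                    # IAM identity, not by RBAC on this resource.
                    external:
                      description: 'Allowed value: The `selfLink` field of a `ComputeAddress` resource.'
                      type: string
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                      type: string
                    namespace:
                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                      type: string
                  type: object
                type: array
              # The mutual exclusion with enableEndpointIndependentMapping stated
              # in the description is NOT enforced by this schema; a conflicting
              # spec is only rejected downstream and presumably surfaces through
              # the Ready condition.
              enableDynamicPortAllocation:
                description: |-
                  Enable Dynamic Port Allocation.
                  If minPortsPerVm is set, minPortsPerVm must be set to a power of two greater than or equal to 32.
                  If minPortsPerVm is not set, a minimum of 32 ports will be allocated to a VM from this NAT config.
                  If maxPortsPerVm is set, maxPortsPerVm must be set to a power of two greater than minPortsPerVm.
                  If maxPortsPerVm is not set, a maximum of 65536 ports will be allocated to a VM from this NAT config.

                  Mutually exclusive with enableEndpointIndependentMapping.
                type: boolean
              enableEndpointIndependentMapping:
                description: |-
                  Specifies if endpoint independent mapping is enabled. This is enabled by default. For more information
                  see the [official documentation](https://cloud.google.com/nat/docs/overview#specs-rfcs).
                type: boolean
              icmpIdleTimeoutSec:
                description: Timeout (in seconds) for ICMP connections. Defaults to 30s if not set.
                type: integer
              # NAT logging is the only per-translation record of egress from
              # instances without external IPs. Both keys are required, so
              # callers must state explicitly whether logs are exported; for
              # egress forensics set enable: true with filter ALL, the other
              # filters narrow what is exported.
              logConfig:
                description: Configuration for logging on NAT.
                properties:
                  enable:
                    description: Indicates whether or not to export logs.
                    type: boolean
                  filter:
                    description: 'Specifies the desired filtering of logs on this NAT. Possible values: ["ERRORS_ONLY", "TRANSLATIONS_ONLY", "ALL"].'
                    # Fail at admission instead of at reconcile for typos such as
                    # "all"; values mirror the description above.
                    enum:
                    - ERRORS_ONLY
                    - TRANSLATIONS_ONLY
                    - ALL
                    type: string
                required:
                - enable
                - filter
                type: object
              maxPortsPerVm:
                description: |-
                  Maximum number of ports allocated to a VM from this NAT.
                  This field can only be set when enableDynamicPortAllocation is enabled.
                type: integer
              minPortsPerVm:
                description: Minimum number of ports allocated to a VM from this NAT.
                type: integer
              # MANUAL_ONLY ties egress to the addresses listed in natIps, which
              # is what third-party IP allowlists depend on. With AUTO_ONLY the
              # address set is chosen by Google Cloud rather than by this
              # resource, so it should not be hard-coded into external
              # allowlists.
              natIpAllocateOption:
                description: |-
                  How external IPs should be allocated for this NAT. Valid values are
                  'AUTO_ONLY' for only allowing NAT IPs allocated by Google Cloud
                  Platform, or 'MANUAL_ONLY' for only user-allocated NAT IP addresses. Possible values: ["MANUAL_ONLY", "AUTO_ONLY"].
                # Values mirror the description above.
                enum:
                - MANUAL_ONLY
                - AUTO_ONLY
                type: string
              # Only meaningful with natIpAllocateOption: MANUAL_ONLY; the schema
              # does not enforce that pairing.
              natIps:
                items:
                  description: NAT IPs. Only valid if natIpAllocateOption is set to MANUAL_ONLY.
                  oneOf:
                  - not:
                      required:
                      - external
                    required:
                    - name
                  - not:
                      anyOf:
                      - required:
                        - name
                      - required:
                        - namespace
                    required:
                    - external
                  properties:
                    external:
                      description: 'Allowed value: The `selfLink` field of a `ComputeAddress` resource.'
                      type: string
                    name:
                      description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                      type: string
                    namespace:
                      description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                      type: string
                  type: object
                type: array
              region:
                description: Immutable. Region where the router and NAT reside.
                type: string
              resourceID:
                description: Immutable. Optional. The name of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.
                type: string
              # Note the asymmetry with the address references above: the
              # external form of a router reference is its `name`, not a
              # selfLink.
              routerRef:
                description: The Cloud Router in which this NAT will be configured.
                oneOf:
                - not:
                    required:
                    - external
                  required:
                  - name
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                  required:
                  - external
                properties:
                  external:
                    description: 'Allowed value: The `name` field of a `ComputeRouter` resource.'
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
              # NAT rules: a CEL match on egress traffic plus the source
              # addresses to use when it matches. Uniqueness of ruleNumber
              # within the list is stated but not enforceable here.
              rules:
                description: A list of rules associated with this NAT.
                items:
                  properties:
                    action:
                      description: The action to be enforced for traffic that matches this rule.
                      properties:
                        sourceNatActiveIpsRefs:
                          items:
                            description: |-
                              A list of URLs of the IP resources used for this NAT rule. These IP
                              addresses must be valid static external IP addresses assigned to the
                              project. This field is used for public NAT.
                            oneOf:
                            - not:
                                required:
                                - external
                              required:
                              - name
                            - not:
                                anyOf:
                                - required:
                                  - name
                                - required:
                                  - namespace
                              required:
                              - external
                            properties:
                              external:
                                description: 'Allowed value: The `selfLink` field of a `ComputeAddress` resource.'
                                type: string
                              name:
                                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                type: string
                              namespace:
                                description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                                type: string
                            type: object
                          type: array
                        sourceNatDrainIpsRefs:
                          items:
                            description: |-
                              A list of URLs of the IP resources to be drained. These IPs must be
                              valid static external IPs that have been assigned to the NAT. These
                              IPs should be used for updating/patching a NAT rule only. This field
                              is used for public NAT.
                            oneOf:
                            - not:
                                required:
                                - external
                              required:
                              - name
                            - not:
                                anyOf:
                                - required:
                                  - name
                                - required:
                                  - namespace
                              required:
                              - external
                            properties:
                              external:
                                description: 'Allowed value: The `selfLink` field of a `ComputeAddress` resource.'
                                type: string
                              name:
                                description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                                type: string
                              namespace:
                                description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                                type: string
                            type: object
                          type: array
                      type: object
                    description:
                      description: An optional description of this rule.
                      type: string
                    # The CEL text is passed through unvalidated: a syntax error
                    # or a typo in a destination range is only caught downstream.
                    # The prefixes in the examples are illustrative, not
                    # recommended destinations.
                    match:
                      description: |-
                        CEL expression that specifies the match condition that egress traffic from a VM is evaluated against.
                        If it evaluates to true, the corresponding action is enforced.

                        The following examples are valid match expressions for public NAT:

                        "inIpRange(destination.ip, '1.1.0.0/16') || inIpRange(destination.ip, '2.2.0.0/16')"

                        "destination.ip == '1.1.0.1' || destination.ip == '8.8.8.8'"

                        The following example is a valid match expression for private NAT:

                        "nexthop.hub == 'https://networkconnectivity.googleapis.com/v1alpha1/projects/my-project/global/hub/hub-1'".
                      type: string
                    ruleNumber:
                      description: |-
                        An integer uniquely identifying a rule in the list.
                        The rule number must be a positive value between 0 and 65000, and must be unique among rules within a NAT.
                      # Bounds mirror the description so out-of-range numbers
                      # are rejected at admission.
                      maximum: 65000
                      minimum: 0
                      type: integer
                  required:
                  - match
                  - ruleNumber
                  type: object
                type: array
              # Egress scope. The ALL_SUBNETWORKS_* values grant NAT egress to
              # every subnetwork in the region (and, per the description, must
              # be the only RouterNat for that network/region); prefer
              # LIST_OF_SUBNETWORKS with an explicit `subnetwork` list.
              sourceSubnetworkIpRangesToNat:
                description: |-
                  How NAT should be configured per Subnetwork.
                  If 'ALL_SUBNETWORKS_ALL_IP_RANGES', all of the
                  IP ranges in every Subnetwork are allowed to Nat.
                  If 'ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES', all of the primary IP
                  ranges in every Subnetwork are allowed to Nat.
                  'LIST_OF_SUBNETWORKS': A list of Subnetworks are allowed to Nat
                  (specified in the field subnetwork below). Note that if this field
                  contains ALL_SUBNETWORKS_ALL_IP_RANGES or
                  ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES, then there should not be any
                  other RouterNat section in any Router for this network in this region. Possible values: ["ALL_SUBNETWORKS_ALL_IP_RANGES", "ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES", "LIST_OF_SUBNETWORKS"].
                # Values mirror the description above.
                enum:
                - ALL_SUBNETWORKS_ALL_IP_RANGES
                - ALL_SUBNETWORKS_ALL_PRIMARY_IP_RANGES
                - LIST_OF_SUBNETWORKS
                type: string
              # Per-subnetwork NAT configuration; ignored unless
              # sourceSubnetworkIpRangesToNat is LIST_OF_SUBNETWORKS.
              subnetwork:
                description: |-
                  One or more subnetwork NAT configurations. Only used if
                  'source_subnetwork_ip_ranges_to_nat' is set to 'LIST_OF_SUBNETWORKS'.
                items:
                  properties:
                    secondaryIpRangeNames:
                      description: |-
                        List of the secondary ranges of the subnetwork that are allowed
                        to use NAT. This can be populated only if
                        'LIST_OF_SECONDARY_IP_RANGES' is one of the values in
                        sourceIpRangesToNat.
                      items:
                        type: string
                      type: array
                    # The description says "include", so no enum is imposed here;
                    # unknown values are rejected downstream, not at admission.
                    sourceIpRangesToNat:
                      description: |-
                        List of options for which source IPs in the subnetwork
                        should have NAT enabled. Supported values include:
                        'ALL_IP_RANGES', 'LIST_OF_SECONDARY_IP_RANGES',
                        'PRIMARY_IP_RANGE'.
                      items:
                        type: string
                      type: array
                    subnetworkRef:
                      description: The subnetwork to NAT.
                      oneOf:
                      - not:
                          required:
                          - external
                        required:
                        - name
                      - not:
                          anyOf:
                          - required:
                            - name
                          - required:
                            - namespace
                        required:
                        - external
                      properties:
                        external:
                          description: 'Allowed value: The `selfLink` field of a `ComputeSubnetwork` resource.'
                          type: string
                        name:
                          description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                          type: string
                        namespace:
                          description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                          type: string
                      type: object
                  required:
                  - sourceIpRangesToNat
                  - subnetworkRef
                  type: object
                type: array
              # Connection-tracking timeouts. Defaults are documented in each
              # description; no range is stated, so none is enforced here.
              tcpEstablishedIdleTimeoutSec:
                description: |-
                  Timeout (in seconds) for TCP established connections.
                  Defaults to 1200s if not set.
                type: integer
              tcpTimeWaitTimeoutSec:
                description: |-
                  Timeout (in seconds) for TCP connections that are in TIME_WAIT state.
                  Defaults to 120s if not set.
                type: integer
              tcpTransitoryIdleTimeoutSec:
                description: |-
                  Timeout (in seconds) for TCP transitory connections.
                  Defaults to 30s if not set.
                type: integer
              udpIdleTimeoutSec:
                description: Timeout (in seconds) for UDP connections. Defaults to 30s if not set.
                type: integer
            required:
            - natIpAllocateOption
            - region
            - routerRef
            - sourceSubnetworkIpRangesToNat
            type: object
          # Controller-written status; exposed through the status subresource
          # so spec and status are updated via separate endpoints.
          status:
            properties:
              conditions:
                description: Conditions represent the latest available observation of the resource's current state.
                items:
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status to another.
                      type: string
                    message:
                      description: Human-readable message indicating details about last transition.
                      type: string
                    reason:
                      description: Unique, one-word, CamelCase reason for the condition's last transition.
                      type: string
                    status:
                      description: Status is the status of the condition. Can be True, False, Unknown.
                      type: string
                    type:
                      description: Type is the type of the condition.
                      type: string
                  type: object
                type: array
              observedGeneration:
                description: ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.
                type: integer
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []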