# Copyright 2020 Google LLC
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.

# CustomResourceDefinition for NetworkServicesEndpointPolicy
# (group networkservices.cnrm.cloud.google.com, version v1beta1, namespaced).
# The resource binds an authorization policy and client/server TLS policies
# to the endpoints selected by spec.endpointMatcher.
#
# Review summary: all three policy references are optional in this schema,
# and their descriptions state that leaving one out disables the matching
# check. Several documented limits (enum values, max lengths, max entries,
# resource-name formats) appear only in description text and are not
# enforced by the schema itself.
# NOTE(review): the dcl2crd label suggests this file is generated; confirm
# before editing by hand.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    cnrm.cloud.google.com/version: 1.106.0
  creationTimestamp: null
  labels:
    cnrm.cloud.google.com/dcl2crd: "true"
    cnrm.cloud.google.com/managed-by-kcc: "true"
    cnrm.cloud.google.com/stability-level: stable
    cnrm.cloud.google.com/system: "true"
  name: networkservicesendpointpolicies.networkservices.cnrm.cloud.google.com
spec:
  group: networkservices.cnrm.cloud.google.com
  names:
    categories:
    - gcp
    kind: NetworkServicesEndpointPolicy
    plural: networkservicesendpointpolicies
    shortNames:
    - gcpnetworkservicesendpointpolicy
    - gcpnetworkservicesendpointpolicies
    singular: networkservicesendpointpolicy
  # Namespaced: instances live in a namespace, so namespace-level RBAC
  # decides who may create or change them.
  scope: Namespaced
  versions:
  # Columns for tabular listings; the last three read the 'Ready' condition.
  - additionalPrinterColumns:
    - jsonPath: .metadata.creationTimestamp
      name: Age
      type: date
    - description: When 'True', the most recent reconcile of the resource succeeded
      jsonPath: .status.conditions[?(@.type=='Ready')].status
      name: Ready
      type: string
    - description: The reason for the value in 'Ready'
      jsonPath: .status.conditions[?(@.type=='Ready')].reason
      name: Status
      type: string
    - description: The last transition time for the value in 'Status'
      jsonPath: .status.conditions[?(@.type=='Ready')].lastTransitionTime
      name: Status Age
      type: date
    name: v1beta1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'apiVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources'
            type: string
          kind:
            description: 'kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              # Security: optional and fail-open. The description below states
              # that omitting this reference disables authorization for the
              # matched endpoints, and the field is not in spec.required. Where
              # authorization is mandatory, require the field through admission
              # control (for example a ValidatingAdmissionPolicy).
              authorizationPolicyRef:
                # Exactly one form is accepted: `name` (optionally with
                # `namespace`) without `external`, or `external` alone.
                oneOf:
                - not:
                    required:
                    - external
                  required:
                  - name
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                  required:
                  - external
                properties:
                  # Free-form string: no `pattern` is declared, so the
                  # documented resource-name format is not enforced here.
                  external:
                    description: |-
                      Optional. This field specifies the URL of AuthorizationPolicy resource that applies authorization policies to the inbound traffic at the matched endpoints. Refer to Authorization. If this field is not specified, authorization is disabled(no authz checks) for this endpoint.

                      Allowed value: The Google Cloud resource name of a `NetworkSecurityAuthorizationPolicy` resource (format: `projects/{{project}}/locations/{{location}}/authorizationPolicies/{{name}}`).
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  # The schema lets a reference name another namespace; whether
                  # that is restricted is not visible here.
                  # NOTE(review): confirm.
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
              # Security: optional and fail-open. Per the description, when
              # unset the proxy-to-endpoint connection is unauthenticated
              # ("open"); it applies only when type is SIDECAR_PROXY.
              clientTlsPolicyRef:
                # Same one-of rule as authorizationPolicyRef: `name`
                # (+ optional `namespace`) or `external`, never both.
                oneOf:
                - not:
                    required:
                    - external
                  required:
                  - name
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                  required:
                  - external
                properties:
                  # Free-form string; the documented format is not enforced by
                  # a `pattern`.
                  external:
                    description: |-
                      Optional. A URL referring to a ClientTlsPolicy resource. ClientTlsPolicy can be set to specify the authentication for traffic from the proxy to the actual endpoints. More specifically, it is applied to the outgoing traffic from the proxy to the endpoint. This is typically used for sidecar model where the proxy identifies itself as endpoint to the control plane, with the connection between sidecar and endpoint requiring authentication. If this field is not set, authentication is disabled(open). Applicable only when EndpointPolicyType is SIDECAR_PROXY.

                      Allowed value: The Google Cloud resource name of a `NetworkSecurityClientTLSPolicy` resource (format: `projects/{{project}}/locations/{{location}}/clientTlsPolicies/{{name}}`).
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
              # The 1024-character limit is stated in the text only; no
              # `maxLength` is declared.
              description:
                description: Optional. A free-text description of the resource. Max
                  length 1024 characters.
                type: string
              # Required. Selects the endpoints that receive the policies
              # referenced above.
              endpointMatcher:
                description: Required. A matcher that selects endpoints to which the
                  policies should be applied.
                properties:
                  # Matching is based on node metadata presented by the xDS
                  # client itself (per the description).
                  metadataLabelMatcher:
                    description: The matcher is based on node metadata presented by
                      xDS clients.
                    properties:
                      # No `enum` is declared; the values listed in the
                      # description are not enforced by this schema.
                      # NOTE(review): the example label sets in this text
                      # appear to be missing ("a client with label connects")
                      # - consult the API documentation for the full example.
                      metadataLabelMatchCriteria:
                        description: 'Specifies how matching should be done. Supported
                          values are: MATCH_ANY: At least one of the Labels specified
                          in the matcher should match the metadata presented by xDS
                          client. MATCH_ALL: The metadata presented by the xDS client
                          should contain all of the labels specified here. The selection
                          is determined based on the best match. For example, suppose
                          there are three EndpointPolicy resources P1, P2 and P3 and
                          if P1 has a the matcher as MATCH_ANY , P2 has MATCH_ALL
                          , and P3 has MATCH_ALL . If a client with label connects,
                          the config from P1 will be selected. If a client with label
                          connects, the config from P2 will be selected. If a client
                          with label connects, the config from P3 will be selected.
                          If there is more than one best match, (for example, if a
                          config P4 with selector exists and if a client with label
                          connects), an error will be thrown. Possible values: METADATA_LABEL_MATCH_CRITERIA_UNSPECIFIED,
                          MATCH_ANY, MATCH_ALL'
                        type: string
                      # Scope: an empty list combined with MATCH_ANY is a
                      # wildcard that matches every client (per the
                      # description). The 64-entry cap is documented only; no
                      # `maxItems` is declared.
                      metadataLabels:
                        description: The list of label value pairs that must match
                          labels in the provided metadata based on filterMatchCriteria
                          This list can have at most 64 entries. The list can be empty
                          if the match criteria is MATCH_ANY, to specify a wildcard
                          match (i.e this matches any client).
                        items:
                          properties:
                            labelName:
                              description: Required. Label name presented as key in
                                xDS Node Metadata.
                              type: string
                            labelValue:
                              description: Required. Label value presented as value
                                corresponding to the above key, in xDS Node Metadata.
                              type: string
                          required:
                          - labelName
                          - labelValue
                          type: object
                        type: array
                    type: object
                type: object
              location:
                description: Immutable. The location for the resource
                type: string
              # Required. Same one-of rule as the policy references: `name`
              # (+ optional `namespace`) or `external`.
              projectRef:
                description: Immutable. The Project that this resource belongs to.
                oneOf:
                - not:
                    required:
                    - external
                  required:
                  - name
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                  required:
                  - external
                properties:
                  external:
                    description: |-
                      The project for the resource

                      Allowed value: The Google Cloud resource name of a `Project` resource (format: `projects/{{name}}`).
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
              # Used for creation and acquisition (per the description);
              # defaults to metadata.name when unset.
              resourceID:
                description: Immutable. Optional. The name of the resource. Used for
                  creation and acquisition. When unset, the value of `metadata.name`
                  is used as the default.
                type: string
              # Security: optional and fail-open. Per the description, when
              # unset inbound authentication is disabled ("open") for the
              # matched endpoints.
              serverTlsPolicyRef:
                # Same one-of rule: `name` (+ optional `namespace`) or
                # `external`, never both.
                oneOf:
                - not:
                    required:
                    - external
                  required:
                  - name
                - not:
                    anyOf:
                    - required:
                      - name
                    - required:
                      - namespace
                  required:
                  - external
                properties:
                  # Free-form string; the documented format is not enforced by
                  # a `pattern`.
                  external:
                    description: |-
                      Optional. A URL referring to ServerTlsPolicy resource. ServerTlsPolicy is used to determine the authentication policy to be applied to terminate the inbound traffic at the identified backends. If this field is not set, authentication is disabled(open) for this endpoint.

                      Allowed value: The Google Cloud resource name of a `NetworkSecurityServerTLSPolicy` resource (format: `projects/{{project}}/locations/{{location}}/serverTlsPolicies/{{name}}`).
                    type: string
                  name:
                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
                    type: string
                  namespace:
                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
                    type: string
                type: object
              # Scope: omitting the selector, or giving an empty `ports` list,
              # applies the policy to all ports (per the descriptions).
              trafficPortSelector:
                description: Optional. Port selector for the (matched) endpoints.
                  If no port selector is provided, the matched config is applied to
                  all ports.
                properties:
                  # Entries are unconstrained strings; the number / range /
                  # name / * forms are documented but not validated here.
                  # NOTE(review): the range example in this text appears to
                  # be missing - consult the API documentation.
                  ports:
                    description: Optional. A list of ports. Can be port numbers or
                      port range (example, specifies all ports from 80 to 90, including
                      80 and 90) or named ports or * to specify all ports. If the
                      list is empty, all ports are selected.
                    items:
                      type: string
                    type: array
                type: object
              # No `enum` is declared; the listed values are documentation
              # only as far as this schema goes.
              type:
                description: 'Required. The type of endpoint config. This is primarily
                  used to validate the configuration. Possible values: ENDPOINT_CONFIG_SELECTOR_TYPE_UNSPECIFIED,
                  SIDECAR_PROXY, GRPC_SERVER'
                type: string
            # None of the three policy references is listed here, so a policy
            # with no authorization and no TLS policy passes schema validation.
            required:
            - endpointMatcher
            - location
            - projectRef
            - type
            type: object
          # Observed state. Conditions drive the Ready/Status printer columns
          # above.
          status:
            properties:
              conditions:
                description: Conditions represent the latest available observation
                  of the resource's current state.
                items:
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status
                        to another.
                      type: string
                    message:
                      description: Human-readable message indicating details about
                        last transition.
                      type: string
                    reason:
                      description: Unique, one-word, CamelCase reason for the condition's
                        last transition.
                      type: string
                    status:
                      description: Status is the status of the condition. Can be True,
                        False, Unknown.
                      type: string
                    type:
                      description: Type is the type of the condition.
                      type: string
                  type: object
                type: array
              createTime:
                description: Output only. The timestamp when the resource was created.
                format: date-time
                type: string
              # Equal to metadata.generation once the reported status reflects
              # the latest desired state (per the description).
              observedGeneration:
                description: ObservedGeneration is the generation of the resource
                  that was most recently observed by the Config Connector controller.
                  If this is equal to metadata.generation, then that means that the
                  current reported status reflects the most recent desired state of
                  the resource.
                type: integer
              updateTime:
                description: Output only. The timestamp when the resource was updated.
                format: date-time
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    # Status is a separate subresource, so RBAC can grant status writes
    # independently of spec writes.
    subresources:
      status: {}
# Empty placeholder status for the CRD object itself.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []