1 /* 2 Copyright 2017 The Kubernetes Authors. 3 4 Licensed under the Apache License, Version 2.0 (the "License"); 5 you may not use this file except in compliance with the License. 6 You may obtain a copy of the License at 7 8 http://www.apache.org/licenses/LICENSE-2.0 9 10 Unless required by applicable law or agreed to in writing, software 11 distributed under the License is distributed on an "AS IS" BASIS, 12 WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 See the License for the specific language governing permissions and 14 limitations under the License. 15 */ 16 17 package v1 18 19 import ( 20 v1 "k8s.io/api/core/v1" 21 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" 22 "k8s.io/apimachinery/pkg/util/intstr" 23 ) 24 25 // +genclient 26 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 27 28 // NetworkPolicy describes what network traffic is allowed for a set of Pods 29 type NetworkPolicy struct { 30 metav1.TypeMeta `json:",inline"` 31 32 // Standard object's metadata. 33 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata 34 // +optional 35 metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 36 37 // spec represents the specification of the desired behavior for this NetworkPolicy. 38 // +optional 39 Spec NetworkPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` 40 41 // Status is tombstoned to show why 3 is a reserved protobuf tag. 42 // This commented field should remain, so in the future if we decide to reimplement 43 // NetworkPolicyStatus a different protobuf name and tag SHOULD be used! 44 // Status NetworkPolicyStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` 45 } 46 47 // PolicyType string describes the NetworkPolicy type 48 // This type is beta-level in 1.8 49 // +enum 50 type PolicyType string 51 52 const ( 53 // PolicyTypeIngress is a NetworkPolicy that affects ingress traffic on selected pods 54 PolicyTypeIngress PolicyType = "Ingress" 55 // PolicyTypeEgress is a NetworkPolicy that affects egress traffic on selected pods 56 PolicyTypeEgress PolicyType = "Egress" 57 ) 58 59 // NetworkPolicySpec provides the specification of a NetworkPolicy 60 type NetworkPolicySpec struct { 61 // podSelector selects the pods to which this NetworkPolicy object applies. 62 // The array of ingress rules is applied to any pods selected by this field. 63 // Multiple network policies can select the same set of pods. In this case, 64 // the ingress rules for each are combined additively. 65 // This field is NOT optional and follows standard label selector semantics. 66 // An empty podSelector matches all pods in this namespace. 67 PodSelector metav1.LabelSelector `json:"podSelector" protobuf:"bytes,1,opt,name=podSelector"` 68 69 // ingress is a list of ingress rules to be applied to the selected pods. 70 // Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod 71 // (and cluster policy otherwise allows the traffic), OR if the traffic source is 72 // the pod's local node, OR if the traffic matches at least one ingress rule 73 // across all of the NetworkPolicy objects whose podSelector matches the pod. If 74 // this field is empty then this NetworkPolicy does not allow any traffic (and serves 75 // solely to ensure that the pods it selects are isolated by default) 76 // +optional 77 // +listType=atomic 78 Ingress []NetworkPolicyIngressRule `json:"ingress,omitempty" protobuf:"bytes,2,rep,name=ingress"` 79 80 // egress is a list of egress rules to be applied to the selected pods. Outgoing traffic 81 // is allowed if there are no NetworkPolicies selecting the pod (and cluster policy 82 // otherwise allows the traffic), OR if the traffic matches at least one egress rule 83 // across all of the NetworkPolicy objects whose podSelector matches the pod. If 84 // this field is empty then this NetworkPolicy limits all outgoing traffic (and serves 85 // solely to ensure that the pods it selects are isolated by default). 86 // This field is beta-level in 1.8 87 // +optional 88 // +listType=atomic 89 Egress []NetworkPolicyEgressRule `json:"egress,omitempty" protobuf:"bytes,3,rep,name=egress"` 90 91 // policyTypes is a list of rule types that the NetworkPolicy relates to. 92 // Valid options are ["Ingress"], ["Egress"], or ["Ingress", "Egress"]. 93 // If this field is not specified, it will default based on the existence of ingress or egress rules; 94 // policies that contain an egress section are assumed to affect egress, and all policies 95 // (whether or not they contain an ingress section) are assumed to affect ingress. 96 // If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. 97 // Likewise, if you want to write a policy that specifies that no egress is allowed, 98 // you must specify a policyTypes value that include "Egress" (since such a policy would not include 99 // an egress section and would otherwise default to just [ "Ingress" ]). 100 // This field is beta-level in 1.8 101 // +optional 102 // +listType=atomic 103 PolicyTypes []PolicyType `json:"policyTypes,omitempty" protobuf:"bytes,4,rep,name=policyTypes,casttype=PolicyType"` 104 } 105 106 // NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods 107 // matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from. 108 type NetworkPolicyIngressRule struct { 109 // ports is a list of ports which should be made accessible on the pods selected for 110 // this rule. Each item in this list is combined using a logical OR. If this field is 111 // empty or missing, this rule matches all ports (traffic not restricted by port). 112 // If this field is present and contains at least one item, then this rule allows 113 // traffic only if the traffic matches at least one port in the list. 114 // +optional 115 // +listType=atomic 116 Ports []NetworkPolicyPort `json:"ports,omitempty" protobuf:"bytes,1,rep,name=ports"` 117 118 // from is a list of sources which should be able to access the pods selected for this rule. 119 // Items in this list are combined using a logical OR operation. If this field is 120 // empty or missing, this rule matches all sources (traffic not restricted by 121 // source). If this field is present and contains at least one item, this rule 122 // allows traffic only if the traffic matches at least one item in the from list. 123 // +optional 124 // +listType=atomic 125 From []NetworkPolicyPeer `json:"from,omitempty" protobuf:"bytes,2,rep,name=from"` 126 } 127 128 // NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods 129 // matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. 130 // This type is beta-level in 1.8 131 type NetworkPolicyEgressRule struct { 132 // ports is a list of destination ports for outgoing traffic. 133 // Each item in this list is combined using a logical OR. If this field is 134 // empty or missing, this rule matches all ports (traffic not restricted by port). 135 // If this field is present and contains at least one item, then this rule allows 136 // traffic only if the traffic matches at least one port in the list. 137 // +optional 138 // +listType=atomic 139 Ports []NetworkPolicyPort `json:"ports,omitempty" protobuf:"bytes,1,rep,name=ports"` 140 141 // to is a list of destinations for outgoing traffic of pods selected for this rule. 142 // Items in this list are combined using a logical OR operation. If this field is 143 // empty or missing, this rule matches all destinations (traffic not restricted by 144 // destination). If this field is present and contains at least one item, this rule 145 // allows traffic only if the traffic matches at least one item in the to list. 146 // +optional 147 // +listType=atomic 148 To []NetworkPolicyPeer `json:"to,omitempty" protobuf:"bytes,2,rep,name=to"` 149 } 150 151 // NetworkPolicyPort describes a port to allow traffic on 152 type NetworkPolicyPort struct { 153 // protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match. 154 // If not specified, this field defaults to TCP. 155 // +optional 156 Protocol *v1.Protocol `json:"protocol,omitempty" protobuf:"bytes,1,opt,name=protocol,casttype=k8s.io/api/core/v1.Protocol"` 157 158 // port represents the port on the given protocol. This can either be a numerical or named 159 // port on a pod. If this field is not provided, this matches all port names and 160 // numbers. 161 // If present, only traffic on the specified protocol AND port will be matched. 162 // +optional 163 Port *intstr.IntOrString `json:"port,omitempty" protobuf:"bytes,2,opt,name=port"` 164 165 // endPort indicates that the range of ports from port to endPort if set, inclusive, 166 // should be allowed by the policy. This field cannot be defined if the port field 167 // is not defined or if the port field is defined as a named (string) port. 168 // The endPort must be equal or greater than port. 169 // +optional 170 EndPort *int32 `json:"endPort,omitempty" protobuf:"bytes,3,opt,name=endPort"` 171 } 172 173 // IPBlock describes a particular CIDR (Ex. "192.168.1.0/24","2001:db8::/64") that is allowed 174 // to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs 175 // that should not be included within this rule. 176 type IPBlock struct { 177 // cidr is a string representing the IPBlock 178 // Valid examples are "192.168.1.0/24" or "2001:db8::/64" 179 CIDR string `json:"cidr" protobuf:"bytes,1,name=cidr"` 180 181 // except is a slice of CIDRs that should not be included within an IPBlock 182 // Valid examples are "192.168.1.0/24" or "2001:db8::/64" 183 // Except values will be rejected if they are outside the cidr range 184 // +optional 185 // +listType=atomic 186 Except []string `json:"except,omitempty" protobuf:"bytes,2,rep,name=except"` 187 } 188 189 // NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of 190 // fields are allowed 191 type NetworkPolicyPeer struct { 192 // podSelector is a label selector which selects pods. This field follows standard label 193 // selector semantics; if present but empty, it selects all pods. 194 // 195 // If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects 196 // the pods matching podSelector in the Namespaces selected by NamespaceSelector. 197 // Otherwise it selects the pods matching podSelector in the policy's own namespace. 198 // +optional 199 PodSelector *metav1.LabelSelector `json:"podSelector,omitempty" protobuf:"bytes,1,opt,name=podSelector"` 200 201 // namespaceSelector selects namespaces using cluster-scoped labels. This field follows 202 // standard label selector semantics; if present but empty, it selects all namespaces. 203 // 204 // If podSelector is also set, then the NetworkPolicyPeer as a whole selects 205 // the pods matching podSelector in the namespaces selected by namespaceSelector. 206 // Otherwise it selects all pods in the namespaces selected by namespaceSelector. 207 // +optional 208 NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,2,opt,name=namespaceSelector"` 209 210 // ipBlock defines policy on a particular IPBlock. If this field is set then 211 // neither of the other fields can be. 212 // +optional 213 IPBlock *IPBlock `json:"ipBlock,omitempty" protobuf:"bytes,3,rep,name=ipBlock"` 214 } 215 216 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 217 218 // NetworkPolicyList is a list of NetworkPolicy objects. 219 type NetworkPolicyList struct { 220 metav1.TypeMeta `json:",inline"` 221 222 // Standard list metadata. 223 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata 224 // +optional 225 metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 226 227 // items is a list of schema objects. 228 Items []NetworkPolicy `json:"items" protobuf:"bytes,2,rep,name=items"` 229 } 230 231 // +genclient 232 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 233 234 // Ingress is a collection of rules that allow inbound connections to reach the 235 // endpoints defined by a backend. An Ingress can be configured to give services 236 // externally-reachable urls, load balance traffic, terminate SSL, offer name 237 // based virtual hosting etc. 238 type Ingress struct { 239 metav1.TypeMeta `json:",inline"` 240 241 // Standard object's metadata. 242 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata 243 // +optional 244 metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 245 246 // spec is the desired state of the Ingress. 247 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status 248 // +optional 249 Spec IngressSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` 250 251 // status is the current state of the Ingress. 252 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status 253 // +optional 254 Status IngressStatus `json:"status,omitempty" protobuf:"bytes,3,opt,name=status"` 255 } 256 257 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 258 259 // IngressList is a collection of Ingress. 260 type IngressList struct { 261 metav1.TypeMeta `json:",inline"` 262 263 // Standard object's metadata. 264 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata 265 // +optional 266 metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 267 268 // items is the list of Ingress. 269 Items []Ingress `json:"items" protobuf:"bytes,2,rep,name=items"` 270 } 271 272 // IngressSpec describes the Ingress the user wishes to exist. 273 type IngressSpec struct { 274 // ingressClassName is the name of an IngressClass cluster resource. Ingress 275 // controller implementations use this field to know whether they should be 276 // serving this Ingress resource, by a transitive connection 277 // (controller -> IngressClass -> Ingress resource). Although the 278 // `kubernetes.io/ingress.class` annotation (simple constant name) was never 279 // formally defined, it was widely supported by Ingress controllers to create 280 // a direct binding between Ingress controller and Ingress resources. Newly 281 // created Ingress resources should prefer using the field. However, even 282 // though the annotation is officially deprecated, for backwards compatibility 283 // reasons, ingress controllers should still honor that annotation if present. 284 // +optional 285 IngressClassName *string `json:"ingressClassName,omitempty" protobuf:"bytes,4,opt,name=ingressClassName"` 286 287 // defaultBackend is the backend that should handle requests that don't 288 // match any rule. If Rules are not specified, DefaultBackend must be specified. 289 // If DefaultBackend is not set, the handling of requests that do not match any 290 // of the rules will be up to the Ingress controller. 291 // +optional 292 DefaultBackend *IngressBackend `json:"defaultBackend,omitempty" protobuf:"bytes,1,opt,name=defaultBackend"` 293 294 // tls represents the TLS configuration. Currently the Ingress only supports a 295 // single TLS port, 443. If multiple members of this list specify different hosts, 296 // they will be multiplexed on the same port according to the hostname specified 297 // through the SNI TLS extension, if the ingress controller fulfilling the 298 // ingress supports SNI. 299 // +listType=atomic 300 // +optional 301 TLS []IngressTLS `json:"tls,omitempty" protobuf:"bytes,2,rep,name=tls"` 302 303 // rules is a list of host rules used to configure the Ingress. If unspecified, 304 // or no rule matches, all traffic is sent to the default backend. 305 // +listType=atomic 306 // +optional 307 Rules []IngressRule `json:"rules,omitempty" protobuf:"bytes,3,rep,name=rules"` 308 } 309 310 // IngressTLS describes the transport layer security associated with an ingress. 311 type IngressTLS struct { 312 // hosts is a list of hosts included in the TLS certificate. The values in 313 // this list must match the name/s used in the tlsSecret. Defaults to the 314 // wildcard host setting for the loadbalancer controller fulfilling this 315 // Ingress, if left unspecified. 316 // +listType=atomic 317 // +optional 318 Hosts []string `json:"hosts,omitempty" protobuf:"bytes,1,rep,name=hosts"` 319 320 // secretName is the name of the secret used to terminate TLS traffic on 321 // port 443. Field is left optional to allow TLS routing based on SNI 322 // hostname alone. If the SNI host in a listener conflicts with the "Host" 323 // header field used by an IngressRule, the SNI host is used for termination 324 // and value of the "Host" header is used for routing. 325 // +optional 326 SecretName string `json:"secretName,omitempty" protobuf:"bytes,2,opt,name=secretName"` 327 } 328 329 // IngressStatus describe the current state of the Ingress. 330 type IngressStatus struct { 331 // loadBalancer contains the current status of the load-balancer. 332 // +optional 333 LoadBalancer IngressLoadBalancerStatus `json:"loadBalancer,omitempty" protobuf:"bytes,1,opt,name=loadBalancer"` 334 } 335 336 // IngressLoadBalancerStatus represents the status of a load-balancer. 337 type IngressLoadBalancerStatus struct { 338 // ingress is a list containing ingress points for the load-balancer. 339 // +optional 340 // +listType=atomic 341 Ingress []IngressLoadBalancerIngress `json:"ingress,omitempty" protobuf:"bytes,1,rep,name=ingress"` 342 } 343 344 // IngressLoadBalancerIngress represents the status of a load-balancer ingress point. 345 type IngressLoadBalancerIngress struct { 346 // ip is set for load-balancer ingress points that are IP based. 347 // +optional 348 IP string `json:"ip,omitempty" protobuf:"bytes,1,opt,name=ip"` 349 350 // hostname is set for load-balancer ingress points that are DNS based. 351 // +optional 352 Hostname string `json:"hostname,omitempty" protobuf:"bytes,2,opt,name=hostname"` 353 354 // ports provides information about the ports exposed by this LoadBalancer. 355 // +listType=atomic 356 // +optional 357 Ports []IngressPortStatus `json:"ports,omitempty" protobuf:"bytes,4,rep,name=ports"` 358 } 359 360 // IngressPortStatus represents the error condition of a service port 361 type IngressPortStatus struct { 362 // port is the port number of the ingress port. 363 Port int32 `json:"port" protobuf:"varint,1,opt,name=port"` 364 365 // protocol is the protocol of the ingress port. 366 // The supported values are: "TCP", "UDP", "SCTP" 367 Protocol v1.Protocol `json:"protocol" protobuf:"bytes,2,opt,name=protocol,casttype=Protocol"` 368 369 // error is to record the problem with the service port 370 // The format of the error shall comply with the following rules: 371 // - built-in error values shall be specified in this file and those shall use 372 // CamelCase names 373 // - cloud provider specific error values must have names that comply with the 374 // format foo.example.com/CamelCase. 375 // --- 376 // The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) 377 // +optional 378 // +kubebuilder:validation:Required 379 // +kubebuilder:validation:Pattern=`^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$` 380 // +kubebuilder:validation:MaxLength=316 381 Error *string `json:"error,omitempty" protobuf:"bytes,3,opt,name=error"` 382 } 383 384 // IngressRule represents the rules mapping the paths under a specified host to 385 // the related backend services. Incoming requests are first evaluated for a host 386 // match, then routed to the backend associated with the matching IngressRuleValue. 387 type IngressRule struct { 388 // host is the fully qualified domain name of a network host, as defined by RFC 3986. 389 // Note the following deviations from the "host" part of the 390 // URI as defined in RFC 3986: 391 // 1. IPs are not allowed. Currently an IngressRuleValue can only apply to 392 // the IP in the Spec of the parent Ingress. 393 // 2. The `:` delimiter is not respected because ports are not allowed. 394 // Currently the port of an Ingress is implicitly :80 for http and 395 // :443 for https. 396 // Both these may change in the future. 397 // Incoming requests are matched against the host before the 398 // IngressRuleValue. If the host is unspecified, the Ingress routes all 399 // traffic based on the specified IngressRuleValue. 400 // 401 // host can be "precise" which is a domain name without the terminating dot of 402 // a network host (e.g. "foo.bar.com") or "wildcard", which is a domain name 403 // prefixed with a single wildcard label (e.g. "*.foo.com"). 404 // The wildcard character '*' must appear by itself as the first DNS label and 405 // matches only a single label. You cannot have a wildcard label by itself (e.g. Host == "*"). 406 // Requests will be matched against the Host field in the following way: 407 // 1. If host is precise, the request matches this rule if the http host header is equal to Host. 408 // 2. If host is a wildcard, then the request matches this rule if the http host header 409 // is to equal to the suffix (removing the first label) of the wildcard rule. 410 // +optional 411 Host string `json:"host,omitempty" protobuf:"bytes,1,opt,name=host"` 412 // IngressRuleValue represents a rule to route requests for this IngressRule. 413 // If unspecified, the rule defaults to a http catch-all. Whether that sends 414 // just traffic matching the host to the default backend or all traffic to the 415 // default backend, is left to the controller fulfilling the Ingress. Http is 416 // currently the only supported IngressRuleValue. 417 // +optional 418 IngressRuleValue `json:",inline,omitempty" protobuf:"bytes,2,opt,name=ingressRuleValue"` 419 } 420 421 // IngressRuleValue represents a rule to apply against incoming requests. If the 422 // rule is satisfied, the request is routed to the specified backend. Currently 423 // mixing different types of rules in a single Ingress is disallowed, so exactly 424 // one of the following must be set. 425 type IngressRuleValue struct { 426 // +optional 427 HTTP *HTTPIngressRuleValue `json:"http,omitempty" protobuf:"bytes,1,opt,name=http"` 428 } 429 430 // HTTPIngressRuleValue is a list of http selectors pointing to backends. 431 // In the example: http://<host>/<path>?<searchpart> -> backend where 432 // where parts of the url correspond to RFC 3986, this resource will be used 433 // to match against everything after the last '/' and before the first '?' 434 // or '#'. 435 type HTTPIngressRuleValue struct { 436 // paths is a collection of paths that map requests to backends. 437 // +listType=atomic 438 Paths []HTTPIngressPath `json:"paths" protobuf:"bytes,1,rep,name=paths"` 439 } 440 441 // PathType represents the type of path referred to by a HTTPIngressPath. 442 // +enum 443 type PathType string 444 445 const ( 446 // PathTypeExact matches the URL path exactly and with case sensitivity. 447 PathTypeExact = PathType("Exact") 448 449 // PathTypePrefix matches based on a URL path prefix split by '/'. Matching 450 // is case sensitive and done on a path element by element basis. A path 451 // element refers to the list of labels in the path split by the '/' 452 // separator. A request is a match for path p if every p is an element-wise 453 // prefix of p of the request path. Note that if the last element of the 454 // path is a substring of the last element in request path, it is not a 455 // match (e.g. /foo/bar matches /foo/bar/baz, but does not match 456 // /foo/barbaz). If multiple matching paths exist in an Ingress spec, the 457 // longest matching path is given priority. 458 // Examples: 459 // - /foo/bar does not match requests to /foo/barbaz 460 // - /foo/bar matches request to /foo/bar and /foo/bar/baz 461 // - /foo and /foo/ both match requests to /foo and /foo/. If both paths are 462 // present in an Ingress spec, the longest matching path (/foo/) is given 463 // priority. 464 PathTypePrefix = PathType("Prefix") 465 466 // PathTypeImplementationSpecific matching is up to the IngressClass. 467 // Implementations can treat this as a separate PathType or treat it 468 // identically to Prefix or Exact path types. 469 PathTypeImplementationSpecific = PathType("ImplementationSpecific") 470 ) 471 472 // HTTPIngressPath associates a path with a backend. Incoming urls matching the 473 // path are forwarded to the backend. 474 type HTTPIngressPath struct { 475 // path is matched against the path of an incoming request. Currently it can 476 // contain characters disallowed from the conventional "path" part of a URL 477 // as defined by RFC 3986. Paths must begin with a '/' and must be present 478 // when using PathType with value "Exact" or "Prefix". 479 // +optional 480 Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=path"` 481 482 // pathType determines the interpretation of the path matching. PathType can 483 // be one of the following values: 484 // * Exact: Matches the URL path exactly. 485 // * Prefix: Matches based on a URL path prefix split by '/'. Matching is 486 // done on a path element by element basis. A path element refers is the 487 // list of labels in the path split by the '/' separator. A request is a 488 // match for path p if every p is an element-wise prefix of p of the 489 // request path. Note that if the last element of the path is a substring 490 // of the last element in request path, it is not a match (e.g. /foo/bar 491 // matches /foo/bar/baz, but does not match /foo/barbaz). 492 // * ImplementationSpecific: Interpretation of the Path matching is up to 493 // the IngressClass. Implementations can treat this as a separate PathType 494 // or treat it identically to Prefix or Exact path types. 495 // Implementations are required to support all path types. 496 PathType *PathType `json:"pathType" protobuf:"bytes,3,opt,name=pathType"` 497 498 // backend defines the referenced service endpoint to which the traffic 499 // will be forwarded to. 500 Backend IngressBackend `json:"backend" protobuf:"bytes,2,opt,name=backend"` 501 } 502 503 // IngressBackend describes all endpoints for a given service and port. 504 type IngressBackend struct { 505 // service references a service as a backend. 506 // This is a mutually exclusive setting with "Resource". 507 // +optional 508 Service *IngressServiceBackend `json:"service,omitempty" protobuf:"bytes,4,opt,name=service"` 509 510 // resource is an ObjectRef to another Kubernetes resource in the namespace 511 // of the Ingress object. If resource is specified, a service.Name and 512 // service.Port must not be specified. 513 // This is a mutually exclusive setting with "Service". 514 // +optional 515 Resource *v1.TypedLocalObjectReference `json:"resource,omitempty" protobuf:"bytes,3,opt,name=resource"` 516 } 517 518 // IngressServiceBackend references a Kubernetes Service as a Backend. 519 type IngressServiceBackend struct { 520 // name is the referenced service. The service must exist in 521 // the same namespace as the Ingress object. 522 Name string `json:"name" protobuf:"bytes,1,opt,name=name"` 523 524 // port of the referenced service. A port name or port number 525 // is required for a IngressServiceBackend. 526 Port ServiceBackendPort `json:"port,omitempty" protobuf:"bytes,2,opt,name=port"` 527 } 528 529 // ServiceBackendPort is the service port being referenced. 530 type ServiceBackendPort struct { 531 // name is the name of the port on the Service. 532 // This is a mutually exclusive setting with "Number". 533 // +optional 534 Name string `json:"name,omitempty" protobuf:"bytes,1,opt,name=name"` 535 536 // number is the numerical port number (e.g. 80) on the Service. 537 // This is a mutually exclusive setting with "Name". 538 // +optional 539 Number int32 `json:"number,omitempty" protobuf:"bytes,2,opt,name=number"` 540 } 541 542 // +genclient 543 // +genclient:nonNamespaced 544 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 545 546 // IngressClass represents the class of the Ingress, referenced by the Ingress 547 // Spec. The `ingressclass.kubernetes.io/is-default-class` annotation can be 548 // used to indicate that an IngressClass should be considered default. When a 549 // single IngressClass resource has this annotation set to true, new Ingress 550 // resources without a class specified will be assigned this default class. 551 type IngressClass struct { 552 metav1.TypeMeta `json:",inline"` 553 554 // Standard object's metadata. 555 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata 556 // +optional 557 metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 558 559 // spec is the desired state of the IngressClass. 560 // More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status 561 // +optional 562 Spec IngressClassSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"` 563 } 564 565 // IngressClassSpec provides information about the class of an Ingress. 566 type IngressClassSpec struct { 567 // controller refers to the name of the controller that should handle this 568 // class. This allows for different "flavors" that are controlled by the 569 // same controller. For example, you may have different parameters for the 570 // same implementing controller. This should be specified as a 571 // domain-prefixed path no more than 250 characters in length, e.g. 572 // "acme.io/ingress-controller". This field is immutable. 573 Controller string `json:"controller,omitempty" protobuf:"bytes,1,opt,name=controller"` 574 575 // parameters is a link to a custom resource containing additional 576 // configuration for the controller. This is optional if the controller does 577 // not require extra parameters. 578 // +optional 579 Parameters *IngressClassParametersReference `json:"parameters,omitempty" protobuf:"bytes,2,opt,name=parameters"` 580 } 581 582 const ( 583 // IngressClassParametersReferenceScopeNamespace indicates that the 584 // referenced Parameters resource is namespace-scoped. 585 IngressClassParametersReferenceScopeNamespace = "Namespace" 586 // IngressClassParametersReferenceScopeCluster indicates that the 587 // referenced Parameters resource is cluster-scoped. 588 IngressClassParametersReferenceScopeCluster = "Cluster" 589 ) 590 591 // IngressClassParametersReference identifies an API object. This can be used 592 // to specify a cluster or namespace-scoped resource. 593 type IngressClassParametersReference struct { 594 // apiGroup is the group for the resource being referenced. If APIGroup is 595 // not specified, the specified Kind must be in the core API group. For any 596 // other third-party types, APIGroup is required. 597 // +optional 598 APIGroup *string `json:"apiGroup,omitempty" protobuf:"bytes,1,opt,name=aPIGroup"` 599 600 // kind is the type of resource being referenced. 601 Kind string `json:"kind" protobuf:"bytes,2,opt,name=kind"` 602 603 // name is the name of resource being referenced. 604 Name string `json:"name" protobuf:"bytes,3,opt,name=name"` 605 606 // scope represents if this refers to a cluster or namespace scoped resource. 607 // This may be set to "Cluster" (default) or "Namespace". 608 // +optional 609 Scope *string `json:"scope" protobuf:"bytes,4,opt,name=scope"` 610 611 // namespace is the namespace of the resource being referenced. This field is 612 // required when scope is set to "Namespace" and must be unset when scope is set to 613 // "Cluster". 614 // +optional 615 Namespace *string `json:"namespace,omitempty" protobuf:"bytes,5,opt,name=namespace"` 616 } 617 618 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object 619 620 // IngressClassList is a collection of IngressClasses. 621 type IngressClassList struct { 622 metav1.TypeMeta `json:",inline"` 623 624 // Standard list metadata. 625 // +optional 626 metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"` 627 628 // items is the list of IngressClasses. 629 Items []IngressClass `json:"items" protobuf:"bytes,2,rep,name=items"` 630 } 631