# CustomResourceDefinition for Calico's GlobalNetworkPolicy (group crd.projectcalico.org,
# version v1). The openAPIV3Schema below is all that the Kubernetes API server
# validates on create/update of a GlobalNetworkPolicy object.
# Reviewer note: almost every field is a free-form string (selectors, nets, ports,
# protocol, action), several int-or-string fields carry a no-op `pattern: ^.*`, and
# `action` has no `enum`, so the schema itself rejects very little; semantic checks
# are left to Calico (the `paths` description below refers to "the validator").
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    # Addon-manager "Reconcile" mode: the addon manager presumably re-applies this
    # manifest and overwrites in-cluster edits to the CRD — confirm for the
    # addon-manager deployment in use before hand-editing the live object.
    addonmanager.kubernetes.io/mode: Reconcile
  name: globalnetworkpolicies.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: GlobalNetworkPolicy
    listKind: GlobalNetworkPolicyList
    plural: globalnetworkpolicies
    singular: globalnetworkpolicy
  # Cluster-scoped: a GlobalNetworkPolicy is not bound to a namespace and (see the
  # NamespaceSelector and selector descriptions below) can select endpoints across
  # all namespaces. Treat create/update/delete on this resource as a cluster-wide
  # privilege when writing RBAC: a single object here can allow or deny traffic
  # for every workload and host endpoint in the cluster.
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              applyOnForward:
                # "Forward" traffic is presumably traffic the host forwards rather
                # than traffic that originates from or terminates at the host itself;
                # confirm against the Calico host-endpoint docs before relying on it.
                description: ApplyOnForward indicates to apply the rules in this policy
                  on forward traffic.
                type: boolean
              doNotTrack:
                # Security note: packets allowed by a doNotTrack policy are marked as
                # untracked, so the data plane's conntrack holds no state for them and
                # stateful matching cannot apply to their replies; the reverse
                # direction presumably needs its own explicit rule. Confirm against
                # the Calico docs for the release in use.
                description: DoNotTrack indicates whether packets matched by the rules
                  in this policy should go through the data plane's connection tracking,
                  such as Linux conntrack. If True, the rules in this policy are
                  applied before any data plane connection tracking, and packets allowed
                  by this policy are marked as not to be tracked.
                type: boolean
              egress:
                # Ordered list of Rule objects. The `ingress` list further down uses
                # the identical Rule schema; the comments here apply to both.
                description: The ordered set of egress rules. Each rule contains
                  a set of packet match criteria and a corresponding action to apply.
                items:
                  description: "A Rule encapsulates a set of match criteria and an
                    action. Both selector-based security Policy and security Profiles
                    reference rules - separated out as a list of rules for both ingress
                    and egress packet matching. \n Each positive match criteria has
                    a negated version, prefixed with ”Not”. All the match criteria
                    within a rule must be satisfied for a packet to match. A single
                    rule can contain the positive and negative version of a match
                    and both must be satisfied for the rule to match."
                  properties:
                    action:
                      # NOTE(review): only `type: string` with no `enum`, so the API
                      # server accepts any value (including a typo) for the rule
                      # action; rejecting unknown actions is left to the Calico
                      # validator. It is the only key listed under `required` below.
                      type: string
                    destination:
                      # Match criteria for the destination of the packet. The `source`
                      # block below has exactly the same shape.
                      description: Destination contains the match criteria that apply
                        to destination entity.
                      properties:
                        namespaceSelector:
                          # Per the description: for GlobalNetworkPolicy an empty
                          # NamespaceSelector makes `selector` span every namespace,
                          # so a rule meant for one namespace must set this explicitly.
                          description: "NamespaceSelector is an optional field that
                            contains a selector expression. Only traffic that originates
                            from (or terminates at) endpoints within the selected
                            namespaces will be matched. When both NamespaceSelector
                            and Selector are defined on the same rule, then only workload
                            endpoints that are matched by both selectors will be selected
                            by the rule. \n For NetworkPolicy, an empty NamespaceSelector
                            implies that the Selector is limited to selecting only
                            workload endpoints in the same namespace as the NetworkPolicy.
                            \n For NetworkPolicy, `global()` NamespaceSelector implies
                            that the Selector is limited to selecting only GlobalNetworkSet
                            or HostEndpoint. \n For GlobalNetworkPolicy, an empty
                            NamespaceSelector implies the Selector applies to workload
                            endpoints across all namespaces."
                          type: string
                        nets:
                          # Plain strings: the schema does not check that entries are
                          # well-formed CIDRs.
                          description: Nets is an optional field that restricts the
                            rule to only apply to traffic that originates from (or
                            terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets
                            field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports
                            field. Since only some protocols have ports, if any ports
                            are specified it requires the Protocol match in the Rule
                            to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            # `^.*` matches any string, so port-range syntax is not
                            # validated by the schema.
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          # Per the Selector description below, NotSelector also
                          # matches traffic from non-Calico sources, so it is broader
                          # than a negated expression written inside `selector`.
                          description: NotSelector is the negated version of the Selector
                            field. See Selector field for subtleties with negated
                            selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts
                            the rule to only apply to traffic that has a source (destination)
                            port that matches one of these ranges/values. This value
                            is a list of integers or strings that represent ranges
                            of ports. \n Since only some protocols have ports, if
                            any ports are specified it requires the Protocol match
                            in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            # No-op pattern; see notPorts above.
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains
                            a selector expression (see Policy for sample syntax).
                            \ Only traffic that originates from (terminates at) endpoints
                            matching the selector will be matched. \n Note that: in
                            addition to the negated version of the Selector (see NotSelector
                            below), the selector expression syntax itself supports
                            negation. The two types of negation are subtly different.
                            One negates the set of matched endpoints, the other negates
                            the whole match: \n \tSelector = \"!has(my_label)\" matches
                            packets that are from other Calico-controlled \tendpoints
                            that do not have the label “my_label”. \n \tNotSelector
                            = \"has(my_label)\" matches packets that are not from
                            Calico-controlled \tendpoints that do have the label “my_label”.
                            \n The effect is that the latter will accept packets from
                            non-Calico sources whereas the former is limited to packets
                            from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          # Identity-based match on the pod's service account; `names`
                          # and `selector` are AND'ed when both are given (see below).
                          description: ServiceAccounts is an optional field that restricts
                            the rule to only apply to traffic that originates from
                            (or terminates at) a pod running as a matching service
                            account.
                          properties:
                            names:
                              description: Names is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account that matches the given label selector. If
                                both Names and Selector are specified then they are
                                AND'ed.
                              type: string
                          type: object
                      type: object
                    http:
                      # NOTE(review): matching on HTTP methods and paths needs
                      # application-layer visibility; it is presumably not enforced
                      # by the iptables data path the ICMP descriptions refer to.
                      # Confirm which data paths honour these fields before relying
                      # on them as a security control.
                      description: HTTP contains match criteria that apply to HTTP
                        requests.
                      properties:
                        methods:
                          description: Methods is an optional field that restricts
                            the rule to apply only to HTTP requests that use one of
                            the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
                            methods are OR'd together.
                          items:
                            type: string
                          type: array
                        paths:
                          # The schema allows `exact` and `prefix` to be set together;
                          # the "only one" rule in the description is enforced by the
                          # Calico validator, not here.
                          description: 'Paths is an optional field that restricts
                            the rule to apply to HTTP requests that use one of the
                            listed HTTP Paths. Multiple paths are OR''d together.
                            e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
                            ONLY specify either a `exact` or a `prefix` match. The
                            validator will check for it.'
                          items:
                            description: 'HTTPPath specifies an HTTP path to match.
                              It may be either of the form: exact: <path>: which matches
                              the path exactly or prefix: <path-prefix>: which matches
                              the path prefix'
                            properties:
                              exact:
                                type: string
                              prefix:
                                type: string
                            type: object
                          type: array
                      type: object
                    icmp:
                      description: ICMP is an optional field that restricts the rule
                        to apply to a specific type and code of ICMP traffic. This
                        should only be specified if the Protocol field is set to "ICMP"
                        or "ICMPv6".
                      properties:
                        code:
                          # Code without Type is rejected by Calico per the
                          # description; the schema itself does not express that
                          # dependency.
                          description: Match on a specific ICMP code. If specified,
                            the Type value must also be specified. This is a technical
                            limitation imposed by the kernel’s iptables firewall,
                            which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example
                            a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    ipVersion:
                      # Integer with no range constraint in the schema.
                      description: IPVersion is an optional field that restricts the
                        rule to only match a specific IP version.
                      type: integer
                    metadata:
                      # Appears to be informational only per the description; not a
                      # match criterion.
                      description: Metadata contains additional information for this
                        rule
                      properties:
                        annotations:
                          additionalProperties:
                            type: string
                          description: Annotations is a set of key value pairs that
                            give extra information about the rule
                          type: object
                      type: object
                    notICMP:
                      description: NotICMP is the negated version of the ICMP field.
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified,
                            the Type value must also be specified. This is a technical
                            limitation imposed by the kernel’s iptables firewall,
                            which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example
                            a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    notProtocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: NotProtocol is the negated version of the Protocol
                        field.
                      # No-op pattern; neither the protocol names nor the 1-255 range
                      # named in the Protocol description are enforced by the schema.
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    protocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: "Protocol is an optional field that restricts the
                        rule to only apply to traffic of a specific IP protocol. Required
                        if any of the EntityRules contain Ports (because ports only
                        apply to certain protocols). \n Must be one of these string
                        values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
                        \"UDPLite\" or an integer in the range 1-255."
                      # No-op pattern; see notProtocol above. The "required if Ports
                      # are set" rule is likewise left to the Calico validator.
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    source:
                      # Mirror of `destination` above; the comments there apply here.
                      description: Source contains the match criteria that apply to
                        source entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that
                            contains a selector expression. Only traffic that originates
                            from (or terminates at) endpoints within the selected
                            namespaces will be matched. When both NamespaceSelector
                            and Selector are defined on the same rule, then only workload
                            endpoints that are matched by both selectors will be selected
                            by the rule. \n For NetworkPolicy, an empty NamespaceSelector
                            implies that the Selector is limited to selecting only
                            workload endpoints in the same namespace as the NetworkPolicy.
                            \n For NetworkPolicy, `global()` NamespaceSelector implies
                            that the Selector is limited to selecting only GlobalNetworkSet
                            or HostEndpoint. \n For GlobalNetworkPolicy, an empty
                            NamespaceSelector implies the Selector applies to workload
                            endpoints across all namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the
                            rule to only apply to traffic that originates from (or
                            terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets
                            field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports
                            field. Since only some protocols have ports, if any ports
                            are specified it requires the Protocol match in the Rule
                            to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector
                            field. See Selector field for subtleties with negated
                            selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts
                            the rule to only apply to traffic that has a source (destination)
                            port that matches one of these ranges/values. This value
                            is a list of integers or strings that represent ranges
                            of ports. \n Since only some protocols have ports, if
                            any ports are specified it requires the Protocol match
                            in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains
                            a selector expression (see Policy for sample syntax).
                            \ Only traffic that originates from (terminates at) endpoints
                            matching the selector will be matched. \n Note that: in
                            addition to the negated version of the Selector (see NotSelector
                            below), the selector expression syntax itself supports
                            negation. The two types of negation are subtly different.
                            One negates the set of matched endpoints, the other negates
                            the whole match: \n \tSelector = \"!has(my_label)\" matches
                            packets that are from other Calico-controlled \tendpoints
                            that do not have the label “my_label”. \n \tNotSelector
                            = \"has(my_label)\" matches packets that are not from
                            Calico-controlled \tendpoints that do have the label “my_label”.
                            \n The effect is that the latter will accept packets from
                            non-Calico sources whereas the former is limited to packets
                            from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts
                            the rule to only apply to traffic that originates from
                            (or terminates at) a pod running as a matching service
                            account.
                          properties:
                            names:
                              description: Names is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account that matches the given label selector. If
                                both Names and Selector are specified then they are
                                AND'ed.
                              type: string
                          type: object
                      type: object
                  # `action` is the only mandatory key. Every match criterion is
                  # optional, so a rule consisting solely of `action` is schema-valid
                  # and, with no criteria to satisfy, presumably matches all traffic
                  # in that direction — review such rules with care.
                  required:
                  - action
                  type: object
                type: array
              ingress:
                # Same Rule schema as `egress` above; the comments on the egress
                # block (no enum on action, no-op patterns, selector caveats) apply
                # here unchanged.
                description: The ordered set of ingress rules. Each rule contains
                  a set of packet match criteria and a corresponding action to apply.
                items:
                  description: "A Rule encapsulates a set of match criteria and an
                    action. Both selector-based security Policy and security Profiles
                    reference rules - separated out as a list of rules for both ingress
                    and egress packet matching. \n Each positive match criteria has
                    a negated version, prefixed with ”Not”. All the match criteria
                    within a rule must be satisfied for a packet to match. A single
                    rule can contain the positive and negative version of a match
                    and both must be satisfied for the rule to match."
                  properties:
                    action:
                      type: string
                    destination:
                      description: Destination contains the match criteria that apply
                        to destination entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that
                            contains a selector expression. Only traffic that originates
                            from (or terminates at) endpoints within the selected
                            namespaces will be matched. When both NamespaceSelector
                            and Selector are defined on the same rule, then only workload
                            endpoints that are matched by both selectors will be selected
                            by the rule. \n For NetworkPolicy, an empty NamespaceSelector
                            implies that the Selector is limited to selecting only
                            workload endpoints in the same namespace as the NetworkPolicy.
                            \n For NetworkPolicy, `global()` NamespaceSelector implies
                            that the Selector is limited to selecting only GlobalNetworkSet
                            or HostEndpoint. \n For GlobalNetworkPolicy, an empty
                            NamespaceSelector implies the Selector applies to workload
                            endpoints across all namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the
                            rule to only apply to traffic that originates from (or
                            terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets
                            field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports
                            field. Since only some protocols have ports, if any ports
                            are specified it requires the Protocol match in the Rule
                            to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector
                            field. See Selector field for subtleties with negated
                            selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts
                            the rule to only apply to traffic that has a source (destination)
                            port that matches one of these ranges/values. This value
                            is a list of integers or strings that represent ranges
                            of ports. \n Since only some protocols have ports, if
                            any ports are specified it requires the Protocol match
                            in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains
                            a selector expression (see Policy for sample syntax).
                            \ Only traffic that originates from (terminates at) endpoints
                            matching the selector will be matched. \n Note that: in
                            addition to the negated version of the Selector (see NotSelector
                            below), the selector expression syntax itself supports
                            negation. The two types of negation are subtly different.
                            One negates the set of matched endpoints, the other negates
                            the whole match: \n \tSelector = \"!has(my_label)\" matches
                            packets that are from other Calico-controlled \tendpoints
                            that do not have the label “my_label”. \n \tNotSelector
                            = \"has(my_label)\" matches packets that are not from
                            Calico-controlled \tendpoints that do have the label “my_label”.
                            \n The effect is that the latter will accept packets from
                            non-Calico sources whereas the former is limited to packets
                            from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts
                            the rule to only apply to traffic that originates from
                            (or terminates at) a pod running as a matching service
                            account.
                          properties:
                            names:
                              description: Names is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account that matches the given label selector. If
                                both Names and Selector are specified then they are
                                AND'ed.
                              type: string
                          type: object
                      type: object
                    http:
                      description: HTTP contains match criteria that apply to HTTP
                        requests.
                      properties:
                        methods:
                          description: Methods is an optional field that restricts
                            the rule to apply only to HTTP requests that use one of
                            the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
                            methods are OR'd together.
                          items:
                            type: string
                          type: array
                        paths:
                          description: 'Paths is an optional field that restricts
                            the rule to apply to HTTP requests that use one of the
                            listed HTTP Paths. Multiple paths are OR''d together.
                            e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
                            ONLY specify either a `exact` or a `prefix` match. The
                            validator will check for it.'
                          items:
                            description: 'HTTPPath specifies an HTTP path to match.
                              It may be either of the form: exact: <path>: which matches
                              the path exactly or prefix: <path-prefix>: which matches
                              the path prefix'
                            properties:
                              exact:
                                type: string
                              prefix:
                                type: string
                            type: object
                          type: array
                      type: object
                    icmp:
                      description: ICMP is an optional field that restricts the rule
                        to apply to a specific type and code of ICMP traffic. This
                        should only be specified if the Protocol field is set to "ICMP"
                        or "ICMPv6".
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified,
                            the Type value must also be specified. This is a technical
                            limitation imposed by the kernel’s iptables firewall,
                            which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example
                            a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    ipVersion:
                      description: IPVersion is an optional field that restricts the
                        rule to only match a specific IP version.
                      type: integer
                    metadata:
                      description: Metadata contains additional information for this
                        rule
                      properties:
                        annotations:
                          additionalProperties:
                            type: string
                          description: Annotations is a set of key value pairs that
                            give extra information about the rule
                          type: object
                      type: object
                    notICMP:
                      description: NotICMP is the negated version of the ICMP field.
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified,
                            the Type value must also be specified. This is a technical
                            limitation imposed by the kernel’s iptables firewall,
                            which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example
                            a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    notProtocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: NotProtocol is the negated version of the Protocol
                        field.
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    protocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: "Protocol is an optional field that restricts the
                        rule to only apply to traffic of a specific IP protocol. Required
                        if any of the EntityRules contain Ports (because ports only
                        apply to certain protocols). \n Must be one of these string
                        values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
                        \"UDPLite\" or an integer in the range 1-255."
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    source:
                      description: Source contains the match criteria that apply to
                        source entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that
                            contains a selector expression. Only traffic that originates
                            from (or terminates at) endpoints within the selected
                            namespaces will be matched. When both NamespaceSelector
                            and Selector are defined on the same rule, then only workload
                            endpoints that are matched by both selectors will be selected
                            by the rule. \n For NetworkPolicy, an empty NamespaceSelector
                            implies that the Selector is limited to selecting only
                            workload endpoints in the same namespace as the NetworkPolicy.
                            \n For NetworkPolicy, `global()` NamespaceSelector implies
                            that the Selector is limited to selecting only GlobalNetworkSet
                            or HostEndpoint. \n For GlobalNetworkPolicy, an empty
                            NamespaceSelector implies the Selector applies to workload
                            endpoints across all namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the
                            rule to only apply to traffic that originates from (or
                            terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets
                            field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports
                            field. Since only some protocols have ports, if any ports
                            are specified it requires the Protocol match in the Rule
                            to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector
                            field. See Selector field for subtleties with negated
                            selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts
                            the rule to only apply to traffic that has a source (destination)
                            port that matches one of these ranges/values. This value
                            is a list of integers or strings that represent ranges
                            of ports. \n Since only some protocols have ports, if
                            any ports are specified it requires the Protocol match
                            in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains
                            a selector expression (see Policy for sample syntax).
                            \ Only traffic that originates from (terminates at) endpoints
                            matching the selector will be matched. \n Note that: in
                            addition to the negated version of the Selector (see NotSelector
                            below), the selector expression syntax itself supports
                            negation. The two types of negation are subtly different.
                            One negates the set of matched endpoints, the other negates
                            the whole match: \n \tSelector = \"!has(my_label)\" matches
                            packets that are from other Calico-controlled \tendpoints
                            that do not have the label “my_label”. \n \tNotSelector
                            = \"has(my_label)\" matches packets that are not from
                            Calico-controlled \tendpoints that do have the label “my_label”.
                            \n The effect is that the latter will accept packets from
                            non-Calico sources whereas the former is limited to packets
                            from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts
                            the rule to only apply to traffic that originates from
                            (or terminates at) a pod running as a matching service
                            account.
                          properties:
                            names:
                              description: Names is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts
                                the rule to only apply to traffic that originates
                                from (or terminates at) a pod running as a service
                                account that matches the given label selector. If
                                both Names and Selector are specified then they are
                                AND'ed.
                              type: string
                          type: object
                      type: object
                  required:
                  - action
                  type: object
                type: array
              namespaceSelector:
                # Policy-level namespace filter. The description does not say what an
                # empty value means here; given `scope: Cluster` an omitted value
                # presumably leaves the policy applying across all namespaces —
                # confirm before relying on it to scope a policy down.
                description: NamespaceSelector is an optional field for an expression
                  used to select a pod based on namespaces.
                type: string
              order:
                # Lower order is evaluated first; an omitted order sorts last, and
                # ties fall back to name order. Give broad deny policies an explicit
                # order so their position relative to allow policies is deterministic
                # rather than dependent on naming.
                description: Order is an optional field that specifies the order in
                  which the policy is applied. Policies with higher "order" are applied
                  after those with lower order. If the order is omitted, it may be
                  considered to be "infinite" - i.e. the policy will be applied last. Policies
                  with identical order will be applied in alphanumerical order based
                  on the Policy "Name".
                type: number
              preDNAT:
                # Rules run before DNAT, so destination matches presumably see the
                # original (pre-translation) destination address and port rather
                # than the translated backend — TODO confirm against the Calico docs.
                description: PreDNAT indicates to apply the rules in this policy before
                  any DNAT.
                type: boolean
              selector:
                # Per the syntax description: `all()` or the empty selector matches
                # every endpoint, so on this cluster-scoped resource an empty (and
                # presumably an omitted) selector applies the policy to every endpoint
                # in the cluster. Always set a deliberate selector on deny policies.
                description: "The selector is an expression used to pick pick out
                  the endpoints that the policy should be applied to. \n Selector
                  expressions follow this syntax: \n \tlabel == \"string_literal\"
                  \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
                  \ -> not equal; also matches if label is not present \tlabel in
                  { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
                  one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
                  ... } -> true if the value of label X is not one of \"a\", \"b\",
                  \"c\" \thas(label_name) -> True if that label is present \t! expr
                  -> negation of expr \texpr && expr -> Short-circuit and \texpr
                  || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
                  or the empty selector -> matches all endpoints. \n Label names are
                  allowed to contain alphanumerics, -, _ and /. String literals are
                  more permissive but they do not support escape characters. \n Examples
                  (with made-up labels): \n \ttype == \"webserver\" && deployment
                  == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
                  \"dev\" \t! has(label_name)"
                type: string
              serviceAccountSelector:
                # Identity-based selection of pods by service-account labels; uses
                # the selector syntax described above.
                description: ServiceAccountSelector is an optional field for an expression
                  used to select a pod based on service accounts.
                type: string
              types:
                # Per the description, Types is defaulted from which rule lists are
                # present: a policy with only ingress rules becomes ingress-only and
                # presumably leaves egress untouched. Set Types explicitly when a
                # policy is meant to be default-deny in both directions but only
                # lists rules for one. The item type is a bare string (no enum).
                description: "Types indicates whether this policy applies to ingress,
                  or to egress, or to both. When not explicitly specified (and so
                  the value on creation is empty or nil), Calico defaults Types according
                  to what Ingress and Egress rules are present in the policy. The
                  default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
                  (including the case where there are also no Ingress rules) \n
                  - [ PolicyTypeEgress ], if there are Egress rules but no Ingress
                  rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
                  both Ingress and Egress rules. \n When the policy is read back again,
                  Types will always be one of these values, never empty or nil."
                items:
                  description: PolicyType enumerates the possible values of the PolicySpec
                    Types field.
                  type: string
                type: array
            type: object
        type: object
    # v1 is the only version: it is served and is the storage version.
    served: true
    storage: true
# Status is owned by the API server; the empty values here are placeholders and
# are presumably ignored on apply.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []