
     1apiVersion: apiextensions.k8s.io/v1
     2kind: CustomResourceDefinition
     3metadata:
     4  labels:
     5    addonmanager.kubernetes.io/mode: Reconcile
     6  name: globalnetworkpolicies.crd.projectcalico.org
     7spec:
     8  group: crd.projectcalico.org
     9  names:
    10    kind: GlobalNetworkPolicy
    11    listKind: GlobalNetworkPolicyList
    12    plural: globalnetworkpolicies
    13    singular: globalnetworkpolicy
    14  scope: Cluster
    15  versions:
    16  - name: v1
    17    schema:
    18      openAPIV3Schema:
    19        properties:
    20          apiVersion:
    21            description: 'APIVersion defines the versioned schema of this representation
    22              of an object. Servers should convert recognized schemas to the latest
    23              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
    24            type: string
    25          kind:
    26            description: 'Kind is a string value representing the REST resource this
    27              object represents. Servers may infer this from the endpoint the client
    28              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
    29            type: string
    30          metadata:
    31            type: object
    32          spec:
    33            properties:
    34              applyOnForward:
    35                description: ApplyOnForward indicates to apply the rules in this policy
    36                  on forward traffic.
    37                type: boolean
    38              doNotTrack:
    39                description: DoNotTrack indicates whether packets matched by the rules
    40                  in this policy should go through the data plane's connection tracking,
    41                  such as Linux conntrack.  If True, the rules in this policy are
    42                  applied before any data plane connection tracking, and packets allowed
    43                  by this policy are marked as not to be tracked.
    44                type: boolean
    45              egress:
    46                description: The ordered set of egress rules.  Each rule contains
    47                  a set of packet match criteria and a corresponding action to apply.
    48                items:
    49                  description: "A Rule encapsulates a set of match criteria and an
    50                    action.  Both selector-based security Policy and security Profiles
    51                    reference rules - separated out as a list of rules for both ingress
    52                    and egress packet matching. \n Each positive match criteria has
    53                    a negated version, prefixed with ”Not”. All the match criteria
    54                    within a rule must be satisfied for a packet to match. A single
    55                    rule can contain the positive and negative version of a match
    56                    and both must be satisfied for the rule to match."
    57                  properties:
    58                    action:
    59                      type: string
    60                    destination:
    61                      description: Destination contains the match criteria that apply
    62                        to destination entity.
    63                      properties:
    64                        namespaceSelector:
    65                          description: "NamespaceSelector is an optional field that
    66                            contains a selector expression. Only traffic that originates
    67                            from (or terminates at) endpoints within the selected
    68                            namespaces will be matched. When both NamespaceSelector
    69                            and Selector are defined on the same rule, then only workload
    70                            endpoints that are matched by both selectors will be selected
    71                            by the rule. \n For NetworkPolicy, an empty NamespaceSelector
    72                            implies that the Selector is limited to selecting only
    73                            workload endpoints in the same namespace as the NetworkPolicy.
    74                            \n For NetworkPolicy, `global()` NamespaceSelector implies
    75                            that the Selector is limited to selecting only GlobalNetworkSet
    76                            or HostEndpoint. \n For GlobalNetworkPolicy, an empty
    77                            NamespaceSelector implies the Selector applies to workload
    78                            endpoints across all namespaces."
    79                          type: string
    80                        nets:
    81                          description: Nets is an optional field that restricts the
    82                            rule to only apply to traffic that originates from (or
    83                            terminates at) IP addresses in any of the given subnets.
    84                          items:
    85                            type: string
    86                          type: array
    87                        notNets:
    88                          description: NotNets is the negated version of the Nets
    89                            field.
    90                          items:
    91                            type: string
    92                          type: array
    93                        notPorts:
    94                          description: NotPorts is the negated version of the Ports
    95                            field. Since only some protocols have ports, if any ports
    96                            are specified it requires the Protocol match in the Rule
    97                            to be set to "TCP" or "UDP".
    98                          items:
    99                            anyOf:
   100                            - type: integer
   101                            - type: string
   102                            pattern: ^.*
   103                            x-kubernetes-int-or-string: true
   104                          type: array
   105                        notSelector:
   106                          description: NotSelector is the negated version of the Selector
   107                            field.  See Selector field for subtleties with negated
   108                            selectors.
   109                          type: string
   110                        ports:
   111                          description: "Ports is an optional field that restricts
   112                            the rule to only apply to traffic that has a source (destination)
   113                            port that matches one of these ranges/values. This value
   114                            is a list of integers or strings that represent ranges
   115                            of ports. \n Since only some protocols have ports, if
   116                            any ports are specified it requires the Protocol match
   117                            in the Rule to be set to \"TCP\" or \"UDP\"."
   118                          items:
   119                            anyOf:
   120                            - type: integer
   121                            - type: string
   122                            pattern: ^.*
   123                            x-kubernetes-int-or-string: true
   124                          type: array
   125                        selector:
   126                          description: "Selector is an optional field that contains
   127                            a selector expression (see Policy for sample syntax).
   128                            \ Only traffic that originates from (terminates at) endpoints
   129                            matching the selector will be matched. \n Note that: in
   130                            addition to the negated version of the Selector (see NotSelector
   131                            below), the selector expression syntax itself supports
   132                            negation.  The two types of negation are subtly different.
   133                            One negates the set of matched endpoints, the other negates
   134                            the whole match: \n \tSelector = \"!has(my_label)\" matches
   135                            packets that are from other Calico-controlled \tendpoints
   136                            that do not have the label “my_label”. \n \tNotSelector
   137                            = \"has(my_label)\" matches packets that are not from
   138                            Calico-controlled \tendpoints that do have the label “my_label”.
   139                            \n The effect is that the latter will accept packets from
   140                            non-Calico sources whereas the former is limited to packets
   141                            from Calico-controlled endpoints."
   142                          type: string
   143                        serviceAccounts:
   144                          description: ServiceAccounts is an optional field that restricts
   145                            the rule to only apply to traffic that originates from
   146                            (or terminates at) a pod running as a matching service
   147                            account.
   148                          properties:
   149                            names:
   150                              description: Names is an optional field that restricts
   151                                the rule to only apply to traffic that originates
   152                                from (or terminates at) a pod running as a service
   153                                account whose name is in the list.
   154                              items:
   155                                type: string
   156                              type: array
   157                            selector:
   158                              description: Selector is an optional field that restricts
   159                                the rule to only apply to traffic that originates
   160                                from (or terminates at) a pod running as a service
   161                                account that matches the given label selector. If
   162                                both Names and Selector are specified then they are
   163                                AND'ed.
   164                              type: string
   165                          type: object
   166                      type: object
   167                    http:
   168                      description: HTTP contains match criteria that apply to HTTP
   169                        requests.
   170                      properties:
   171                        methods:
   172                          description: Methods is an optional field that restricts
   173                            the rule to apply only to HTTP requests that use one of
   174                            the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
   175                            methods are OR'd together.
   176                          items:
   177                            type: string
   178                          type: array
   179                        paths:
   180                          description: 'Paths is an optional field that restricts
   181                            the rule to apply to HTTP requests that use one of the
   182                            listed HTTP Paths. Multiple paths are OR''d together.
   183                            e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
   184                            ONLY specify either a `exact` or a `prefix` match. The
   185                            validator will check for it.'
   186                          items:
   187                            description: 'HTTPPath specifies an HTTP path to match.
   188                              It may be either of the form: exact: <path>: which matches
   189                              the path exactly or prefix: <path-prefix>: which matches
   190                              the path prefix'
   191                            properties:
   192                              exact:
   193                                type: string
   194                              prefix:
   195                                type: string
   196                            type: object
   197                          type: array
   198                      type: object
   199                    icmp:
   200                      description: ICMP is an optional field that restricts the rule
   201                        to apply to a specific type and code of ICMP traffic.  This
   202                        should only be specified if the Protocol field is set to "ICMP"
   203                        or "ICMPv6".
   204                      properties:
   205                        code:
   206                          description: Match on a specific ICMP code.  If specified,
   207                            the Type value must also be specified. This is a technical
   208                            limitation imposed by the kernel’s iptables firewall,
   209                            which Calico uses to enforce the rule.
   210                          type: integer
   211                        type:
   212                          description: Match on a specific ICMP type.  For example
   213                            a value of 8 refers to ICMP Echo Request (i.e. pings).
   214                          type: integer
   215                      type: object
   216                    ipVersion:
   217                      description: IPVersion is an optional field that restricts the
   218                        rule to only match a specific IP version.
   219                      type: integer
   220                    metadata:
   221                      description: Metadata contains additional information for this
   222                        rule
   223                      properties:
   224                        annotations:
   225                          additionalProperties:
   226                            type: string
   227                          description: Annotations is a set of key value pairs that
   228                            give extra information about the rule
   229                          type: object
   230                      type: object
   231                    notICMP:
   232                      description: NotICMP is the negated version of the ICMP field.
   233                      properties:
   234                        code:
   235                          description: Match on a specific ICMP code.  If specified,
   236                            the Type value must also be specified. This is a technical
   237                            limitation imposed by the kernel’s iptables firewall,
   238                            which Calico uses to enforce the rule.
   239                          type: integer
   240                        type:
   241                          description: Match on a specific ICMP type.  For example
   242                            a value of 8 refers to ICMP Echo Request (i.e. pings).
   243                          type: integer
   244                      type: object
   245                    notProtocol:
   246                      anyOf:
   247                      - type: integer
   248                      - type: string
   249                      description: NotProtocol is the negated version of the Protocol
   250                        field.
   251                      pattern: ^.*
   252                      x-kubernetes-int-or-string: true
   253                    protocol:
   254                      anyOf:
   255                      - type: integer
   256                      - type: string
   257                      description: "Protocol is an optional field that restricts the
   258                        rule to only apply to traffic of a specific IP protocol. Required
   259                        if any of the EntityRules contain Ports (because ports only
   260                        apply to certain protocols). \n Must be one of these string
   261                        values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
   262                        \"UDPLite\" or an integer in the range 1-255."
   263                      pattern: ^.*
   264                      x-kubernetes-int-or-string: true
   265                    source:
   266                      description: Source contains the match criteria that apply to
   267                        source entity.
   268                      properties:
   269                        namespaceSelector:
   270                          description: "NamespaceSelector is an optional field that
   271                            contains a selector expression. Only traffic that originates
   272                            from (or terminates at) endpoints within the selected
   273                            namespaces will be matched. When both NamespaceSelector
   274                            and Selector are defined on the same rule, then only workload
   275                            endpoints that are matched by both selectors will be selected
   276                            by the rule. \n For NetworkPolicy, an empty NamespaceSelector
   277                            implies that the Selector is limited to selecting only
   278                            workload endpoints in the same namespace as the NetworkPolicy.
   279                            \n For NetworkPolicy, `global()` NamespaceSelector implies
   280                            that the Selector is limited to selecting only GlobalNetworkSet
   281                            or HostEndpoint. \n For GlobalNetworkPolicy, an empty
   282                            NamespaceSelector implies the Selector applies to workload
   283                            endpoints across all namespaces."
   284                          type: string
   285                        nets:
   286                          description: Nets is an optional field that restricts the
   287                            rule to only apply to traffic that originates from (or
   288                            terminates at) IP addresses in any of the given subnets.
   289                          items:
   290                            type: string
   291                          type: array
   292                        notNets:
   293                          description: NotNets is the negated version of the Nets
   294                            field.
   295                          items:
   296                            type: string
   297                          type: array
   298                        notPorts:
   299                          description: NotPorts is the negated version of the Ports
   300                            field. Since only some protocols have ports, if any ports
   301                            are specified it requires the Protocol match in the Rule
   302                            to be set to "TCP" or "UDP".
   303                          items:
   304                            anyOf:
   305                            - type: integer
   306                            - type: string
   307                            pattern: ^.*
   308                            x-kubernetes-int-or-string: true
   309                          type: array
   310                        notSelector:
   311                          description: NotSelector is the negated version of the Selector
   312                            field.  See Selector field for subtleties with negated
   313                            selectors.
   314                          type: string
   315                        ports:
   316                          description: "Ports is an optional field that restricts
   317                            the rule to only apply to traffic that has a source (destination)
   318                            port that matches one of these ranges/values. This value
   319                            is a list of integers or strings that represent ranges
   320                            of ports. \n Since only some protocols have ports, if
   321                            any ports are specified it requires the Protocol match
   322                            in the Rule to be set to \"TCP\" or \"UDP\"."
   323                          items:
   324                            anyOf:
   325                            - type: integer
   326                            - type: string
   327                            pattern: ^.*
   328                            x-kubernetes-int-or-string: true
   329                          type: array
   330                        selector:
   331                          description: "Selector is an optional field that contains
   332                            a selector expression (see Policy for sample syntax).
   333                            \ Only traffic that originates from (terminates at) endpoints
   334                            matching the selector will be matched. \n Note that: in
   335                            addition to the negated version of the Selector (see NotSelector
   336                            below), the selector expression syntax itself supports
   337                            negation.  The two types of negation are subtly different.
   338                            One negates the set of matched endpoints, the other negates
   339                            the whole match: \n \tSelector = \"!has(my_label)\" matches
   340                            packets that are from other Calico-controlled \tendpoints
   341                            that do not have the label “my_label”. \n \tNotSelector
   342                            = \"has(my_label)\" matches packets that are not from
   343                            Calico-controlled \tendpoints that do have the label “my_label”.
   344                            \n The effect is that the latter will accept packets from
   345                            non-Calico sources whereas the former is limited to packets
   346                            from Calico-controlled endpoints."
   347                          type: string
   348                        serviceAccounts:
   349                          description: ServiceAccounts is an optional field that restricts
   350                            the rule to only apply to traffic that originates from
   351                            (or terminates at) a pod running as a matching service
   352                            account.
   353                          properties:
   354                            names:
   355                              description: Names is an optional field that restricts
   356                                the rule to only apply to traffic that originates
   357                                from (or terminates at) a pod running as a service
   358                                account whose name is in the list.
   359                              items:
   360                                type: string
   361                              type: array
   362                            selector:
   363                              description: Selector is an optional field that restricts
   364                                the rule to only apply to traffic that originates
   365                                from (or terminates at) a pod running as a service
   366                                account that matches the given label selector. If
   367                                both Names and Selector are specified then they are
   368                                AND'ed.
   369                              type: string
   370                          type: object
   371                      type: object
   372                  required:
   373                  - action
   374                  type: object
   375                type: array
   376              ingress:
   377                description: The ordered set of ingress rules.  Each rule contains
   378                  a set of packet match criteria and a corresponding action to apply.
   379                items:
   380                  description: "A Rule encapsulates a set of match criteria and an
   381                    action.  Both selector-based security Policy and security Profiles
   382                    reference rules - separated out as a list of rules for both ingress
   383                    and egress packet matching. \n Each positive match criteria has
   384                    a negated version, prefixed with ”Not”. All the match criteria
   385                    within a rule must be satisfied for a packet to match. A single
   386                    rule can contain the positive and negative version of a match
   387                    and both must be satisfied for the rule to match."
   388                  properties:
   389                    action:
   390                      type: string
   391                    destination:
   392                      description: Destination contains the match criteria that apply
   393                        to destination entity.
   394                      properties:
   395                        namespaceSelector:
   396                          description: "NamespaceSelector is an optional field that
   397                            contains a selector expression. Only traffic that originates
   398                            from (or terminates at) endpoints within the selected
   399                            namespaces will be matched. When both NamespaceSelector
   400                            and Selector are defined on the same rule, then only workload
   401                            endpoints that are matched by both selectors will be selected
   402                            by the rule. \n For NetworkPolicy, an empty NamespaceSelector
   403                            implies that the Selector is limited to selecting only
   404                            workload endpoints in the same namespace as the NetworkPolicy.
   405                            \n For NetworkPolicy, `global()` NamespaceSelector implies
   406                            that the Selector is limited to selecting only GlobalNetworkSet
   407                            or HostEndpoint. \n For GlobalNetworkPolicy, an empty
   408                            NamespaceSelector implies the Selector applies to workload
   409                            endpoints across all namespaces."
   410                          type: string
   411                        nets:
   412                          description: Nets is an optional field that restricts the
   413                            rule to only apply to traffic that originates from (or
   414                            terminates at) IP addresses in any of the given subnets.
   415                          items:
   416                            type: string
   417                          type: array
   418                        notNets:
   419                          description: NotNets is the negated version of the Nets
   420                            field.
   421                          items:
   422                            type: string
   423                          type: array
   424                        notPorts:
   425                          description: NotPorts is the negated version of the Ports
   426                            field. Since only some protocols have ports, if any ports
   427                            are specified it requires the Protocol match in the Rule
   428                            to be set to "TCP" or "UDP".
   429                          items:
   430                            anyOf:
   431                            - type: integer
   432                            - type: string
   433                            pattern: ^.*
   434                            x-kubernetes-int-or-string: true
   435                          type: array
   436                        notSelector:
   437                          description: NotSelector is the negated version of the Selector
   438                            field.  See Selector field for subtleties with negated
   439                            selectors.
   440                          type: string
   441                        ports:
   442                          description: "Ports is an optional field that restricts
   443                            the rule to only apply to traffic that has a source (destination)
   444                            port that matches one of these ranges/values. This value
   445                            is a list of integers or strings that represent ranges
   446                            of ports. \n Since only some protocols have ports, if
   447                            any ports are specified it requires the Protocol match
   448                            in the Rule to be set to \"TCP\" or \"UDP\"."
   449                          items:
   450                            anyOf:
   451                            - type: integer
   452                            - type: string
   453                            pattern: ^.*
   454                            x-kubernetes-int-or-string: true
   455                          type: array
   456                        selector:
   457                          description: "Selector is an optional field that contains
   458                            a selector expression (see Policy for sample syntax).
   459                            \ Only traffic that originates from (terminates at) endpoints
   460                            matching the selector will be matched. \n Note that: in
   461                            addition to the negated version of the Selector (see NotSelector
   462                            below), the selector expression syntax itself supports
   463                            negation.  The two types of negation are subtly different.
   464                            One negates the set of matched endpoints, the other negates
   465                            the whole match: \n \tSelector = \"!has(my_label)\" matches
   466                            packets that are from other Calico-controlled \tendpoints
   467                            that do not have the label “my_label”. \n \tNotSelector
   468                            = \"has(my_label)\" matches packets that are not from
   469                            Calico-controlled \tendpoints that do have the label “my_label”.
   470                            \n The effect is that the latter will accept packets from
   471                            non-Calico sources whereas the former is limited to packets
   472                            from Calico-controlled endpoints."
   473                          type: string
   474                        serviceAccounts:
   475                          description: ServiceAccounts is an optional field that restricts
   476                            the rule to only apply to traffic that originates from
   477                            (or terminates at) a pod running as a matching service
   478                            account.
   479                          properties:
   480                            names:
   481                              description: Names is an optional field that restricts
   482                                the rule to only apply to traffic that originates
   483                                from (or terminates at) a pod running as a service
   484                                account whose name is in the list.
   485                              items:
   486                                type: string
   487                              type: array
   488                            selector:
   489                              description: Selector is an optional field that restricts
   490                                the rule to only apply to traffic that originates
   491                                from (or terminates at) a pod running as a service
   492                                account that matches the given label selector. If
   493                                both Names and Selector are specified then they are
   494                                AND'ed.
   495                              type: string
   496                          type: object
   497                      type: object
   498                    http:
   499                      description: HTTP contains match criteria that apply to HTTP
   500                        requests.
   501                      properties:
   502                        methods:
   503                          description: Methods is an optional field that restricts
   504                            the rule to apply only to HTTP requests that use one of
   505                            the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
   506                            methods are OR'd together.
   507                          items:
   508                            type: string
   509                          type: array
   510                        paths:
   511                          description: 'Paths is an optional field that restricts
   512                            the rule to apply to HTTP requests that use one of the
   513                            listed HTTP Paths. Multiple paths are OR''d together.
   514                            e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
   515                            ONLY specify either a `exact` or a `prefix` match. The
   516                            validator will check for it.'
   517                          items:
   518                            description: 'HTTPPath specifies an HTTP path to match.
   519                              It may be either of the form: exact: <path>: which matches
   520                              the path exactly or prefix: <path-prefix>: which matches
   521                              the path prefix'
   522                            properties:
   523                              exact:
   524                                type: string
   525                              prefix:
   526                                type: string
   527                            type: object
   528                          type: array
   529                      type: object
   530                    icmp:
   531                      description: ICMP is an optional field that restricts the rule
   532                        to apply to a specific type and code of ICMP traffic.  This
   533                        should only be specified if the Protocol field is set to "ICMP"
   534                        or "ICMPv6".
   535                      properties:
   536                        code:
   537                          description: Match on a specific ICMP code.  If specified,
   538                            the Type value must also be specified. This is a technical
   539                            limitation imposed by the kernel’s iptables firewall,
   540                            which Calico uses to enforce the rule.
   541                          type: integer
   542                        type:
   543                          description: Match on a specific ICMP type.  For example
   544                            a value of 8 refers to ICMP Echo Request (i.e. pings).
   545                          type: integer
   546                      type: object
   547                    ipVersion:
   548                      description: IPVersion is an optional field that restricts the
   549                        rule to only match a specific IP version.
   550                      type: integer
   551                    metadata:
   552                      description: Metadata contains additional information for this
   553                        rule
   554                      properties:
   555                        annotations:
   556                          additionalProperties:
   557                            type: string
   558                          description: Annotations is a set of key value pairs that
   559                            give extra information about the rule
   560                          type: object
   561                      type: object
   562                    notICMP:
   563                      description: NotICMP is the negated version of the ICMP field.
   564                      properties:
   565                        code:
   566                          description: Match on a specific ICMP code.  If specified,
   567                            the Type value must also be specified. This is a technical
   568                            limitation imposed by the kernel’s iptables firewall,
   569                            which Calico uses to enforce the rule.
   570                          type: integer
   571                        type:
   572                          description: Match on a specific ICMP type.  For example
   573                            a value of 8 refers to ICMP Echo Request (i.e. pings).
   574                          type: integer
   575                      type: object
   576                    notProtocol:
                            # int-or-string field: a numeric protocol or a protocol name, as for
                            # Protocol below, but the rule matches everything EXCEPT it.
   577                      anyOf:
   578                      - type: integer
   579                      - type: string
   580                      description: NotProtocol is the negated version of the Protocol
   581                        field.
                            # NOTE(review): `^.*` matches every string, so this schema does not
                            # restrict the value to the protocol names Protocol documents;
                            # presumably Calico's own validation enforces that — confirm.
   582                      pattern: ^.*
   583                      x-kubernetes-int-or-string: true
   584                    protocol:
                            # int-or-string field: either an IP protocol number or one of the
                            # names listed in the description.
   585                      anyOf:
   586                      - type: integer
   587                      - type: string
   588                      description: "Protocol is an optional field that restricts the
   589                        rule to only apply to traffic of a specific IP protocol. Required
   590                        if any of the EntityRules contain Ports (because ports only
   591                        apply to certain protocols). \n Must be one of these string
   592                        values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
   593                        \"UDPLite\" or an integer in the range 1-255."
                            # NOTE(review): `^.*` accepts any string and there is no enum or
                            # minimum/maximum here, so neither the name list nor the 1-255
                            # range in the description is enforced by this schema; presumably
                            # Calico validates on admission — confirm before relying on it.
   594                      pattern: ^.*
   595                      x-kubernetes-int-or-string: true
   596                    source:
   597                      description: Source contains the match criteria that apply to
   598                        source entity.
   599                      properties:
   600                        namespaceSelector:
   601                          description: "NamespaceSelector is an optional field that
   602                            contains a selector expression. Only traffic that originates
   603                            from (or terminates at) endpoints within the selected
   604                            namespaces will be matched. When both NamespaceSelector
   605                            and Selector are defined on the same rule, then only workload
   606                            endpoints that are matched by both selectors will be selected
   607                            by the rule. \n For NetworkPolicy, an empty NamespaceSelector
   608                            implies that the Selector is limited to selecting only
   609                            workload endpoints in the same namespace as the NetworkPolicy.
   610                            \n For NetworkPolicy, `global()` NamespaceSelector implies
   611                            that the Selector is limited to selecting only GlobalNetworkSet
   612                            or HostEndpoint. \n For GlobalNetworkPolicy, an empty
   613                            NamespaceSelector implies the Selector applies to workload
   614                            endpoints across all namespaces."
   615                          type: string
   616                        nets:
   617                          description: Nets is an optional field that restricts the
   618                            rule to only apply to traffic that originates from (or
   619                            terminates at) IP addresses in any of the given subnets.
   620                          items:
   621                            type: string
   622                          type: array
   623                        notNets:
   624                          description: NotNets is the negated version of the Nets
   625                            field.
   626                          items:
   627                            type: string
   628                          type: array
   629                        notPorts:
   630                          description: NotPorts is the negated version of the Ports
   631                            field. Since only some protocols have ports, if any ports
   632                            are specified it requires the Protocol match in the Rule
   633                            to be set to "TCP" or "UDP".
   634                          items:
   635                            anyOf:
   636                            - type: integer
   637                            - type: string
   638                            pattern: ^.*
   639                            x-kubernetes-int-or-string: true
   640                          type: array
   641                        notSelector:
   642                          description: NotSelector is the negated version of the Selector
   643                            field.  See Selector field for subtleties with negated
   644                            selectors.
   645                          type: string
   646                        ports:
   647                          description: "Ports is an optional field that restricts
   648                            the rule to only apply to traffic that has a source (destination)
   649                            port that matches one of these ranges/values. This value
   650                            is a list of integers or strings that represent ranges
   651                            of ports. \n Since only some protocols have ports, if
   652                            any ports are specified it requires the Protocol match
   653                            in the Rule to be set to \"TCP\" or \"UDP\"."
   654                          items:
                                  # Each entry is int-or-string: a single port number or a
                                  # string describing a range.
   655                            anyOf:
   656                            - type: integer
   657                            - type: string
                                  # NOTE(review): `^.*` matches any string, so the range
                                  # syntax is not checked by the schema; presumably Calico's
                                  # validator rejects malformed ranges — confirm.
   658                            pattern: ^.*
   659                            x-kubernetes-int-or-string: true
   660                          type: array
   661                        selector:
   662                          description: "Selector is an optional field that contains
   663                            a selector expression (see Policy for sample syntax).
   664                            \ Only traffic that originates from (terminates at) endpoints
   665                            matching the selector will be matched. \n Note that: in
   666                            addition to the negated version of the Selector (see NotSelector
   667                            below), the selector expression syntax itself supports
   668                            negation.  The two types of negation are subtly different.
   669                            One negates the set of matched endpoints, the other negates
   670                            the whole match: \n \tSelector = \"!has(my_label)\" matches
   671                            packets that are from other Calico-controlled \tendpoints
   672                            that do not have the label “my_label”. \n \tNotSelector
   673                            = \"has(my_label)\" matches packets that are not from
   674                            Calico-controlled \tendpoints that do have the label “my_label”.
   675                            \n The effect is that the latter will accept packets from
   676                            non-Calico sources whereas the former is limited to packets
   677                            from Calico-controlled endpoints."
   678                          type: string
   679                        serviceAccounts:
   680                          description: ServiceAccounts is an optional field that restricts
   681                            the rule to only apply to traffic that originates from
   682                            (or terminates at) a pod running as a matching service
   683                            account.
   684                          properties:
   685                            names:
   686                              description: Names is an optional field that restricts
   687                                the rule to only apply to traffic that originates
   688                                from (or terminates at) a pod running as a service
   689                                account whose name is in the list.
   690                              items:
   691                                type: string
   692                              type: array
   693                            selector:
   694                              description: Selector is an optional field that restricts
   695                                the rule to only apply to traffic that originates
   696                                from (or terminates at) a pod running as a service
   697                                account that matches the given label selector. If
   698                                both Names and Selector are specified then they are
   699                                AND'ed.
   700                              type: string
   701                          type: object
   702                      type: object
   703                  required:
   704                  - action
   705                  type: object
   706                type: array
   707              namespaceSelector:
   708                description: NamespaceSelector is an optional field for an expression
   709                  used to select a pod based on namespaces.
   710                type: string
   711              order:
   712                description: Order is an optional field that specifies the order in
   713                  which the policy is applied. Policies with higher "order" are applied
   714                  after those with lower order.  If the order is omitted, it may be
   715                  considered to be "infinite" - i.e. the policy will be applied last.  Policies
   716                  with identical order will be applied in alphanumerical order based
   717                  on the Policy "Name".
                      # `number` (not `integer`) admits fractional values. No `default:` is
                      # set, so an omitted order is the "infinite" case described above.
   718                type: number
   719              preDNAT:
   720                description: PreDNAT indicates to apply the rules in this policy before
   721                  any DNAT.
   722                type: boolean
   723              selector:
                      # Policy-level endpoint selector (distinct from the per-rule
                      # source/destination selectors above).
                      # NOTE(review): the description repeats "pick" ("pick pick out"). It is
                      # a served string, so correct it wherever this file is generated from
                      # rather than here — confirm the generator.
   724                description: "The selector is an expression used to pick pick out
   725                  the endpoints that the policy should be applied to. \n Selector
   726                  expressions follow this syntax: \n \tlabel == \"string_literal\"
   727                  \ ->  comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
   728                  \  ->  not equal; also matches if label is not present \tlabel in
   729                  { \"a\", \"b\", \"c\", ... }  ->  true if the value of label X is
   730                  one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
   731                  ... }  ->  true if the value of label X is not one of \"a\", \"b\",
   732                  \"c\" \thas(label_name)  -> True if that label is present \t! expr
   733                  -> negation of expr \texpr && expr  -> Short-circuit and \texpr
   734                  || expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
   735                  or the empty selector -> matches all endpoints. \n Label names are
   736                  allowed to contain alphanumerics, -, _ and /. String literals are
   737                  more permissive but they do not support escape characters. \n Examples
   738                  (with made-up labels): \n \ttype == \"webserver\" && deployment
   739                  == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
   740                  \"dev\" \t! has(label_name)"
   741                type: string
   742              serviceAccountSelector:
   743                description: ServiceAccountSelector is an optional field for an expression
   744                  used to select a pod based on service accounts.
   745                type: string
   746              types:
   747                description: "Types indicates whether this policy applies to ingress,
   748                  or to egress, or to both.  When not explicitly specified (and so
   749                  the value on creation is empty or nil), Calico defaults Types according
   750                  to what Ingress and Egress rules are present in the policy.  The
   751                  default is: \n - [ PolicyTypeIngress ], if there are no Egress rules
   752                  (including the case where there are   also no Ingress rules) \n
   753                  - [ PolicyTypeEgress ], if there are Egress rules but no Ingress
   754                  rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are
   755                  both Ingress and Egress rules. \n When the policy is read back again,
   756                  Types will always be one of these values, never empty or nil."
   757                items:
   758                  description: PolicyType enumerates the possible values of the PolicySpec
   759                    Types field.
   760                  type: string
   761                type: array
   762            type: object
   763        type: object
   764    served: true
   765    storage: true
   766status:
      # NOTE(review): these look like empty placeholders emitted by the generator;
      # the status of a CRD is presumably maintained by the API server, so edits
      # here are unlikely to have any effect — confirm before changing.
   767  acceptedNames:
   768    kind: ""  # explicit empty string (a bare `kind:` would parse as null)
   769    plural: ""
   770  conditions: []  # explicit empty list, not a bare key
   771  storedVersions: []
