# CustomResourceDefinition for Calico's namespaced NetworkPolicy
# (networkpolicies.crd.projectcalico.org, group crd.projectcalico.org, v1).
# The openAPIV3Schema below is what the API server checks on admission. It is
# largely structural: the allowed action names, selector syntax, CIDR syntax
# and value ranges are spelled out in the field descriptions but are not
# encoded as enum/pattern/minimum constraints, so those checks presumably
# happen in Calico's own validation rather than at the API server. See the
# per-field notes before treating this schema as an enforcement boundary.
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    # Addon-manager "Reconcile" mode: the addon manager re-applies this
    # manifest, so in-cluster edits to the CRD are expected to be reverted.
    addonmanager.kubernetes.io/mode: Reconcile
  name: networkpolicies.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: NetworkPolicy
    listKind: NetworkPolicyList
    plural: networkpolicies
    singular: networkpolicy
  # Namespaced scope: each NetworkPolicy object lives in one namespace.
  scope: Namespaced
  versions:
    # Only one API version, v1; it is both served and the storage version.
    - name: v1
      schema:
        openAPIV3Schema:
          # No top-level `required` list: `spec` itself is optional here.
          properties:
            apiVersion:
              description: 'APIVersion defines the versioned schema of this representation
                of an object. Servers should convert recognized schemas to the latest
                internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
              type: string
            kind:
              description: 'Kind is a string value representing the REST resource this
                object represents. Servers may infer this from the endpoint the client
                submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
              type: string
            metadata:
              type: object
            spec:
              properties:
                # Ordered egress rules; `ingress` below uses the same Rule
                # schema, so the field notes here apply to both directions.
                egress:
                  description: The ordered set of egress rules. Each rule contains
                    a set of packet match criteria and a corresponding action to apply.
                  items:
                    description: "A Rule encapsulates a set of match criteria and an
                      action. Both selector-based security Policy and security Profiles
                      reference rules - separated out as a list of rules for both ingress
                      and egress packet matching. \n Each positive match criteria has
                      a negated version, prefixed with ”Not”. All the match criteria
                      within a rule must be satisfied for a packet to match. A single
                      rule can contain the positive and negative version of a match
                      and both must be satisfied for the rule to match."
                    properties:
                      # `action` is the only required rule field (see `required`
                      # below) but no enum is declared, so any string passes
                      # admission; the accepted action names are presumably
                      # checked by Calico's own validation, not by the API server.
                      action:
                        type: string
                      # Match criteria for the destination entity (EntityRule).
                      # `source` below shares this schema; notes are given once here.
                      destination:
                        description: Destination contains the match criteria that apply
                          to destination entity.
                        properties:
                          # `global()` is a special value (see description): it
                          # points the Selector at GlobalNetworkSet/HostEndpoint
                          # resources instead of workload endpoints.
                          namespaceSelector:
                            description: "NamespaceSelector is an optional field that
                              contains a selector expression. Only traffic that originates
                              from (or terminates at) endpoints within the selected
                              namespaces will be matched. When both NamespaceSelector
                              and Selector are defined on the same rule, then only workload
                              endpoints that are matched by both selectors will be selected
                              by the rule. \n For NetworkPolicy, an empty NamespaceSelector
                              implies that the Selector is limited to selecting only
                              workload endpoints in the same namespace as the NetworkPolicy.
                              \n For NetworkPolicy, `global()` NamespaceSelector implies
                              that the Selector is limited to selecting only GlobalNetworkSet
                              or HostEndpoint. \n For GlobalNetworkPolicy, an empty
                              NamespaceSelector implies the Selector applies to workload
                              endpoints across all namespaces."
                            type: string
                          # Items are free-form strings: this schema applies no CIDR
                          # format or pattern constraint to `nets` or `notNets`.
                          nets:
                            description: Nets is an optional field that restricts the
                              rule to only apply to traffic that originates from (or
                              terminates at) IP addresses in any of the given subnets.
                            items:
                              type: string
                            type: array
                          notNets:
                            description: NotNets is the negated version of the Nets
                              field.
                            items:
                              type: string
                            type: array
                          # Int-or-string items (port values or ranges). `pattern: ^.*`
                          # matches every string, so it adds nothing beyond the type
                          # check; the same holds for `ports` below.
                          notPorts:
                            description: NotPorts is the negated version of the Ports
                              field. Since only some protocols have ports, if any ports
                              are specified it requires the Protocol match in the Rule
                              to be set to "TCP" or "UDP".
                            items:
                              anyOf:
                                - type: integer
                                - type: string
                              pattern: ^.*
                              x-kubernetes-int-or-string: true
                            type: array
                          # Negates the whole match, so per the `selector` description
                          # below it also matches traffic from non-Calico sources;
                          # review any rule whose reach depends on it.
                          notSelector:
                            description: NotSelector is the negated version of the Selector
                              field. See Selector field for subtleties with negated
                              selectors.
                            type: string
                          ports:
                            description: "Ports is an optional field that restricts
                              the rule to only apply to traffic that has a source (destination)
                              port that matches one of these ranges/values. This value
                              is a list of integers or strings that represent ranges
                              of ports. \n Since only some protocols have ports, if
                              any ports are specified it requires the Protocol match
                              in the Rule to be set to \"TCP\" or \"UDP\"."
                            items:
                              anyOf:
                                - type: integer
                                - type: string
                              pattern: ^.*
                              x-kubernetes-int-or-string: true
                            type: array
                          selector:
                            description: "Selector is an optional field that contains
                              a selector expression (see Policy for sample syntax).
                              \ Only traffic that originates from (terminates at) endpoints
                              matching the selector will be matched. \n Note that: in
                              addition to the negated version of the Selector (see NotSelector
                              below), the selector expression syntax itself supports
                              negation. The two types of negation are subtly different.
                              One negates the set of matched endpoints, the other negates
                              the whole match: \n \tSelector = \"!has(my_label)\" matches
                              packets that are from other Calico-controlled \tendpoints
                              that do not have the label “my_label”. \n \tNotSelector
                              = \"has(my_label)\" matches packets that are not from
                              Calico-controlled \tendpoints that do have the label “my_label”.
                              \n The effect is that the latter will accept packets from
                              non-Calico sources whereas the former is limited to packets
                              from Calico-controlled endpoints."
                            type: string
                          # `names` and `selector` are AND'ed when both are set (see
                          # the `selector` description).
                          serviceAccounts:
                            description: ServiceAccounts is an optional field that restricts
                              the rule to only apply to traffic that originates from
                              (or terminates at) a pod running as a matching service
                              account.
                            properties:
                              names:
                                description: Names is an optional field that restricts
                                  the rule to only apply to traffic that originates
                                  from (or terminates at) a pod running as a service
                                  account whose name is in the list.
                                items:
                                  type: string
                                type: array
                              selector:
                                description: Selector is an optional field that restricts
                                  the rule to only apply to traffic that originates
                                  from (or terminates at) a pod running as a service
                                  account that matches the given label selector. If
                                  both Names and Selector are specified then they are
                                  AND'ed.
                                type: string
                            type: object
                        type: object
                      # HTTP match criteria. The `paths` description requires each
                      # entry to set exactly one of `exact`/`prefix`, but the item
                      # schema declares both as optional with no oneOf, so that
                      # rule is left to the validator the description refers to.
                      http:
                        description: HTTP contains match criteria that apply to HTTP
                          requests.
                        properties:
                          methods:
                            description: Methods is an optional field that restricts
                              the rule to apply only to HTTP requests that use one of
                              the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
                              methods are OR'd together.
                            items:
                              type: string
                            type: array
                          paths:
                            description: 'Paths is an optional field that restricts
                              the rule to apply to HTTP requests that use one of the
                              listed HTTP Paths. Multiple paths are OR''d together.
                              e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
                              ONLY specify either a `exact` or a `prefix` match. The
                              validator will check for it.'
                            items:
                              description: 'HTTPPath specifies an HTTP path to match.
                                It may be either of the form: exact: <path>: which matches
                                the path exactly or prefix: <path-prefix>: which matches
                                the path prefix'
                              properties:
                                exact:
                                  type: string
                                prefix:
                                  type: string
                              type: object
                            type: array
                        type: object
                      # ICMP type/code match. The `code` description says `type`
                      # must then also be set, but the schema encodes no such
                      # dependency.
                      icmp:
                        description: ICMP is an optional field that restricts the rule
                          to apply to a specific type and code of ICMP traffic. This
                          should only be specified if the Protocol field is set to "ICMP"
                          or "ICMPv6".
                        properties:
                          code:
                            description: Match on a specific ICMP code. If specified,
                              the Type value must also be specified. This is a technical
                              limitation imposed by the kernel’s iptables firewall,
                              which Calico uses to enforce the rule.
                            type: integer
                          type:
                            description: Match on a specific ICMP type. For example
                              a value of 8 refers to ICMP Echo Request (i.e. pings).
                            type: integer
                        type: object
                      # No enum/minimum/maximum: the schema accepts any integer
                      # here, not only 4 or 6.
                      ipVersion:
                        description: IPVersion is an optional field that restricts the
                          rule to only match a specific IP version.
                        type: integer
                      # Free-form string annotations attached to the rule.
                      metadata:
                        description: Metadata contains additional information for this
                          rule
                        properties:
                          annotations:
                            additionalProperties:
                              type: string
                            description: Annotations is a set of key value pairs that
                              give extra information about the rule
                            type: object
                        type: object
                      # Negated counterpart of `icmp`; same schema and caveat.
                      notICMP:
                        description: NotICMP is the negated version of the ICMP field.
                        properties:
                          code:
                            description: Match on a specific ICMP code. If specified,
                              the Type value must also be specified. This is a technical
                              limitation imposed by the kernel’s iptables firewall,
                              which Calico uses to enforce the rule.
                            type: integer
                          type:
                            description: Match on a specific ICMP type. For example
                              a value of 8 refers to ICMP Echo Request (i.e. pings).
                            type: integer
                        type: object
                      # Int-or-string. `pattern: ^.*` matches everything, and the
                      # protocol names and 1-255 integer range listed in the
                      # `protocol` description are not enforced by this schema
                      # (no enum, minimum or maximum).
                      notProtocol:
                        anyOf:
                          - type: integer
                          - type: string
                        description: NotProtocol is the negated version of the Protocol
                          field.
                        pattern: ^.*
                        x-kubernetes-int-or-string: true
                      # See the `notProtocol` note: the listed string values and the
                      # 1-255 range are documentation only at the schema level.
                      protocol:
                        anyOf:
                          - type: integer
                          - type: string
                        description: "Protocol is an optional field that restricts the
                          rule to only apply to traffic of a specific IP protocol. Required
                          if any of the EntityRules contain Ports (because ports only
                          apply to certain protocols). \n Must be one of these string
                          values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
                          \"UDPLite\" or an integer in the range 1-255."
                        pattern: ^.*
                        x-kubernetes-int-or-string: true
                      # Match criteria for the source entity; same EntityRule schema
                      # as `destination` above, see the notes there.
                      source:
                        description: Source contains the match criteria that apply to
                          source entity.
                        properties:
                          namespaceSelector:
                            description: "NamespaceSelector is an optional field that
                              contains a selector expression. Only traffic that originates
                              from (or terminates at) endpoints within the selected
                              namespaces will be matched. When both NamespaceSelector
                              and Selector are defined on the same rule, then only workload
                              endpoints that are matched by both selectors will be selected
                              by the rule. \n For NetworkPolicy, an empty NamespaceSelector
                              implies that the Selector is limited to selecting only
                              workload endpoints in the same namespace as the NetworkPolicy.
                              \n For NetworkPolicy, `global()` NamespaceSelector implies
                              that the Selector is limited to selecting only GlobalNetworkSet
                              or HostEndpoint. \n For GlobalNetworkPolicy, an empty
                              NamespaceSelector implies the Selector applies to workload
                              endpoints across all namespaces."
                            type: string
                          nets:
                            description: Nets is an optional field that restricts the
                              rule to only apply to traffic that originates from (or
                              terminates at) IP addresses in any of the given subnets.
                            items:
                              type: string
                            type: array
                          notNets:
                            description: NotNets is the negated version of the Nets
                              field.
                            items:
                              type: string
                            type: array
                          notPorts:
                            description: NotPorts is the negated version of the Ports
                              field. Since only some protocols have ports, if any ports
                              are specified it requires the Protocol match in the Rule
                              to be set to "TCP" or "UDP".
                            items:
                              anyOf:
                                - type: integer
                                - type: string
                              pattern: ^.*
                              x-kubernetes-int-or-string: true
                            type: array
                          notSelector:
                            description: NotSelector is the negated version of the Selector
                              field. See Selector field for subtleties with negated
                              selectors.
                            type: string
                          ports:
                            description: "Ports is an optional field that restricts
                              the rule to only apply to traffic that has a source (destination)
                              port that matches one of these ranges/values. This value
                              is a list of integers or strings that represent ranges
                              of ports. \n Since only some protocols have ports, if
                              any ports are specified it requires the Protocol match
                              in the Rule to be set to \"TCP\" or \"UDP\"."
                            items:
                              anyOf:
                                - type: integer
                                - type: string
                              pattern: ^.*
                              x-kubernetes-int-or-string: true
                            type: array
                          selector:
                            description: "Selector is an optional field that contains
                              a selector expression (see Policy for sample syntax).
                              \ Only traffic that originates from (terminates at) endpoints
                              matching the selector will be matched. \n Note that: in
                              addition to the negated version of the Selector (see NotSelector
                              below), the selector expression syntax itself supports
                              negation. The two types of negation are subtly different.
                              One negates the set of matched endpoints, the other negates
                              the whole match: \n \tSelector = \"!has(my_label)\" matches
                              packets that are from other Calico-controlled \tendpoints
                              that do not have the label “my_label”. \n \tNotSelector
                              = \"has(my_label)\" matches packets that are not from
                              Calico-controlled \tendpoints that do have the label “my_label”.
                              \n The effect is that the latter will accept packets from
                              non-Calico sources whereas the former is limited to packets
                              from Calico-controlled endpoints."
                            type: string
                          serviceAccounts:
                            description: ServiceAccounts is an optional field that restricts
                              the rule to only apply to traffic that originates from
                              (or terminates at) a pod running as a matching service
                              account.
                            properties:
                              names:
                                description: Names is an optional field that restricts
                                  the rule to only apply to traffic that originates
                                  from (or terminates at) a pod running as a service
                                  account whose name is in the list.
                                items:
                                  type: string
                                type: array
                              selector:
                                description: Selector is an optional field that restricts
                                  the rule to only apply to traffic that originates
                                  from (or terminates at) a pod running as a service
                                  account that matches the given label selector. If
                                  both Names and Selector are specified then they are
                                  AND'ed.
                                type: string
                            type: object
                        type: object
                    # Only `action` is required; every match criterion is optional,
                    # so a rule carrying nothing but an `action` is accepted by
                    # the schema.
                    required:
                      - action
                    type: object
                  type: array
                # Same Rule schema as `egress` above; the notes there apply to
                # every field.
                ingress:
                  description: The ordered set of ingress rules. Each rule contains
                    a set of packet match criteria and a corresponding action to apply.
                  items:
                    description: "A Rule encapsulates a set of match criteria and an
                      action. Both selector-based security Policy and security Profiles
                      reference rules - separated out as a list of rules for both ingress
                      and egress packet matching. \n Each positive match criteria has
                      a negated version, prefixed with ”Not”. All the match criteria
                      within a rule must be satisfied for a packet to match. A single
                      rule can contain the positive and negative version of a match
                      and both must be satisfied for the rule to match."
                    properties:
                      action:
                        type: string
                      destination:
                        description: Destination contains the match criteria that apply
                          to destination entity.
                        properties:
                          namespaceSelector:
                            description: "NamespaceSelector is an optional field that
                              contains a selector expression. Only traffic that originates
                              from (or terminates at) endpoints within the selected
                              namespaces will be matched. When both NamespaceSelector
                              and Selector are defined on the same rule, then only workload
                              endpoints that are matched by both selectors will be selected
                              by the rule. \n For NetworkPolicy, an empty NamespaceSelector
                              implies that the Selector is limited to selecting only
                              workload endpoints in the same namespace as the NetworkPolicy.
                              \n For NetworkPolicy, `global()` NamespaceSelector implies
                              that the Selector is limited to selecting only GlobalNetworkSet
                              or HostEndpoint. \n For GlobalNetworkPolicy, an empty
                              NamespaceSelector implies the Selector applies to workload
                              endpoints across all namespaces."
                            type: string
                          nets:
                            description: Nets is an optional field that restricts the
                              rule to only apply to traffic that originates from (or
                              terminates at) IP addresses in any of the given subnets.
                            items:
                              type: string
                            type: array
                          notNets:
                            description: NotNets is the negated version of the Nets
                              field.
                            items:
                              type: string
                            type: array
                          notPorts:
                            description: NotPorts is the negated version of the Ports
                              field. Since only some protocols have ports, if any ports
                              are specified it requires the Protocol match in the Rule
                              to be set to "TCP" or "UDP".
                            items:
                              anyOf:
                                - type: integer
                                - type: string
                              pattern: ^.*
                              x-kubernetes-int-or-string: true
                            type: array
                          notSelector:
                            description: NotSelector is the negated version of the Selector
                              field. See Selector field for subtleties with negated
                              selectors.
                            type: string
                          ports:
                            description: "Ports is an optional field that restricts
                              the rule to only apply to traffic that has a source (destination)
                              port that matches one of these ranges/values. This value
                              is a list of integers or strings that represent ranges
                              of ports. \n Since only some protocols have ports, if
                              any ports are specified it requires the Protocol match
                              in the Rule to be set to \"TCP\" or \"UDP\"."
                            items:
                              anyOf:
                                - type: integer
                                - type: string
                              pattern: ^.*
                              x-kubernetes-int-or-string: true
                            type: array
                          selector:
                            description: "Selector is an optional field that contains
                              a selector expression (see Policy for sample syntax).
                              \ Only traffic that originates from (terminates at) endpoints
                              matching the selector will be matched. \n Note that: in
                              addition to the negated version of the Selector (see NotSelector
                              below), the selector expression syntax itself supports
                              negation. The two types of negation are subtly different.
                              One negates the set of matched endpoints, the other negates
                              the whole match: \n \tSelector = \"!has(my_label)\" matches
                              packets that are from other Calico-controlled \tendpoints
                              that do not have the label “my_label”. \n \tNotSelector
                              = \"has(my_label)\" matches packets that are not from
                              Calico-controlled \tendpoints that do have the label “my_label”.
                              \n The effect is that the latter will accept packets from
                              non-Calico sources whereas the former is limited to packets
                              from Calico-controlled endpoints."
                            type: string
                          serviceAccounts:
                            description: ServiceAccounts is an optional field that restricts
                              the rule to only apply to traffic that originates from
                              (or terminates at) a pod running as a matching service
                              account.
                            properties:
                              names:
                                description: Names is an optional field that restricts
                                  the rule to only apply to traffic that originates
                                  from (or terminates at) a pod running as a service
                                  account whose name is in the list.
                                items:
                                  type: string
                                type: array
                              selector:
                                description: Selector is an optional field that restricts
                                  the rule to only apply to traffic that originates
                                  from (or terminates at) a pod running as a service
                                  account that matches the given label selector. If
                                  both Names and Selector are specified then they are
                                  AND'ed.
                                type: string
                            type: object
                        type: object
                      http:
                        description: HTTP contains match criteria that apply to HTTP
                          requests.
                        properties:
                          methods:
                            description: Methods is an optional field that restricts
                              the rule to apply only to HTTP requests that use one of
                              the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
                              methods are OR'd together.
                            items:
                              type: string
                            type: array
                          paths:
                            description: 'Paths is an optional field that restricts
                              the rule to apply to HTTP requests that use one of the
                              listed HTTP Paths. Multiple paths are OR''d together.
                              e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
                              ONLY specify either a `exact` or a `prefix` match. The
                              validator will check for it.'
                            items:
                              description: 'HTTPPath specifies an HTTP path to match.
                                It may be either of the form: exact: <path>: which matches
                                the path exactly or prefix: <path-prefix>: which matches
                                the path prefix'
                              properties:
                                exact:
                                  type: string
                                prefix:
                                  type: string
                              type: object
                            type: array
                        type: object
                      icmp:
                        description: ICMP is an optional field that restricts the rule
                          to apply to a specific type and code of ICMP traffic. This
                          should only be specified if the Protocol field is set to "ICMP"
                          or "ICMPv6".
                        properties:
                          code:
                            description: Match on a specific ICMP code. If specified,
                              the Type value must also be specified. This is a technical
                              limitation imposed by the kernel’s iptables firewall,
                              which Calico uses to enforce the rule.
                            type: integer
                          type:
                            description: Match on a specific ICMP type. For example
                              a value of 8 refers to ICMP Echo Request (i.e. pings).
                            type: integer
                        type: object
                      ipVersion:
                        description: IPVersion is an optional field that restricts the
                          rule to only match a specific IP version.
                        type: integer
                      metadata:
                        description: Metadata contains additional information for this
                          rule
                        properties:
                          annotations:
                            additionalProperties:
                              type: string
                            description: Annotations is a set of key value pairs that
                              give extra information about the rule
                            type: object
                        type: object
                      notICMP:
                        description: NotICMP is the negated version of the ICMP field.
                        properties:
                          code:
                            description: Match on a specific ICMP code. If specified,
                              the Type value must also be specified. This is a technical
                              limitation imposed by the kernel’s iptables firewall,
                              which Calico uses to enforce the rule.
                            type: integer
                          type:
                            description: Match on a specific ICMP type. For example
                              a value of 8 refers to ICMP Echo Request (i.e. pings).
                            type: integer
                        type: object
                      notProtocol:
                        anyOf:
                          - type: integer
                          - type: string
                        description: NotProtocol is the negated version of the Protocol
                          field.
                        pattern: ^.*
                        x-kubernetes-int-or-string: true
                      protocol:
                        anyOf:
                          - type: integer
                          - type: string
                        description: "Protocol is an optional field that restricts the
                          rule to only apply to traffic of a specific IP protocol. Required
                          if any of the EntityRules contain Ports (because ports only
                          apply to certain protocols). \n Must be one of these string
                          values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
                          \"UDPLite\" or an integer in the range 1-255."
                        pattern: ^.*
                        x-kubernetes-int-or-string: true
                      source:
                        description: Source contains the match criteria that apply to
                          source entity.
                        properties:
                          namespaceSelector:
                            description: "NamespaceSelector is an optional field that
                              contains a selector expression. Only traffic that originates
                              from (or terminates at) endpoints within the selected
                              namespaces will be matched. When both NamespaceSelector
                              and Selector are defined on the same rule, then only workload
                              endpoints that are matched by both selectors will be selected
                              by the rule. \n For NetworkPolicy, an empty NamespaceSelector
                              implies that the Selector is limited to selecting only
                              workload endpoints in the same namespace as the NetworkPolicy.
                              \n For NetworkPolicy, `global()` NamespaceSelector implies
                              that the Selector is limited to selecting only GlobalNetworkSet
                              or HostEndpoint. \n For GlobalNetworkPolicy, an empty
                              NamespaceSelector implies the Selector applies to workload
                              endpoints across all namespaces."
                            type: string
                          nets:
                            description: Nets is an optional field that restricts the
                              rule to only apply to traffic that originates from (or
                              terminates at) IP addresses in any of the given subnets.
                            items:
                              type: string
                            type: array
                          notNets:
                            description: NotNets is the negated version of the Nets
                              field.
                            items:
                              type: string
                            type: array
                          notPorts:
                            description: NotPorts is the negated version of the Ports
                              field. Since only some protocols have ports, if any ports
                              are specified it requires the Protocol match in the Rule
                              to be set to "TCP" or "UDP".
                            items:
                              anyOf:
                                - type: integer
                                - type: string
                              pattern: ^.*
                              x-kubernetes-int-or-string: true
                            type: array
                          notSelector:
                            description: NotSelector is the negated version of the Selector
                              field. See Selector field for subtleties with negated
                              selectors.
                            type: string
                          ports:
                            description: "Ports is an optional field that restricts
                              the rule to only apply to traffic that has a source (destination)
                              port that matches one of these ranges/values. This value
                              is a list of integers or strings that represent ranges
                              of ports. \n Since only some protocols have ports, if
                              any ports are specified it requires the Protocol match
                              in the Rule to be set to \"TCP\" or \"UDP\"."
                            items:
                              anyOf:
                                - type: integer
                                - type: string
                              pattern: ^.*
                              x-kubernetes-int-or-string: true
                            type: array
                          selector:
                            description: "Selector is an optional field that contains
                              a selector expression (see Policy for sample syntax).
                              \ Only traffic that originates from (terminates at) endpoints
                              matching the selector will be matched. \n Note that: in
                              addition to the negated version of the Selector (see NotSelector
                              below), the selector expression syntax itself supports
                              negation. The two types of negation are subtly different.
                              One negates the set of matched endpoints, the other negates
                              the whole match: \n \tSelector = \"!has(my_label)\" matches
                              packets that are from other Calico-controlled \tendpoints
                              that do not have the label “my_label”. \n \tNotSelector
                              = \"has(my_label)\" matches packets that are not from
                              Calico-controlled \tendpoints that do have the label “my_label”.
                              \n The effect is that the latter will accept packets from
                              non-Calico sources whereas the former is limited to packets
                              from Calico-controlled endpoints."
                            type: string
                          serviceAccounts:
                            description: ServiceAccounts is an optional field that restricts
                              the rule to only apply to traffic that originates from
                              (or terminates at) a pod running as a matching service
                              account.
                            properties:
                              names:
                                description: Names is an optional field that restricts
                                  the rule to only apply to traffic that originates
                                  from (or terminates at) a pod running as a service
                                  account whose name is in the list.
                                items:
                                  type: string
                                type: array
                              selector:
                                description: Selector is an optional field that restricts
                                  the rule to only apply to traffic that originates
                                  from (or terminates at) a pod running as a service
                                  account that matches the given label selector. If
                                  both Names and Selector are specified then they are
                                  AND'ed.
                                type: string
                            type: object
                        type: object
                    required:
                      - action
                    type: object
                  type: array
                # Numeric (a float is accepted). Per the description, omitting it
                # makes the policy apply last, and ties are broken by policy name.
                order:
                  description: Order is an optional field that specifies the order in
                    which the policy is applied. Policies with higher "order" are applied
                    after those with lower order. If the order is omitted, it may be
                    considered to be "infinite" - i.e. the policy will be applied last. Policies
                    with identical order will be applied in alphanumerical order based
                    on the Policy "Name".
                  type: number
                # Endpoint selector for the whole policy. Per the description,
                # `all()` or the empty selector matches all endpoints, so leaving
                # this field out widens the policy rather than disabling it.
                selector:
                  description: "The selector is an expression used to pick pick out
                    the endpoints that the policy should be applied to. \n Selector
                    expressions follow this syntax: \n \tlabel == \"string_literal\"
                    \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
                    \ -> not equal; also matches if label is not present \tlabel in
                    { \"a\", \"b\", \"c\", ... } -> true if the value of label X is
                    one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
                    ... } -> true if the value of label X is not one of \"a\", \"b\",
                    \"c\" \thas(label_name) -> True if that label is present \t! expr
                    -> negation of expr \texpr && expr -> Short-circuit and \texpr
                    || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall()
                    or the empty selector -> matches all endpoints. \n Label names are
                    allowed to contain alphanumerics, -, _ and /. String literals are
                    more permissive but they do not support escape characters. \n Examples
                    (with made-up labels): \n \ttype == \"webserver\" && deployment
                    == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
                    \"dev\" \t! has(label_name)"
                  type: string
                # Free-form selector expression keyed on service accounts.
                serviceAccountSelector:
                  description: ServiceAccountSelector is an optional field for an expression
                    used to select a pod based on service accounts.
                  type: string
                # Which directions the policy governs. Per the description, when
                # omitted Calico derives it from the rules present: a policy with
                # only `ingress` rules gets [PolicyTypeIngress] and so does not
                # apply to egress traffic unless `types` is set explicitly.
                types:
                  description: "Types indicates whether this policy applies to ingress,
                    or to egress, or to both. When not explicitly specified (and so
                    the value on creation is empty or nil), Calico defaults Types according
                    to what Ingress and Egress are present in the policy. The default
                    is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including
                    the case where there are also no Ingress rules) \n - [ PolicyTypeEgress
                    ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,
                    PolicyTypeEgress ], if there are both Ingress and Egress rules.
                    \n When the policy is read back again, Types will always be one
                    of these values, never empty or nil."
                  items:
                    # Despite "enumerates" in the description, no enum is declared;
                    # any string is accepted by the schema.
                    description: PolicyType enumerates the possible values of the PolicySpec
                      Types field.
                    type: string
                  type: array
              type: object
          type: object
      # v1 is served and is the version objects are persisted in.
      served: true
      storage: true
# Status is maintained by the API server; the empty values here are the
# usual state for a manifest that has not yet been applied to a cluster.
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []