
Text file src/k8s.io/kubernetes/cluster/addons/calico-policy-controller/networkpolicies-crd.yaml


     1apiVersion: apiextensions.k8s.io/v1
     2kind: CustomResourceDefinition
     3metadata:
     4  labels:
     5    addonmanager.kubernetes.io/mode: Reconcile
     6  name: networkpolicies.crd.projectcalico.org
     7spec:
     8  group: crd.projectcalico.org
     9  names:
    10    kind: NetworkPolicy
    11    listKind: NetworkPolicyList
    12    plural: networkpolicies
    13    singular: networkpolicy
    14  scope: Namespaced
    15  versions:
    16  - name: v1
    17    schema:
    18      openAPIV3Schema:
    19        properties:
    20          apiVersion:
    21            description: 'APIVersion defines the versioned schema of this representation
    22              of an object. Servers should convert recognized schemas to the latest
    23              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
    24            type: string
    25          kind:
    26            description: 'Kind is a string value representing the REST resource this
    27              object represents. Servers may infer this from the endpoint the client
    28              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
    29            type: string
    30          metadata:
    31            type: object
    32          spec:
    33            properties:
    34              egress:
    35                description: The ordered set of egress rules.  Each rule contains
    36                  a set of packet match criteria and a corresponding action to apply.
    37                items:
    38                  description: "A Rule encapsulates a set of match criteria and an
    39                    action.  Both selector-based security Policy and security Profiles
    40                    reference rules - separated out as a list of rules for both ingress
    41                    and egress packet matching. \n Each positive match criteria has
    42                    a negated version, prefixed with ”Not”. All the match criteria
    43                    within a rule must be satisfied for a packet to match. A single
    44                    rule can contain the positive and negative version of a match
    45                    and both must be satisfied for the rule to match."
    46                  properties:
    47                    action:
    48                      type: string
    49                    destination:
    50                      description: Destination contains the match criteria that apply
    51                        to destination entity.
    52                      properties:
    53                        namespaceSelector:
    54                          description: "NamespaceSelector is an optional field that
    55                            contains a selector expression. Only traffic that originates
    56                            from (or terminates at) endpoints within the selected
    57                            namespaces will be matched. When both NamespaceSelector
    58                            and Selector are defined on the same rule, then only workload
    59                            endpoints that are matched by both selectors will be selected
    60                            by the rule. \n For NetworkPolicy, an empty NamespaceSelector
    61                            implies that the Selector is limited to selecting only
    62                            workload endpoints in the same namespace as the NetworkPolicy.
    63                            \n For NetworkPolicy, `global()` NamespaceSelector implies
    64                            that the Selector is limited to selecting only GlobalNetworkSet
    65                            or HostEndpoint. \n For GlobalNetworkPolicy, an empty
    66                            NamespaceSelector implies the Selector applies to workload
    67                            endpoints across all namespaces."
    68                          type: string
    69                        nets:
    70                          description: Nets is an optional field that restricts the
    71                            rule to only apply to traffic that originates from (or
    72                            terminates at) IP addresses in any of the given subnets.
    73                          items:
    74                            type: string
    75                          type: array
    76                        notNets:
    77                          description: NotNets is the negated version of the Nets
    78                            field.
    79                          items:
    80                            type: string
    81                          type: array
    82                        notPorts:
    83                          description: NotPorts is the negated version of the Ports
    84                            field. Since only some protocols have ports, if any ports
    85                            are specified it requires the Protocol match in the Rule
    86                            to be set to "TCP" or "UDP".
    87                          items:
    88                            anyOf:
    89                            - type: integer
    90                            - type: string
    91                            pattern: ^.*
    92                            x-kubernetes-int-or-string: true
    93                          type: array
    94                        notSelector:
    95                          description: NotSelector is the negated version of the Selector
    96                            field.  See Selector field for subtleties with negated
    97                            selectors.
    98                          type: string
    99                        ports:
   100                          description: "Ports is an optional field that restricts
   101                            the rule to only apply to traffic that has a source (destination)
   102                            port that matches one of these ranges/values. This value
   103                            is a list of integers or strings that represent ranges
   104                            of ports. \n Since only some protocols have ports, if
   105                            any ports are specified it requires the Protocol match
   106                            in the Rule to be set to \"TCP\" or \"UDP\"."
   107                          items:
   108                            anyOf:
   109                            - type: integer
   110                            - type: string
   111                            pattern: ^.*
   112                            x-kubernetes-int-or-string: true
   113                          type: array
   114                        selector:
   115                          description: "Selector is an optional field that contains
   116                            a selector expression (see Policy for sample syntax).
   117                            \ Only traffic that originates from (terminates at) endpoints
   118                            matching the selector will be matched. \n Note that: in
   119                            addition to the negated version of the Selector (see NotSelector
   120                            below), the selector expression syntax itself supports
   121                            negation.  The two types of negation are subtly different.
   122                            One negates the set of matched endpoints, the other negates
   123                            the whole match: \n \tSelector = \"!has(my_label)\" matches
   124                            packets that are from other Calico-controlled \tendpoints
   125                            that do not have the label “my_label”. \n \tNotSelector
   126                            = \"has(my_label)\" matches packets that are not from
   127                            Calico-controlled \tendpoints that do have the label “my_label”.
   128                            \n The effect is that the latter will accept packets from
   129                            non-Calico sources whereas the former is limited to packets
   130                            from Calico-controlled endpoints."
   131                          type: string
   132                        serviceAccounts:
   133                          description: ServiceAccounts is an optional field that restricts
   134                            the rule to only apply to traffic that originates from
   135                            (or terminates at) a pod running as a matching service
   136                            account.
   137                          properties:
   138                            names:
   139                              description: Names is an optional field that restricts
   140                                the rule to only apply to traffic that originates
   141                                from (or terminates at) a pod running as a service
   142                                account whose name is in the list.
   143                              items:
   144                                type: string
   145                              type: array
   146                            selector:
   147                              description: Selector is an optional field that restricts
   148                                the rule to only apply to traffic that originates
   149                                from (or terminates at) a pod running as a service
   150                                account that matches the given label selector. If
   151                                both Names and Selector are specified then they are
   152                                AND'ed.
   153                              type: string
   154                          type: object
   155                      type: object
   156                    http:
   157                      description: HTTP contains match criteria that apply to HTTP
   158                        requests.
   159                      properties:
   160                        methods:
   161                          description: Methods is an optional field that restricts
   162                            the rule to apply only to HTTP requests that use one of
   163                            the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
   164                            methods are OR'd together.
   165                          items:
   166                            type: string
   167                          type: array
   168                        paths:
   169                          description: 'Paths is an optional field that restricts
   170                            the rule to apply to HTTP requests that use one of the
   171                            listed HTTP Paths. Multiple paths are OR''d together.
   172                            e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
   173                            ONLY specify either a `exact` or a `prefix` match. The
   174                            validator will check for it.'
   175                          items:
   176                            description: 'HTTPPath specifies an HTTP path to match.
   177                              It may be either of the form: exact: <path>: which matches
   178                              the path exactly or prefix: <path-prefix>: which matches
   179                              the path prefix'
   180                            properties:
   181                              exact:
   182                                type: string
   183                              prefix:
   184                                type: string
   185                            type: object
   186                          type: array
   187                      type: object
   188                    icmp:
   189                      description: ICMP is an optional field that restricts the rule
   190                        to apply to a specific type and code of ICMP traffic.  This
   191                        should only be specified if the Protocol field is set to "ICMP"
   192                        or "ICMPv6".
   193                      properties:
   194                        code:
   195                          description: Match on a specific ICMP code.  If specified,
   196                            the Type value must also be specified. This is a technical
   197                            limitation imposed by the kernel’s iptables firewall,
   198                            which Calico uses to enforce the rule.
   199                          type: integer
   200                        type:
   201                          description: Match on a specific ICMP type.  For example
   202                            a value of 8 refers to ICMP Echo Request (i.e. pings).
   203                          type: integer
   204                      type: object
   205                    ipVersion:
   206                      description: IPVersion is an optional field that restricts the
   207                        rule to only match a specific IP version.
   208                      type: integer
   209                    metadata:
   210                      description: Metadata contains additional information for this
   211                        rule
   212                      properties:
   213                        annotations:
   214                          additionalProperties:
   215                            type: string
   216                          description: Annotations is a set of key value pairs that
   217                            give extra information about the rule
   218                          type: object
   219                      type: object
   220                    notICMP:
   221                      description: NotICMP is the negated version of the ICMP field.
   222                      properties:
   223                        code:
   224                          description: Match on a specific ICMP code.  If specified,
   225                            the Type value must also be specified. This is a technical
   226                            limitation imposed by the kernel’s iptables firewall,
   227                            which Calico uses to enforce the rule.
   228                          type: integer
   229                        type:
   230                          description: Match on a specific ICMP type.  For example
   231                            a value of 8 refers to ICMP Echo Request (i.e. pings).
   232                          type: integer
   233                      type: object
   234                    notProtocol:
   235                      anyOf:
   236                      - type: integer
   237                      - type: string
   238                      description: NotProtocol is the negated version of the Protocol
   239                        field.
   240                      pattern: ^.*
   241                      x-kubernetes-int-or-string: true
   242                    protocol:
   243                      anyOf:
   244                      - type: integer
   245                      - type: string
   246                      description: "Protocol is an optional field that restricts the
   247                        rule to only apply to traffic of a specific IP protocol. Required
   248                        if any of the EntityRules contain Ports (because ports only
   249                        apply to certain protocols). \n Must be one of these string
   250                        values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
   251                        \"UDPLite\" or an integer in the range 1-255."
   252                      pattern: ^.*
   253                      x-kubernetes-int-or-string: true
   254                    source:
   255                      description: Source contains the match criteria that apply to
   256                        source entity.
   257                      properties:
   258                        namespaceSelector:
   259                          description: "NamespaceSelector is an optional field that
   260                            contains a selector expression. Only traffic that originates
   261                            from (or terminates at) endpoints within the selected
   262                            namespaces will be matched. When both NamespaceSelector
   263                            and Selector are defined on the same rule, then only workload
   264                            endpoints that are matched by both selectors will be selected
   265                            by the rule. \n For NetworkPolicy, an empty NamespaceSelector
   266                            implies that the Selector is limited to selecting only
   267                            workload endpoints in the same namespace as the NetworkPolicy.
   268                            \n For NetworkPolicy, `global()` NamespaceSelector implies
   269                            that the Selector is limited to selecting only GlobalNetworkSet
   270                            or HostEndpoint. \n For GlobalNetworkPolicy, an empty
   271                            NamespaceSelector implies the Selector applies to workload
   272                            endpoints across all namespaces."
   273                          type: string
   274                        nets:
   275                          description: Nets is an optional field that restricts the
   276                            rule to only apply to traffic that originates from (or
   277                            terminates at) IP addresses in any of the given subnets.
   278                          items:
   279                            type: string
   280                          type: array
   281                        notNets:
   282                          description: NotNets is the negated version of the Nets
   283                            field.
   284                          items:
   285                            type: string
   286                          type: array
   287                        notPorts:
   288                          description: NotPorts is the negated version of the Ports
   289                            field. Since only some protocols have ports, if any ports
   290                            are specified it requires the Protocol match in the Rule
   291                            to be set to "TCP" or "UDP".
   292                          items:
   293                            anyOf:
   294                            - type: integer
   295                            - type: string
   296                            pattern: ^.*
   297                            x-kubernetes-int-or-string: true
   298                          type: array
   299                        notSelector:
   300                          description: NotSelector is the negated version of the Selector
   301                            field.  See Selector field for subtleties with negated
   302                            selectors.
   303                          type: string
   304                        ports:
   305                          description: "Ports is an optional field that restricts
   306                            the rule to only apply to traffic that has a source (destination)
   307                            port that matches one of these ranges/values. This value
   308                            is a list of integers or strings that represent ranges
   309                            of ports. \n Since only some protocols have ports, if
   310                            any ports are specified it requires the Protocol match
   311                            in the Rule to be set to \"TCP\" or \"UDP\"."
   312                          items:
   313                            anyOf:
   314                            - type: integer
   315                            - type: string
   316                            pattern: ^.*
   317                            x-kubernetes-int-or-string: true
   318                          type: array
   319                        selector:
   320                          description: "Selector is an optional field that contains
   321                            a selector expression (see Policy for sample syntax).
   322                            \ Only traffic that originates from (terminates at) endpoints
   323                            matching the selector will be matched. \n Note that: in
   324                            addition to the negated version of the Selector (see NotSelector
   325                            below), the selector expression syntax itself supports
   326                            negation.  The two types of negation are subtly different.
   327                            One negates the set of matched endpoints, the other negates
   328                            the whole match: \n \tSelector = \"!has(my_label)\" matches
   329                            packets that are from other Calico-controlled \tendpoints
   330                            that do not have the label “my_label”. \n \tNotSelector
   331                            = \"has(my_label)\" matches packets that are not from
   332                            Calico-controlled \tendpoints that do have the label “my_label”.
   333                            \n The effect is that the latter will accept packets from
   334                            non-Calico sources whereas the former is limited to packets
   335                            from Calico-controlled endpoints."
   336                          type: string
   337                        serviceAccounts:
   338                          description: ServiceAccounts is an optional field that restricts
   339                            the rule to only apply to traffic that originates from
   340                            (or terminates at) a pod running as a matching service
   341                            account.
   342                          properties:
   343                            names:
   344                              description: Names is an optional field that restricts
   345                                the rule to only apply to traffic that originates
   346                                from (or terminates at) a pod running as a service
   347                                account whose name is in the list.
   348                              items:
   349                                type: string
   350                              type: array
   351                            selector:
   352                              description: Selector is an optional field that restricts
   353                                the rule to only apply to traffic that originates
   354                                from (or terminates at) a pod running as a service
   355                                account that matches the given label selector. If
   356                                both Names and Selector are specified then they are
   357                                AND'ed.
   358                              type: string
   359                          type: object
   360                      type: object
   361                  required:
   362                  - action
   363                  type: object
   364                type: array
   365              ingress:
   366                description: The ordered set of ingress rules.  Each rule contains
   367                  a set of packet match criteria and a corresponding action to apply.
   368                items:
   369                  description: "A Rule encapsulates a set of match criteria and an
   370                    action.  Both selector-based security Policy and security Profiles
   371                    reference rules - separated out as a list of rules for both ingress
   372                    and egress packet matching. \n Each positive match criteria has
   373                    a negated version, prefixed with ”Not”. All the match criteria
   374                    within a rule must be satisfied for a packet to match. A single
   375                    rule can contain the positive and negative version of a match
   376                    and both must be satisfied for the rule to match."
   377                  properties:
   378                    action:
   379                      type: string
   380                    destination:
   381                      description: Destination contains the match criteria that apply
   382                        to destination entity.
   383                      properties:
   384                        namespaceSelector:
   385                          description: "NamespaceSelector is an optional field that
   386                            contains a selector expression. Only traffic that originates
   387                            from (or terminates at) endpoints within the selected
   388                            namespaces will be matched. When both NamespaceSelector
   389                            and Selector are defined on the same rule, then only workload
   390                            endpoints that are matched by both selectors will be selected
   391                            by the rule. \n For NetworkPolicy, an empty NamespaceSelector
   392                            implies that the Selector is limited to selecting only
   393                            workload endpoints in the same namespace as the NetworkPolicy.
   394                            \n For NetworkPolicy, `global()` NamespaceSelector implies
   395                            that the Selector is limited to selecting only GlobalNetworkSet
   396                            or HostEndpoint. \n For GlobalNetworkPolicy, an empty
   397                            NamespaceSelector implies the Selector applies to workload
   398                            endpoints across all namespaces."
   399                          type: string
   400                        nets:
   401                          description: Nets is an optional field that restricts the
   402                            rule to only apply to traffic that originates from (or
   403                            terminates at) IP addresses in any of the given subnets.
   404                          items:
   405                            type: string
   406                          type: array
   407                        notNets:
   408                          description: NotNets is the negated version of the Nets
   409                            field.
   410                          items:
   411                            type: string
   412                          type: array
   413                        notPorts:
   414                          description: NotPorts is the negated version of the Ports
   415                            field. Since only some protocols have ports, if any ports
   416                            are specified it requires the Protocol match in the Rule
   417                            to be set to "TCP" or "UDP".
   418                          items:
   419                            anyOf:
   420                            - type: integer
   421                            - type: string
   422                            pattern: ^.*
   423                            x-kubernetes-int-or-string: true
   424                          type: array
   425                        notSelector:
   426                          description: NotSelector is the negated version of the Selector
   427                            field.  See Selector field for subtleties with negated
   428                            selectors.
   429                          type: string
   430                        ports:
   431                          description: "Ports is an optional field that restricts
   432                            the rule to only apply to traffic that has a source (destination)
   433                            port that matches one of these ranges/values. This value
   434                            is a list of integers or strings that represent ranges
   435                            of ports. \n Since only some protocols have ports, if
   436                            any ports are specified it requires the Protocol match
   437                            in the Rule to be set to \"TCP\" or \"UDP\"."
   438                          items:
   439                            anyOf:
   440                            - type: integer
   441                            - type: string
   442                            pattern: ^.*
   443                            x-kubernetes-int-or-string: true
   444                          type: array
   445                        selector:
   446                          description: "Selector is an optional field that contains
   447                            a selector expression (see Policy for sample syntax).
   448                            \ Only traffic that originates from (terminates at) endpoints
   449                            matching the selector will be matched. \n Note that: in
   450                            addition to the negated version of the Selector (see NotSelector
   451                            below), the selector expression syntax itself supports
   452                            negation.  The two types of negation are subtly different.
   453                            One negates the set of matched endpoints, the other negates
   454                            the whole match: \n \tSelector = \"!has(my_label)\" matches
   455                            packets that are from other Calico-controlled \tendpoints
   456                            that do not have the label “my_label”. \n \tNotSelector
   457                            = \"has(my_label)\" matches packets that are not from
   458                            Calico-controlled \tendpoints that do have the label “my_label”.
   459                            \n The effect is that the latter will accept packets from
   460                            non-Calico sources whereas the former is limited to packets
   461                            from Calico-controlled endpoints."
   462                          type: string
   463                        serviceAccounts:
   464                          description: ServiceAccounts is an optional field that restricts
   465                            the rule to only apply to traffic that originates from
   466                            (or terminates at) a pod running as a matching service
   467                            account.
   468                          properties:
   469                            names:
   470                              description: Names is an optional field that restricts
   471                                the rule to only apply to traffic that originates
   472                                from (or terminates at) a pod running as a service
   473                                account whose name is in the list.
   474                              items:
   475                                type: string
   476                              type: array
   477                            selector:
   478                              description: Selector is an optional field that restricts
   479                                the rule to only apply to traffic that originates
   480                                from (or terminates at) a pod running as a service
   481                                account that matches the given label selector. If
   482                                both Names and Selector are specified then they are
   483                                AND'ed.
   484                              type: string
   485                          type: object
   486                      type: object
   487                    http:
   488                      description: HTTP contains match criteria that apply to HTTP
   489                        requests.
   490                      properties:
   491                        methods:
   492                          description: Methods is an optional field that restricts
   493                            the rule to apply only to HTTP requests that use one of
   494                            the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
   495                            methods are OR'd together.
   496                          items:
   497                            type: string
   498                          type: array
   499                        paths:
   500                          description: 'Paths is an optional field that restricts
   501                            the rule to apply to HTTP requests that use one of the
   502                            listed HTTP Paths. Multiple paths are OR''d together.
   503                            e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
   504                            ONLY specify either a `exact` or a `prefix` match. The
   505                            validator will check for it.'
   506                          items:
   507                            description: 'HTTPPath specifies an HTTP path to match.
   508                              It may be either of the form: exact: <path>: which matches
   509                              the path exactly or prefix: <path-prefix>: which matches
   510                              the path prefix'
   511                            properties:
   512                              exact:
   513                                type: string
   514                              prefix:
   515                                type: string
   516                            type: object
   517                          type: array
   518                      type: object
   519                    icmp:
   520                      description: ICMP is an optional field that restricts the rule
   521                        to apply to a specific type and code of ICMP traffic.  This
   522                        should only be specified if the Protocol field is set to "ICMP"
   523                        or "ICMPv6".
   524                      properties:
   525                        code:
   526                          description: Match on a specific ICMP code.  If specified,
   527                            the Type value must also be specified. This is a technical
   528                            limitation imposed by the kernel’s iptables firewall,
   529                            which Calico uses to enforce the rule.
   530                          type: integer
   531                        type:
   532                          description: Match on a specific ICMP type.  For example
   533                            a value of 8 refers to ICMP Echo Request (i.e. pings).
   534                          type: integer
   535                      type: object
   536                    ipVersion:
   537                      description: IPVersion is an optional field that restricts the
   538                        rule to only match a specific IP version.
   539                      type: integer
   540                    metadata:
   541                      description: Metadata contains additional information for this
   542                        rule
   543                      properties:
   544                        annotations:
   545                          additionalProperties:
   546                            type: string
   547                          description: Annotations is a set of key value pairs that
   548                            give extra information about the rule
   549                          type: object
   550                      type: object
   551                    notICMP:
   552                      description: NotICMP is the negated version of the ICMP field.
   553                      properties:
   554                        code:
   555                          description: Match on a specific ICMP code.  If specified,
   556                            the Type value must also be specified. This is a technical
   557                            limitation imposed by the kernel’s iptables firewall,
   558                            which Calico uses to enforce the rule.
   559                          type: integer
   560                        type:
   561                          description: Match on a specific ICMP type.  For example
   562                            a value of 8 refers to ICMP Echo Request (i.e. pings).
   563                          type: integer
   564                      type: object
   565                    notProtocol:
   566                      anyOf:
   567                      - type: integer
   568                      - type: string
   569                      description: NotProtocol is the negated version of the Protocol
   570                        field.
   571                      pattern: ^.*
   572                      x-kubernetes-int-or-string: true
   573                    protocol:
   574                      anyOf:
   575                      - type: integer
   576                      - type: string
   577                      description: "Protocol is an optional field that restricts the
   578                        rule to only apply to traffic of a specific IP protocol. Required
   579                        if any of the EntityRules contain Ports (because ports only
   580                        apply to certain protocols). \n Must be one of these string
   581                        values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\",
   582                        \"UDPLite\" or an integer in the range 1-255."
   583                      pattern: ^.*
   584                      x-kubernetes-int-or-string: true
   585                    source:
   586                      description: Source contains the match criteria that apply to
   587                        source entity.
   588                      properties:
   589                        namespaceSelector:
   590                          description: "NamespaceSelector is an optional field that
   591                            contains a selector expression. Only traffic that originates
   592                            from (or terminates at) endpoints within the selected
   593                            namespaces will be matched. When both NamespaceSelector
   594                            and Selector are defined on the same rule, then only workload
   595                            endpoints that are matched by both selectors will be selected
   596                            by the rule. \n For NetworkPolicy, an empty NamespaceSelector
   597                            implies that the Selector is limited to selecting only
   598                            workload endpoints in the same namespace as the NetworkPolicy.
   599                            \n For NetworkPolicy, `global()` NamespaceSelector implies
   600                            that the Selector is limited to selecting only GlobalNetworkSet
   601                            or HostEndpoint. \n For GlobalNetworkPolicy, an empty
   602                            NamespaceSelector implies the Selector applies to workload
   603                            endpoints across all namespaces."
   604                          type: string
   605                        nets:
   606                          description: Nets is an optional field that restricts the
   607                            rule to only apply to traffic that originates from (or
   608                            terminates at) IP addresses in any of the given subnets.
   609                          items:
   610                            type: string
   611                          type: array
   612                        notNets:
   613                          description: NotNets is the negated version of the Nets
   614                            field.
   615                          items:
   616                            type: string
   617                          type: array
   618                        notPorts:
   619                          description: NotPorts is the negated version of the Ports
   620                            field. Since only some protocols have ports, if any ports
   621                            are specified it requires the Protocol match in the Rule
   622                            to be set to "TCP" or "UDP".
   623                          items:
   624                            anyOf:
   625                            - type: integer
   626                            - type: string
   627                            pattern: ^.*
   628                            x-kubernetes-int-or-string: true
   629                          type: array
   630                        notSelector:
   631                          description: NotSelector is the negated version of the Selector
   632                            field.  See Selector field for subtleties with negated
   633                            selectors.
   634                          type: string
   635                        ports:
   636                          description: "Ports is an optional field that restricts
   637                            the rule to only apply to traffic that has a source (destination)
   638                            port that matches one of these ranges/values. This value
   639                            is a list of integers or strings that represent ranges
   640                            of ports. \n Since only some protocols have ports, if
   641                            any ports are specified it requires the Protocol match
   642                            in the Rule to be set to \"TCP\" or \"UDP\"."
   643                          items:
   644                            anyOf:
   645                            - type: integer
   646                            - type: string
   647                            pattern: ^.*
   648                            x-kubernetes-int-or-string: true
   649                          type: array
   650                        selector:
   651                          description: "Selector is an optional field that contains
   652                            a selector expression (see Policy for sample syntax).
   653                            \ Only traffic that originates from (terminates at) endpoints
   654                            matching the selector will be matched. \n Note that: in
   655                            addition to the negated version of the Selector (see NotSelector
   656                            below), the selector expression syntax itself supports
   657                            negation.  The two types of negation are subtly different.
   658                            One negates the set of matched endpoints, the other negates
   659                            the whole match: \n \tSelector = \"!has(my_label)\" matches
   660                            packets that are from other Calico-controlled \tendpoints
   661                            that do not have the label “my_label”. \n \tNotSelector
   662                            = \"has(my_label)\" matches packets that are not from
   663                            Calico-controlled \tendpoints that do have the label “my_label”.
   664                            \n The effect is that the latter will accept packets from
   665                            non-Calico sources whereas the former is limited to packets
   666                            from Calico-controlled endpoints."
   667                          type: string
   668                        serviceAccounts:
   669                          description: ServiceAccounts is an optional field that restricts
   670                            the rule to only apply to traffic that originates from
   671                            (or terminates at) a pod running as a matching service
   672                            account.
   673                          properties:
   674                            names:
   675                              description: Names is an optional field that restricts
   676                                the rule to only apply to traffic that originates
   677                                from (or terminates at) a pod running as a service
   678                                account whose name is in the list.
   679                              items:
   680                                type: string
   681                              type: array
   682                            selector:
   683                              description: Selector is an optional field that restricts
   684                                the rule to only apply to traffic that originates
   685                                from (or terminates at) a pod running as a service
   686                                account that matches the given label selector. If
   687                                both Names and Selector are specified then they are
   688                                AND'ed.
   689                              type: string
   690                          type: object
   691                      type: object
   692                  required:
   693                  - action
   694                  type: object
   695                type: array
   696              order:
   697                description: Order is an optional field that specifies the order in
   698                  which the policy is applied. Policies with higher "order" are applied
   699                  after those with lower order.  If the order is omitted, it may be
   700                  considered to be "infinite" - i.e. the policy will be applied last.  Policies
   701                  with identical order will be applied in alphanumerical order based
   702                  on the Policy "Name".
   703                type: number
   704              selector:
   705                description: "The selector is an expression used to pick out
   706                  the endpoints that the policy should be applied to. \n Selector
   707                  expressions follow this syntax: \n \tlabel == \"string_literal\"
   708                  \ ->  comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"
   709                  \  ->  not equal; also matches if label is not present \tlabel in
   710                  { \"a\", \"b\", \"c\", ... }  ->  true if the value of label X is
   711                  one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\",
   712                  ... }  ->  true if the value of label X is not one of \"a\", \"b\",
   713                  \"c\" \thas(label_name)  -> True if that label is present \t! expr
   714                  -> negation of expr \texpr && expr  -> Short-circuit and \texpr
   715                  || expr  -> Short-circuit or \t( expr ) -> parens for grouping \tall()
   716                  or the empty selector -> matches all endpoints. \n Label names are
   717                  allowed to contain alphanumerics, -, _ and /. String literals are
   718                  more permissive but they do not support escape characters. \n Examples
   719                  (with made-up labels): \n \ttype == \"webserver\" && deployment
   720                  == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment !=
   721                  \"dev\" \t! has(label_name)"
   722                type: string
   723              serviceAccountSelector:
   724                description: ServiceAccountSelector is an optional field for an expression
   725                  used to select a pod based on service accounts.
   726                type: string
   727              types:
   728                description: "Types indicates whether this policy applies to ingress,
   729                  or to egress, or to both.  When not explicitly specified (and so
   730                  the value on creation is empty or nil), Calico defaults Types according
   731                  to what Ingress and Egress are present in the policy.  The default
   732                  is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including
   733                  the case where there are   also no Ingress rules) \n - [ PolicyTypeEgress
   734                  ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress,
   735                  PolicyTypeEgress ], if there are both Ingress and Egress rules.
   736                  \n When the policy is read back again, Types will always be one
   737                  of these values, never empty or nil."
   738                items:
   739                  description: PolicyType enumerates the possible values of the PolicySpec
   740                    Types field.
   741                  type: string
   742                type: array
   743            type: object
   744        type: object
   745    served: true
   746    storage: true
   747status:
   748  acceptedNames:
   749    kind: ""
   750    plural: ""
   751  conditions: []
   752  storedVersions: []
