Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type IPBlock ¶
type IPBlock struct {
// CIDR is a string representing the IP Block
// Valid examples are "192.168.1.1/24"
CIDR string `json:"cidr" protobuf:"bytes,1,name=cidr"`
// Except is a slice of CIDRs that should not be included within an IP Block
// Valid examples are "192.168.1.1/24"
// Except values will be rejected if they are outside the CIDR range
// +optional
Except []string `json:"except,omitempty" protobuf:"bytes,2,rep,name=except"`
}
IPBlock describes a particular CIDR (Ex. "192.168.1.1/24") that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should not be included within this rule.
type NetworkPolicy ¶
type NetworkPolicy struct {
metav1.TypeMeta `json:",inline"`
// Standard object's metadata.
// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
// +optional
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// Specification of the desired behavior for this NetworkPolicy.
// +optional
Spec NetworkPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}
NetworkPolicy describes what network traffic is allowed for a set of Pods
func (*NetworkPolicy) GetObjectKind ¶
func (e *NetworkPolicy) GetObjectKind() schema.ObjectKind
Required to satisfy Object interface
func (*NetworkPolicy) GetObjectMeta ¶
func (e *NetworkPolicy) GetObjectMeta() metav1.Object
Required to satisfy ObjectMetaAccessor interface
type NetworkPolicyEgressRule ¶
type NetworkPolicyEgressRule struct {
// List of destination ports for outgoing traffic.
// Each item in this list is combined using a logical OR. If this field is
// empty or missing, this rule matches all ports (traffic not restricted by port).
// If this field is present and contains at least one item, then this rule allows
// traffic only if the traffic matches at least one port in the list.
// +optional
Ports []NetworkPolicyPort `json:"ports,omitempty" protobuf:"bytes,1,rep,name=ports"`
// List of destinations for outgoing traffic of pods selected for this rule.
// Items in this list are combined using a logical OR operation. If this field is
// empty or missing, this rule matches all destinations (traffic not restricted by
// destination). If this field is present and contains at least one item, this rule
// allows traffic only if the traffic matches at least one item in the to list.
// +optional
To []NetworkPolicyPeer `json:"to,omitempty" protobuf:"bytes,2,rep,name=to"`
}
NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8
type NetworkPolicyIngressRule ¶
type NetworkPolicyIngressRule struct {
// List of ports which should be made accessible on the pods selected for this rule.
// Each item in this list is combined using a logical OR.
// If this field is empty or missing, this rule matches all ports (traffic not restricted by port).
// If this field is present and contains at least one item, then this rule allows traffic
// only if the traffic matches at least one port in the list.
// +optional
Ports []NetworkPolicyPort `json:"ports,omitempty" protobuf:"bytes,1,rep,name=ports"`
// List of sources which should be able to access the pods selected for this rule.
// Items in this list are combined using a logical OR operation.
// If this field is empty or missing, this rule matches all sources (traffic not restricted by source).
// If this field is present and contains at least on item, this rule allows traffic only if the
// traffic matches at least one item in the from list.
// +optional
From []NetworkPolicyPeer `json:"from,omitempty" protobuf:"bytes,2,rep,name=from"`
}
This NetworkPolicyIngressRule matches traffic if and only if the traffic matches both ports AND from.
type NetworkPolicyList ¶
type NetworkPolicyList struct {
metav1.TypeMeta `json:",inline"`
// Standard list metadata.
// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
// +optional
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
// Items is a list of schema objects.
Items []NetworkPolicy `json:"items" protobuf:"bytes,2,rep,name=items"`
}
Network Policy List is a list of NetworkPolicy objects.
func (*NetworkPolicyList) GetListMeta ¶
func (el *NetworkPolicyList) GetListMeta() metav1.List
Required to satisfy ListMetaAccessor interface
func (*NetworkPolicyList) GetObjectKind ¶
func (el *NetworkPolicyList) GetObjectKind() schema.ObjectKind
Required to satisfy Object interface
type NetworkPolicyPeer ¶
type NetworkPolicyPeer struct {
// This is a label selector which selects Pods in this namespace.
// This field follows standard label selector semantics.
// If present but empty, this selector selects all pods in this namespace.
// +optional
PodSelector *metav1.LabelSelector `json:"podSelector,omitempty" protobuf:"bytes,1,opt,name=podSelector"`
// Selects Namespaces using cluster scoped-labels. This
// matches all pods in all namespaces selected by this label selector.
// This field follows standard label selector semantics.
// If present but empty, this selector selects all namespaces.
// +optional
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,2,opt,name=namespaceSelector"`
// IPBlock defines policy on a particular IPBlock
// +optional
IPBlock *IPBlock `json:"ipBlock,omitempty" protobuf:"bytes,3,rep,name=ipBlock"`
}
NetworkPolicyPeer describes a peer to allow traffic from. Exactly one of its fields must be specified.
type NetworkPolicyPort ¶
type NetworkPolicyPort struct {
// Optional. The protocol (TCP or UDP) which traffic must match.
// If not specified, this field defaults to TCP.
// +optional
Protocol *Protocol `json:"protocol,omitempty" protobuf:"bytes,1,opt,name=protocol,casttype=k8s.io/api/core/v1.Protocol"`
// If specified, the port on the given protocol. This can
// either be a numerical or named port on a pod. If this field is not provided,
// this matches all port names and numbers.
// If present, only traffic on the specified protocol AND port
// will be matched.
// +optional
Port *intstr.IntOrString `json:"port,omitempty" protobuf:"bytes,2,opt,name=port"`
}
type NetworkPolicySpec ¶
type NetworkPolicySpec struct {
// Selects the pods to which this NetworkPolicy object applies. The array of ingress rules
// is applied to any pods selected by this field. Multiple network policies can select the
// same set of pods. In this case, the ingress rules for each are combined additively.
// This field is NOT optional and follows standard label selector semantics.
// An empty podSelector matches all pods in this namespace.
PodSelector metav1.LabelSelector `json:"podSelector" protobuf:"bytes,1,opt,name=podSelector"`
// List of ingress rules to be applied to the selected pods.
// Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod
// OR if the traffic source is the pod's local node,
// OR if the traffic matches at least one ingress rule across all of the NetworkPolicy
// objects whose podSelector matches the pod.
// If this field is empty then this NetworkPolicy does not allow any traffic
// (and serves solely to ensure that the pods it selects are isolated by default).
// +optional
Ingress []NetworkPolicyIngressRule `json:"ingress,omitempty" protobuf:"bytes,2,rep,name=ingress"`
// List of egress rules to be applied to the selected pods. Outgoing traffic is
// allowed if there are no NetworkPolicies selecting the pod (and cluster policy
// otherwise allows the traffic), OR if the traffic matches at least one egress rule
// across all of the NetworkPolicy objects whose podSelector matches the pod. If
// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
// solely to ensure that the pods it selects are isolated by default).
// This field is beta-level in 1.8
// +optional
Egress []NetworkPolicyEgressRule `json:"egress,omitempty" protobuf:"bytes,3,rep,name=egress"`
// List of rule types that the NetworkPolicy relates to.
// Valid options are Ingress, Egress, or Ingress,Egress.
// If this field is not specified, it will default based on the existence of Ingress or Egress rules;
// policies that contain an Egress section are assumed to affect Egress, and all policies
// (whether or not they contain an Ingress section) are assumed to affect Ingress.
// If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
// Likewise, if you want to write a policy that specifies that no egress is allowed,
// you must specify a policyTypes value that include "Egress" (since such a policy would not include
// an Egress section and would otherwise default to just [ "Ingress" ]).
// This field is beta-level in 1.8
// +optional
PolicyTypes []PolicyType `json:"policyTypes,omitempty" protobuf:"bytes,4,rep,name=policyTypes,casttype=PolicyType"`
}
type PolicyType ¶
type PolicyType string
Policy Type string describes the NetworkPolicy type This type is beta-level in 1.8
const ( // PolicyTypeIngress is a NetworkPolicy that affects ingress traffic on selected pods PolicyTypeIngress PolicyType = "Ingress" // PolicyTypeEgress is a NetworkPolicy that affects egress traffic on selected pods PolicyTypeEgress PolicyType = "Egress" )
Source Files
Click to show internal directories.
Click to hide internal directories.