Documentation
¶
Overview ¶
Package v2 is the v2 version of the API. +groupName=cilium.io
Index ¶
- Constants
- Variables
- func CreateCustomResourceDefinitions(clientset apiextensionsclient.Interface) error
- func Resource(resource string) schema.GroupResource
- type AddressPair
- type AddressPairList
- type AllowedIdentityList
- type AllowedIdentityTuple
- type CiliumEndpoint
- type CiliumEndpointList
- type CiliumNetworkPolicy
- func (r *CiliumNetworkPolicy) AnnotationsEquals(o *CiliumNetworkPolicy) bool
- func (in *CiliumNetworkPolicy) DeepCopy() *CiliumNetworkPolicy
- func (in *CiliumNetworkPolicy) DeepCopyInto(out *CiliumNetworkPolicy)
- func (in *CiliumNetworkPolicy) DeepCopyObject() runtime.Object
- func (r *CiliumNetworkPolicy) GetControllerName() string
- func (r *CiliumNetworkPolicy) GetIdentityLabels() labels.LabelArray
- func (r *CiliumNetworkPolicy) GetPolicyStatus(nodeName string) CiliumNetworkPolicyNodeStatus
- func (r *CiliumNetworkPolicy) Parse() (api.Rules, error)
- func (r *CiliumNetworkPolicy) RequiresDerivative() bool
- func (r *CiliumNetworkPolicy) SetDerivedPolicyStatus(derivativePolicyName string, status CiliumNetworkPolicyNodeStatus)
- func (r *CiliumNetworkPolicy) SetPolicyStatus(nodeName string, cnpns CiliumNetworkPolicyNodeStatus)
- func (r *CiliumNetworkPolicy) SpecEquals(o *CiliumNetworkPolicy) bool
- func (r *CiliumNetworkPolicy) String() string
- type CiliumNetworkPolicyList
- type CiliumNetworkPolicyNodeStatus
- type CiliumNetworkPolicyStatus
- type ControllerList
- type ControllerStatus
- type ControllerStatusStatus
- type DeprecatedEndpointStatus
- type EndpointIdentity
- type EndpointNetworking
- type EndpointPolicy
- type EndpointPolicyDirection
- type EndpointStatus
- type Timestamp
Constants ¶
View Source
const ( // CustomResourceDefinitionGroup is the name of the third party resource group CustomResourceDefinitionGroup = k8sconst.GroupName // CustomResourceDefinitionVersion is the current version of the resource CustomResourceDefinitionVersion = "v2" // CustomResourceDefinitionSchemaVersion is semver-conformant version of CRD schema // Used to determine if CRD needs to be updated in cluster CustomResourceDefinitionSchemaVersion = "1.14" // CustomResourceDefinitionSchemaVersionKey is key to label which holds the CRD schema version CustomResourceDefinitionSchemaVersionKey = "io.cilium.k8s.crd.schema.version" // CNPKindDefinition is the kind name for Cilium Network Policy CNPKindDefinition = "CiliumNetworkPolicy" )
View Source
const EndpointStatusLogEntries = 5
EndpointStatusLogEntries is the maximum number of log entries in EndpointStatus.Log
Variables ¶
View Source
var ( // SchemeBuilder is needed by DeepCopy generator. SchemeBuilder runtime.SchemeBuilder // AddToScheme adds all types of this clientset into the given scheme. // This allows composition of clientsets, like in: // // import ( // "k8s.io/client-go/kubernetes" // clientsetscheme "k8s.io/client-go/kuberentes/scheme" // aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" // ) // // kclientset, _ := kubernetes.NewForConfig(c) // aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) AddToScheme = localSchemeBuilder.AddToScheme )
View Source
var ( CIDR = apiextensionsv1beta1.JSONSchemaProps{ Description: "CIDR is a CIDR prefix / IP Block.", Type: "string", OneOf: []apiextensionsv1beta1.JSONSchemaProps{ { Type: "string", Pattern: `^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4]` + `[0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$`, }, { Type: "string", Pattern: `^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))` + `|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)` + `|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))` + `|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))` + `|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))` + `|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))` + `|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))` + `|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))` + `(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$`, }, }, } CIDRRule = apiextensionsv1beta1.JSONSchemaProps{ Description: "CIDRRule is a rule that specifies a CIDR prefix to/from which outside " + "communication is allowed, along with an optional list of subnets within that CIDR " + "prefix to/from which outside communication is not allowed.", Required: []string{ "cidr", }, Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "cidr": CIDR, "except": { Description: "ExceptCIDRs is a list of IP blocks which the endpoint subject to " + "the rule is not allowed to initiate connections to. These CIDR prefixes " + "should be contained within Cidr. These exceptions are only applied to the " + "Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any " + "other CIDRRules.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &CIDR, }, }, }, } EgressRule = apiextensionsv1beta1.JSONSchemaProps{ Description: "EgressRule contains all rule types which can be applied at egress, i.e. " + "network traffic that originates inside the endpoint and exits the endpoint " + "selected by the endpointSelector.\n\n- All members of this structure are optional. " + "If omitted or empty, the\n member will have no effect on the rule.\n\n- For now, " + "combining ToPorts and ToCIDR in the same rule is not supported\n and such rules " + "will be rejected. In the future, this will be supported and\n if if multiple " + "members of the structure are specified, then all members\n must match in order " + "for the rule to take effect.", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "toCIDR": { Description: "ToCIDR is a list of IP blocks which the endpoint subject to the " + "rule is allowed to initiate connections. This will match on the " + "destination IP address of outgoing connections. Adding a prefix into " + "ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are " + "allowed between ToCIDR and ToCIDRSet.\n\nExample: Any endpoint with the " + "label \"app=database-proxy\" is allowed to initiate connections to " + "10.2.3.0/24", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &CIDR, }, }, "toCIDRSet": { Description: "ToCIDRSet is a list of IP blocks which the endpoint subject to " + "the rule is allowed to initiate connections to in addition to connections " + "which are allowed via FromEndpoints, along with a list of subnets " + "contained within their corresponding IP block to which traffic should not " + "be allowed. This will match on the destination IP address of outgoing " + "connections. Adding a prefix into ToCIDR or into ToCIDRSet with no " + "ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and " + "ToCIDRSet.\n\nExample: Any endpoint with the label \"app=database-proxy\" " + "is allowed to initiate connections to 10.2.3.0/24 except from IPs in " + "subnet 10.2.3.0/28.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &CIDRRule, }, }, "toEntities": { Description: "ToEntities is a list of special entities to which the endpoint " + "subject to the rule is allowed to initiate connections. Supported " + "entities are `world`, `cluster` and `host`", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &apiextensionsv1beta1.JSONSchemaProps{ Type: "string", }, }, }, "toPorts": { Description: "ToPorts is a list of destination ports identified by port number " + "and protocol which the endpoint subject to the rule is allowed to connect " + "to.\n\nExample: Any endpoint with the label \"role=frontend\" is allowed " + "to initiate connections to destination port 8080/tcp", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &PortRule, }, }, "toServices": { Description: "ToServices is a list of services to which the endpoint subject " + "to the rule is allowed to initiate connections.\n\nExample: Any endpoint " + "with the label \"app=backend-app\" is allowed to initiate connections to " + "all cidrs backing the \"external-service\" service", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &Service, }, }, "toEndpoints": { Description: "ToEndpoints is a list of endpoints identified by an " + "EndpointSelector to which the endpoint subject to the rule" + "is allowed to communicate.\n\nExample: Any endpoint with the label " + "\"role=frontend\" can be consumed by any endpoint carrying the label " + "\"role=backend\".", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &EndpointSelector, }, }, "toRequires": { Description: "ToRequires is a list of additional constraints which must be " + "met in order for the selected endpoints to be able to reach other " + "endpoints. These additional constraints do not by themselves grant access " + "privileges and must always be accompanied with at least one matching " + "FromEndpoints.\n\nExample: Any Endpoint with the label \"team=A\" " + "requires any endpoint to which it communicates to also carry the label " + "\"team=A\".", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &EndpointSelector, }, }, "toGroups": { Description: `ToGroups is a list of constraints that will gather data from third-party providers and create a new derived policy.`, Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "AWS": AWSGroup, }, }, "toFQDNs": { Description: `ToFQDNs is a list of rules matching fqdns that endpoint is allowed to communicate with`, Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &FQDNRule, }, }, }, } FQDNRule = apiextensionsv1beta1.JSONSchemaProps{ Description: `FQDNRule is a rule that specifies an fully qualified domain name to which outside communication is allowed`, Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "matchName": MatchFQDNName, "matchPattern": MatchFQDNPattern, }, } MatchFQDNName = apiextensionsv1beta1.JSONSchemaProps{ Description: `MatchName matches fqdn name`, Type: "string", Pattern: fqdnNameRegex, } MatchFQDNPattern = apiextensionsv1beta1.JSONSchemaProps{ Description: `MatchPattern matches fqdn by pattern`, Type: "string", Pattern: fqdnPatternRegex, } AWSGroup = apiextensionsv1beta1.JSONSchemaProps{ Description: "", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "SecurityGroupsIds": { Description: `SecurityGroupsIds is the list of AWS security group IDs that will filter the instances IPs from the AWS API`, Type: "array", }, "SecurityGroupsNames": { Description: `SecurityGroupsNames is the list of AWS security group names that will filter the instances IPs from the AWS API`, Type: "array", }, "Region": { Description: `Region is the key that will filter the AWS EC2 instances in the given region`, Type: "string", }, }, } EndpointSelector = *LabelSelector.DeepCopy() IngressRule = apiextensionsv1beta1.JSONSchemaProps{ Description: "IngressRule contains all rule types which can be applied at ingress, " + "i.e. network traffic that originates outside of the endpoint and is entering " + "the endpoint selected by the endpointSelector.\n\n- All members of this structure " + "are optional. If omitted or empty, the\n member will have no effect on the rule." + "\n\n- If multiple members are set, all of them need to match in order for\n " + "the rule to take effect. The exception to this rule is FromRequires field;\n " + "the effects of any Requires field in any rule will apply to all other\n rules " + "as well.\n\n- For now, combining ToPorts, FromCIDR, and FromEndpoints in the same " + "rule\n is not supported and any such rules will be rejected. In the future, " + "this\n will be supported and if multiple members of this structure are specified," + "\n then all members must match in order for the rule to take effect. The\n " + "exception to this rule is the Requires field, the effects of any Requires\n " + "field in any rule will apply to all other rules as well.", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "fromCIDR": { Description: "FromCIDR is a list of IP blocks which the endpoint subject to " + "the rule is allowed to receive connections from. This will match on the " + "source IP address of incoming connections. Adding a prefix into FromCIDR " + "or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are " + "allowed between FromCIDR and FromCIDRSet.\n\nExample: Any endpoint with " + "the label \"app=my-legacy-pet\" is allowed to receive connections from " + "10.3.9.1", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &CIDR, }, }, "fromCIDRSet": { Description: "FromCIDRSet is a list of IP blocks which the endpoint subject to " + "the rule is allowed to receive connections from in addition to " + "FromEndpoints, along with a list of subnets contained within their " + "corresponding IP block from which traffic should not be allowed. This " + "will match on the source IP address of incoming connections. Adding a " + "prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is " + "equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet." + "\n\nExample: Any endpoint with the label \"app=my-legacy-pet\" is allowed " + "to receive connections from 10.0.0.0/8 except from IPs in subnet " + "10.96.0.0/12.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &CIDRRule, }, }, "fromEndpoints": { Description: "FromEndpoints is a list of endpoints identified by an " + "EndpointSelector which are allowed to communicate with the endpoint " + "subject to the rule.\n\nExample: Any endpoint with the label " + "\"role=backend\" can be consumed by any endpoint carrying the label " + "\"role=frontend\".", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &EndpointSelector, }, }, "fromEntities": { Description: "FromEntities is a list of special entities which the endpoint " + "subject to the rule is allowed to receive connections from. Supported " + "entities are `world`, `cluster`, `host`, and `init`", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &apiextensionsv1beta1.JSONSchemaProps{ Type: "string", }, }, }, "fromRequires": { Description: "FromRequires is a list of additional constraints which must be " + "met in order for the selected endpoints to be reachable. These additional " + "constraints do no by itself grant access privileges and must always be " + "accompanied with at least one matching FromEndpoints.\n\nExample: Any " + "Endpoint with the label \"team=A\" requires consuming endpoint to also " + "carry the label \"team=A\".", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &EndpointSelector, }, }, "toPorts": { Description: "ToPorts is a list of destination ports identified by port number " + "and protocol which the endpoint subject to the rule is allowed to receive " + "connections on.\n\nExample: Any endpoint with the label \"app=httpd\" can " + "only accept incoming connections on port 80/tcp.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &PortRule, }, }, }, } K8sServiceNamespace = apiextensionsv1beta1.JSONSchemaProps{ Description: "K8sServiceNamespace is an abstraction for the k8s service + namespace " + "types.", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "namespace": { Type: "string", }, "serviceName": { Type: "string", }, }, } L7Rules = apiextensionsv1beta1.JSONSchemaProps{ Description: "L7Rules is a union of port level rule types. Mixing of different port " + "level rule types is disallowed, so exactly one of the following must be set. If " + "none are specified, then no additional port level rules are applied.", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "http": { Description: "HTTP specific rules.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &PortRuleHTTP, }, }, "kafka": { Description: "Kafka-specific rules.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &PortRuleKafka, }, }, "l7proto": { Description: "Parser type name that uses Key-Value pair rules.", Type: "string", }, "l7": { Description: "Generic Key-Value pair rules.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &PortRuleL7, }, }, "dns": { Description: "DNS specific rules", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &PortRuleDNS, }, }, }, } PortRuleDNS = apiextensionsv1beta1.JSONSchemaProps{ Description: `FQDNRule is a rule that specifies an fully qualified domain name to which outside communication is allowed`, Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "matchName": MatchFQDNName, "matchPattern": MatchFQDNPattern, }, } Label = apiextensionsv1beta1.JSONSchemaProps{ Description: "Label is the cilium's representation of a container label.", Required: []string{ "key", }, Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "key": { Type: "string", }, "source": { Description: "Source can be one of the values present in const.go " + "(e.g.: LabelSourceContainer)", Type: "string", }, "value": { Type: "string", }, }, } LabelSelector = apiextensionsv1beta1.JSONSchemaProps{ Description: "A label selector is a label query over a set of resources. The result " + "of matchLabels and matchExpressions are ANDed. An empty label selector matches " + "all objects. A null label selector matches no objects.", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "matchLabels": { Description: "matchLabels is a map of {key,value} pairs. A single {key,value} " + "in the matchLabels map is equivalent to an element of matchExpressions, " + "whose key field is \"key\", the operator is \"In\", and the values array " + "contains only \"value\". The requirements are ANDed.", Type: "object", }, "matchExpressions": { Description: "matchExpressions is a list of label selector requirements. " + "The requirements are ANDed.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &LabelSelectorRequirement, }, }, }, } LabelSelectorRequirement = apiextensionsv1beta1.JSONSchemaProps{ Description: "A label selector requirement is a selector that contains values, a key, " + "and an operator that relates the key and values.", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "key": { Description: "key is the label key that the selector applies to.", Type: "string", }, "operator": { Description: "operator represents a key's relationship to a set of values. " + "Valid operators are In, NotIn, Exists and DoesNotExist.", Type: "string", Enum: []apiextensionsv1beta1.JSON{ { Raw: []byte(`"In"`), }, { Raw: []byte(`"NotIn"`), }, { Raw: []byte(`"Exists"`), }, { Raw: []byte(`"DoesNotExist"`), }, }, }, "values": { Description: "values is an array of string values. If the operator is In or " + "NotIn, the values array must be non-empty. If the operator is Exists or " + "DoesNotExist, the values array must be empty. This array is replaced " + "during a strategic merge patch.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &apiextensionsv1beta1.JSONSchemaProps{ Type: "string", }, }, }, }, Required: []string{"key", "operator"}, } PortProtocol = apiextensionsv1beta1.JSONSchemaProps{ Description: "PortProtocol specifies an L4 port with an optional transport protocol", Required: []string{ "port", }, Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "port": { Description: "Port is an L4 port number. For now the string will be strictly " + "parsed as a single uint16. In the future, this field may support ranges " + "in the form \"1024-2048", Type: "string", Pattern: `^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|` + `[1-5][0-9]{4}|[0-9]{1,4})$`, }, "protocol": { Description: `Protocol is the L4 protocol. If omitted or empty, any protocol ` + `matches. Accepted values: "TCP", "UDP", ""/"ANY"\n\nMatching on ` + `ICMP is not supported.`, Type: "string", Enum: []apiextensionsv1beta1.JSON{ { Raw: []byte(`"TCP"`), }, { Raw: []byte(`"UDP"`), }, { Raw: []byte(`"ANY"`), }, }, }, }, } PortRule = apiextensionsv1beta1.JSONSchemaProps{ Description: "PortRule is a list of ports/protocol combinations with optional Layer 7 " + "rules which must be met.", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "ports": { Description: "Ports is a list of L4 port/protocol\n\nIf omitted or empty but " + "RedirectPort is set, then all ports of the endpoint subject to either the " + "ingress or egress rule are being redirected.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &PortProtocol, }, }, "redirectPort": { Description: "RedirectPort is the L4 port which, if set, all traffic matching " + "the Ports is being redirected to. Whatever listener behind that port " + "becomes responsible to enforce the port rules and is also responsible to " + "reinject all traffic back and ensure it reaches its original destination.", Type: "integer", Format: "uint16", }, "rules": L7Rules, }, } PortRuleHTTP = apiextensionsv1beta1.JSONSchemaProps{ Description: "PortRuleHTTP is a list of HTTP protocol constraints. All fields are " + "optional, if all fields are empty or missing, the rule does not have any effect." + "\n\nAll fields of this type are extended POSIX regex as defined by " + "IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) " + "matched against the path of an incoming request. Currently it can contain " + "characters disallowed from the conventional \"path\" part of a URL as defined by " + "RFC 3986.", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "headers": { Description: "Headers is a list of HTTP headers which must be present in the " + "request. If omitted or empty, requests are allowed regardless of headers " + "present.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &apiextensionsv1beta1.JSONSchemaProps{ Type: "string", }, }, }, "host": { Description: "Host is an extended POSIX regex matched against the host header " + "of a request, e.g. \"foo.com\"\n\nIf omitted or empty, the value of the " + "host header is ignored.", Type: "string", Format: "idn-hostname", }, "method": { Description: "Method is an extended POSIX regex matched against the method of " + "a request, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ...\n\n" + "If omitted or empty, all methods are allowed.", Type: "string", }, "path": { Description: "Path is an extended POSIX regex matched against the path of a " + "request. Currently it can contain characters disallowed from the " + "conventional \"path\" part of a URL as defined by RFC 3986.\n\n" + "If omitted or empty, all paths are all allowed.", Type: "string", }, }, } PortRuleKafka = apiextensionsv1beta1.JSONSchemaProps{ Description: "PortRuleKafka is a list of Kafka protocol constraints. All fields are " + "optional, if all fields are empty or missing, the rule will match all Kafka " + "messages.", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "role": { Description: "Role is a case-insensitive string and describes a group of API keys" + "necessary to perform certain higher level Kafka operations such as" + "\"produce\" or \"consume\". An APIGroup automatically expands into all APIKeys" + "required to perform the specified higher level operation." + "The following values are supported:" + "- \"produce\": Allow producing to the topics specified in the rule" + "- \"consume\": Allow consuming from the topics specified in the rule" + "This field is incompatible with the APIKey field, either APIKey or Role" + "may be specified. If omitted or empty, the field has no effect and the " + "logic of the APIKey field applies.", Type: "string", Enum: []apiextensionsv1beta1.JSON{ { Raw: []byte(`"produce"`), }, { Raw: []byte(`"consume"`), }, }, }, "apiKey": { Description: "APIKey is a case-insensitive string matched against the key of " + "a request, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", " + "et al Reference: https://kafka.apache.org/protocol#protocol_api_keys\n\n" + "If omitted or empty, all keys are allowed.", Type: "string", }, "apiVersion": { Description: "APIVersion is the version matched against the api version of the " + "Kafka message. If set, it has to be a string representing a positive " + "integer.\n\nIf omitted or empty, all versions are allowed.", Type: "string", }, "clientID": { Description: "ClientID is the client identifier as provided in the request.\n\n" + "From Kafka protocol documentation: This is a user supplied identifier for " + "the client application. The user can use any identifier they like and it " + "will be used when logging errors, monitoring aggregates, etc. For " + "example, one might want to monitor not just the requests per second " + "overall, but the number coming from each client application (each of " + "which could reside on multiple servers). This id acts as a logical " + "grouping across all requests from a particular client.\n\nIf omitted or " + "empty, all client identifiers are allowed.", Type: "string", }, "topic": { Description: "Topic is the topic name contained in the message. If a Kafka " + "request contains multiple topics, then all topics must be allowed or the " + "message will be rejected.\n\nThis constraint is ignored if the matched " + "request message type doesn't contain any topic. Maximum size of Topic can " + "be 249 characters as per recent Kafka spec and allowed characters are " + "a-z, A-Z, 0-9, -, . and _ Older Kafka versions had longer topic lengths " + "of 255, but in Kafka 0.10 version the length was changed from 255 to 249. " + "For compatibility reasons we are using 255\n\nIf omitted or empty, all " + "topics are allowed.", Type: "string", MaxLength: getInt64(255), }, }, } PortRuleL7 = apiextensionsv1beta1.JSONSchemaProps{ Description: "PortRuleL7 is a map of {key,value} pairs which is passed to the " + "parser referenced in l7proto. It is up to the parser to define what to " + "do with the map data. If omitted or empty, all requests are allowed. " + "Both keys and values must be strings.", } Rule = apiextensionsv1beta1.JSONSchemaProps{ Description: "Rule is a policy rule which must be applied to all endpoints which match " + "the labels contained in the endpointSelector\n\nEach rule is split into an " + "ingress section which contains all rules applicable at ingress, and an egress " + "section applicable at egress. For rule types such as `L4Rule` and `CIDR` which " + "can be applied at both ingress and egress, both ingress and egress side have to " + "either specifically allow the connection or one side has to be omitted.\n\n" + "Either ingress, egress, or both can be provided. If both ingress and egress are " + "omitted, the rule has no effect.", Required: []string{ "endpointSelector", }, Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "Description": { Description: "Description is a free form string, it can be used by the creator " + "of the rule to store human readable explanation of the purpose of this " + "rule. Rules cannot be identified by comment.", Type: "string", }, "egress": { Description: "Egress is a list of EgressRule which are enforced at egress. If " + "omitted or empty, this rule does not apply at egress.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &EgressRule, }, }, "endpointSelector": EndpointSelector, "ingress": { Description: "Ingress is a list of IngressRule which are enforced at ingress. " + "If omitted or empty, this rule does not apply at ingress.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &IngressRule, }, }, "labels": { Description: "Labels is a list of optional strings which can be used to " + "re-identify the rule or to store metadata. It is possible to lookup or " + "delete strings based on labels. Labels are not required to be unique, " + "multiple rules can have overlapping or identical labels.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &Label, }, }, }, } Service = apiextensionsv1beta1.JSONSchemaProps{ Description: "Service wraps around selectors for services", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "k8sService": K8sServiceNamespace, "k8sServiceSelector": ServiceSelector, }, } ServiceSelector = apiextensionsv1beta1.JSONSchemaProps{ Description: "ServiceSelector is a label selector for k8s services", Required: []string{ "selector", }, Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "selector": EndpointSelector, "namespace": { Type: "string", }, }, } )
View Source
var SchemeGroupVersion = schema.GroupVersion{ Group: CustomResourceDefinitionGroup, Version: CustomResourceDefinitionVersion, }
SchemeGroupVersion is group version used to register these objects
Functions ¶
func CreateCustomResourceDefinitions ¶
func CreateCustomResourceDefinitions(clientset apiextensionsclient.Interface) error
CreateCustomResourceDefinitions creates our CRD objects in the kubernetes cluster
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource
Types ¶
type AddressPair ¶
AddressPair is is a par of IPv4 and/or IPv6 address +k8s:deepcopy-gen=false
type AddressPairList ¶
type AddressPairList []*AddressPair
AddressPairList is a list of address pairs +k8s:deepcopy-gen=false
func (AddressPairList) Sort ¶
func (a AddressPairList) Sort()
Sort sorts an AddressPairList by IPv4 and IPv6 address
type AllowedIdentityList ¶
type AllowedIdentityList []AllowedIdentityTuple
AllowedIdentityList is a list of AllowedIdentityTuple +k8s:deepcopy-gen=false
func (AllowedIdentityList) Sort ¶
func (a AllowedIdentityList) Sort()
Sort sorts a list AllowedIdentityTuple by numeric identity, port and protocol
type AllowedIdentityTuple ¶
type AllowedIdentityTuple struct {
Identity uint64 `json:"identity,omitempty"`
IdentityLabels map[string]string `json:"identity-labels,omitempty"`
DestPort uint16 `json:"dest-port,omitempty"`
Protocol uint8 `json:"protocol,omitempty"`
}
AllowedIdentityTuple specifies an allowed peer by identity, destination port and protocol +k8s:deepcopy-gen=false
type CiliumEndpoint ¶
type CiliumEndpoint struct {
// +k8s:openapi-gen=false
metav1.TypeMeta `json:",inline"`
// +k8s:openapi-gen=false
metav1.ObjectMeta `json:"metadata"`
Status EndpointStatus `json:"status"`
}
CiliumEndpoint is the status of a Cilium policy rule +k8s:openapi-gen=false
func (*CiliumEndpoint) DeepCopy ¶
func (in *CiliumEndpoint) DeepCopy() *CiliumEndpoint
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumEndpoint.
func (*CiliumEndpoint) DeepCopyInto ¶
func (in *CiliumEndpoint) DeepCopyInto(out *CiliumEndpoint)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CiliumEndpoint) DeepCopyObject ¶
func (in *CiliumEndpoint) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CiliumEndpointList ¶
type CiliumEndpointList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
// Items is a list of CiliumEndpoint
Items []CiliumEndpoint `json:"items"`
}
CiliumEndpointList is a list of CiliumEndpoint objects +k8s:openapi-gen=false
func (*CiliumEndpointList) DeepCopy ¶
func (in *CiliumEndpointList) DeepCopy() *CiliumEndpointList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumEndpointList.
func (*CiliumEndpointList) DeepCopyInto ¶
func (in *CiliumEndpointList) DeepCopyInto(out *CiliumEndpointList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CiliumEndpointList) DeepCopyObject ¶
func (in *CiliumEndpointList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CiliumNetworkPolicy ¶
type CiliumNetworkPolicy struct {
// +k8s:openapi-gen=false
metav1.TypeMeta `json:",inline"`
// +k8s:openapi-gen=false
metav1.ObjectMeta `json:"metadata"`
// Spec is the desired Cilium specific rule specification.
Spec *api.Rule `json:"spec,omitempty"`
// Specs is a list of desired Cilium specific rule specification.
Specs api.Rules `json:"specs,omitempty"`
// Status is the status of the Cilium policy rule
// +optional
Status CiliumNetworkPolicyStatus `json:"status"`
}
CiliumNetworkPolicy is a Kubernetes third-party resource with an extended version of NetworkPolicy
func (*CiliumNetworkPolicy) AnnotationsEquals ¶
func (r *CiliumNetworkPolicy) AnnotationsEquals(o *CiliumNetworkPolicy) bool
AnnotationsEquals returns true if ObjectMeta.Annotations of each CiliumNetworkPolicy are equivalent (i.e., they contain equivalent key-value pairs).
func (*CiliumNetworkPolicy) DeepCopy ¶
func (in *CiliumNetworkPolicy) DeepCopy() *CiliumNetworkPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNetworkPolicy.
func (*CiliumNetworkPolicy) DeepCopyInto ¶
func (in *CiliumNetworkPolicy) DeepCopyInto(out *CiliumNetworkPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CiliumNetworkPolicy) DeepCopyObject ¶
func (in *CiliumNetworkPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*CiliumNetworkPolicy) GetControllerName ¶
func (r *CiliumNetworkPolicy) GetControllerName() string
GetControllerName returns the unique name for the controller manager.
func (*CiliumNetworkPolicy) GetIdentityLabels ¶
func (r *CiliumNetworkPolicy) GetIdentityLabels() labels.LabelArray
GetIdentityLabels returns all rule labels in the CiliumNetworkPolicy.
func (*CiliumNetworkPolicy) GetPolicyStatus ¶
func (r *CiliumNetworkPolicy) GetPolicyStatus(nodeName string) CiliumNetworkPolicyNodeStatus
GetPolicyStatus returns the CiliumNetworkPolicyNodeStatus corresponding to nodeName in the provided CiliumNetworkPolicy. If Nodes within the rule's Status is nil, returns an empty CiliumNetworkPolicyNodeStatus.
func (*CiliumNetworkPolicy) Parse ¶
func (r *CiliumNetworkPolicy) Parse() (api.Rules, error)
Parse parses a CiliumNetworkPolicy and returns a list of cilium policy rules.
func (*CiliumNetworkPolicy) RequiresDerivative ¶
func (r *CiliumNetworkPolicy) RequiresDerivative() bool
RequiresDerivative return true if the CNP has any rule that will create a new derivative rule.
func (*CiliumNetworkPolicy) SetDerivedPolicyStatus ¶
func (r *CiliumNetworkPolicy) SetDerivedPolicyStatus(derivativePolicyName string, status CiliumNetworkPolicyNodeStatus)
SetDerivedPolicyStatus set the derivative policy status for the given derivative policy name.
func (*CiliumNetworkPolicy) SetPolicyStatus ¶
func (r *CiliumNetworkPolicy) SetPolicyStatus(nodeName string, cnpns CiliumNetworkPolicyNodeStatus)
SetPolicyStatus sets the given policy status for the given nodes' map
func (*CiliumNetworkPolicy) SpecEquals ¶
func (r *CiliumNetworkPolicy) SpecEquals(o *CiliumNetworkPolicy) bool
SpecEquals returns true if the spec and specs metadata is the sa
func (*CiliumNetworkPolicy) String ¶
func (r *CiliumNetworkPolicy) String() string
type CiliumNetworkPolicyList ¶
type CiliumNetworkPolicyList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata"`
// Items is a list of CiliumNetworkPolicy
Items []CiliumNetworkPolicy `json:"items"`
}
CiliumNetworkPolicyList is a list of CiliumNetworkPolicy objects +k8s:openapi-gen=false
func (*CiliumNetworkPolicyList) DeepCopy ¶
func (in *CiliumNetworkPolicyList) DeepCopy() *CiliumNetworkPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNetworkPolicyList.
func (*CiliumNetworkPolicyList) DeepCopyInto ¶
func (in *CiliumNetworkPolicyList) DeepCopyInto(out *CiliumNetworkPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CiliumNetworkPolicyList) DeepCopyObject ¶
func (in *CiliumNetworkPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CiliumNetworkPolicyNodeStatus ¶
type CiliumNetworkPolicyNodeStatus struct {
// OK is true when the policy has been parsed and imported successfully
// into the in-memory policy repository on the node.
OK bool `json:"ok,omitempty"`
// Error describes any error that occurred when parsing or importing the
// policy, or realizing the policy for the endpoints to which it applies
// on the node.
Error string `json:"error,omitempty"`
// LastUpdated contains the last time this status was updated
LastUpdated Timestamp `json:"lastUpdated,omitempty"`
// Revision is the policy revision of the repository which first implemented
// this policy.
Revision uint64 `json:"localPolicyRevision,omitempty"`
// Enforcing is set to true once all endpoints present at the time the
// policy has been imported are enforcing this policy.
Enforcing bool `json:"enforcing,omitempty"`
// Annotations corresponds to the Annotations in the ObjectMeta of the CNP
// that have been realized on the node for CNP. That is, if a CNP has been
// imported and has been assigned annotation X=Y by the user,
// Annotations in CiliumNetworkPolicyNodeStatus will be X=Y once the
// CNP that was imported corresponding to Annotation X=Y has been realized on
// the node.
Annotations map[string]string `json:"annotations,omitempty"`
}
CiliumNetworkPolicyNodeStatus is the status of a Cilium policy rule for a specific node
func (*CiliumNetworkPolicyNodeStatus) DeepCopy ¶
func (in *CiliumNetworkPolicyNodeStatus) DeepCopy() *CiliumNetworkPolicyNodeStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNetworkPolicyNodeStatus.
func (*CiliumNetworkPolicyNodeStatus) DeepCopyInto ¶
func (in *CiliumNetworkPolicyNodeStatus) DeepCopyInto(out *CiliumNetworkPolicyNodeStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CiliumNetworkPolicyStatus ¶
type CiliumNetworkPolicyStatus struct {
// Nodes is the Cilium policy status for each node
Nodes map[string]CiliumNetworkPolicyNodeStatus `json:"nodes,omitempty"`
// DerivativePolicies is the status of all policies derived from the Cilium
// policy
DerivativePolicies map[string]CiliumNetworkPolicyNodeStatus `json:"derivativePolicies,omitempty"`
}
CiliumNetworkPolicyStatus is the status of a Cilium policy rule
func (*CiliumNetworkPolicyStatus) DeepCopy ¶
func (in *CiliumNetworkPolicyStatus) DeepCopy() *CiliumNetworkPolicyStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNetworkPolicyStatus.
func (*CiliumNetworkPolicyStatus) DeepCopyInto ¶
func (in *CiliumNetworkPolicyStatus) DeepCopyInto(out *CiliumNetworkPolicyStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ControllerList ¶
type ControllerList []ControllerStatus
ControllerList is a list of ControllerStatus +k8s:deepcopy-gen=false
func (ControllerList) Sort ¶
func (c ControllerList) Sort()
Sort sorts the ControllerList by controller name
type ControllerStatus ¶
type ControllerStatus struct {
// Name is the name of the controller
Name string `json:"name,omitempty"`
// Configuration is the controller configuration
Configuration *models.ControllerStatusConfiguration `json:"configuration,omitempty"`
// Status is the status of the controller
Status ControllerStatusStatus `json:"status,omitempty"`
// UUID is the UUID of the controller
UUID string `json:"uuid,omitempty"`
}
ControllerStatus is the status of a failing controller +k8s:deepcopy-gen=false
type ControllerStatusStatus ¶
type ControllerStatusStatus struct {
ConsecutiveFailureCount int64 `json:"consecutive-failure-count,omitempty"`
FailureCount int64 `json:"failure-count,omitempty"`
LastFailureMsg string `json:"last-failure-msg,omitempty"`
LastFailureTimestamp string `json:"last-failure-timestamp,omitempty"`
LastSuccessTimestamp string `json:"last-success-timestamp,omitempty"`
SuccessCount int64 `json:"success-count,omitempty"`
}
ControllerStatusStatus is the detailed status section of a controller +k8s:deepcopy-gen=false
type DeprecatedEndpointStatus ¶
type DeprecatedEndpointStatus struct {
Controllers ControllerList `json:"controllers,omitempty"`
Identity *EndpointIdentity `json:"identity,omitempty"`
Log []*models.EndpointStatusChange `json:"log,omitempty"`
Networking *EndpointNetworking `json:"networking,omitempty"`
State string `json:"state,omitempty"`
// These fields are no longer populated
Realized *deprecatedEndpointConfigurationSpec `json:"realized,omitempty"`
Labels *deprecatedLabelConfigurationStatus `json:"labels,omitempty"`
Policy *models.EndpointPolicyStatus `json:"policy,omitempty"`
ExternalIdentifiers *models.EndpointIdentifiers `json:"external-identifiers,omitempty"`
Health *models.EndpointHealth `json:"health,omitempty"`
}
DeprecatedEndpointStatus is the original endpoint status provided for backwards compatibility.
See EndpointStatus for descriptions of fields +k8s:deepcopy-gen=false
type EndpointIdentity ¶
type EndpointIdentity struct {
// ID is the numeric identity of the endpoint
ID int64 `json:"id,omitempty"`
// Labels is the list of labels associated with the identity
Labels []string `json:"labels,omitempty"`
// Deprecated fields
LabelsSHA256 string `json:"labelsSHA256,omitempty"`
}
EndpointIdentity is the identity information of an endpoint +k8s:deepcopy-gen=false
type EndpointNetworking ¶
type EndpointNetworking struct {
// IP4/6 addresses assigned to this Endpoint
Addressing AddressPairList `json:"addressing"`
// Deprecated fields
HostAddressing *models.NodeAddressing `json:"host-addressing,omitempty"`
HostMac string `json:"host-mac,omitempty"`
InterfaceIndex int64 `json:"interface-index,omitempty"`
InterfaceName string `json:"interface-name,omitempty"`
Mac string `json:"mac,omitempty"`
}
EndpointNetworking is the addressing information of an endpoint +k8s:deepcopy-gen=false
type EndpointPolicy ¶
type EndpointPolicy struct {
Ingress *EndpointPolicyDirection `json:"ingress,omitempty"`
Egress *EndpointPolicyDirection `json:"egress,omitempty"`
}
EndpointPolicy represents the endpoint's policy by listing all allowed ingress and egress identities in combination with L4 port and protocol +k8s:deepcopy-gen=false
type EndpointPolicyDirection ¶
type EndpointPolicyDirection struct {
Enforcing bool `json:"enforcing"`
Allowed AllowedIdentityList `json:"allowed,omitempty"`
Removing AllowedIdentityList `json:"removing,omitempty"`
Adding AllowedIdentityList `json:"adding,omitempty"`
}
EndpointPolicyDirection is the list of allowed identities per direction +k8s:deepcopy-gen=false
type EndpointStatus ¶
type EndpointStatus struct {
// The cilium-agent-local ID of the endpoint
ID int64 `json:"id,omitempty"`
// Controllers is the list of failing controllers for this endpoint
Controllers ControllerList `json:"controllers,omitempty"`
// ExternalIdentifiers is a set of identifiers to identify the endpoint
// apart from the pod name. This includes container runtime IDs.
ExternalIdentifiers *models.EndpointIdentifiers `json:"external-identifiers,omitempty"`
// Summary overall endpoint & subcomponent health
Health *models.EndpointHealth `json:"health,omitempty"`
// Identity is the security identity associated with the endpoint
Identity *EndpointIdentity `json:"identity,omitempty"`
// Log is the list of the last few warning and error log entries
Log []*models.EndpointStatusChange `json:"log,omitempty"`
// Networking properties of the endpoint
Networking *EndpointNetworking `json:"networking,omitempty"`
Policy *EndpointPolicy `json:"policy,omitempty"`
// State is the state of the endpoint
//
// States are:
// - creating
// - waiting-for-identity
// - not-ready
// - waiting-to-regenerate
// - regenerating
// - restoring
// - ready
// - disconnecting
// - disconnected
State string `json:"state,omitempty"`
// Deprecated fields
Spec *deprecatedEndpointConfigurationSpec `json:"spec,omitempty"`
Status *DeprecatedEndpointStatus `json:"status,omitempty"`
}
EndpointStatus is the status of a Cilium endpoint The custom deepcopy function below is a workaround. We can generate a deepcopy for EndpointStatus but not for the various models.* types it includes. We can't generate functions for classes in other packages, nor can we change the models.Endpoint type to use proxy types we define here. +k8s:deepcopy-gen=false
func (*EndpointStatus) DeepCopyInto ¶
func (m *EndpointStatus) DeepCopyInto(out *EndpointStatus)
DeepCopyInto is an inefficient hack to allow reusing models.Endpoint in the CiliumEndpoint CRD.
func (*EndpointStatus) MarshalBinary ¶
func (m *EndpointStatus) MarshalBinary() ([]byte, error)
MarshalBinary interface implementation
func (*EndpointStatus) UnmarshalBinary ¶
func (m *EndpointStatus) UnmarshalBinary(b []byte) error
UnmarshalBinary interface implementation
type Timestamp ¶
Timestamp is a wrapper of time.Time so that we can create our own implementation of DeepCopyInto.
func NewTimestamp ¶
func NewTimestamp() Timestamp
NewTimestamp creates a new Timestamp with the current time.Now()
func (*Timestamp) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Timestamp.
func (*Timestamp) DeepCopyInto ¶
DeepCopyInto creates a deep-copy of the Time value. The underlying time.Time type is effectively immutable in the time API, so it is safe to copy-by-assign, despite the presence of (unexported) Pointer fields.
Source Files
Click to show internal directories.
Click to hide internal directories.