Affected by GO-2024-2568 and 4 other vulnerabilities

GO-2024-2568: Unencrypted ingress/health traffic when using Wireguard transparent encryption in github.com/cilium/cilium

GO-2024-2569: Unencrypted traffic between pods when using Wireguard and an external kvstore in github.com/cilium/cilium

GO-2024-2656: Unencrypted traffic between nodes with IPsec in github.com/cilium/cilium

GO-2024-2666: Insecure IPsec transparent encryption in github.com/cilium/cilium

GO-2024-3072: Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium

client

package

v1.8.0-rc2 Latest Latest Go to latest Published: May 29, 2020 License: Apache-2.0 Imports: 16 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/cilium/cilium

Documentation ¶

Index ¶

Constants
Variables
func CreateCustomResourceDefinitions(clientset apiextensionsclient.Interface) error

Constants ¶

View Source

const (
	// CustomResourceDefinitionGroup is the name of the third party resource group
	CustomResourceDefinitionGroup = k8sconst.GroupName

	// CustomResourceDefinitionVersion is the current version of the resource
	CustomResourceDefinitionVersion = "v2"

	// CustomResourceDefinitionSchemaVersion is semver-conformant version of CRD schema
	// Used to determine if CRD needs to be updated in cluster
	CustomResourceDefinitionSchemaVersion = "1.20"

	// CustomResourceDefinitionSchemaVersionKey is key to label which holds the CRD schema version
	CustomResourceDefinitionSchemaVersionKey = "io.cilium.k8s.crd.schema.version"

	// CNPKindDefinition is the kind name for Cilium Network Policy
	CNPKindDefinition = "CiliumNetworkPolicy"

	// CCNPKindDefinition is the kind name for Cilium Cluster wide Network Policy
	CCNPKindDefinition = "CiliumClusterwideNetworkPolicy"

	// CNKindDefinition is the kind name for Cilium Node
	CNKindDefinition = "CiliumNode"
)

Variables ¶

View Source

var (
	CNPCRV = apiextensionsv1beta1.CustomResourceValidation{
		OpenAPIV3Schema: &apiextensionsv1beta1.JSONSchemaProps{

			Type:       "object",
			Properties: properties,
		},
	}

	CIDR = apiextensionsv1beta1.JSONSchemaProps{
		Description: "CIDR is a CIDR prefix / IP Block.",
		Type:        "string",
		OneOf: []apiextensionsv1beta1.JSONSchemaProps{
			{

				Pattern: `^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4]` +
					`[0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$`,
			},
			{

				Pattern: `^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))` +
					`|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)` +
					`|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))` +
					`|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))` +
					`|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))` +
					`|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))` +
					`|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))` +
					`|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))` +
					`(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$`,
			},
		},
	}

	CIDRRule = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "CIDRRule is a rule that specifies a CIDR prefix to/from which outside " +
			"communication is allowed, along with an optional list of subnets within that CIDR " +
			"prefix to/from which outside communication is not allowed.",
		Required: []string{
			"cidr",
		},
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"cidr": CIDR,
			"except": {
				Description: "ExceptCIDRs is a list of IP blocks which the endpoint subject to " +
					"the rule is not allowed to initiate connections to. These CIDR prefixes " +
					"should be contained within Cidr. These exceptions are only applied to the " +
					"Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any " +
					"other CIDRRules.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &CIDR,
				},
			},
		},
	}

	EgressRule = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "EgressRule contains all rule types which can be applied at egress, i.e. " +
			"network traffic that originates inside the endpoint and exits the endpoint " +
			"selected by the endpointSelector.\n\n- All members of this structure are optional. " +
			"If omitted or empty, the\n  member will have no effect on the rule.\n\n- For now, " +
			"combining ToPorts and ToCIDR in the same rule is not supported\n  and such rules " +
			"will be rejected. In the future, this will be supported and\n  if if multiple " +
			"members of the structure are specified, then all members\n  must match in order " +
			"for the rule to take effect.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"toCIDR": {
				Description: "ToCIDR is a list of IP blocks which the endpoint subject to the " +
					"rule is allowed to initiate connections. This will match on the " +
					"destination IP address of outgoing connections. Adding a prefix into " +
					"ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are " +
					"allowed between ToCIDR and ToCIDRSet.\n\nExample: Any endpoint with the " +
					"label \"app=database-proxy\" is allowed to initiate connections to " +
					"10.2.3.0/24",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &CIDR,
				},
			},
			"toCIDRSet": {
				Description: "ToCIDRSet is a list of IP blocks which the endpoint subject to " +
					"the rule is allowed to initiate connections to in addition to connections " +
					"which are allowed via FromEndpoints, along with a list of subnets " +
					"contained within their corresponding IP block to which traffic should not " +
					"be allowed. This will match on the destination IP address of outgoing " +
					"connections. Adding a prefix into ToCIDR or into ToCIDRSet with no " +
					"ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and " +
					"ToCIDRSet.\n\nExample: Any endpoint with the label \"app=database-proxy\" " +
					"is allowed to initiate connections to 10.2.3.0/24 except from IPs in " +
					"subnet 10.2.3.0/28.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &CIDRRule,
				},
			},
			"toEntities": {
				Description: "ToEntities is a list of special entities to which the endpoint " +
					"subject to the rule is allowed to initiate connections. Supported " +
					"entities are `world`, `cluster` and `host`",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type: "string",
					},
				},
			},
			"toPorts": {
				Description: "ToPorts is a list of destination ports identified by port number " +
					"and protocol which the endpoint subject to the rule is allowed to connect " +
					"to.\n\nExample: Any endpoint with the label \"role=frontend\" is allowed " +
					"to initiate connections to destination port 8080/tcp",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortRule,
				},
			},
			"toServices": {
				Description: "ToServices is a list of services to which the endpoint subject " +
					"to the rule is allowed to initiate connections.\n\nExample: Any endpoint " +
					"with the label \"app=backend-app\" is allowed to initiate connections to " +
					"all cidrs backing the \"external-service\" service",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &Service,
				},
			},
			"toEndpoints": {
				Description: "ToEndpoints is a list of endpoints identified by an " +
					"EndpointSelector to which the endpoint subject to the rule" +
					"is allowed to communicate.\n\nExample: Any endpoint with the label " +
					"\"role=frontend\" can be consumed by any endpoint carrying the label " +
					"\"role=backend\".",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &EndpointSelector,
				},
			},
			"toRequires": {
				Description: "ToRequires is a list of additional constraints which must be " +
					"met in order for the selected endpoints to be able to reach other " +
					"endpoints. These additional constraints do not by themselves grant access " +
					"privileges and must always be accompanied with at least one matching " +
					"FromEndpoints.\n\nExample: Any Endpoint with the label \"team=A\" " +
					"requires any endpoint to which it communicates to also carry the label " +
					"\"team=A\".",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &EndpointSelector,
				},
			},
			"toGroups": {
				Type: "object",
				Description: `ToGroups is a list of constraints that will
				gather data from third-party providers and create a new
				derived policy.`,
				Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
					"aws": AWSGroup,
				},
			},
			"toFQDNs": {
				Description: `ToFQDNs is a list of rules matching fqdns that endpoint
				is allowed to communicate with`,
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &FQDNRule,
				},
			},
		},
	}

	FQDNRule = apiextensionsv1beta1.JSONSchemaProps{
		Type:        "object",
		Description: `FQDNRule is a rule that specifies an fully qualified domain name to which outside communication is allowed`,
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"matchName":    MatchFQDNName,
			"matchPattern": MatchFQDNPattern,
		},
	}

	MatchFQDNName = apiextensionsv1beta1.JSONSchemaProps{
		Description: `MatchName matches fqdn name`,
		Type:        "string",
		Pattern:     fqdnNameRegex,
	}

	MatchFQDNPattern = apiextensionsv1beta1.JSONSchemaProps{
		Description: `MatchPattern matches fqdn by pattern`,
		Type:        "string",
		Pattern:     fqdnPatternRegex,
	}

	AWSGroup = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"securityGroupsIds": {
				Description: `SecurityGroupsIds is the list of AWS security
				group IDs that will filter the instances IPs from the AWS API`,
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type: "string",
					},
				},
			},
			"securityGroupsNames": {
				Description: `SecurityGroupsNames is the list of  AWS security
				group names that will filter the instances IPs from the AWS API`,
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type: "string",
					},
				},
			},
			"region": {
				Description: `Region is the key that will filter the AWS EC2
				instances in the given region`,
				Type: "string",
			},
		},
	}

	EndpointSelector = *LabelSelector.DeepCopy()
	NodeSelector     = *LabelSelector.DeepCopy()

	IngressRule = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "IngressRule contains all rule types which can be applied at ingress, " +
			"i.e. network traffic that originates outside of the endpoint and is entering " +
			"the endpoint selected by the endpointSelector.\n\n- All members of this structure " +
			"are optional. If omitted or empty, the\n  member will have no effect on the rule." +
			"\n\n- If multiple members are set, all of them need to match in order for\n  " +
			"the rule to take effect. The exception to this rule is FromRequires field;\n  " +
			"the effects of any Requires field in any rule will apply to all other\n  rules " +
			"as well.\n\n- For now, combining ToPorts, FromCIDR, and FromEndpoints in the same " +
			"rule\n  is not supported and any such rules will be rejected. In the future, " +
			"this\n  will be supported and if multiple members of this structure are specified," +
			"\n then all members must match in order for the rule to take effect. The\n  " +
			"exception to this rule is the Requires field, the effects of any Requires\n  " +
			"field in any rule will apply to all other rules as well.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"fromCIDR": {
				Description: "FromCIDR is a list of IP blocks which the endpoint subject to " +
					"the rule is allowed to receive connections from. This will match on the " +
					"source IP address of incoming connections. Adding  a prefix into FromCIDR " +
					"or into FromCIDRSet with no ExcludeCIDRs is  equivalent. Overlaps are " +
					"allowed between FromCIDR and FromCIDRSet.\n\nExample: Any endpoint with " +
					"the label \"app=my-legacy-pet\" is allowed to receive connections from " +
					"10.3.9.1",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &CIDR,
				},
			},
			"fromCIDRSet": {
				Description: "FromCIDRSet is a list of IP blocks which the endpoint subject to " +
					"the rule is allowed to receive connections from in addition to " +
					"FromEndpoints, along with a list of subnets contained within their " +
					"corresponding IP block from which traffic should not be allowed. This " +
					"will match on the source IP address of incoming connections. Adding a " +
					"prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is " +
					"equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet." +
					"\n\nExample: Any endpoint with the label \"app=my-legacy-pet\" is allowed " +
					"to receive connections from 10.0.0.0/8 except from IPs in subnet " +
					"10.96.0.0/12.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &CIDRRule,
				},
			},
			"fromEndpoints": {
				Description: "FromEndpoints is a list of endpoints identified by an " +
					"EndpointSelector which are allowed to communicate with the endpoint " +
					"subject to the rule.\n\nExample: Any endpoint with the label " +
					"\"role=backend\" can be consumed by any endpoint carrying the label " +
					"\"role=frontend\".",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &EndpointSelector,
				},
			},
			"fromEntities": {
				Description: "FromEntities is a list of special entities which the endpoint " +
					"subject to the rule is allowed to receive connections from. Supported " +
					"entities are `world`, `cluster`, `host`, and `init`",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type: "string",
					},
				},
			},
			"fromRequires": {
				Description: "FromRequires is a list of additional constraints which must be " +
					"met in order for the selected endpoints to be reachable. These additional " +
					"constraints do no by itself grant access privileges and must always be " +
					"accompanied with at least one matching FromEndpoints.\n\nExample: Any " +
					"Endpoint with the label \"team=A\" requires consuming endpoint to also " +
					"carry the label \"team=A\".",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &EndpointSelector,
				},
			},
			"toPorts": {
				Description: "ToPorts is a list of destination ports identified by port number " +
					"and protocol which the endpoint subject to the rule is allowed to receive " +
					"connections on.\n\nExample: Any endpoint with the label \"app=httpd\" can " +
					"only accept incoming connections on port 80/tcp.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortRule,
				},
			},
		},
	}

	K8sServiceNamespace = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "K8sServiceNamespace is an abstraction for the k8s service + namespace " +
			"types.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"namespace": {
				Type: "string",
			},
			"serviceName": {
				Type: "string",
			},
		},
	}

	L7Rules = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "L7Rules is a union of port level rule types. Mixing of different port " +
			"level rule types is disallowed, so exactly one of the following must be set. If " +
			"none are specified, then no additional port level rules are applied.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"http": {
				Description: "HTTP specific rules.",
				Type:        "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortRuleHTTP,
				},
			},
			"kafka": {
				Description: "Kafka-specific rules.",
				Type:        "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortRuleKafka,
				},
			},
			"l7proto": {
				Description: "Parser type name that uses Key-Value pair rules.",
				Type:        "string",
			},
			"l7": {
				Description: "Generic Key-Value pair rules.",
				Type:        "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortRuleL7,
				},
			},
			"dns": {
				Description: "DNS specific rules",
				Type:        "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortRuleDNS,
				},
			},
		},
	}

	PortRuleDNS = apiextensionsv1beta1.JSONSchemaProps{
		Type:        "object",
		Description: `FQDNRule is a rule that specifies an fully qualified domain name to which outside communication is allowed`,
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"matchName":    MatchFQDNName,
			"matchPattern": MatchFQDNPattern,
		},
	}

	Label = apiextensionsv1beta1.JSONSchemaProps{
		Type:        "object",
		Description: "Label is the cilium's representation of a container label.",
		Required: []string{
			"key",
		},
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"key": {
				Type: "string",
			},
			"source": {
				Description: "Source can be one of the values present in const.go " +
					"(e.g.: LabelSourceContainer)",
				Type: "string",
			},
			"value": {
				Type: "string",
			},
		},
	}

	LabelSelector = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "A label selector is a label query over a set of resources. The result " +
			"of matchLabels and matchExpressions are ANDed. An empty label selector matches " +
			"all objects. A null label selector matches no objects.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"matchLabels": {
				Description: "matchLabels is a map of {key,value} pairs. A single {key,value} " +
					"in the matchLabels map is equivalent to an element of matchExpressions, " +
					"whose key field is \"key\", the operator is \"In\", and the values array " +
					"contains only \"value\". The requirements are ANDed.",
				Type: "object",
			},
			"matchExpressions": {
				Description: "matchExpressions is a list of label selector requirements. " +
					"The requirements are ANDed.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &LabelSelectorRequirement,
				},
			},
		},
	}

	LabelSelectorRequirement = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "A label selector requirement is a selector that contains values, a key, " +
			"and an operator that relates the key and values.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"key": {
				Description: "key is the label key that the selector applies to.",
				Type:        "string",
			},
			"operator": {
				Description: "operator represents a key's relationship to a set of values. " +
					"Valid operators are In, NotIn, Exists and DoesNotExist.",
				Type: "string",
				Enum: []apiextensionsv1beta1.JSON{
					{
						Raw: []byte(`"In"`),
					},
					{
						Raw: []byte(`"NotIn"`),
					},
					{
						Raw: []byte(`"Exists"`),
					},
					{
						Raw: []byte(`"DoesNotExist"`),
					},
				},
			},
			"values": {
				Description: "values is an array of string values. If the operator is In or " +
					"NotIn, the values array must be non-empty. If the operator is Exists or " +
					"DoesNotExist, the values array must be empty. This array is replaced " +
					"during a strategic merge patch.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type: "string",
					},
				},
			},
		},
		Required: []string{"key", "operator"},
	}

	PortProtocol = apiextensionsv1beta1.JSONSchemaProps{
		Type:        "object",
		Description: "PortProtocol specifies an L4 port with an optional transport protocol",
		Required: []string{
			"port",
		},
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"port": {
				Description: "Port is an L4 port number or a port name. For now the string will be strictly " +
					"parsed as a single uint16 or a valid port name, which consists of at most 15 alphanumeric " +
					"characters of which at least one is not a number, as well as non-consecutive dashes " +
					"('-') except for in the beginning or the end. In the future, this field may support ranges " +
					"in the form \"1024-2048",
				Type: "string",

				Pattern: `^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|` +
					`[1-5][0-9]{4}|[0-9]{1,4}|` +
					`([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*)$`,
			},
			"protocol": {
				Description: `Protocol is the L4 protocol. If omitted or empty, any protocol ` +
					`matches. Accepted values: "TCP", "UDP", ""/"ANY"\n\nMatching on ` +
					`ICMP is not supported.`,
				Type: "string",
				Enum: []apiextensionsv1beta1.JSON{
					{
						Raw: []byte(`"TCP"`),
					},
					{
						Raw: []byte(`"UDP"`),
					},
					{
						Raw: []byte(`"ANY"`),
					},
				},
			},
		},
	}

	Secret = map[string]apiextensionsv1beta1.JSONSchemaProps{
		"namespace": {
			Description: "Namespace is the namespace in which the secret exists. If " +
				"namespace is omitted, the namespace of the enclosing rule is assumed, " +
				"or \"\", if none applies.",
			Type: "string",
		},
		"name": {
			Description: "Name is the name of the secret.",
			Type:        "string",
		},
	}

	TLSContext = map[string]apiextensionsv1beta1.JSONSchemaProps{
		"secret": {
			Description: "Secret contains the certificates and private key for the TLS context.",
			Type:        "object",
			Properties:  Secret,
			Required: []string{
				"name",
			},
		},
		"certificate": {
			Description: "Certificate is the file name or secret item name for the certificate chain. " +
				"If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist." +
				"If specified for an originating TLS context, then this is used as a " +
				"client certificate.",
			Type: "string",
		},
		"privateKey": {
			Description: "PrivateKey is the file name or secret item name for the private key matching " +
				"the certificate chain. If omitted, 'tls.key' is assumed, if it exists. " +
				"If given, the item must exist.",
			Type: "string",
		},
		"trustedCA": {
			Description: "TrustedCA is the file name or secret item name for the trusted CA used to verify " +
				"the certificate of the remote party. If specified for a terminating " +
				"TLS context, then a client certificate is required. " +
				"If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist.",
			Type: "string",
		},
	}

	PortRule = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "PortRule is a list of ports/protocol combinations with optional Layer 7 " +
			"rules which must be met.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"ports": {
				Description: "Ports is a list of L4 port/protocol.",
				Type:        "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortProtocol,
				},
			},
			"terminatingTLS": {
				Description: "TerminatingTLS is the TLS context for the connection terminated by " +
					"the L7 proxy.  For egress policy this specifies the server-side TLS " +
					"parameters to be applied on the connections originated from the local " +
					"POD and terminated by the L7 proxy. For ingress policy this specifies " +
					"the server-side TLS parameters to be applied on the connections " +
					"originated from a remote source and terminated by the L7 proxy.",
				Type:       "object",
				Properties: TLSContext,
				Required: []string{
					"secret",
				},
			},
			"originatingTLS": {
				Description: "OriginatingTLS is the TLS context for the connections originated by " +
					"the L7 proxy.  For egress policy this specifies the client-side TLS " +
					"parameters for the upstream connection originating from the L7 proxy " +
					"to the remote destination. For ingress policy this specifies the " +
					"client-side TLS parameters for the connection from the L7 proxy to " +
					"the local POD.",
				Type:       "object",
				Properties: TLSContext,
				Required: []string{
					"secret",
				},
			},
			"rules": L7Rules,
		},
	}

	HeaderMatch = map[string]apiextensionsv1beta1.JSONSchemaProps{
		"mismatch": {
			Description: "Mismatch identifies what to do in case there is no match. The " +
				"default is to drop the request. Otherwise the overall rule is still " +
				"considered as matching, but the mismatches are logged in the access log.",
			Type: "string",
			Enum: []apiextensionsv1beta1.JSON{
				{
					Raw: []byte(`"LOG"`),
				},
				{
					Raw: []byte(`"ADD"`),
				},
				{
					Raw: []byte(`"DELETE"`),
				},
				{
					Raw: []byte(`"REPLACE"`),
				},
			},
		},
		"name": {
			Description: "Name identifies the header.",
			Type:        "string",
		},
		"secret": {
			Description: "Secret refers to a secret that contains the value that must be present in the request.",
			Type:        "object",
			Properties:  Secret,
			Required: []string{
				"name",
			},
		},
		"value": {
			Description: "Value contains the header value that must be present in the request. If both Secret " +
				"and Value are specified, " +
				"the Secret takes precedence, if it exists; i.e., the Value will only be used if " +
				"the Secret cannot be found or accessed.",
			Type: "string",
		},
	}

	PortRuleHTTP = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "PortRuleHTTP is a list of HTTP protocol constraints. All fields are " +
			"optional, if all fields are empty or missing, the rule does not have any effect." +
			"\n\nAll fields of this type are extended POSIX regex as defined by " +
			"IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) " +
			"matched against the path of an incoming request. Currently it can contain " +
			"characters disallowed from the conventional \"path\" part of a URL as defined by " +
			"RFC 3986.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"headerMatches": {
				Description: "HeaderMatches is a list of HTTP headers which must be present and match " +
					"against the given or referenced values or expressions. If omitted or empty, " +
					"requests are allowed regardless of headers present.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type:       "object",
						Properties: HeaderMatch,
						Required: []string{
							"name",
						},
					},
				},
			},
			"headers": {
				Description: "Headers is a list of HTTP headers which must be present in the " +
					"request. If omitted or empty, requests are allowed regardless of headers " +
					"present.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type: "string",
					},
				},
			},
			"host": {
				Description: "Host is an extended POSIX regex matched against the host header " +
					"of a request, e.g. \"foo.com\"\n\nIf omitted or empty, the value of the " +
					"host header is ignored.",
				Type:   "string",
				Format: "idn-hostname",
			},
			"method": {
				Description: "Method is an extended POSIX regex matched against the method of " +
					"a request, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ...\n\n" +
					"If omitted or empty, all methods are allowed.",
				Type: "string",
			},
			"path": {
				Description: "Path is an extended POSIX regex matched against the path of a " +
					"request. Currently it can contain characters disallowed from the " +
					"conventional \"path\" part of a URL as defined by RFC 3986.\n\n" +
					"If omitted or empty, all paths are all allowed.",
				Type: "string",
			},
		},
	}

	PortRuleKafka = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "PortRuleKafka is a list of Kafka protocol constraints. All fields are " +
			"optional, if all fields are empty or missing, the rule will match all Kafka " +
			"messages.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"role": {
				Description: "Role is a case-insensitive string and describes a group of API keys" +
					"necessary to perform certain higher level Kafka operations such as" +
					"\"produce\" or \"consume\". An APIGroup automatically expands into all APIKeys" +
					"required to perform the specified higher level operation." +
					"The following values are supported:" +
					"- \"produce\": Allow producing to the topics specified in the rule" +
					"- \"consume\": Allow consuming from the topics specified in the rule" +
					"This field is incompatible with the APIKey field, either APIKey or Role" +
					"may be specified. If omitted or empty, the field has no effect and the " +
					"logic of the APIKey field applies.",
				Type: "string",
				Enum: []apiextensionsv1beta1.JSON{
					{
						Raw: []byte(`"produce"`),
					},
					{
						Raw: []byte(`"consume"`),
					},
				},
			},
			"apiKey": {
				Description: "APIKey is a case-insensitive string matched against the key of " +
					"a request, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", " +
					"et al Reference: https://kafka.apache.org/protocol#protocol_api_keys\n\n" +
					"If omitted or empty, all keys are allowed.",
				Type: "string",
			},
			"apiVersion": {
				Description: "APIVersion is the version matched against the api version of the " +
					"Kafka message. If set, it has to be a string representing a positive " +
					"integer.\n\nIf omitted or empty, all versions are allowed.",
				Type: "string",
			},
			"clientID": {
				Description: "ClientID is the client identifier as provided in the request.\n\n" +
					"From Kafka protocol documentation: This is a user supplied identifier for " +
					"the client application. The user can use any identifier they like and it " +
					"will be used when logging errors, monitoring aggregates, etc. For " +
					"example, one might want to monitor not just the requests per second " +
					"overall, but the number coming from each client application (each of " +
					"which could reside on multiple servers). This id acts as a logical " +
					"grouping across all requests from a particular client.\n\nIf omitted or " +
					"empty, all client identifiers are allowed.",
				Type: "string",
			},
			"topic": {
				Description: "Topic is the topic name contained in the message. If a Kafka " +
					"request contains multiple topics, then all topics must be allowed or the " +
					"message will be rejected.\n\nThis constraint is ignored if the matched " +
					"request message type doesn't contain any topic. Maximum size of Topic can " +
					"be 249 characters as per recent Kafka spec and allowed characters are " +
					"a-z, A-Z, 0-9, -, . and _ Older Kafka versions had longer topic lengths " +
					"of 255, but in Kafka 0.10 version the length was changed from 255 to 249. " +
					"For compatibility reasons we are using 255\n\nIf omitted or empty, all " +
					"topics are allowed.",
				Type:      "string",
				MaxLength: getInt64(255),
			},
		},
	}

	PortRuleL7 = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "PortRuleL7 is a map of {key,value} pairs which is passed to the " +
			"parser referenced in l7proto. It is up to the parser to define what to " +
			"do with the map data. If omitted or empty, all requests are allowed. " +
			"Both keys and values must be strings.",
	}

	Rule = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "Rule is a policy rule which must be applied to all endpoints which match " +
			"the labels contained in the endpointSelector or all nodes which match the labels " +
			"contained in the nodeSelector.\n\nEach rule is split into an ingress section " +
			"which contains all rules applicable at ingress, and an egress section applicable " +
			"at egress. For rule types such as `L4Rule` and `CIDR` which can be applied at both " +
			"ingress and egress, both ingress and egress side have to either specifically allow " +
			"the connection or one side has to be omitted.\n\nEither ingress, egress, or both " +
			"can be provided. If both ingress and egress are omitted, the rule has no effect.",
		Required: []string{"endpointSelector"},
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"Description": {
				Description: "Description is a free form string, it can be used by the creator " +
					"of the rule to store human readable explanation of the purpose of this " +
					"rule. Rules cannot be identified by comment.",
				Type: "string",
			},
			"egress": {
				Description: "Egress is a list of EgressRule which are enforced at egress. If " +
					"omitted or empty, this rule does not apply at egress.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &EgressRule,
				},
			},
			"endpointSelector": EndpointSelector,
			"ingress": {
				Description: "Ingress is a list of IngressRule which are enforced at ingress. " +
					"If omitted or empty, this rule does not apply at ingress.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &IngressRule,
				},
			},
			"labels": {
				Description: "Labels is a list of optional strings which can be used to " +
					"re-identify the rule or to store metadata. It is possible to lookup or " +
					"delete strings based on labels. Labels are not required to be unique, " +
					"multiple rules can have overlapping or identical labels.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &Label,
				},
			},
		},
	}

	Service = apiextensionsv1beta1.JSONSchemaProps{
		Type:        "object",
		Description: "Service wraps around selectors for services",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"k8sService":         K8sServiceNamespace,
			"k8sServiceSelector": ServiceSelector,
		},
	}

	ServiceSelector = apiextensionsv1beta1.JSONSchemaProps{
		Type:        "object",
		Description: "ServiceSelector is a label selector for k8s services",
		Required: []string{
			"selector",
		},
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"selector": EndpointSelector,
			"namespace": {
				Type: "string",
			},
		},
	}
)

View Source

var SchemeGroupVersion = schema.GroupVersion{
	Group:   CustomResourceDefinitionGroup,
	Version: CustomResourceDefinitionVersion,
}

SchemeGroupVersion is group version used to register these objects

Functions ¶

func CreateCustomResourceDefinitions ¶

func CreateCustomResourceDefinitions(clientset apiextensionsclient.Interface) error

CreateCustomResourceDefinitions creates our CRD objects in the kubernetes cluster

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL

client

Documentation ¶

Index ¶

Constants ¶

Variables ¶

Functions ¶

func CreateCustomResourceDefinitions ¶

Types ¶

Source Files ¶