Documentation ¶
Overview ¶
Package policy is a generated protocol buffer package.
Package policy defines the data model for Kubernetes Network Policy.
It is generated from these files:
policy.proto
It has these top-level messages:
Policy
Index ¶
- Constants
- Variables
- func Key(name string, namespace string) string
- func KeyPrefix() string
- func ParsePolicyFromKey(key string) (policy string, namespace string, err error)
- type ID
- type Policy
- func (*Policy) Descriptor() ([]byte, []int)
- func (m *Policy) GetEgressRule() []*Policy_EgressRule
- func (m *Policy) GetIngressRule() []*Policy_IngressRule
- func (m *Policy) GetLabel() []*Policy_Label
- func (m *Policy) GetName() string
- func (m *Policy) GetNamespace() string
- func (m *Policy) GetPods() *Policy_LabelSelector
- func (m *Policy) GetPolicyType() Policy_PolicyType
- func (*Policy) ProtoMessage()
- func (m *Policy) Reset()
- func (m *Policy) String() string
- type Policy_EgressRule
- type Policy_IngressRule
- type Policy_Label
- type Policy_LabelSelector
- func (*Policy_LabelSelector) Descriptor() ([]byte, []int)
- func (m *Policy_LabelSelector) GetMatchExpression() []*Policy_LabelSelector_LabelExpression
- func (m *Policy_LabelSelector) GetMatchLabel() []*Policy_Label
- func (*Policy_LabelSelector) ProtoMessage()
- func (m *Policy_LabelSelector) Reset()
- func (m *Policy_LabelSelector) String() string
- type Policy_LabelSelector_LabelExpression
- func (*Policy_LabelSelector_LabelExpression) Descriptor() ([]byte, []int)
- func (m *Policy_LabelSelector_LabelExpression) GetKey() string
- func (m *Policy_LabelSelector_LabelExpression) GetOperator() Policy_LabelSelector_LabelExpression_Operator
- func (m *Policy_LabelSelector_LabelExpression) GetValue() []string
- func (*Policy_LabelSelector_LabelExpression) ProtoMessage()
- func (m *Policy_LabelSelector_LabelExpression) Reset()
- func (m *Policy_LabelSelector_LabelExpression) String() string
- type Policy_LabelSelector_LabelExpression_Operator
- type Policy_Peer
- func (*Policy_Peer) Descriptor() ([]byte, []int)
- func (m *Policy_Peer) GetIpBlock() *Policy_Peer_IPBlock
- func (m *Policy_Peer) GetNamespaces() *Policy_LabelSelector
- func (m *Policy_Peer) GetPods() *Policy_LabelSelector
- func (*Policy_Peer) ProtoMessage()
- func (m *Policy_Peer) Reset()
- func (m *Policy_Peer) String() string
- type Policy_Peer_IPBlock
- type Policy_PolicyType
- type Policy_Port
- type Policy_Port_PortNameOrNumber
- func (*Policy_Port_PortNameOrNumber) Descriptor() ([]byte, []int)
- func (m *Policy_Port_PortNameOrNumber) GetName() string
- func (m *Policy_Port_PortNameOrNumber) GetNumber() int32
- func (m *Policy_Port_PortNameOrNumber) GetType() Policy_Port_PortNameOrNumber_Type
- func (*Policy_Port_PortNameOrNumber) ProtoMessage()
- func (m *Policy_Port_PortNameOrNumber) Reset()
- func (m *Policy_Port_PortNameOrNumber) String() string
- type Policy_Port_PortNameOrNumber_Type
- type Policy_Port_Protocol
Constants ¶
// PolicyKeyword is the keyword that identifies Network policy data.
const PolicyKeyword = "policy"
Variables ¶
// Lookup tables between enum numbers and enum names for the enums of the
// policy model. Each *_name map goes from number to name and each *_value map
// from name to number.
//
// A lookup of a name that is absent from a *_value map yields 0, which is
// also the number of the first value of every enum below (IN, DEFAULT,
// NUMBER, TCP). Use the two-result form (v, ok := m[name]) when the name
// comes from untrusted input, so that an unknown name is not taken for the
// first enum value.
var (
	// Label expression operators, number to name.
	Policy_LabelSelector_LabelExpression_Operator_name = map[int32]string{
		0: "IN",
		1: "NOT_IN",
		2: "EXISTS",
		3: "DOES_NOT_EXIST",
	}

	// Label expression operators, name to number.
	Policy_LabelSelector_LabelExpression_Operator_value = map[string]int32{
		"IN":             0,
		"NOT_IN":         1,
		"EXISTS":         2,
		"DOES_NOT_EXIST": 3,
	}

	// Policy types, number to name.
	Policy_PolicyType_name = map[int32]string{
		0: "DEFAULT",
		1: "INGRESS",
		2: "EGRESS",
		3: "INGRESS_AND_EGRESS",
	}

	// Policy types, name to number.
	Policy_PolicyType_value = map[string]int32{
		"DEFAULT":            0,
		"INGRESS":            1,
		"EGRESS":             2,
		"INGRESS_AND_EGRESS": 3,
	}

	// Port reference types, number to name.
	Policy_Port_PortNameOrNumber_Type_name = map[int32]string{
		0: "NUMBER",
		1: "NAME",
	}

	// Port reference types, name to number.
	Policy_Port_PortNameOrNumber_Type_value = map[string]int32{
		"NUMBER": 0,
		"NAME":   1,
	}

	// Port protocols, number to name.
	Policy_Port_Protocol_name = map[int32]string{
		0: "TCP",
		1: "UDP",
	}

	// Port protocols, name to number.
	Policy_Port_Protocol_value = map[string]int32{
		"TCP": 0,
		"UDP": 1,
	}
)
Functions ¶
Types ¶
type Policy ¶
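// Policy describes what network traffic is allowed for a set of Pods.
//
// The declaration is laid out one field per line so that the field comments
// no longer run into the fields that follow them.
type Policy struct {
	// Name of the policy unique within the namespace.
	// Cannot be updated.
	Name string `protobuf:"bytes,1,opt,name=name" json:"name,omitempty"`
	// Namespace the policy is inserted into.
	// An empty namespace is equivalent to the "default" namespace, but "default"
	// is the canonical representation used in the key for a key-value store.
	// Cannot be updated.
	Namespace string `protobuf:"bytes,2,opt,name=namespace" json:"namespace,omitempty"`
	// A list of labels attached to this policy.
	// +optional
	Label []*Policy_Label `protobuf:"bytes,3,rep,name=label" json:"label,omitempty"`
	// Pods to which this policy applies. The array of ingress rules is applied
	// to all pods selected by this field. Multiple network policies can select
	// the same set of pods. In such case, the ingress rules for each are combined
	// additively.
	// This field is NOT optional and follows standard label selector semantics.
	// An empty selector matches all pods in this namespace.
	// NOTE(review): the label selector documentation states that a null
	// selector matches no objects while an empty one matches all; how a nil
	// Pods pointer is treated by consumers is not visible here - confirm.
	Pods *Policy_LabelSelector `protobuf:"bytes,4,opt,name=pods" json:"pods,omitempty"`
	// PolicyType selects the rule types (ingress, egress or both) that this
	// policy relates to. The zero value is DEFAULT.
	PolicyType Policy_PolicyType `protobuf:"varint,5,opt,name=policy_type,json=policyType,enum=policy.Policy_PolicyType" json:"policy_type,omitempty"`
	// List of ingress rules applied to the selected pods.
	// Traffic is allowed to a pod if there are no network policies selecting the pod
	// OR if the traffic source is the pod's local node,
	// OR if the traffic matches at least one ingress rule across all of the network
	// policies applied to the pod.
	// If there are no ingress rules then this network policy does not allow
	// any traffic (and serves solely to ensure that the selected pods are isolated
	// by default).
	// +optional
	IngressRule []*Policy_IngressRule `protobuf:"bytes,6,rep,name=ingress_rule,json=ingressRule" json:"ingress_rule,omitempty"`
	// List of egress rules to be applied to the selected pods.
	// Outgoing traffic is allowed if there are no network policies selecting
	// the pod OR if the traffic matches at least one egress rule across
	// all of the network policies applied to the pod.
	// If there are no egress rules then this network policy does not allow
	// any outgoing traffic (and serves solely to ensure that the selected pods
	// are isolated by default).
	// This field is beta-level in Kubernetes 1.8.
	// +optional
	EgressRule []*Policy_EgressRule `protobuf:"bytes,7,rep,name=egress_rule,json=egressRule" json:"egress_rule,omitempty"`
}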
Policy describes what network traffic is allowed for a set of Pods.
func (*Policy) Descriptor ¶
func (*Policy) GetEgressRule ¶
func (m *Policy) GetEgressRule() []*Policy_EgressRule
func (*Policy) GetIngressRule ¶
func (m *Policy) GetIngressRule() []*Policy_IngressRule
func (*Policy) GetLabel ¶
func (m *Policy) GetLabel() []*Policy_Label
func (*Policy) GetNamespace ¶
func (*Policy) GetPods ¶
func (m *Policy) GetPods() *Policy_LabelSelector
func (*Policy) GetPolicyType ¶
func (m *Policy) GetPolicyType() Policy_PolicyType
func (*Policy) ProtoMessage ¶
func (*Policy) ProtoMessage()
type Policy_EgressRule ¶
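// Policy_EgressRule matches outgoing traffic if and only if the traffic
// matches both Port AND To.
//
// By the field rules below, an empty or null list matches everything, so a
// rule that sets neither Port nor To matches all outgoing traffic of the
// selected pods.
type Policy_EgressRule struct {
	// List of destination ports for outgoing traffic.
	// Each item in this list is combined using a logical OR.
	// If the array is empty or null, then this egress rule matches all ports
	// (traffic not restricted by port).
	// If the array is non-empty, then this egress rule allows traffic
	// only if the traffic matches at least one port in the list.
	// +optional
	Port []*Policy_Port `protobuf:"bytes,1,rep,name=port" json:"port,omitempty"`
	// List of destinations for outgoing traffic of pods selected for this policy.
	// Items in this list are combined using a logical OR operation.
	// If the array is empty or null, this egress rule matches all destinations
	// (traffic not restricted by destination).
	// If the array is non-empty, then this egress rule allows traffic only
	// if the traffic matches at least one item in the to list.
	// +optional
	To []*Policy_Peer `protobuf:"bytes,2,rep,name=to" json:"to,omitempty"`
}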
Egress rule matches traffic if and only if the traffic matches both port-s AND to. This field is beta-level in Kubernetes 1.8.
func (*Policy_EgressRule) Descriptor ¶
func (*Policy_EgressRule) Descriptor() ([]byte, []int)
func (*Policy_EgressRule) GetPort ¶
func (m *Policy_EgressRule) GetPort() []*Policy_Port
func (*Policy_EgressRule) GetTo ¶
func (m *Policy_EgressRule) GetTo() []*Policy_Peer
func (*Policy_EgressRule) ProtoMessage ¶
func (*Policy_EgressRule) ProtoMessage()
func (*Policy_EgressRule) Reset ¶
func (m *Policy_EgressRule) Reset()
func (*Policy_EgressRule) String ¶
func (m *Policy_EgressRule) String() string
type Policy_IngressRule ¶
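// Policy_IngressRule matches incoming traffic if and only if the traffic
// matches both Port AND From.
//
// By the field rules below, an empty or null list matches everything, so a
// rule that sets neither Port nor From matches all traffic to the selected
// pods.
type Policy_IngressRule struct {
	// List of ports made accessible on the pods selected for this policy.
	// Each item in this list is combined using a logical OR.
	// If the array is empty or null, then this ingress rule matches all ports
	// (traffic not restricted by port).
	// If the array is non-empty, then this ingress rule allows traffic
	// only if the traffic matches at least one port in the list.
	// +optional
	Port []*Policy_Port `protobuf:"bytes,1,rep,name=port" json:"port,omitempty"`
	// List of sources which are able to access the pods selected for this
	// policy.
	// Items in this list are combined using a logical OR operation.
	// If the array is empty or null, then this ingress rule matches all sources
	// (traffic not restricted by source).
	// If the array is non-empty, then this ingress rule allows traffic only
	// if the traffic matches at least one item in the from list.
	// +optional
	From []*Policy_Peer `protobuf:"bytes,2,rep,name=from" json:"from,omitempty"`
}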
Ingress rule matches traffic if and only if the traffic matches both port-s AND from.
func (*Policy_IngressRule) Descriptor ¶
func (*Policy_IngressRule) Descriptor() ([]byte, []int)
func (*Policy_IngressRule) GetFrom ¶
func (m *Policy_IngressRule) GetFrom() []*Policy_Peer
func (*Policy_IngressRule) GetPort ¶
func (m *Policy_IngressRule) GetPort() []*Policy_Port
func (*Policy_IngressRule) ProtoMessage ¶
func (*Policy_IngressRule) ProtoMessage()
func (*Policy_IngressRule) Reset ¶
func (m *Policy_IngressRule) Reset()
func (*Policy_IngressRule) String ¶
func (m *Policy_IngressRule) String() string
type Policy_Label ¶
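// Policy_Label is a key/value pair attached to an object. Labels are used to
// organize and to select subsets of objects.
type Policy_Label struct {
	// Key is the label key.
	Key string `protobuf:"bytes,1,opt,name=key" json:"key,omitempty"`
	// Value is the label value stored under Key.
	Value string `protobuf:"bytes,2,opt,name=value" json:"value,omitempty"`
}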
Label is a key/value pair attached to an object (namespace in this case). Labels are used to organize and to select subsets of objects.
func (*Policy_Label) Descriptor ¶
func (*Policy_Label) Descriptor() ([]byte, []int)
func (*Policy_Label) GetKey ¶
func (m *Policy_Label) GetKey() string
func (*Policy_Label) GetValue ¶
func (m *Policy_Label) GetValue() string
func (*Policy_Label) ProtoMessage ¶
func (*Policy_Label) ProtoMessage()
func (*Policy_Label) Reset ¶
func (m *Policy_Label) Reset()
func (*Policy_Label) String ¶
func (m *Policy_Label) String() string
type Policy_LabelSelector ¶
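// Policy_LabelSelector is a label query over a set of resources. A resource
// is selected only when it satisfies both MatchLabel and MatchExpression.
//
// An empty selector matches all objects and a null selector matches none, so
// code that builds or inspects selectors has to keep a nil
// *Policy_LabelSelector apart from a non-nil one without entries.
type Policy_LabelSelector struct {
	// A list of labels that a resource needs to have attached in order to get
	// selected.
	// +optional
	MatchLabel []*Policy_Label `protobuf:"bytes,1,rep,name=match_label,json=matchLabel" json:"match_label,omitempty"`
	// A list of key-value expressions applied to labels.
	// For a given resource and its labels, all expressions must evaluate
	// to TRUE for the resource to get selected.
	MatchExpression []*Policy_LabelSelector_LabelExpression `protobuf:"bytes,2,rep,name=match_expression,json=matchExpression" json:"match_expression,omitempty"`
}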
A label selector is a label query over a set of resources. The results of match_label-s and match_expression-s are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
func (*Policy_LabelSelector) Descriptor ¶
func (*Policy_LabelSelector) Descriptor() ([]byte, []int)
func (*Policy_LabelSelector) GetMatchExpression ¶
func (m *Policy_LabelSelector) GetMatchExpression() []*Policy_LabelSelector_LabelExpression
func (*Policy_LabelSelector) GetMatchLabel ¶
func (m *Policy_LabelSelector) GetMatchLabel() []*Policy_Label
func (*Policy_LabelSelector) ProtoMessage ¶
func (*Policy_LabelSelector) ProtoMessage()
func (*Policy_LabelSelector) Reset ¶
func (m *Policy_LabelSelector) Reset()
func (*Policy_LabelSelector) String ¶
func (m *Policy_LabelSelector) String() string
type Policy_LabelSelector_LabelExpression ¶
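// Policy_LabelSelector_LabelExpression is an expression that contains values,
// a label key, and an operator that relates the key and values.
type Policy_LabelSelector_LabelExpression struct {
	// Key is the label key that the expression applies to.
	Key string `protobuf:"bytes,1,opt,name=key" json:"key,omitempty"`
	// Operator represents the key's relationship to the set of values
	// (IN, NOT_IN, EXISTS or DOES_NOT_EXIST). The zero value is IN.
	Operator Policy_LabelSelector_LabelExpression_Operator `protobuf:"varint,2,opt,name=operator,enum=policy.Policy_LabelSelector_LabelExpression_Operator" json:"operator,omitempty"`
	// An array of string values.
	// If the operator is IN or NOT_IN, the values array must be non-empty.
	// If the operator is EXISTS or DOES_NOT_EXIST, the values array
	// must be empty.
	// NOTE(review): nothing in this declaration enforces the two rules above;
	// whether consumers validate them is not visible here - confirm.
	// +optional
	Value []string `protobuf:"bytes,3,rep,name=value" json:"value,omitempty"`
}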
An expression that contains values, a label key, and an operator that relates the key and values.
func (*Policy_LabelSelector_LabelExpression) Descriptor ¶
func (*Policy_LabelSelector_LabelExpression) Descriptor() ([]byte, []int)
func (*Policy_LabelSelector_LabelExpression) GetKey ¶
func (m *Policy_LabelSelector_LabelExpression) GetKey() string
func (*Policy_LabelSelector_LabelExpression) GetOperator ¶
func (m *Policy_LabelSelector_LabelExpression) GetOperator() Policy_LabelSelector_LabelExpression_Operator
func (*Policy_LabelSelector_LabelExpression) GetValue ¶
func (m *Policy_LabelSelector_LabelExpression) GetValue() []string
func (*Policy_LabelSelector_LabelExpression) ProtoMessage ¶
func (*Policy_LabelSelector_LabelExpression) ProtoMessage()
func (*Policy_LabelSelector_LabelExpression) Reset ¶
func (m *Policy_LabelSelector_LabelExpression) Reset()
func (*Policy_LabelSelector_LabelExpression) String ¶
func (m *Policy_LabelSelector_LabelExpression) String() string
type Policy_LabelSelector_LabelExpression_Operator ¶
type Policy_LabelSelector_LabelExpression_Operator int32
Operator represents a key's relationship to a set of values.
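// Values of Policy_LabelSelector_LabelExpression_Operator, one per line so
// that the declaration parses as a const block.
const (
	// IN requires a non-empty values array. It is also the zero value.
	Policy_LabelSelector_LabelExpression_IN Policy_LabelSelector_LabelExpression_Operator = 0
	// NOT_IN requires a non-empty values array.
	Policy_LabelSelector_LabelExpression_NOT_IN Policy_LabelSelector_LabelExpression_Operator = 1
	// EXISTS requires an empty values array.
	Policy_LabelSelector_LabelExpression_EXISTS Policy_LabelSelector_LabelExpression_Operator = 2
	// DOES_NOT_EXIST requires an empty values array.
	Policy_LabelSelector_LabelExpression_DOES_NOT_EXIST Policy_LabelSelector_LabelExpression_Operator = 3
)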
func (Policy_LabelSelector_LabelExpression_Operator) EnumDescriptor ¶
func (Policy_LabelSelector_LabelExpression_Operator) EnumDescriptor() ([]byte, []int)
func (Policy_LabelSelector_LabelExpression_Operator) String ¶
func (x Policy_LabelSelector_LabelExpression_Operator) String() string
type Policy_Peer ¶
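// Policy_Peer selects the peers of a rule: pods in this namespace, pods in
// selected namespaces, or an IP block.
type Policy_Peer struct {
	// This is a label selector which selects Pods in this namespace.
	// If present but empty, this selector selects all pods in this namespace.
	// +optional
	Pods *Policy_LabelSelector `protobuf:"bytes,1,opt,name=pods" json:"pods,omitempty"`
	// Selects namespaces using cluster scoped-labels.
	// This matches all pods in all namespaces selected by this label selector.
	// If present but empty, this selector selects all namespaces.
	// +optional
	Namespaces *Policy_LabelSelector `protobuf:"bytes,2,opt,name=namespaces" json:"namespaces,omitempty"`
	// IpBlock selects peers by CIDR range instead of by labels.
	// NOTE(review): how IpBlock combines with Pods and Namespaces when more
	// than one of them is set is not visible here - confirm.
	IpBlock *Policy_Peer_IPBlock `protobuf:"bytes,3,opt,name=ip_block,json=ipBlock" json:"ip_block,omitempty"`
}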
A selector for a set of pods.
func (*Policy_Peer) Descriptor ¶
func (*Policy_Peer) Descriptor() ([]byte, []int)
func (*Policy_Peer) GetIpBlock ¶
func (m *Policy_Peer) GetIpBlock() *Policy_Peer_IPBlock
func (*Policy_Peer) GetNamespaces ¶
func (m *Policy_Peer) GetNamespaces() *Policy_LabelSelector
func (*Policy_Peer) GetPods ¶
func (m *Policy_Peer) GetPods() *Policy_LabelSelector
func (*Policy_Peer) ProtoMessage ¶
func (*Policy_Peer) ProtoMessage()
func (*Policy_Peer) Reset ¶
func (m *Policy_Peer) Reset()
func (*Policy_Peer) String ¶
func (m *Policy_Peer) String() string
type Policy_Peer_IPBlock ¶
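// Policy_Peer_IPBlock describes a particular CIDR that is allowed to/from the
// pods selected for this network policy. The Except entries describe CIDRs
// that should not be included within this rule.
//
// Both fields are plain strings: this declaration does not parse or validate
// them, so CIDR syntax and the containment of Except in Cidr have to be
// checked by whoever consumes the value.
type Policy_Peer_IPBlock struct {
	// CIDR is a string representing the IP Block.
	// Valid examples are "192.168.1.1/24".
	// NOTE(review): the example carries host bits below the /24 prefix;
	// whether consumers mask or reject such values is not visible here.
	Cidr string `protobuf:"bytes,1,opt,name=cidr" json:"cidr,omitempty"`
	// Except is a slice of CIDRs that should not be included within an IP Block
	// Valid examples are "192.168.1.1/24".
	// Except values are inside the CIDR range.
	// +optional
	Except []string `protobuf:"bytes,2,rep,name=except" json:"except,omitempty"`
}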
IPBlock describes a particular CIDR (Ex. "192.168.1.1/24") that is allowed to/from the pods selected for this network policy. The except entries describe CIDRs that should not be included within this rule.
func (*Policy_Peer_IPBlock) Descriptor ¶
func (*Policy_Peer_IPBlock) Descriptor() ([]byte, []int)
func (*Policy_Peer_IPBlock) GetCidr ¶
func (m *Policy_Peer_IPBlock) GetCidr() string
func (*Policy_Peer_IPBlock) GetExcept ¶
func (m *Policy_Peer_IPBlock) GetExcept() []string
func (*Policy_Peer_IPBlock) ProtoMessage ¶
func (*Policy_Peer_IPBlock) ProtoMessage()
func (*Policy_Peer_IPBlock) Reset ¶
func (m *Policy_Peer_IPBlock) Reset()
func (*Policy_Peer_IPBlock) String ¶
func (m *Policy_Peer_IPBlock) String() string
type Policy_PolicyType ¶
type Policy_PolicyType int32
PolicyType selects the rule types that the network policy relates to. By default, rule types are determined based on the existence of Ingress or Egress rules: policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. For example, a policy is egress-only if and only if policyType is set to EGRESS. Likewise, a policy that blocks all egress traffic must set policyType to EGRESS or INGRESS_AND_EGRESS, because it does not include an Egress section and would otherwise default to just INGRESS. This field is beta-level in Kubernetes 1.8. +optional
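// Values of Policy_PolicyType, one per line so that the declaration parses
// as a const block.
const (
	// DEFAULT is the zero value: the rule types follow from which rule
	// sections the policy contains.
	Policy_DEFAULT Policy_PolicyType = 0
	// INGRESS relates the policy to ingress rules.
	Policy_INGRESS Policy_PolicyType = 1
	// EGRESS relates the policy to egress rules; a policy is egress-only if
	// and only if this value is set.
	Policy_EGRESS Policy_PolicyType = 2
	// INGRESS_AND_EGRESS relates the policy to both rule types.
	Policy_INGRESS_AND_EGRESS Policy_PolicyType = 3
)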
func (Policy_PolicyType) EnumDescriptor ¶
func (Policy_PolicyType) EnumDescriptor() ([]byte, []int)
func (Policy_PolicyType) String ¶
func (x Policy_PolicyType) String() string
type Policy_Port ¶
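// Policy_Port is a port selector: a protocol plus an optional port.
type Policy_Port struct {
	// The protocol (TCP or UDP) which traffic must match.
	// If not specified, this field defaults to TCP.
	Protocol Policy_Port_Protocol `protobuf:"varint,3,opt,name=protocol,enum=policy.Policy_Port_Protocol" json:"protocol,omitempty"`
	// If specified, the port on the given protocol.
	// This can either be a numerical or named port on a pod.
	// If this field is not provided, the rule matches all port names and
	// numbers.
	// If present, only traffic on the specified protocol AND port
	// will be matched.
	// +optional
	Port *Policy_Port_PortNameOrNumber `protobuf:"bytes,1,opt,name=port" json:"port,omitempty"`
}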
A port selector.
func (*Policy_Port) Descriptor ¶
func (*Policy_Port) Descriptor() ([]byte, []int)
func (*Policy_Port) GetPort ¶
func (m *Policy_Port) GetPort() *Policy_Port_PortNameOrNumber
func (*Policy_Port) GetProtocol ¶
func (m *Policy_Port) GetProtocol() Policy_Port_Protocol
func (*Policy_Port) ProtoMessage ¶
func (*Policy_Port) ProtoMessage()
func (*Policy_Port) Reset ¶
func (m *Policy_Port) Reset()
func (*Policy_Port) String ¶
func (m *Policy_Port) String() string
type Policy_Port_PortNameOrNumber ¶
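// Policy_Port_PortNameOrNumber is a numerical or named port.
type Policy_Port_PortNameOrNumber struct {
	// Type is the port reference type (NUMBER or NAME). The zero value is
	// NUMBER.
	// NOTE(review): presumably Type decides which of Number and Name is
	// read - confirm against the consumer.
	Type Policy_Port_PortNameOrNumber_Type `protobuf:"varint,1,opt,name=type,enum=policy.Policy_Port_PortNameOrNumber_Type" json:"type,omitempty"`
	// Port number from the range: 0 < x < 65536.
	// The field is an int32, so values outside that range (zero and
	// negative numbers included) are representable; the range check is not
	// part of this declaration.
	Number int32 `protobuf:"varint,2,opt,name=number" json:"number,omitempty"`
	// Port name as defined by containers in the pod.
	Name string `protobuf:"bytes,3,opt,name=name" json:"name,omitempty"`
}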
Numerical or named port.
func (*Policy_Port_PortNameOrNumber) Descriptor ¶
func (*Policy_Port_PortNameOrNumber) Descriptor() ([]byte, []int)
func (*Policy_Port_PortNameOrNumber) GetName ¶
func (m *Policy_Port_PortNameOrNumber) GetName() string
func (*Policy_Port_PortNameOrNumber) GetNumber ¶
func (m *Policy_Port_PortNameOrNumber) GetNumber() int32
func (*Policy_Port_PortNameOrNumber) GetType ¶
func (m *Policy_Port_PortNameOrNumber) GetType() Policy_Port_PortNameOrNumber_Type
func (*Policy_Port_PortNameOrNumber) ProtoMessage ¶
func (*Policy_Port_PortNameOrNumber) ProtoMessage()
func (*Policy_Port_PortNameOrNumber) Reset ¶
func (m *Policy_Port_PortNameOrNumber) Reset()
func (*Policy_Port_PortNameOrNumber) String ¶
func (m *Policy_Port_PortNameOrNumber) String() string
type Policy_Port_PortNameOrNumber_Type ¶
type Policy_Port_PortNameOrNumber_Type int32
Port reference type.
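// Values of Policy_Port_PortNameOrNumber_Type, one per line so that the
// declaration parses as a const block.
const (
	// NUMBER marks a numerical port reference. It is also the zero value.
	Policy_Port_PortNameOrNumber_NUMBER Policy_Port_PortNameOrNumber_Type = 0
	// NAME marks a named port reference.
	Policy_Port_PortNameOrNumber_NAME Policy_Port_PortNameOrNumber_Type = 1
)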
func (Policy_Port_PortNameOrNumber_Type) EnumDescriptor ¶
func (Policy_Port_PortNameOrNumber_Type) EnumDescriptor() ([]byte, []int)
func (Policy_Port_PortNameOrNumber_Type) String ¶
func (x Policy_Port_PortNameOrNumber_Type) String() string
type Policy_Port_Protocol ¶
type Policy_Port_Protocol int32
The protocol (TCP or UDP) which traffic must match. If not specified, this field defaults to TCP. +optional
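// Values of Policy_Port_Protocol, one per line so that the declaration parses
// as a const block.
const (
	// TCP is the zero value, which is why an unset protocol means TCP.
	Policy_Port_TCP Policy_Port_Protocol = 0
	// UDP selects UDP traffic.
	Policy_Port_UDP Policy_Port_Protocol = 1
)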
func (Policy_Port_Protocol) EnumDescriptor ¶
func (Policy_Port_Protocol) EnumDescriptor() ([]byte, []int)
func (Policy_Port_Protocol) String ¶
func (x Policy_Port_Protocol) String() string