Package v2 is the v2 version of the API. +groupName=cilium.io

Constants

// CustomResourceDefinitionGroup is the API group under which the Cilium
// custom resources are registered; it is shared with k8sconst.GroupName.
const CustomResourceDefinitionGroup = k8sconst.GroupName

// CustomResourceDefinitionVersion is the API version served by this package.
const CustomResourceDefinitionVersion = "v2"

// CustomResourceDefinitionSchemaVersion is the semver-style version of the
// CRD schema shipped by this package. It is compared against the value
// recorded in the cluster (see CustomResourceDefinitionSchemaVersionKey) to
// decide whether the installed CRD needs to be updated, so it must be bumped
// whenever the validation schema below changes.
const CustomResourceDefinitionSchemaVersion = "1.15"

// CustomResourceDefinitionSchemaVersionKey is the label key on the installed
// CRD that carries CustomResourceDefinitionSchemaVersion.
const CustomResourceDefinitionSchemaVersionKey = "io.cilium.k8s.crd.schema.version"

// CNPKindDefinition is the Kind of the CiliumNetworkPolicy resource.
const CNPKindDefinition = "CiliumNetworkPolicy"
// EndpointStatusLogEntries caps the number of entries retained in
// EndpointStatus.Log; older entries are expected to be dropped beyond this.
const (
	EndpointStatusLogEntries = 5
)

EndpointStatusLogEntries is the maximum number of log entries in EndpointStatus.Log

Variables

// SchemeBuilder accumulates the scheme registration functions of this
// package. The DeepCopy generator expects a variable of this name to exist.
var SchemeBuilder runtime.SchemeBuilder

// AddToScheme registers every type of this clientset with the given scheme.
// It allows clientsets to be composed, for example:
//
//	import (
//	    "k8s.io/client-go/kubernetes"
//	    clientsetscheme "k8s.io/client-go/kubernetes/scheme"
//	    aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
//	)
//
//	kclientset, _ := kubernetes.NewForConfig(c)
//	aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
var AddToScheme = localSchemeBuilder.AddToScheme
var (
	// CNPCRV is the OpenAPI v3 validation attached to the CiliumNetworkPolicy
	// CRD. The top-level schema is a plain object whose properties come from
	// `properties`, which is defined elsewhere in this package.
	CNPCRV = apiextensionsv1beta1.CustomResourceValidation{
		OpenAPIV3Schema: &apiextensionsv1beta1.JSONSchemaProps{

			Type:       "object",
			Properties: properties,
		},
	}

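	// CIDR validates a single IPv4 or IPv6 prefix written as "address/length".
	//
	// This is only the API-server-side check; it is deliberately a simple
	// regex rather than a full parser. NOTE(review): confirm that the code
	// consuming accepted values still parses them (net.ParseCIDR or similar)
	// instead of trusting this schema.
	//
	// Reviewer notes on the patterns:
	//   - The IPv4 octet alternative `[01]?[0-9][0-9]?` accepts leading zeros
	//     ("010.1.2.3/8"); parsers disagree on whether such octets are octal
	//     or decimal, and this schema does not reject them.
	//   - The IPv6 pattern previously started with `^s*` and ended with
	//     `s*/`, i.e. it tolerated stray literal 's' characters around the
	//     address rather than whitespace. Those atoms are removed here; the
	//     value must be exactly the prefix, nothing more. This only tightens
	//     validation.
	//   - The optional `%zone` suffix is matched by `(%.+)?`, which is
	//     unconstrained; it is left as-is.
	//
	// NOTE(review): this is a schema change, so
	// CustomResourceDefinitionSchemaVersion should be bumped alongside it for
	// existing clusters to pick it up.
	CIDR = apiextensionsv1beta1.JSONSchemaProps{
		Description: "CIDR is a CIDR prefix / IP Block.",
		Type:        "string",
		OneOf: []apiextensionsv1beta1.JSONSchemaProps{
			{
				// IPv4: four dotted octets, then a prefix length of 0-32.
				Pattern: `^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4]` +
					`[0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$`,
			},
			{
				// IPv6: up to eight 16-bit hex groups with at most one "::"
				// elision, an optional "%zone" suffix, then a prefix length
				// of 0-128.
				Pattern: `^((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))` +
					`|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)` +
					`|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))` +
					`|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))` +
					`|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))` +
					`|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))` +
					`|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))` +
					`|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))` +
					`(%.+)?/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$`,
			},
		},
	}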

	// CIDRRule is the schema for one CIDR plus an optional list of
	// sub-prefixes excluded from it. Only "cidr" is required; each element
	// of "except" is validated with the CIDR schema. The description's
	// requirement that every exception lies inside "cidr" cannot be expressed
	// in OpenAPI and is therefore not enforced by the API server.
	CIDRRule = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "CIDRRule is a rule that specifies a CIDR prefix to/from which outside " +
			"communication is allowed, along with an optional list of subnets within that CIDR " +
			"prefix to/from which outside communication is not allowed.",
		Required: []string{
			"cidr",
		},
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"cidr": CIDR,
			"except": {
				Description: "ExceptCIDRs is a list of IP blocks which the endpoint subject to " +
					"the rule is not allowed to initiate connections to. These CIDR prefixes " +
					"should be contained within Cidr. These exceptions are only applied to the " +
					"Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any " +
					"other CIDRRules.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &CIDR,
				},
			},
		},
	}

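	// EgressRule is the schema for one entry of a rule's "egress" list. Every
	// property is optional. Two user-visible description strings are repaired
	// here: "toEndpoints" was missing the space between "rule" and "is", and
	// the top-level text read "if if".
	//
	// Reviewer notes: "toEntities" accepts any string (no Enum), so unknown
	// entity names are not rejected by the API server, and the cross-field
	// restrictions stated in the description (ToPorts + ToCIDR) are not
	// expressible here and must be enforced by the consumer.
	EgressRule = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "EgressRule contains all rule types which can be applied at egress, i.e. " +
			"network traffic that originates inside the endpoint and exits the endpoint " +
			"selected by the endpointSelector.\n\n- All members of this structure are optional. " +
			"If omitted or empty, the\n  member will have no effect on the rule.\n\n- For now, " +
			"combining ToPorts and ToCIDR in the same rule is not supported\n  and such rules " +
			"will be rejected. In the future, this will be supported and\n  if multiple " +
			"members of the structure are specified, then all members\n  must match in order " +
			"for the rule to take effect.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"toCIDR": {
				Description: "ToCIDR is a list of IP blocks which the endpoint subject to the " +
					"rule is allowed to initiate connections. This will match on the " +
					"destination IP address of outgoing connections. Adding a prefix into " +
					"ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are " +
					"allowed between ToCIDR and ToCIDRSet.\n\nExample: Any endpoint with the " +
					"label \"app=database-proxy\" is allowed to initiate connections to " +
					"10.2.3.0/24",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &CIDR,
				},
			},
			"toCIDRSet": {
				Description: "ToCIDRSet is a list of IP blocks which the endpoint subject to " +
					"the rule is allowed to initiate connections to in addition to connections " +
					"which are allowed via FromEndpoints, along with a list of subnets " +
					"contained within their corresponding IP block to which traffic should not " +
					"be allowed. This will match on the destination IP address of outgoing " +
					"connections. Adding a prefix into ToCIDR or into ToCIDRSet with no " +
					"ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and " +
					"ToCIDRSet.\n\nExample: Any endpoint with the label \"app=database-proxy\" " +
					"is allowed to initiate connections to 10.2.3.0/24 except from IPs in " +
					"subnet 10.2.3.0/28.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &CIDRRule,
				},
			},
			"toEntities": {
				// Free-form strings: the supported entity names are only
				// documented, not enforced.
				Description: "ToEntities is a list of special entities to which the endpoint " +
					"subject to the rule is allowed to initiate connections. Supported " +
					"entities are `world`, `cluster` and `host`",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type: "string",
					},
				},
			},
			"toPorts": {
				Description: "ToPorts is a list of destination ports identified by port number " +
					"and protocol which the endpoint subject to the rule is allowed to connect " +
					"to.\n\nExample: Any endpoint with the label \"role=frontend\" is allowed " +
					"to initiate connections to destination port 8080/tcp",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortRule,
				},
			},
			"toServices": {
				Description: "ToServices is a list of services to which the endpoint subject " +
					"to the rule is allowed to initiate connections.\n\nExample: Any endpoint " +
					"with the label \"app=backend-app\" is allowed to initiate connections to " +
					"all cidrs backing the \"external-service\" service",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &Service,
				},
			},
			"toEndpoints": {
				Description: "ToEndpoints is a list of endpoints identified by an " +
					"EndpointSelector to which the endpoint subject to the rule " +
					"is allowed to communicate.\n\nExample: Any endpoint with the label " +
					"\"role=frontend\" can be consumed by any endpoint carrying the label " +
					"\"role=backend\".",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &EndpointSelector,
				},
			},
			"toRequires": {
				Description: "ToRequires is a list of additional constraints which must be " +
					"met in order for the selected endpoints to be able to reach other " +
					"endpoints. These additional constraints do not by themselves grant access " +
					"privileges and must always be accompanied with at least one matching " +
					"FromEndpoints.\n\nExample: Any Endpoint with the label \"team=A\" " +
					"requires any endpoint to which it communicates to also carry the label " +
					"\"team=A\".",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &EndpointSelector,
				},
			},
			"toGroups": {
				Type: "object",
				Description: `ToGroups is a list of constraints that will
				gather data from third-party providers and create a new
				derived policy.`,
				Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
					"aws": AWSGroup,
				},
			},
			"toFQDNs": {
				Description: `ToFQDNs is a list of rules matching fqdns that endpoint
				is allowed to communicate with`,
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &FQDNRule,
				},
			},
		},
	}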

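	// FQDNRule is the schema for one entry of "toFQDNs". Both properties are
	// optional and neither is required, so an empty object is accepted; the
	// "exactly one of" choice, if intended, is not enforced here. The
	// description string is fixed from "an fully" to "a fully".
	FQDNRule = apiextensionsv1beta1.JSONSchemaProps{
		Type:        "object",
		Description: `FQDNRule is a rule that specifies a fully qualified domain name to which outside communication is allowed`,
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"matchName":    MatchFQDNName,
			"matchPattern": MatchFQDNPattern,
		},
	}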

	// MatchFQDNName validates an exact FQDN. The pattern, fqdnNameRegex, is
	// defined elsewhere in this package.
	MatchFQDNName = apiextensionsv1beta1.JSONSchemaProps{
		Description: `MatchName matches fqdn name`,
		Type:        "string",
		Pattern:     fqdnNameRegex,
	}

	// MatchFQDNPattern validates an FQDN pattern (wildcard form). The pattern,
	// fqdnPatternRegex, is defined elsewhere in this package.
	MatchFQDNPattern = apiextensionsv1beta1.JSONSchemaProps{
		Description: `MatchPattern matches fqdn by pattern`,
		Type:        "string",
		Pattern:     fqdnPatternRegex,
	}

	// AWSGroup is the schema for the "aws" member of "toGroups". All three
	// properties are optional plain strings / string arrays; no format or
	// pattern is imposed on the security group IDs, names or region.
	AWSGroup = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"securityGroupsIds": {
				Description: `SecurityGroupsIds is the list of AWS security
				group IDs that will filter the instances IPs from the AWS API`,
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type: "string",
					},
				},
			},
			"securityGroupsNames": {
				Description: `SecurityGroupsNames is the list of  AWS security
				group names that will filter the instances IPs from the AWS API`,
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type: "string",
					},
				},
			},
			"region": {
				Description: `Region is the key that will filter the AWS EC2
				instances in the given region`,
				Type: "string",
			},
		},
	}
	// EndpointSelector is the schema for an endpoint (label) selector; it is
	// built by initEndpointSelector, defined elsewhere in this package, and
	// referenced by address from several rule schemas below.
	EndpointSelector = initEndpointSelector()

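	// IngressRule is the schema for one entry of a rule's "ingress" list.
	// Every property is optional. User-visible description text is repaired:
	// "fromRequires" read "do no by itself", and "fromCIDR" had doubled
	// spaces.
	//
	// Reviewer notes: "fromEntities" accepts any string (no Enum), so unknown
	// entity names pass API-server validation, and the cross-field
	// restrictions described below are not expressible in this schema.
	IngressRule = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "IngressRule contains all rule types which can be applied at ingress, " +
			"i.e. network traffic that originates outside of the endpoint and is entering " +
			"the endpoint selected by the endpointSelector.\n\n- All members of this structure " +
			"are optional. If omitted or empty, the\n  member will have no effect on the rule." +
			"\n\n- If multiple members are set, all of them need to match in order for\n  " +
			"the rule to take effect. The exception to this rule is FromRequires field;\n  " +
			"the effects of any Requires field in any rule will apply to all other\n  rules " +
			"as well.\n\n- For now, combining ToPorts, FromCIDR, and FromEndpoints in the same " +
			"rule\n  is not supported and any such rules will be rejected. In the future, " +
			"this\n  will be supported and if multiple members of this structure are specified," +
			"\n  then all members must match in order for the rule to take effect. The\n  " +
			"exception to this rule is the Requires field, the effects of any Requires\n  " +
			"field in any rule will apply to all other rules as well.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"fromCIDR": {
				Description: "FromCIDR is a list of IP blocks which the endpoint subject to " +
					"the rule is allowed to receive connections from. This will match on the " +
					"source IP address of incoming connections. Adding a prefix into FromCIDR " +
					"or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are " +
					"allowed between FromCIDR and FromCIDRSet.\n\nExample: Any endpoint with " +
					"the label \"app=my-legacy-pet\" is allowed to receive connections from " +
					"10.3.9.1",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &CIDR,
				},
			},
			"fromCIDRSet": {
				Description: "FromCIDRSet is a list of IP blocks which the endpoint subject to " +
					"the rule is allowed to receive connections from in addition to " +
					"FromEndpoints, along with a list of subnets contained within their " +
					"corresponding IP block from which traffic should not be allowed. This " +
					"will match on the source IP address of incoming connections. Adding a " +
					"prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is " +
					"equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet." +
					"\n\nExample: Any endpoint with the label \"app=my-legacy-pet\" is allowed " +
					"to receive connections from 10.0.0.0/8 except from IPs in subnet " +
					"10.96.0.0/12.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &CIDRRule,
				},
			},
			"fromEndpoints": {
				Description: "FromEndpoints is a list of endpoints identified by an " +
					"EndpointSelector which are allowed to communicate with the endpoint " +
					"subject to the rule.\n\nExample: Any endpoint with the label " +
					"\"role=backend\" can be consumed by any endpoint carrying the label " +
					"\"role=frontend\".",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &EndpointSelector,
				},
			},
			"fromEntities": {
				// Free-form strings: the supported entity names are only
				// documented, not enforced.
				Description: "FromEntities is a list of special entities which the endpoint " +
					"subject to the rule is allowed to receive connections from. Supported " +
					"entities are `world`, `cluster`, `host`, and `init`",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type: "string",
					},
				},
			},
			"fromRequires": {
				Description: "FromRequires is a list of additional constraints which must be " +
					"met in order for the selected endpoints to be reachable. These additional " +
					"constraints do not by themselves grant access privileges and must always be " +
					"accompanied with at least one matching FromEndpoints.\n\nExample: Any " +
					"Endpoint with the label \"team=A\" requires consuming endpoint to also " +
					"carry the label \"team=A\".",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &EndpointSelector,
				},
			},
			"toPorts": {
				Description: "ToPorts is a list of destination ports identified by port number " +
					"and protocol which the endpoint subject to the rule is allowed to receive " +
					"connections on.\n\nExample: Any endpoint with the label \"app=httpd\" can " +
					"only accept incoming connections on port 80/tcp.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortRule,
				},
			},
		},
	}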

	// K8sServiceNamespace is the schema for the "k8sService" member of
	// Service: a service name plus namespace. Neither property is marked
	// required, so an empty object passes validation.
	K8sServiceNamespace = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "K8sServiceNamespace is an abstraction for the k8s service + namespace " +
			"types.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"namespace": {
				Type: "string",
			},
			"serviceName": {
				Type: "string",
			},
		},
	}

	// L7Rules is the schema for the "rules" member of a PortRule: the L7
	// parser-specific rule lists. The description states that exactly one of
	// the members may be set, but this schema has no OneOf/MaxProperties
	// constraint, so mixing them is not rejected by the API server and must
	// be caught by the consumer. "l7proto" is an unconstrained parser name.
	L7Rules = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "L7Rules is a union of port level rule types. Mixing of different port " +
			"level rule types is disallowed, so exactly one of the following must be set. If " +
			"none are specified, then no additional port level rules are applied.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"http": {
				Description: "HTTP specific rules.",
				Type:        "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortRuleHTTP,
				},
			},
			"kafka": {
				Description: "Kafka-specific rules.",
				Type:        "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortRuleKafka,
				},
			},
			"l7proto": {
				Description: "Parser type name that uses Key-Value pair rules.",
				Type:        "string",
			},
			"l7": {
				Description: "Generic Key-Value pair rules.",
				Type:        "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortRuleL7,
				},
			},
			"dns": {
				Description: "DNS specific rules",
				Type:        "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortRuleDNS,
				},
			},
		},
	}

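	// PortRuleDNS is the schema for one entry of L7Rules."dns". It shares its
	// shape with FQDNRule (an exact name or a pattern), and its description
	// string previously was a verbatim copy of FQDNRule's, naming the wrong
	// type; it now describes this type. Neither property is required.
	PortRuleDNS = apiextensionsv1beta1.JSONSchemaProps{
		Type:        "object",
		Description: `PortRuleDNS is a DNS specific rule that matches a fully qualified domain name by exact name or by pattern`,
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"matchName":    MatchFQDNName,
			"matchPattern": MatchFQDNPattern,
		},
	}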

	// Label is the schema for one entry of a Rule's "labels" list. Only "key"
	// is required; "source" and "value" are optional and unconstrained
	// strings (the valid sources are documented by reference only).
	Label = apiextensionsv1beta1.JSONSchemaProps{
		Type:        "object",
		Description: "Label is the cilium's representation of a container label.",
		Required: []string{
			"key",
		},
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"key": {
				Type: "string",
			},
			"source": {
				Description: "Source can be one of the values present in const.go " +
					"(e.g.: LabelSourceContainer)",
				Type: "string",
			},
			"value": {
				Type: "string",
			},
		},
	}

	// LabelSelector mirrors the Kubernetes metav1.LabelSelector shape:
	// "matchLabels" is a free-form object (no value-type constraint is
	// placed on it here) and "matchExpressions" is a list of
	// LabelSelectorRequirement.
	LabelSelector = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "A label selector is a label query over a set of resources. The result " +
			"of matchLabels and matchExpressions are ANDed. An empty label selector matches " +
			"all objects. A null label selector matches no objects.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"matchLabels": {
				Description: "matchLabels is a map of {key,value} pairs. A single {key,value} " +
					"in the matchLabels map is equivalent to an element of matchExpressions, " +
					"whose key field is \"key\", the operator is \"In\", and the values array " +
					"contains only \"value\". The requirements are ANDed.",
				Type: "object",
			},
			"matchExpressions": {
				Description: "matchExpressions is a list of label selector requirements. " +
					"The requirements are ANDed.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &LabelSelectorRequirement,
				},
			},
		},
	}

	// LabelSelectorRequirement is the schema for one "matchExpressions"
	// element. "key" and "operator" are required and "operator" is limited to
	// the four enumerated values; the rule that "values" must be non-empty
	// for In/NotIn and empty for Exists/DoesNotExist is stated in the
	// description but not enforced by this schema.
	LabelSelectorRequirement = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "A label selector requirement is a selector that contains values, a key, " +
			"and an operator that relates the key and values.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"key": {
				Description: "key is the label key that the selector applies to.",
				Type:        "string",
			},
			"operator": {
				Description: "operator represents a key's relationship to a set of values. " +
					"Valid operators are In, NotIn, Exists and DoesNotExist.",
				Type: "string",
				Enum: []apiextensionsv1beta1.JSON{
					{
						Raw: []byte(`"In"`),
					},
					{
						Raw: []byte(`"NotIn"`),
					},
					{
						Raw: []byte(`"Exists"`),
					},
					{
						Raw: []byte(`"DoesNotExist"`),
					},
				},
			},
			"values": {
				Description: "values is an array of string values. If the operator is In or " +
					"NotIn, the values array must be non-empty. If the operator is Exists or " +
					"DoesNotExist, the values array must be empty. This array is replaced " +
					"during a strategic merge patch.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type: "string",
					},
				},
			},
		},
		Required: []string{"key", "operator"},
	}

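	// PortProtocol is the schema for one entry of PortRule."ports". "port" is
	// required and is a string restricted by regex to 0-65535; the regex also
	// admits port 0 and leading zeros ("0080"), which this schema does not
	// reject. The description's unterminated quote around "1024-2048" is
	// closed.
	//
	// NOTE(review): the description says an empty protocol ("") is accepted,
	// but the Enum only lists TCP, UDP and ANY, so an explicit `protocol: ""`
	// is rejected by the API server while an omitted protocol is accepted.
	// Confirm which behaviour is intended before widening the enum.
	PortProtocol = apiextensionsv1beta1.JSONSchemaProps{
		Type:        "object",
		Description: "PortProtocol specifies an L4 port with an optional transport protocol",
		Required: []string{
			"port",
		},
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"port": {
				Description: "Port is an L4 port number. For now the string will be strictly " +
					"parsed as a single uint16. In the future, this field may support ranges " +
					"in the form \"1024-2048\"",
				Type: "string",
				// Alternatives cover 65530-65535, 65500-65529, 65000-65499,
				// 60000-64999, 10000-59999 and 0-9999 respectively.
				Pattern: `^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|` +
					`[1-5][0-9]{4}|[0-9]{1,4})$`,
			},
			"protocol": {
				Description: `Protocol is the L4 protocol. If omitted or empty, any protocol ` +
					`matches. Accepted values: "TCP", "UDP", ""/"ANY"\n\nMatching on ` +
					`ICMP is not supported.`,
				Type: "string",
				Enum: []apiextensionsv1beta1.JSON{
					{
						Raw: []byte(`"TCP"`),
					},
					{
						Raw: []byte(`"UDP"`),
					},
					{
						Raw: []byte(`"ANY"`),
					},
				},
			},
		},
	}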

	// PortRule is the schema for one entry of "toPorts": a list of L4
	// port/protocol pairs, an optional L4 redirect port, and optional L7
	// rules whose schema comes from initPortRule (defined elsewhere in this
	// package). No property is required.
	PortRule = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "PortRule is a list of ports/protocol combinations with optional Layer 7 " +
			"rules which must be met.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"ports": {
				Description: "Ports is a list of L4 port/protocol\n\nIf omitted or empty but " +
					"RedirectPort is set, then all ports of the endpoint subject to either the " +
					"ingress or egress rule are being redirected.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortProtocol,
				},
			},
			"redirectPort": {
				Description: "RedirectPort is the L4 port which, if set, all traffic matching " +
					"the Ports is being redirected to. Whatever listener behind that port " +
					"becomes responsible to enforce the port rules and is also responsible to " +
					"reinject all traffic back and ensure it reaches its original destination.",
				Type:   "integer",
				Format: "uint16",
			},
			"rules": initPortRule(),
		},
	}

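	// PortRuleHTTP is the schema for one entry of L7Rules."http". All
	// properties are optional regexes.
	//
	// The "host" property previously carried `Format: "idn-hostname"`, which
	// contradicts its own description: the value is an extended POSIX regex
	// (e.g. `.*\.example\.com`), not a hostname, so a validator honouring the
	// format would reject legitimate values, and one that ignores unknown
	// formats (which, as far as this reviewer can tell, is what the
	// apiserver does for this name) gains nothing. The Format is dropped;
	// "host" is validated as a plain string like "method" and "path". The
	// "path" description is also fixed ("are all allowed").
	//
	// NOTE(review): "headers" are raw strings with no shape constraint, and
	// regex values are accepted unparsed here; both rely on the consumer to
	// compile/validate them. Bump CustomResourceDefinitionSchemaVersion with
	// this schema change.
	PortRuleHTTP = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "PortRuleHTTP is a list of HTTP protocol constraints. All fields are " +
			"optional, if all fields are empty or missing, the rule does not have any effect." +
			"\n\nAll fields of this type are extended POSIX regex as defined by " +
			"IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) " +
			"matched against the path of an incoming request. Currently it can contain " +
			"characters disallowed from the conventional \"path\" part of a URL as defined by " +
			"RFC 3986.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"headers": {
				Description: "Headers is a list of HTTP headers which must be present in the " +
					"request. If omitted or empty, requests are allowed regardless of headers " +
					"present.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type: "string",
					},
				},
			},
			"host": {
				Description: "Host is an extended POSIX regex matched against the host header " +
					"of a request, e.g. \"foo.com\"\n\nIf omitted or empty, the value of the " +
					"host header is ignored.",
				Type: "string",
			},
			"method": {
				Description: "Method is an extended POSIX regex matched against the method of " +
					"a request, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ...\n\n" +
					"If omitted or empty, all methods are allowed.",
				Type: "string",
			},
			"path": {
				Description: "Path is an extended POSIX regex matched against the path of a " +
					"request. Currently it can contain characters disallowed from the " +
					"conventional \"path\" part of a URL as defined by RFC 3986.\n\n" +
					"If omitted or empty, all paths are allowed.",
				Type: "string",
			},
		},
	}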

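	// PortRuleKafka is the schema for one entry of L7Rules."kafka". All
	// properties are optional. The "role" description was assembled from
	// string fragments without separators ("keysnecessary", "such
	// as\"produce\"", "operation.The ...") and is rebuilt with proper spacing
	// and list formatting; its wording is unchanged.
	//
	// Reviewer notes: "role" is enumerated, but "apiKey", "apiVersion" and
	// "clientID" are unconstrained strings (the description's "positive
	// integer" requirement for apiVersion is not enforced here), and the
	// mutual exclusion of "role" and "apiKey" is not expressible in this
	// schema. "topic" keeps the 255-character cap for compatibility even
	// though the description notes the current Kafka limit is 249.
	PortRuleKafka = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "PortRuleKafka is a list of Kafka protocol constraints. All fields are " +
			"optional, if all fields are empty or missing, the rule will match all Kafka " +
			"messages.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"role": {
				Description: "Role is a case-insensitive string and describes a group of API keys " +
					"necessary to perform certain higher level Kafka operations such as " +
					"\"produce\" or \"consume\". An APIGroup automatically expands into all APIKeys " +
					"required to perform the specified higher level operation.\n\n" +
					"The following values are supported:\n\n" +
					"- \"produce\": Allow producing to the topics specified in the rule\n" +
					"- \"consume\": Allow consuming from the topics specified in the rule\n\n" +
					"This field is incompatible with the APIKey field, either APIKey or Role " +
					"may be specified. If omitted or empty, the field has no effect and the " +
					"logic of the APIKey field applies.",
				Type: "string",
				Enum: []apiextensionsv1beta1.JSON{
					{
						Raw: []byte(`"produce"`),
					},
					{
						Raw: []byte(`"consume"`),
					},
				},
			},
			"apiKey": {
				Description: "APIKey is a case-insensitive string matched against the key of " +
					"a request, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", " +
					"et al Reference: https://kafka.apache.org/protocol#protocol_api_keys\n\n" +
					"If omitted or empty, all keys are allowed.",
				Type: "string",
			},
			"apiVersion": {
				Description: "APIVersion is the version matched against the api version of the " +
					"Kafka message. If set, it has to be a string representing a positive " +
					"integer.\n\nIf omitted or empty, all versions are allowed.",
				Type: "string",
			},
			"clientID": {
				Description: "ClientID is the client identifier as provided in the request.\n\n" +
					"From Kafka protocol documentation: This is a user supplied identifier for " +
					"the client application. The user can use any identifier they like and it " +
					"will be used when logging errors, monitoring aggregates, etc. For " +
					"example, one might want to monitor not just the requests per second " +
					"overall, but the number coming from each client application (each of " +
					"which could reside on multiple servers). This id acts as a logical " +
					"grouping across all requests from a particular client.\n\nIf omitted or " +
					"empty, all client identifiers are allowed.",
				Type: "string",
			},
			"topic": {
				Description: "Topic is the topic name contained in the message. If a Kafka " +
					"request contains multiple topics, then all topics must be allowed or the " +
					"message will be rejected.\n\nThis constraint is ignored if the matched " +
					"request message type doesn't contain any topic. Maximum size of Topic can " +
					"be 249 characters as per recent Kafka spec and allowed characters are " +
					"a-z, A-Z, 0-9, -, . and _ Older Kafka versions had longer topic lengths " +
					"of 255, but in Kafka 0.10 version the length was changed from 255 to 249. " +
					"For compatibility reasons we are using 255\n\nIf omitted or empty, all " +
					"topics are allowed.",
				Type:      "string",
				MaxLength: getInt64(255),
			},
		},
	}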

	// PortRuleL7 is the schema for one entry of L7Rules."l7": an opaque
	// key/value object handed to the parser named by "l7proto". The
	// description requires string keys and values, but no
	// AdditionalProperties constraint is set here, so the API server accepts
	// any JSON object; the type check is left to the consumer.
	PortRuleL7 = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "PortRuleL7 is a map of {key,value} pairs which is passed to the " +
			"parser referenced in l7proto. It is up to the parser to define what to " +
			"do with the map data. If omitted or empty, all requests are allowed. " +
			"Both keys and values must be strings.",
	}

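	// Rule is the schema for a single policy rule. Only "endpointSelector"
	// (built by initRuleEndpointSelector, defined elsewhere) is required.
	//
	// The free-text description property was keyed as "Description" while
	// every other property here uses the lowerCamel JSON field name
	// ("egress", "ingress", "labels", "endpointSelector"); a capitalised key
	// never matches the serialised field, so its schema was simply never
	// applied. It is renamed to "description". NOTE(review): bump
	// CustomResourceDefinitionSchemaVersion with this schema change.
	Rule = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "Rule is a policy rule which must be applied to all endpoints which match " +
			"the labels contained in the endpointSelector\n\nEach rule is split into an " +
			"ingress section which contains all rules applicable at ingress, and an egress " +
			"section applicable at egress. For rule types such as `L4Rule` and `CIDR` which " +
			"can be applied at both ingress and egress, both ingress and egress side have to " +
			"either specifically allow the connection or one side has to be omitted.\n\n" +
			"Either ingress, egress, or both can be provided. If both ingress and egress are " +
			"omitted, the rule has no effect.",
		Required: []string{
			"endpointSelector",
		},
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"description": {
				Description: "Description is a free form string, it can be used by the creator " +
					"of the rule to store human readable explanation of the purpose of this " +
					"rule. Rules cannot be identified by comment.",
				Type: "string",
			},
			"egress": {
				Description: "Egress is a list of EgressRule which are enforced at egress. If " +
					"omitted or empty, this rule does not apply at egress.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &EgressRule,
				},
			},
			"endpointSelector": initRuleEndpointSelector(),
			"ingress": {
				Description: "Ingress is a list of IngressRule which are enforced at ingress. " +
					"If omitted or empty, this rule does not apply at ingress.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &IngressRule,
				},
			},
			"labels": {
				Description: "Labels is a list of optional strings which can be used to " +
					"re-identify the rule or to store metadata. It is possible to lookup or " +
					"delete strings based on labels. Labels are not required to be unique, " +
					"multiple rules can have overlapping or identical labels.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &Label,
				},
			},
		},
	}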

	// Service is the schema for one entry of "toServices": either a concrete
	// service+namespace ("k8sService") or a label selector over services
	// ("k8sServiceSelector", built by initK8sServiceSelector elsewhere).
	// Neither is required and nothing prevents both being set.
	Service = apiextensionsv1beta1.JSONSchemaProps{
		Type:        "object",
		Description: "Service wraps around selectors for services",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"k8sService":         K8sServiceNamespace,
			"k8sServiceSelector": initK8sServiceSelector(),
		},
	}

	// ServiceSelector is the schema for a label selector over Kubernetes
	// services: a required "selector" (the EndpointSelector schema) and an
	// optional "namespace". Note this takes EndpointSelector by value, so it
	// snapshots that schema at package initialisation.
	ServiceSelector = apiextensionsv1beta1.JSONSchemaProps{
		Type:        "object",
		Description: "ServiceSelector is a label selector for k8s services",
		Required: []string{
			"selector",
		},
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"selector": EndpointSelector,
			"namespace": {
				Type: "string",
			},
		},
	}
)

SchemeGroupVersion is the group version used to register these objects.

Functions

func CreateCustomResourceDefinitions

func CreateCustomResourceDefinitions(clientset apiextensionsclient.Interface) error

CreateCustomResourceDefinitions creates this package's CRD objects in the Kubernetes cluster.

func Resource

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

Types

type AddressPair

// AddressPair holds an IPv4 and/or an IPv6 address as strings; either may be
// empty, in which case it is omitted from the JSON encoding.
type AddressPair struct {
	// IPV4 is the IPv4 address, or empty if none.
	IPV4 string `json:"ipv4,omitempty"`
	// IPV6 is the IPv6 address, or empty if none.
	IPV6 string `json:"ipv6,omitempty"`
}

AddressPair is a pair of IPv4 and/or IPv6 addresses +k8s:deepcopy-gen=false

type AddressPairList

// AddressPairList is a list of AddressPair pointers; Sort orders it by
// address (see the method below).
type AddressPairList []*AddressPair

AddressPairList is a list of address pairs +k8s:deepcopy-gen=false

func (AddressPairList) Sort

func (a AddressPairList) Sort()

Sort sorts an AddressPairList by IPv4 and IPv6 address

type AllocationIP added in v1.6.0

// AllocationIP is an IP which is available for allocation, or already has
// been allocated. The same type is used for entries in Spec.IPAM.Pool and
// Status.IPAM.Used; only the Owner field distinguishes the two states.
type AllocationIP struct {
	// Owner is the owner of the IP. This field is set if the IP has been
	// allocated. It will be set to the pod name or another identifier
	// representing the usage of the IP
	//
	// The owner field is left blank for an entry in Spec.IPAM.Pool and
	// filled out as the IP is used and also added to Status.IPAM.Used.
	//
	// +optional
	Owner string `json:"owner,omitempty"`

	// Resource is set for both available and allocated IPs, it represents
	// what resource the IP is associated with, e.g. in combination with
	// AWS ENI, this will refer to the ID of the ENI
	//
	// +optional
	Resource string `json:"resource,omitempty"`
}

AllocationIP is an IP which is available for allocation, or already has been allocated

func (*AllocationIP) DeepCopy added in v1.6.0

func (in *AllocationIP) DeepCopy() *AllocationIP

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllocationIP.

func (*AllocationIP) DeepCopyInto added in v1.6.0

func (in *AllocationIP) DeepCopyInto(out *AllocationIP)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AllowedIdentityList

// AllowedIdentityList is a list of AllowedIdentityTuple. Its Sort method
// orders entries by numeric identity, port and protocol.
// +k8s:deepcopy-gen=false
type AllowedIdentityList []AllowedIdentityTuple

AllowedIdentityList is a list of AllowedIdentityTuple +k8s:deepcopy-gen=false

func (AllowedIdentityList) Sort

func (a AllowedIdentityList) Sort()

Sort sorts a list AllowedIdentityTuple by numeric identity, port and protocol

type AllowedIdentityTuple

// AllowedIdentityTuple specifies an allowed peer by identity, destination
// port and protocol. Every field carries omitempty, so a zero value (identity
// 0, port 0, protocol 0) is indistinguishable from an absent field in the
// serialized form.
// +k8s:deepcopy-gen=false
type AllowedIdentityTuple struct {
	// Identity is the numeric security identity of the allowed peer.
	Identity       uint64            `json:"identity,omitempty"`
	// IdentityLabels are the labels that make up the peer identity.
	IdentityLabels map[string]string `json:"identity-labels,omitempty"`
	// DestPort is the destination L4 port.
	DestPort       uint16            `json:"dest-port,omitempty"`
	// Protocol is the L4 protocol number.
	Protocol       uint8             `json:"protocol,omitempty"`
}

AllowedIdentityTuple specifies an allowed peer by identity, destination port and protocol +k8s:deepcopy-gen=false

type AwsSubnet added in v1.6.0

// AwsSubnet stores information regarding an AWS subnet.
type AwsSubnet struct {
	// ID is the ID of the subnet
	ID string `json:"id,omitempty"`

	// CIDR is the CIDR range associated with the subnet
	CIDR string `json:"cidr,omitempty"`
}

AwsSubnet stores information regarding an AWS subnet

func (*AwsSubnet) DeepCopy added in v1.6.0

func (in *AwsSubnet) DeepCopy() *AwsSubnet

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AwsSubnet.

func (*AwsSubnet) DeepCopyInto added in v1.6.0

func (in *AwsSubnet) DeepCopyInto(out *AwsSubnet)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AwsVPC added in v1.6.0

// AwsVPC stores information regarding an AWS VPC.
type AwsVPC struct {
	// ID is the ID of a VPC
	ID string `json:"id,omitempty"`

	// PrimaryCIDR is the primary CIDR of the VPC
	PrimaryCIDR string `json:"primary-cidr,omitempty"`

	// CIDRs is the list of CIDR ranges associated with the VPC
	CIDRs []string `json:"cidrs,omitempty"`
}

AwsVPC stores information regarding an AWS VPC

func (*AwsVPC) DeepCopy added in v1.6.0

func (in *AwsVPC) DeepCopy() *AwsVPC

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AwsVPC.

func (*AwsVPC) DeepCopyInto added in v1.6.0

func (in *AwsVPC) DeepCopyInto(out *AwsVPC)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CiliumEndpoint

// CiliumEndpoint is the CRD representation of a Cilium endpoint. It carries
// no Spec section; the only payload is the Status reported by the agent.
// +k8s:openapi-gen=false
type CiliumEndpoint struct {
	// +k8s:openapi-gen=false
	metav1.TypeMeta `json:",inline"`
	// +k8s:openapi-gen=false
	metav1.ObjectMeta `json:"metadata"`

	// Status is the agent-reported state of the endpoint; always serialized
	// (no omitempty).
	Status EndpointStatus `json:"status"`
}

CiliumEndpoint is the status of a Cilium policy rule +k8s:openapi-gen=false

func (*CiliumEndpoint) DeepCopy

func (in *CiliumEndpoint) DeepCopy() *CiliumEndpoint

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumEndpoint.

func (*CiliumEndpoint) DeepCopyInto

func (in *CiliumEndpoint) DeepCopyInto(out *CiliumEndpoint)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CiliumEndpoint) DeepCopyObject

func (in *CiliumEndpoint) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CiliumEndpointList

// CiliumEndpointList is a list of CiliumEndpoint objects.
// +k8s:openapi-gen=false
type CiliumEndpointList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`

	// Items is a list of CiliumEndpoint
	Items []CiliumEndpoint `json:"items"`
}

CiliumEndpointList is a list of CiliumEndpoint objects +k8s:openapi-gen=false

func (*CiliumEndpointList) DeepCopy

func (in *CiliumEndpointList) DeepCopy() *CiliumEndpointList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumEndpointList.

func (*CiliumEndpointList) DeepCopyInto

func (in *CiliumEndpointList) DeepCopyInto(out *CiliumEndpointList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CiliumEndpointList) DeepCopyObject

func (in *CiliumEndpointList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CiliumIdentity added in v1.6.0

// CiliumIdentity is a CRD that represents an identity managed by Cilium. It
// acts as the backing store for identity allocation and can replace a KVStore
// (such as etcd) for that purpose. The object name is the numeric identity;
// the ObjectMeta labels are the kubernetes-sourced labels and are only a
// search aid. SecurityLabels, which also carries the label source, is what
// defines the identity.
type CiliumIdentity struct {
	// +k8s:openapi-gen=false
	metav1.TypeMeta `json:",inline"`
	// +k8s:openapi-gen=false
	metav1.ObjectMeta `json:"metadata"`

	// SecurityLabels is the source-of-truth set of labels for this identity.
	// Do not derive the identity from ObjectMeta labels; those are filtered
	// to kubernetes sources only.
	SecurityLabels map[string]string `json:"security-labels"`

	// Status records which nodes are using this identity and when they last
	// refreshed their entry (see IdentityStatus).
	Status IdentityStatus `json:"status"`
}

CiliumIdentity is a CRD that represents an identity managed by Cilium. It is intended as a backing store for identity allocation, acting as the global coordination backend, and can be used in place of a KVStore (such as etcd). The name of the CRD is the numeric identity and the labels on the CRD object are the kubernetes-sourced labels seen by cilium. This is currently the only label source possible when running under kubernetes. Non-kubernetes labels are filtered but all labels, from all sources, are placed in the SecurityLabels field. These also include the source and are used to define the identity. The labels under metav1.ObjectMeta can be used when searching for CiliumIdentity instances that include particular labels. This can be done with invocations such as:

kubectl get ciliumid -l 'foo=bar'

Each node using a ciliumidentity updates the status field with its name and a timestamp when it first allocates or uses an identity, and periodically after that. It deletes its entry when no longer using this identity. cilium-operator uses the list of nodes in status to reference count users of this identity, and to expire stale usage.

func (*CiliumIdentity) DeepCopy added in v1.6.0

func (in *CiliumIdentity) DeepCopy() *CiliumIdentity

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumIdentity.

func (*CiliumIdentity) DeepCopyInto added in v1.6.0

func (in *CiliumIdentity) DeepCopyInto(out *CiliumIdentity)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CiliumIdentity) DeepCopyObject added in v1.6.0

func (in *CiliumIdentity) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CiliumIdentityList added in v1.6.0

// CiliumIdentityList is a list of CiliumIdentity objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type CiliumIdentityList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`

	// Items is a list of CiliumIdentity
	Items []CiliumIdentity `json:"items"`
}

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

CiliumIdentityList is a list of CiliumIdentity objects

func (*CiliumIdentityList) DeepCopy added in v1.6.0

func (in *CiliumIdentityList) DeepCopy() *CiliumIdentityList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumIdentityList.

func (*CiliumIdentityList) DeepCopyInto added in v1.6.0

func (in *CiliumIdentityList) DeepCopyInto(out *CiliumIdentityList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CiliumIdentityList) DeepCopyObject added in v1.6.0

func (in *CiliumIdentityList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CiliumNetworkPolicy

// CiliumNetworkPolicy is a Kubernetes third-party resource with an extended
// version of NetworkPolicy. A policy object may carry a single rule in Spec,
// a list of rules in Specs, or both; Parse() flattens them into api.Rules.
// +k8s:openapi-gen=false
type CiliumNetworkPolicy struct {
	// +k8s:openapi-gen=false
	metav1.TypeMeta `json:",inline"`
	// +k8s:openapi-gen=false
	metav1.ObjectMeta `json:"metadata"`

	// Spec is the desired Cilium specific rule specification.
	// Optional: nil when the policy only uses Specs.
	Spec *api.Rule `json:"spec,omitempty"`

	// Specs is a list of desired Cilium specific rule specification.
	Specs api.Rules `json:"specs,omitempty"`

	// Status is the status of the Cilium policy rule
	// +optional
	Status CiliumNetworkPolicyStatus `json:"status"`
}

CiliumNetworkPolicy is a Kubernetes third-party resource with an extended version of NetworkPolicy

func (*CiliumNetworkPolicy) AnnotationsEquals

func (r *CiliumNetworkPolicy) AnnotationsEquals(o *CiliumNetworkPolicy) bool

AnnotationsEquals returns true if ObjectMeta.Annotations of each CiliumNetworkPolicy are equivalent (i.e., they contain equivalent key-value pairs).

func (*CiliumNetworkPolicy) DeepCopy

func (in *CiliumNetworkPolicy) DeepCopy() *CiliumNetworkPolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNetworkPolicy.

func (*CiliumNetworkPolicy) DeepCopyInto

func (in *CiliumNetworkPolicy) DeepCopyInto(out *CiliumNetworkPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CiliumNetworkPolicy) DeepCopyObject

func (in *CiliumNetworkPolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*CiliumNetworkPolicy) GetControllerName

func (r *CiliumNetworkPolicy) GetControllerName() string

GetControllerName returns the unique name for the controller manager.

func (*CiliumNetworkPolicy) GetIdentityLabels

func (r *CiliumNetworkPolicy) GetIdentityLabels() labels.LabelArray

GetIdentityLabels returns all rule labels in the CiliumNetworkPolicy.

func (*CiliumNetworkPolicy) GetPolicyStatus

func (r *CiliumNetworkPolicy) GetPolicyStatus(nodeName string) CiliumNetworkPolicyNodeStatus

GetPolicyStatus returns the CiliumNetworkPolicyNodeStatus corresponding to nodeName in the provided CiliumNetworkPolicy. If Nodes within the rule's Status is nil, returns an empty CiliumNetworkPolicyNodeStatus.

func (*CiliumNetworkPolicy) Parse

func (r *CiliumNetworkPolicy) Parse() (api.Rules, error)

Parse parses a CiliumNetworkPolicy and returns a list of cilium policy rules.

func (*CiliumNetworkPolicy) RequiresDerivative

func (r *CiliumNetworkPolicy) RequiresDerivative() bool

RequiresDerivative returns true if the CNP has any rule that will create a new derivative rule.

func (*CiliumNetworkPolicy) SetDerivedPolicyStatus

func (r *CiliumNetworkPolicy) SetDerivedPolicyStatus(derivativePolicyName string, status CiliumNetworkPolicyNodeStatus)

SetDerivedPolicyStatus sets the derivative policy status for the given derivative policy name.

func (*CiliumNetworkPolicy) SetPolicyStatus

func (r *CiliumNetworkPolicy) SetPolicyStatus(nodeName string, cnpns CiliumNetworkPolicyNodeStatus)

SetPolicyStatus sets the given policy status for the given nodes' map

func (*CiliumNetworkPolicy) SpecEquals

func (r *CiliumNetworkPolicy) SpecEquals(o *CiliumNetworkPolicy) bool

SpecEquals returns true if the spec and specs metadata is the same.

func (*CiliumNetworkPolicy) String

func (r *CiliumNetworkPolicy) String() string

type CiliumNetworkPolicyList

// CiliumNetworkPolicyList is a list of CiliumNetworkPolicy objects.
// +k8s:openapi-gen=false
type CiliumNetworkPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`

	// Items is a list of CiliumNetworkPolicy
	Items []CiliumNetworkPolicy `json:"items"`
}

CiliumNetworkPolicyList is a list of CiliumNetworkPolicy objects +k8s:openapi-gen=false

func (*CiliumNetworkPolicyList) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNetworkPolicyList.

func (*CiliumNetworkPolicyList) DeepCopyInto

func (in *CiliumNetworkPolicyList) DeepCopyInto(out *CiliumNetworkPolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CiliumNetworkPolicyList) DeepCopyObject

func (in *CiliumNetworkPolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CiliumNetworkPolicyNodeStatus

// CiliumNetworkPolicyNodeStatus is the status of a Cilium policy rule for a
// specific node. OK and Enforcing are distinct: a policy can be imported
// (OK) before every affected endpoint has regenerated (Enforcing).
type CiliumNetworkPolicyNodeStatus struct {
	// OK is true when the policy has been parsed and imported successfully
	// into the in-memory policy repository on the node.
	OK bool `json:"ok,omitempty"`

	// Error describes any error that occurred when parsing or importing the
	// policy, or realizing the policy for the endpoints to which it applies
	// on the node.
	Error string `json:"error,omitempty"`

	// LastUpdated contains the last time this status was updated
	LastUpdated Timestamp `json:"lastUpdated,omitempty"`

	// Revision is the policy revision of the repository which first implemented
	// this policy.
	Revision uint64 `json:"localPolicyRevision,omitempty"`

	// Enforcing is set to true once all endpoints present at the time the
	// policy has been imported are enforcing this policy.
	Enforcing bool `json:"enforcing,omitempty"`

	// Annotations corresponds to the Annotations in the ObjectMeta of the CNP
	// that have been realized on the node for CNP. That is, if a CNP has been
	// imported and has been assigned annotation X=Y by the user,
	// Annotations in CiliumNetworkPolicyNodeStatus will be X=Y once the
	// CNP that was imported corresponding to Annotation X=Y has been realized on
	// the node.
	Annotations map[string]string `json:"annotations,omitempty"`
}

CiliumNetworkPolicyNodeStatus is the status of a Cilium policy rule for a specific node

func (*CiliumNetworkPolicyNodeStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNetworkPolicyNodeStatus.

func (*CiliumNetworkPolicyNodeStatus) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CiliumNetworkPolicyStatus

// CiliumNetworkPolicyStatus is the status of a Cilium policy rule, keyed by
// node name (Nodes) and by derivative policy name (DerivativePolicies).
// Either map may be nil; GetPolicyStatus documents the nil-Nodes behaviour.
type CiliumNetworkPolicyStatus struct {
	// Nodes is the Cilium policy status for each node
	Nodes map[string]CiliumNetworkPolicyNodeStatus `json:"nodes,omitempty"`

	// DerivativePolicies is the status of all policies derived from the Cilium
	// policy
	DerivativePolicies map[string]CiliumNetworkPolicyNodeStatus `json:"derivativePolicies,omitempty"`
}

CiliumNetworkPolicyStatus is the status of a Cilium policy rule

func (*CiliumNetworkPolicyStatus) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNetworkPolicyStatus.

func (*CiliumNetworkPolicyStatus) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CiliumNode added in v1.6.0

// CiliumNode represents a node managed by Cilium. It contains a specification
// to control various node specific configuration aspects and a status section
// to represent the status of the node. Both sections are always serialized
// (no omitempty on Spec or Status).
type CiliumNode struct {
	// +k8s:openapi-gen=false
	metav1.TypeMeta `json:",inline"`
	// +k8s:openapi-gen=false
	metav1.ObjectMeta `json:"metadata"`

	// Spec defines the desired specification/configuration of the node
	Spec NodeSpec `json:"spec"`

	// Status defines the realized specification/configuration and status
	// of the node
	Status NodeStatus `json:"status"`
}

CiliumNode represents a node managed by Cilium. It contains a specification to control various node specific configuration aspects and a status section to represent the status of the node

func (*CiliumNode) DeepCopy added in v1.6.0

func (in *CiliumNode) DeepCopy() *CiliumNode

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNode.

func (*CiliumNode) DeepCopyInto added in v1.6.0

func (in *CiliumNode) DeepCopyInto(out *CiliumNode)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CiliumNode) DeepCopyObject added in v1.6.0

func (in *CiliumNode) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CiliumNodeList added in v1.6.0

// CiliumNodeList is a list of CiliumNode objects.
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
type CiliumNodeList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata"`

	// Items is a list of CiliumNode
	Items []CiliumNode `json:"items"`
}

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

CiliumNodeList is a list of CiliumNode objects

func (*CiliumNodeList) DeepCopy added in v1.6.0

func (in *CiliumNodeList) DeepCopy() *CiliumNodeList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNodeList.

func (*CiliumNodeList) DeepCopyInto added in v1.6.0

func (in *CiliumNodeList) DeepCopyInto(out *CiliumNodeList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CiliumNodeList) DeepCopyObject added in v1.6.0

func (in *CiliumNodeList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ControllerList

// ControllerList is a list of ControllerStatus. Its Sort method orders the
// entries by controller name.
// +k8s:deepcopy-gen=false
type ControllerList []ControllerStatus

ControllerList is a list of ControllerStatus +k8s:deepcopy-gen=false

func (ControllerList) Sort

func (c ControllerList) Sort()

Sort sorts the ControllerList by controller name

type ControllerStatus

// ControllerStatus is the status of a failing controller.
// +k8s:deepcopy-gen=false
type ControllerStatus struct {
	// Name is the name of the controller
	Name string `json:"name,omitempty"`

	// Configuration is the controller configuration
	Configuration *models.ControllerStatusConfiguration `json:"configuration,omitempty"`

	// Status is the status of the controller
	Status ControllerStatusStatus `json:"status,omitempty"`

	// UUID is the UUID of the controller
	UUID string `json:"uuid,omitempty"`
}

ControllerStatus is the status of a failing controller +k8s:deepcopy-gen=false

type ControllerStatusStatus

// ControllerStatusStatus is the detailed status section of a controller.
// The timestamp fields are plain strings rather than time values, so they
// are compared and sorted lexically by consumers.
// +k8s:deepcopy-gen=false
type ControllerStatusStatus struct {
	ConsecutiveFailureCount int64  `json:"consecutive-failure-count,omitempty"`
	FailureCount            int64  `json:"failure-count,omitempty"`
	LastFailureMsg          string `json:"last-failure-msg,omitempty"`
	LastFailureTimestamp    string `json:"last-failure-timestamp,omitempty"`
	LastSuccessTimestamp    string `json:"last-success-timestamp,omitempty"`
	SuccessCount            int64  `json:"success-count,omitempty"`
}

ControllerStatusStatus is the detailed status section of a controller +k8s:deepcopy-gen=false

type DeprecatedEndpointStatus

// DeprecatedEndpointStatus is the original endpoint status provided for
// backwards compatibility. See EndpointStatus for descriptions of fields.
// +k8s:deepcopy-gen=false
type DeprecatedEndpointStatus struct {
	Controllers ControllerList                 `json:"controllers,omitempty"`
	Identity    *EndpointIdentity              `json:"identity,omitempty"`
	Log         []*models.EndpointStatusChange `json:"log,omitempty"`
	Networking  *EndpointNetworking            `json:"networking,omitempty"`
	State       string                         `json:"state,omitempty"`

	// These fields are no longer populated
	Realized            *deprecatedEndpointConfigurationSpec `json:"realized,omitempty"`
	Labels              *deprecatedLabelConfigurationStatus  `json:"labels,omitempty"`
	Policy              *models.EndpointPolicyStatus         `json:"policy,omitempty"`
	ExternalIdentifiers *models.EndpointIdentifiers          `json:"external-identifiers,omitempty"`
	Health              *models.EndpointHealth               `json:"health,omitempty"`
}

DeprecatedEndpointStatus is the original endpoint status provided for backwards compatibility.

See EndpointStatus for descriptions of fields +k8s:deepcopy-gen=false

type ENI added in v1.6.0

// ENI represents an AWS Elastic Network Interface.
//
// More details: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
type ENI struct {
	// ID is the ENI ID
	//
	// +optional
	ID string `json:"id,omitempty"`

	// IP is the primary IP of the ENI
	//
	// +optional
	IP string `json:"ip,omitempty"`

	// MAC is the mac address of the ENI
	//
	// +optional
	MAC string `json:"mac,omitempty"`

	// AvailabilityZone is the availability zone of the ENI
	//
	// +optional
	AvailabilityZone string `json:"availability-zone,omitempty"`

	// Description is the description field of the ENI
	//
	// +optional
	Description string `json:"description,omitempty"`

	// Number is the interface index, it is used in combination with
	// FirstInterfaceIndex
	//
	// +optional
	Number int `json:"number,omitempty"`

	// Subnet is the subnet the ENI is associated with
	//
	// +optional
	Subnet AwsSubnet `json:"subnet,omitempty"`

	// VPC is the VPC information to which the ENI is attached to
	//
	// +optional
	VPC AwsVPC `json:"vpc,omitempty"`

	// Addresses is the list of all IPs associated with the ENI, including
	// all secondary addresses
	//
	// +optional
	Addresses []string `json:"addresses,omitempty"`

	// SecurityGroups are the security groups associated with the ENI.
	// This is the realized state as observed on the interface; the desired
	// set is configured via ENISpec.SecurityGroups.
	SecurityGroups []string `json:"security-groups,omitempty"`
}

ENI represents an AWS Elastic Network Interface

More details: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

func (*ENI) DeepCopy added in v1.6.0

func (in *ENI) DeepCopy() *ENI

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ENI.

func (*ENI) DeepCopyInto added in v1.6.0

func (in *ENI) DeepCopyInto(out *ENI)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ENISpec added in v1.6.0

// ENISpec is the ENI specification of a node. This specification is
// considered by the cilium-operator to act as an IPAM operator and makes ENI
// IPs available via the IPAMSpec section.
//
// The ENI specification can either be provided explicitly by the user or the
// cilium agent running on the node can be instructed to create the CiliumNode
// custom resource along with an ENI specification when the node registers
// itself to the Kubernetes cluster.
type ENISpec struct {
	// InstanceID is the AWS InstanceId of the node. The InstanceID is used
	// to retrieve AWS metadata for the node.
	InstanceID string `json:"instance-id,omitempty"`

	// InstanceType is the AWS EC2 instance type, e.g. "m5.large"
	InstanceType string `json:"instance-type,omitempty"`

	// MinAllocate is the minimum number of IPs that must be allocated when
	// the node is first bootstrapped. It defines the minimum base socket
	// of addresses that must be available. After reaching this watermark,
	// the PreAllocate and MaxAboveWatermark logic takes over to continue
	// allocating IPs.
	//
	// +optional
	MinAllocate int `json:"min-allocate,omitempty"`

	// PreAllocate defines the number of IP addresses that must be
	// available for allocation in the IPAMspec. It defines the buffer of
	// addresses available immediately without requiring cilium-operator to
	// get involved.
	//
	// +optional
	PreAllocate int `json:"pre-allocate,omitempty"`

	// MaxAboveWatermark is the maximum number of addresses to allocate
	// beyond the addresses needed to reach the PreAllocate watermark.
	// Going above the watermark can help reduce the number of API calls to
	// allocate IPs, e.g. when a new ENI is allocated, as many secondary
	// IPs as possible are allocated. Limiting the amount can help reduce
	// waste of IPs.
	//
	// +optional
	MaxAboveWatermark int `json:"max-above-watermark,omitempty"`

	// FirstInterfaceIndex is the index of the first ENI to use for IP
	// allocation, e.g. if the node has eth0, eth1, eth2 and
	// FirstInterfaceIndex is set to 1, then only eth1 and eth2 will be
	// used for IP allocation, eth0 will be ignored for PodIP allocation.
	//
	// +optional
	FirstInterfaceIndex int `json:"first-interface-index,omitempty"`

	// SecurityGroups is the list of security groups to attach to any ENI
	// that is created and attached to the instance. This is the desired
	// state; the groups actually present on an interface are reported in
	// ENI.SecurityGroups.
	//
	// +optional
	SecurityGroups []string `json:"security-groups,omitempty"`

	// SubnetTags is the list of tags to use when evaluating what AWS
	// subnets to use for ENI and IP allocation
	//
	// +optional
	SubnetTags map[string]string `json:"subnet-tags,omitempty"`

	// VpcID is the VPC ID to use when allocating ENIs
	VpcID string `json:"vpc-id,omitempty"`

	// AvailabilityZone is the availability zone to use when allocating
	// ENIs
	AvailabilityZone string `json:"availability-zone,omitempty"`

	// DeleteOnTermination defines that the ENI should be deleted when the
	// associated instance is terminated
	//
	// +optional
	DeleteOnTermination bool `json:"delete-on-termination,omitempty"`
}

ENISpec is the ENI specification of a node. This specification is considered by the cilium-operator to act as an IPAM operator and makes ENI IPs available via the IPAMSpec section.

The ENI specification can either be provided explicitly by the user or the cilium agent running on the node can be instructed to create the CiliumNode custom resource along with an ENI specification when the node registers itself to the Kubernetes cluster.

func (*ENISpec) DeepCopy added in v1.6.0

func (in *ENISpec) DeepCopy() *ENISpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ENISpec.

func (*ENISpec) DeepCopyInto added in v1.6.0

func (in *ENISpec) DeepCopyInto(out *ENISpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ENIStatus added in v1.6.0

// ENIStatus is the status of ENI addressing of the node.
type ENIStatus struct {
	// ENIs is the list of ENIs on the node, keyed by ENI ID.
	//
	// +optional
	ENIs map[string]ENI `json:"enis,omitempty"`
}

ENIStatus is the status of ENI addressing of the node

func (*ENIStatus) DeepCopy added in v1.6.0

func (in *ENIStatus) DeepCopy() *ENIStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ENIStatus.

func (*ENIStatus) DeepCopyInto added in v1.6.0

func (in *ENIStatus) DeepCopyInto(out *ENIStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type EncryptionSpec added in v1.6.0

// EncryptionSpec defines the encryption relevant configuration of a node.
type EncryptionSpec struct {
	// Key is the index to the key to use for encryption or 0 if encryption
	// is disabled. Because of omitempty, "disabled" (0) and "field absent"
	// serialize identically; consumers must treat a missing key as disabled.
	//
	// +optional
	Key int `json:"key,omitempty"`
}

EncryptionSpec defines the encryption relevant configuration of a node

func (*EncryptionSpec) DeepCopy added in v1.6.0

func (in *EncryptionSpec) DeepCopy() *EncryptionSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionSpec.

func (*EncryptionSpec) DeepCopyInto added in v1.6.0

func (in *EncryptionSpec) DeepCopyInto(out *EncryptionSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type EndpointIdentity

// EndpointIdentity is the identity information of an endpoint.
type EndpointIdentity struct {
	// ID is the numeric identity of the endpoint
	ID int64 `json:"id,omitempty"`

	// Labels is the list of labels associated with the identity
	Labels []string `json:"labels,omitempty"`

	// Deprecated fields
	// LabelsSHA256 is retained for wire compatibility only; Labels is the
	// authoritative representation.
	LabelsSHA256 string `json:"labelsSHA256,omitempty"`
}

EndpointIdentity is the identity information of an endpoint

func (*EndpointIdentity) DeepCopy added in v1.6.0

func (in *EndpointIdentity) DeepCopy() *EndpointIdentity

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointIdentity.

func (*EndpointIdentity) DeepCopyInto added in v1.6.0

func (in *EndpointIdentity) DeepCopyInto(out *EndpointIdentity)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type EndpointNetworking

// EndpointNetworking is the addressing information of an endpoint.
type EndpointNetworking struct {
	// IP4/6 addresses assigned to this Endpoint. Always serialized (no
	// omitempty), so an endpoint without addresses emits "addressing": null.
	Addressing AddressPairList `json:"addressing"`

	// NodeIP is the IP of the node the endpoint is running on. The IP must
	// be reachable between nodes.
	NodeIP string `json:"node,omitempty"`

	// Deprecated fields
	HostAddressing *models.NodeAddressing `json:"host-addressing,omitempty"`
	HostMac        string                 `json:"host-mac,omitempty"`
	InterfaceIndex int64                  `json:"interface-index,omitempty"`
	InterfaceName  string                 `json:"interface-name,omitempty"`
	Mac            string                 `json:"mac,omitempty"`
}

EndpointNetworking is the addressing information of an endpoint

func (*EndpointNetworking) DeepCopy added in v1.6.0

func (in *EndpointNetworking) DeepCopy() *EndpointNetworking

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointNetworking.

func (*EndpointNetworking) DeepCopyInto added in v1.6.0

func (in *EndpointNetworking) DeepCopyInto(out *EndpointNetworking)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type EndpointPolicy

// EndpointPolicy represents the endpoint's policy by listing all allowed
// ingress and egress identities in combination with L4 port and protocol.
// Either direction may be nil when no policy is reported for it.
// +k8s:deepcopy-gen=false
type EndpointPolicy struct {
	Ingress *EndpointPolicyDirection `json:"ingress,omitempty"`
	Egress  *EndpointPolicyDirection `json:"egress,omitempty"`
}

EndpointPolicy represents the endpoint's policy by listing all allowed ingress and egress identities in combination with L4 port and protocol +k8s:deepcopy-gen=false

type EndpointPolicyDirection

// EndpointPolicyDirection is the list of allowed identities per direction.
// Enforcing has no omitempty and is therefore always emitted, so a reader
// can tell "not enforcing" apart from "not reported".
// +k8s:deepcopy-gen=false
type EndpointPolicyDirection struct {
	// Enforcing is true when policy is being enforced in this direction.
	Enforcing bool                `json:"enforcing"`
	// Allowed is the currently allowed set of peers.
	Allowed   AllowedIdentityList `json:"allowed,omitempty"`
	// Removing lists peers in the process of being removed from Allowed.
	Removing  AllowedIdentityList `json:"removing,omitempty"`
	// Adding lists peers in the process of being added to Allowed.
	Adding    AllowedIdentityList `json:"adding,omitempty"`
}

EndpointPolicyDirection is the list of allowed identities per direction +k8s:deepcopy-gen=false

type EndpointStatus

// EndpointStatus is the status of a Cilium endpoint.
//
// The custom deepcopy function for this type is a hand-written workaround:
// a deepcopy can be generated for EndpointStatus but not for the various
// models.* types it includes, since generators cannot emit functions for
// types in other packages and models.Endpoint cannot be changed to use
// proxy types defined here.
// +k8s:deepcopy-gen=false
type EndpointStatus struct {
	// The cilium-agent-local ID of the endpoint
	ID int64 `json:"id,omitempty"`

	// Controllers is the list of failing controllers for this endpoint
	Controllers ControllerList `json:"controllers,omitempty"`

	// ExternalIdentifiers is a set of identifiers to identify the endpoint
	// apart from the pod name. This includes container runtime IDs.
	ExternalIdentifiers *models.EndpointIdentifiers `json:"external-identifiers,omitempty"`

	// Summary overall endpoint & subcomponent health
	Health *models.EndpointHealth `json:"health,omitempty"`

	// Identity is the security identity associated with the endpoint
	Identity *EndpointIdentity `json:"identity,omitempty"`

	// Log is the list of the last few warning and error log entries
	Log []*models.EndpointStatusChange `json:"log,omitempty"`

	// Networking properties of the endpoint
	//
	// +optional
	Networking *EndpointNetworking `json:"networking,omitempty"`

	// Encryption is the encryption configuration of the node
	//
	// +optional
	Encryption EncryptionSpec `json:"encryption,omitempty"`

	// Policy is the realized ingress/egress policy of the endpoint; nil when
	// no policy is reported.
	Policy *EndpointPolicy `json:"policy,omitempty"`

	// State is the state of the endpoint
	//
	// States are:
	// - creating
	// - waiting-for-identity
	// - not-ready
	// - waiting-to-regenerate
	// - regenerating
	// - restoring
	// - ready
	// - disconnecting
	// - disconnected
	State string `json:"state,omitempty"`

	// Deprecated fields
	Spec   *deprecatedEndpointConfigurationSpec `json:"spec,omitempty"`
	Status *DeprecatedEndpointStatus            `json:"status,omitempty"`
}

EndpointStatus is the status of a Cilium endpoint. The custom deepcopy function below is a workaround. We can generate a deepcopy for EndpointStatus but not for the various models.* types it includes. We can't generate functions for classes in other packages, nor can we change the models.Endpoint type to use proxy types we define here. +k8s:deepcopy-gen=false

func (*EndpointStatus) DeepCopyInto

func (m *EndpointStatus) DeepCopyInto(out *EndpointStatus)

DeepCopyInto is an inefficient hack to allow reusing models.Endpoint in the CiliumEndpoint CRD.

func (*EndpointStatus) MarshalBinary

func (m *EndpointStatus) MarshalBinary() ([]byte, error)

MarshalBinary interface implementation

func (*EndpointStatus) UnmarshalBinary

func (m *EndpointStatus) UnmarshalBinary(b []byte) error

UnmarshalBinary interface implementation

type HealthAddressingSpec added in v1.6.0

// HealthAddressingSpec is the addressing information required to do
// connectivity health checking.
type HealthAddressingSpec struct {
	// IPv4 is the IPv4 address of the IPv4 health endpoint
	//
	// +optional
	IPv4 string `json:"ipv4,omitempty"`

	// IPv6 is the IPv6 address of the IPv6 health endpoint
	//
	// +optional
	IPv6 string `json:"ipv6,omitempty"`
}

HealthAddressingSpec is the addressing information required to do connectivity health checking

func (*HealthAddressingSpec) DeepCopy added in v1.6.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HealthAddressingSpec.

func (*HealthAddressingSpec) DeepCopyInto added in v1.6.0

func (in *HealthAddressingSpec) DeepCopyInto(out *HealthAddressingSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IPAMSpec added in v1.6.0

// IPAMSpec is the IPAM specification of the node.
//
// Neither field carries validation in this type (only JSON tags); the
// CIDR strings in PodCIDRs and the keys of Pool are stored as given.
// NOTE(review): whether syntax checking happens in the operator or the
// agent before use is not visible here — confirm in the consumer.
type IPAMSpec struct {
	// Pool is the list of IPs available to the node for allocation. When
	// an IP is used, the IP will remain on this list but will be added to
	// Status.IPAM.Used
	//
	// +optional
	Pool map[string]AllocationIP `json:"pool,omitempty"`

	// PodCIDRs is the list of CIDRs available to the node for allocation.
	// When an IP is used, the IP will be added to Status.IPAM.Used
	//
	// +optional
	PodCIDRs []string `json:"podCIDRs,omitempty"`
}

IPAMSpec is the IPAM specification of the node

func (*IPAMSpec) DeepCopy added in v1.6.0

func (in *IPAMSpec) DeepCopy() *IPAMSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPAMSpec.

func (*IPAMSpec) DeepCopyInto added in v1.6.0

func (in *IPAMSpec) DeepCopyInto(out *IPAMSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IPAMStatus added in v1.6.0

// IPAMStatus is the IPAM status of a node.
type IPAMStatus struct {
	// Used lists all IPs out of Spec.IPAM.Pool which have been allocated
	// and are in use. Keys mirror those of Spec.IPAM.Pool.
	//
	// +optional
	Used map[string]AllocationIP `json:"used,omitempty"`
}

IPAMStatus is the IPAM status of a node

func (*IPAMStatus) DeepCopy added in v1.6.0

func (in *IPAMStatus) DeepCopy() *IPAMStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPAMStatus.

func (*IPAMStatus) DeepCopyInto added in v1.6.0

func (in *IPAMStatus) DeepCopyInto(out *IPAMStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IdentityStatus added in v1.6.0

// IdentityStatus is the status of an identity.
type IdentityStatus struct {
	// Nodes maps a node identifier to a metav1.Time.
	// NOTE(review): the exact meaning of the key and of the timestamp is
	// not documented in this type — confirm against the code that
	// populates it before relying on either.
	Nodes map[string]metav1.Time `json:"nodes,omitempty"`
}

IdentityStatus is the status of an identity

func (*IdentityStatus) DeepCopy added in v1.6.0

func (in *IdentityStatus) DeepCopy() *IdentityStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityStatus.

func (*IdentityStatus) DeepCopyInto added in v1.6.0

func (in *IdentityStatus) DeepCopyInto(out *IdentityStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type NodeAddress added in v1.6.0

// NodeAddress is a node address.
type NodeAddress struct {
	// Type is the type of the node address
	Type addressing.AddressType `json:"type,omitempty"`

	// IP is an IP of a node. It is carried as a plain string; this type
	// does not validate its format.
	IP string `json:"ip,omitempty"`
}

NodeAddress is a node address

func (*NodeAddress) DeepCopy added in v1.6.0

func (in *NodeAddress) DeepCopy() *NodeAddress

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeAddress.

func (*NodeAddress) DeepCopyInto added in v1.6.0

func (in *NodeAddress) DeepCopyInto(out *NodeAddress)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type NodeSpec added in v1.6.0

// NodeSpec is the configuration specific to a node.
//
// Every field is optional; none of the nested types declares validation
// beyond the JSON tags shown here.
type NodeSpec struct {
	// Addresses is the list of all node addresses
	//
	// +optional
	Addresses []NodeAddress `json:"addresses,omitempty"`

	// HealthAddressing is the addressing information for health
	// connectivity checking
	//
	// +optional
	HealthAddressing HealthAddressingSpec `json:"health,omitempty"`

	// Encryption is the encryption configuration of the node
	//
	// +optional
	Encryption EncryptionSpec `json:"encryption,omitempty"`

	// ENI is the AWS ENI specific configuration
	//
	// +optional
	ENI ENISpec `json:"eni,omitempty"`

	// IPAM is the address management specification. This section can be
	// populated by a user or it can be automatically populated by an IPAM
	// operator
	//
	// +optional
	IPAM IPAMSpec `json:"ipam,omitempty"`
}

NodeSpec is the configuration specific to a node

func (*NodeSpec) DeepCopy added in v1.6.0

func (in *NodeSpec) DeepCopy() *NodeSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeSpec.

func (*NodeSpec) DeepCopyInto added in v1.6.0

func (in *NodeSpec) DeepCopyInto(out *NodeSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type NodeStatus added in v1.6.0

// NodeStatus is the status of a node.
type NodeStatus struct {
	// ENI is the AWS ENI specific status of the node
	//
	// +optional
	ENI ENIStatus `json:"eni,omitempty"`

	// IPAM is the IPAM status of the node
	//
	// +optional
	IPAM IPAMStatus `json:"ipam,omitempty"`
}

NodeStatus is the status of a node

func (*NodeStatus) DeepCopy added in v1.6.0

func (in *NodeStatus) DeepCopy() *NodeStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeStatus.

func (*NodeStatus) DeepCopyInto added in v1.6.0

func (in *NodeStatus) DeepCopyInto(out *NodeStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Timestamp

// Timestamp is a wrapper of time.Time so that we can create our own
// implementation of DeepCopyInto.
type Timestamp struct {
	// The embedded time.Time is the only state; its methods are promoted.
	time.Time
}

Timestamp is a wrapper of time.Time so that we can create our own implementation of DeepCopyInto.

func NewTimestamp

func NewTimestamp() Timestamp

NewTimestamp creates a new Timestamp set to the current time (time.Now()).

func (*Timestamp) DeepCopy

func (in *Timestamp) DeepCopy() *Timestamp

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Timestamp.

func (*Timestamp) DeepCopyInto

func (t *Timestamp) DeepCopyInto(out *Timestamp)

DeepCopyInto creates a deep-copy of the Time value. The underlying time.Time type is effectively immutable in the time API, so it is safe to copy-by-assign, despite the presence of (unexported) Pointer fields.
