Documentation ¶
Overview ¶
Package v2 is the v2 version of the API. +groupName=cilium.io
Index ¶
- Constants
- Variables
- func CreateCustomResourceDefinitions(clientset apiextensionsclient.Interface) error
- func Resource(resource string) schema.GroupResource
- type AddressPair
- type AddressPairList
- type AllocationIP
- type AllowedIdentityList
- type AllowedIdentityTuple
- type AwsSubnet
- type AwsVPC
- type CiliumEndpoint
- type CiliumEndpointList
- type CiliumIdentity
- type CiliumIdentityList
- type CiliumNetworkPolicy
- func (r *CiliumNetworkPolicy) AnnotationsEquals(o *CiliumNetworkPolicy) bool
- func (in *CiliumNetworkPolicy) DeepCopy() *CiliumNetworkPolicy
- func (in *CiliumNetworkPolicy) DeepCopyInto(out *CiliumNetworkPolicy)
- func (in *CiliumNetworkPolicy) DeepCopyObject() runtime.Object
- func (r *CiliumNetworkPolicy) GetControllerName() string
- func (r *CiliumNetworkPolicy) GetIdentityLabels() labels.LabelArray
- func (r *CiliumNetworkPolicy) GetPolicyStatus(nodeName string) CiliumNetworkPolicyNodeStatus
- func (r *CiliumNetworkPolicy) Parse() (api.Rules, error)
- func (r *CiliumNetworkPolicy) RequiresDerivative() bool
- func (r *CiliumNetworkPolicy) SetDerivedPolicyStatus(derivativePolicyName string, status CiliumNetworkPolicyNodeStatus)
- func (r *CiliumNetworkPolicy) SetPolicyStatus(nodeName string, cnpns CiliumNetworkPolicyNodeStatus)
- func (r *CiliumNetworkPolicy) SpecEquals(o *CiliumNetworkPolicy) bool
- func (r *CiliumNetworkPolicy) String() string
- type CiliumNetworkPolicyList
- type CiliumNetworkPolicyNodeStatus
- type CiliumNetworkPolicyStatus
- type CiliumNode
- type CiliumNodeList
- type ControllerList
- type ControllerStatus
- type ControllerStatusStatus
- type DeprecatedEndpointStatus
- type ENI
- type ENISpec
- type ENIStatus
- type EncryptionSpec
- type EndpointIdentity
- type EndpointNetworking
- type EndpointPolicy
- type EndpointPolicyDirection
- type EndpointStatus
- type HealthAddressingSpec
- type IPAMSpec
- type IPAMStatus
- type IdentityStatus
- type NodeAddress
- type NodeSpec
- type NodeStatus
- type Timestamp
Constants ¶
const ( // CustomResourceDefinitionGroup is the name of the third party resource group CustomResourceDefinitionGroup = k8sconst.GroupName // CustomResourceDefinitionVersion is the current version of the resource CustomResourceDefinitionVersion = "v2" // CustomResourceDefinitionSchemaVersion is semver-conformant version of CRD schema // Used to determine if CRD needs to be updated in cluster CustomResourceDefinitionSchemaVersion = "1.15.1" // CustomResourceDefinitionSchemaVersionKey is key to label which holds the CRD schema version CustomResourceDefinitionSchemaVersionKey = "io.cilium.k8s.crd.schema.version" // CNPKindDefinition is the kind name for Cilium Network Policy CNPKindDefinition = "CiliumNetworkPolicy" )
const EndpointStatusLogEntries = 5
EndpointStatusLogEntries is the maximum number of log entries in EndpointStatus.Log
Variables ¶
var ( // SchemeBuilder is needed by DeepCopy generator. SchemeBuilder runtime.SchemeBuilder // AddToScheme adds all types of this clientset into the given scheme. // This allows composition of clientsets, like in: // // import ( // "k8s.io/client-go/kubernetes" // clientsetscheme "k8s.io/client-go/kuberentes/scheme" // aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme" // ) // // kclientset, _ := kubernetes.NewForConfig(c) // aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme) AddToScheme = localSchemeBuilder.AddToScheme )
var ( CNPCRV = apiextensionsv1beta1.CustomResourceValidation{ OpenAPIV3Schema: &apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Properties: properties, }, } CIDR = apiextensionsv1beta1.JSONSchemaProps{ Description: "CIDR is a CIDR prefix / IP Block.", Type: "string", OneOf: []apiextensionsv1beta1.JSONSchemaProps{ { Pattern: `^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4]` + `[0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$`, }, { Pattern: `^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))` + `|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)` + `|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))` + `|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))` + `|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))` + `|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))` + `|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))` + `|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))` + `(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$`, }, }, } CIDRRule = apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Description: "CIDRRule is a rule that specifies a CIDR prefix to/from which outside " + "communication is allowed, along with an optional list of subnets within that CIDR " + "prefix to/from which outside communication is not allowed.", Required: []string{ "cidr", }, Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "cidr": CIDR, "except": { Description: "ExceptCIDRs is a list of IP blocks which the endpoint subject to " + "the rule is not allowed to initiate connections to. These CIDR prefixes " + "should be contained within Cidr. These exceptions are only applied to the " + "Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any " + "other CIDRRules.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &CIDR, }, }, }, } EgressRule = apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Description: "EgressRule contains all rule types which can be applied at egress, i.e. " + "network traffic that originates inside the endpoint and exits the endpoint " + "selected by the endpointSelector.\n\n- All members of this structure are optional. " + "If omitted or empty, the\n member will have no effect on the rule.\n\n- For now, " + "combining ToPorts and ToCIDR in the same rule is not supported\n and such rules " + "will be rejected. In the future, this will be supported and\n if if multiple " + "members of the structure are specified, then all members\n must match in order " + "for the rule to take effect.", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "toCIDR": { Description: "ToCIDR is a list of IP blocks which the endpoint subject to the " + "rule is allowed to initiate connections. This will match on the " + "destination IP address of outgoing connections. Adding a prefix into " + "ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are " + "allowed between ToCIDR and ToCIDRSet.\n\nExample: Any endpoint with the " + "label \"app=database-proxy\" is allowed to initiate connections to " + "10.2.3.0/24", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &CIDR, }, }, "toCIDRSet": { Description: "ToCIDRSet is a list of IP blocks which the endpoint subject to " + "the rule is allowed to initiate connections to in addition to connections " + "which are allowed via FromEndpoints, along with a list of subnets " + "contained within their corresponding IP block to which traffic should not " + "be allowed. This will match on the destination IP address of outgoing " + "connections. Adding a prefix into ToCIDR or into ToCIDRSet with no " + "ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and " + "ToCIDRSet.\n\nExample: Any endpoint with the label \"app=database-proxy\" " + "is allowed to initiate connections to 10.2.3.0/24 except from IPs in " + "subnet 10.2.3.0/28.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &CIDRRule, }, }, "toEntities": { Description: "ToEntities is a list of special entities to which the endpoint " + "subject to the rule is allowed to initiate connections. Supported " + "entities are `world`, `cluster` and `host`", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &apiextensionsv1beta1.JSONSchemaProps{ Type: "string", }, }, }, "toPorts": { Description: "ToPorts is a list of destination ports identified by port number " + "and protocol which the endpoint subject to the rule is allowed to connect " + "to.\n\nExample: Any endpoint with the label \"role=frontend\" is allowed " + "to initiate connections to destination port 8080/tcp", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &PortRule, }, }, "toServices": { Description: "ToServices is a list of services to which the endpoint subject " + "to the rule is allowed to initiate connections.\n\nExample: Any endpoint " + "with the label \"app=backend-app\" is allowed to initiate connections to " + "all cidrs backing the \"external-service\" service", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &Service, }, }, "toEndpoints": { Description: "ToEndpoints is a list of endpoints identified by an " + "EndpointSelector to which the endpoint subject to the rule" + "is allowed to communicate.\n\nExample: Any endpoint with the label " + "\"role=frontend\" can be consumed by any endpoint carrying the label " + "\"role=backend\".", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &EndpointSelector, }, }, "toRequires": { Description: "ToRequires is a list of additional constraints which must be " + "met in order for the selected endpoints to be able to reach other " + "endpoints. These additional constraints do not by themselves grant access " + "privileges and must always be accompanied with at least one matching " + "FromEndpoints.\n\nExample: Any Endpoint with the label \"team=A\" " + "requires any endpoint to which it communicates to also carry the label " + "\"team=A\".", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &EndpointSelector, }, }, "toGroups": { Type: "array", Description: `ToGroups is a list of constraints that will gather data from third-party providers and create a new derived policy.`, Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "aws": AWSGroup, }, }, }, }, "toFQDNs": { Description: `ToFQDNs is a list of rules matching fqdns that endpoint is allowed to communicate with`, Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &FQDNRule, }, }, }, } FQDNRule = apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Description: `FQDNRule is a rule that specifies an fully qualified domain name to which outside communication is allowed`, Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "matchName": MatchFQDNName, "matchPattern": MatchFQDNPattern, }, } MatchFQDNName = apiextensionsv1beta1.JSONSchemaProps{ Description: `MatchName matches fqdn name`, Type: "string", Pattern: fqdnNameRegex, } MatchFQDNPattern = apiextensionsv1beta1.JSONSchemaProps{ Description: `MatchPattern matches fqdn by pattern`, Type: "string", Pattern: fqdnPatternRegex, } AWSGroup = apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "securityGroupsIds": { Description: `SecurityGroupsIds is the list of AWS security group IDs that will filter the instances IPs from the AWS API`, Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &apiextensionsv1beta1.JSONSchemaProps{ Type: "string", }, }, }, "securityGroupsNames": { Description: `SecurityGroupsNames is the list of AWS security group names that will filter the instances IPs from the AWS API`, Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &apiextensionsv1beta1.JSONSchemaProps{ Type: "string", }, }, }, "region": { Description: `Region is the key that will filter the AWS EC2 instances in the given region`, Type: "string", }, }, } EndpointSelector = initEndpointSelector() IngressRule = apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Description: "IngressRule contains all rule types which can be applied at ingress, " + "i.e. network traffic that originates outside of the endpoint and is entering " + "the endpoint selected by the endpointSelector.\n\n- All members of this structure " + "are optional. If omitted or empty, the\n member will have no effect on the rule." + "\n\n- If multiple members are set, all of them need to match in order for\n " + "the rule to take effect. The exception to this rule is FromRequires field;\n " + "the effects of any Requires field in any rule will apply to all other\n rules " + "as well.\n\n- For now, combining ToPorts, FromCIDR, and FromEndpoints in the same " + "rule\n is not supported and any such rules will be rejected. In the future, " + "this\n will be supported and if multiple members of this structure are specified," + "\n then all members must match in order for the rule to take effect. The\n " + "exception to this rule is the Requires field, the effects of any Requires\n " + "field in any rule will apply to all other rules as well.", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "fromCIDR": { Description: "FromCIDR is a list of IP blocks which the endpoint subject to " + "the rule is allowed to receive connections from. This will match on the " + "source IP address of incoming connections. Adding a prefix into FromCIDR " + "or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are " + "allowed between FromCIDR and FromCIDRSet.\n\nExample: Any endpoint with " + "the label \"app=my-legacy-pet\" is allowed to receive connections from " + "10.3.9.1", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &CIDR, }, }, "fromCIDRSet": { Description: "FromCIDRSet is a list of IP blocks which the endpoint subject to " + "the rule is allowed to receive connections from in addition to " + "FromEndpoints, along with a list of subnets contained within their " + "corresponding IP block from which traffic should not be allowed. This " + "will match on the source IP address of incoming connections. Adding a " + "prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is " + "equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet." + "\n\nExample: Any endpoint with the label \"app=my-legacy-pet\" is allowed " + "to receive connections from 10.0.0.0/8 except from IPs in subnet " + "10.96.0.0/12.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &CIDRRule, }, }, "fromEndpoints": { Description: "FromEndpoints is a list of endpoints identified by an " + "EndpointSelector which are allowed to communicate with the endpoint " + "subject to the rule.\n\nExample: Any endpoint with the label " + "\"role=backend\" can be consumed by any endpoint carrying the label " + "\"role=frontend\".", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &EndpointSelector, }, }, "fromEntities": { Description: "FromEntities is a list of special entities which the endpoint " + "subject to the rule is allowed to receive connections from. Supported " + "entities are `world`, `cluster`, `host`, and `init`", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &apiextensionsv1beta1.JSONSchemaProps{ Type: "string", }, }, }, "fromRequires": { Description: "FromRequires is a list of additional constraints which must be " + "met in order for the selected endpoints to be reachable. These additional " + "constraints do no by itself grant access privileges and must always be " + "accompanied with at least one matching FromEndpoints.\n\nExample: Any " + "Endpoint with the label \"team=A\" requires consuming endpoint to also " + "carry the label \"team=A\".", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &EndpointSelector, }, }, "toPorts": { Description: "ToPorts is a list of destination ports identified by port number " + "and protocol which the endpoint subject to the rule is allowed to receive " + "connections on.\n\nExample: Any endpoint with the label \"app=httpd\" can " + "only accept incoming connections on port 80/tcp.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &PortRule, }, }, }, } K8sServiceNamespace = apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Description: "K8sServiceNamespace is an abstraction for the k8s service + namespace " + "types.", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "namespace": { Type: "string", }, "serviceName": { Type: "string", }, }, } L7Rules = apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Description: "L7Rules is a union of port level rule types. Mixing of different port " + "level rule types is disallowed, so exactly one of the following must be set. If " + "none are specified, then no additional port level rules are applied.", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "http": { Description: "HTTP specific rules.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &PortRuleHTTP, }, }, "kafka": { Description: "Kafka-specific rules.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &PortRuleKafka, }, }, "l7proto": { Description: "Parser type name that uses Key-Value pair rules.", Type: "string", }, "l7": { Description: "Generic Key-Value pair rules.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &PortRuleL7, }, }, "dns": { Description: "DNS specific rules", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &PortRuleDNS, }, }, }, } PortRuleDNS = apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Description: `FQDNRule is a rule that specifies an fully qualified domain name to which outside communication is allowed`, Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "matchName": MatchFQDNName, "matchPattern": MatchFQDNPattern, }, } Label = apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Description: "Label is the cilium's representation of a container label.", Required: []string{ "key", }, Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "key": { Type: "string", }, "source": { Description: "Source can be one of the values present in const.go " + "(e.g.: LabelSourceContainer)", Type: "string", }, "value": { Type: "string", }, }, } LabelSelector = apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Description: "A label selector is a label query over a set of resources. The result " + "of matchLabels and matchExpressions are ANDed. An empty label selector matches " + "all objects. A null label selector matches no objects.", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "matchLabels": { Description: "matchLabels is a map of {key,value} pairs. A single {key,value} " + "in the matchLabels map is equivalent to an element of matchExpressions, " + "whose key field is \"key\", the operator is \"In\", and the values array " + "contains only \"value\". The requirements are ANDed.", Type: "object", }, "matchExpressions": { Description: "matchExpressions is a list of label selector requirements. " + "The requirements are ANDed.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &LabelSelectorRequirement, }, }, }, } LabelSelectorRequirement = apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Description: "A label selector requirement is a selector that contains values, a key, " + "and an operator that relates the key and values.", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "key": { Description: "key is the label key that the selector applies to.", Type: "string", }, "operator": { Description: "operator represents a key's relationship to a set of values. " + "Valid operators are In, NotIn, Exists and DoesNotExist.", Type: "string", Enum: []apiextensionsv1beta1.JSON{ { Raw: []byte(`"In"`), }, { Raw: []byte(`"NotIn"`), }, { Raw: []byte(`"Exists"`), }, { Raw: []byte(`"DoesNotExist"`), }, }, }, "values": { Description: "values is an array of string values. If the operator is In or " + "NotIn, the values array must be non-empty. If the operator is Exists or " + "DoesNotExist, the values array must be empty. This array is replaced " + "during a strategic merge patch.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &apiextensionsv1beta1.JSONSchemaProps{ Type: "string", }, }, }, }, Required: []string{"key", "operator"}, } PortProtocol = apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Description: "PortProtocol specifies an L4 port with an optional transport protocol", Required: []string{ "port", }, Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "port": { Description: "Port is an L4 port number. For now the string will be strictly " + "parsed as a single uint16. In the future, this field may support ranges " + "in the form \"1024-2048", Type: "string", Pattern: `^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|` + `[1-5][0-9]{4}|[0-9]{1,4})$`, }, "protocol": { Description: `Protocol is the L4 protocol. If omitted or empty, any protocol ` + `matches. Accepted values: "TCP", "UDP", ""/"ANY"\n\nMatching on ` + `ICMP is not supported.`, Type: "string", Enum: []apiextensionsv1beta1.JSON{ { Raw: []byte(`"TCP"`), }, { Raw: []byte(`"UDP"`), }, { Raw: []byte(`"ANY"`), }, }, }, }, } PortRule = apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Description: "PortRule is a list of ports/protocol combinations with optional Layer 7 " + "rules which must be met.", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "ports": { Description: "Ports is a list of L4 port/protocol\n\nIf omitted or empty but " + "RedirectPort is set, then all ports of the endpoint subject to either the " + "ingress or egress rule are being redirected.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &PortProtocol, }, }, "redirectPort": { Description: "RedirectPort is the L4 port which, if set, all traffic matching " + "the Ports is being redirected to. Whatever listener behind that port " + "becomes responsible to enforce the port rules and is also responsible to " + "reinject all traffic back and ensure it reaches its original destination.", Type: "integer", Format: "uint16", }, "rules": initPortRule(), }, } PortRuleHTTP = apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Description: "PortRuleHTTP is a list of HTTP protocol constraints. All fields are " + "optional, if all fields are empty or missing, the rule does not have any effect." + "\n\nAll fields of this type are extended POSIX regex as defined by " + "IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) " + "matched against the path of an incoming request. Currently it can contain " + "characters disallowed from the conventional \"path\" part of a URL as defined by " + "RFC 3986.", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "headers": { Description: "Headers is a list of HTTP headers which must be present in the " + "request. If omitted or empty, requests are allowed regardless of headers " + "present.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &apiextensionsv1beta1.JSONSchemaProps{ Type: "string", }, }, }, "host": { Description: "Host is an extended POSIX regex matched against the host header " + "of a request, e.g. \"foo.com\"\n\nIf omitted or empty, the value of the " + "host header is ignored.", Type: "string", Format: "idn-hostname", }, "method": { Description: "Method is an extended POSIX regex matched against the method of " + "a request, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ...\n\n" + "If omitted or empty, all methods are allowed.", Type: "string", }, "path": { Description: "Path is an extended POSIX regex matched against the path of a " + "request. Currently it can contain characters disallowed from the " + "conventional \"path\" part of a URL as defined by RFC 3986.\n\n" + "If omitted or empty, all paths are all allowed.", Type: "string", }, }, } PortRuleKafka = apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Description: "PortRuleKafka is a list of Kafka protocol constraints. All fields are " + "optional, if all fields are empty or missing, the rule will match all Kafka " + "messages.", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "role": { Description: "Role is a case-insensitive string and describes a group of API keys" + "necessary to perform certain higher level Kafka operations such as" + "\"produce\" or \"consume\". An APIGroup automatically expands into all APIKeys" + "required to perform the specified higher level operation." + "The following values are supported:" + "- \"produce\": Allow producing to the topics specified in the rule" + "- \"consume\": Allow consuming from the topics specified in the rule" + "This field is incompatible with the APIKey field, either APIKey or Role" + "may be specified. If omitted or empty, the field has no effect and the " + "logic of the APIKey field applies.", Type: "string", Enum: []apiextensionsv1beta1.JSON{ { Raw: []byte(`"produce"`), }, { Raw: []byte(`"consume"`), }, }, }, "apiKey": { Description: "APIKey is a case-insensitive string matched against the key of " + "a request, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", " + "et al Reference: https://kafka.apache.org/protocol#protocol_api_keys\n\n" + "If omitted or empty, all keys are allowed.", Type: "string", }, "apiVersion": { Description: "APIVersion is the version matched against the api version of the " + "Kafka message. If set, it has to be a string representing a positive " + "integer.\n\nIf omitted or empty, all versions are allowed.", Type: "string", }, "clientID": { Description: "ClientID is the client identifier as provided in the request.\n\n" + "From Kafka protocol documentation: This is a user supplied identifier for " + "the client application. The user can use any identifier they like and it " + "will be used when logging errors, monitoring aggregates, etc. For " + "example, one might want to monitor not just the requests per second " + "overall, but the number coming from each client application (each of " + "which could reside on multiple servers). This id acts as a logical " + "grouping across all requests from a particular client.\n\nIf omitted or " + "empty, all client identifiers are allowed.", Type: "string", }, "topic": { Description: "Topic is the topic name contained in the message. If a Kafka " + "request contains multiple topics, then all topics must be allowed or the " + "message will be rejected.\n\nThis constraint is ignored if the matched " + "request message type doesn't contain any topic. Maximum size of Topic can " + "be 249 characters as per recent Kafka spec and allowed characters are " + "a-z, A-Z, 0-9, -, . and _ Older Kafka versions had longer topic lengths " + "of 255, but in Kafka 0.10 version the length was changed from 255 to 249. " + "For compatibility reasons we are using 255\n\nIf omitted or empty, all " + "topics are allowed.", Type: "string", MaxLength: getInt64(255), }, }, } PortRuleL7 = apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Description: "PortRuleL7 is a map of {key,value} pairs which is passed to the " + "parser referenced in l7proto. It is up to the parser to define what to " + "do with the map data. If omitted or empty, all requests are allowed. " + "Both keys and values must be strings.", } Rule = apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Description: "Rule is a policy rule which must be applied to all endpoints which match " + "the labels contained in the endpointSelector\n\nEach rule is split into an " + "ingress section which contains all rules applicable at ingress, and an egress " + "section applicable at egress. For rule types such as `L4Rule` and `CIDR` which " + "can be applied at both ingress and egress, both ingress and egress side have to " + "either specifically allow the connection or one side has to be omitted.\n\n" + "Either ingress, egress, or both can be provided. If both ingress and egress are " + "omitted, the rule has no effect.", Required: []string{ "endpointSelector", }, Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "Description": { Description: "Description is a free form string, it can be used by the creator " + "of the rule to store human readable explanation of the purpose of this " + "rule. Rules cannot be identified by comment.", Type: "string", }, "egress": { Description: "Egress is a list of EgressRule which are enforced at egress. If " + "omitted or empty, this rule does not apply at egress.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &EgressRule, }, }, "endpointSelector": initRuleEndpointSelector(), "ingress": { Description: "Ingress is a list of IngressRule which are enforced at ingress. " + "If omitted or empty, this rule does not apply at ingress.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &IngressRule, }, }, "labels": { Description: "Labels is a list of optional strings which can be used to " + "re-identify the rule or to store metadata. It is possible to lookup or " + "delete strings based on labels. Labels are not required to be unique, " + "multiple rules can have overlapping or identical labels.", Type: "array", Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{ Schema: &Label, }, }, }, } Service = apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Description: "Service wraps around selectors for services", Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "k8sService": K8sServiceNamespace, "k8sServiceSelector": initK8sServiceSelector(), }, } ServiceSelector = apiextensionsv1beta1.JSONSchemaProps{ Type: "object", Description: "ServiceSelector is a label selector for k8s services", Required: []string{ "selector", }, Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{ "selector": EndpointSelector, "namespace": { Type: "string", }, }, } )
var SchemeGroupVersion = schema.GroupVersion{ Group: CustomResourceDefinitionGroup, Version: CustomResourceDefinitionVersion, }
SchemeGroupVersion is group version used to register these objects
Functions ¶
func CreateCustomResourceDefinitions ¶
func CreateCustomResourceDefinitions(clientset apiextensionsclient.Interface) error
CreateCustomResourceDefinitions creates our CRD objects in the kubernetes cluster
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource
Types ¶
type AddressPair ¶
AddressPair is is a par of IPv4 and/or IPv6 address +k8s:deepcopy-gen=false
type AddressPairList ¶
type AddressPairList []*AddressPair
AddressPairList is a list of address pairs +k8s:deepcopy-gen=false
func (AddressPairList) Sort ¶
func (a AddressPairList) Sort()
Sort sorts an AddressPairList by IPv4 and IPv6 address
type AllocationIP ¶ added in v1.6.0
type AllocationIP struct { // Owner is the owner of the IP. This field is set if the IP has been // allocated. It will be set to the pod name or another identifier // representing the usage of the IP // // The owner field is left blank for an entry in Spec.IPAM.Pool and // filled out as the IP is used and also added to Status.IPAM.Used. // // +optional Owner string `json:"owner,omitempty"` // Resource is set for both available and allocated IPs, it represents // what resource the IP is associated with, e.g. in combination with // AWS ENI, this will refer to the ID of the ENI // // +optional Resource string `json:"resource,omitempty"` }
AllocationIP is an IP which is available for allocation, or already has been allocated
func (*AllocationIP) DeepCopy ¶ added in v1.6.0
func (in *AllocationIP) DeepCopy() *AllocationIP
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllocationIP.
func (*AllocationIP) DeepCopyInto ¶ added in v1.6.0
func (in *AllocationIP) DeepCopyInto(out *AllocationIP)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AllowedIdentityList ¶
type AllowedIdentityList []AllowedIdentityTuple
AllowedIdentityList is a list of AllowedIdentityTuple +k8s:deepcopy-gen=false
func (AllowedIdentityList) Sort ¶
func (a AllowedIdentityList) Sort()
Sort sorts a list AllowedIdentityTuple by numeric identity, port and protocol
type AllowedIdentityTuple ¶
type AllowedIdentityTuple struct { Identity uint64 `json:"identity,omitempty"` IdentityLabels map[string]string `json:"identity-labels,omitempty"` DestPort uint16 `json:"dest-port,omitempty"` Protocol uint8 `json:"protocol,omitempty"` }
AllowedIdentityTuple specifies an allowed peer by identity, destination port and protocol +k8s:deepcopy-gen=false
type AwsSubnet ¶ added in v1.6.0
type AwsSubnet struct { // ID is the ID of the subnet ID string `json:"id,omitempty"` // CIDR is the CIDR range associated with the subnet CIDR string `json:"cidr,omitempty"` }
AwsSubnet stores information regarding an AWS subnet
func (*AwsSubnet) DeepCopy ¶ added in v1.6.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AwsSubnet.
func (*AwsSubnet) DeepCopyInto ¶ added in v1.6.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AwsVPC ¶ added in v1.6.0
type AwsVPC struct { /// ID is the ID of a VPC ID string `json:"id,omitempty"` // PrimaryCIDR is the primary CIDR of the VPC PrimaryCIDR string `json:"primary-cidr,omitempty"` // CIDRs is the list of CIDR ranges associated with the VPC CIDRs []string `json:"cidrs,omitempty"` }
AwsVPC stores information regarding an AWS VPC
func (*AwsVPC) DeepCopy ¶ added in v1.6.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AwsVPC.
func (*AwsVPC) DeepCopyInto ¶ added in v1.6.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CiliumEndpoint ¶
type CiliumEndpoint struct { // +k8s:openapi-gen=false metav1.TypeMeta `json:",inline"` // +k8s:openapi-gen=false metav1.ObjectMeta `json:"metadata"` Status EndpointStatus `json:"status"` }
CiliumEndpoint is the status of a Cilium policy rule +k8s:openapi-gen=false
func (*CiliumEndpoint) DeepCopy ¶
func (in *CiliumEndpoint) DeepCopy() *CiliumEndpoint
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumEndpoint.
func (*CiliumEndpoint) DeepCopyInto ¶
func (in *CiliumEndpoint) DeepCopyInto(out *CiliumEndpoint)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CiliumEndpoint) DeepCopyObject ¶
func (in *CiliumEndpoint) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CiliumEndpointList ¶
type CiliumEndpointList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata"` // Items is a list of CiliumEndpoint Items []CiliumEndpoint `json:"items"` }
CiliumEndpointList is a list of CiliumEndpoint objects +k8s:openapi-gen=false
func (*CiliumEndpointList) DeepCopy ¶
func (in *CiliumEndpointList) DeepCopy() *CiliumEndpointList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumEndpointList.
func (*CiliumEndpointList) DeepCopyInto ¶
func (in *CiliumEndpointList) DeepCopyInto(out *CiliumEndpointList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CiliumEndpointList) DeepCopyObject ¶
func (in *CiliumEndpointList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CiliumIdentity ¶ added in v1.6.0
type CiliumIdentity struct { // +k8s:openapi-gen=false metav1.TypeMeta `json:",inline"` // +k8s:openapi-gen=false metav1.ObjectMeta `json:"metadata"` // SecurityLabels is the source-of-truth set of labels for this identity. SecurityLabels map[string]string `json:"security-labels"` Status IdentityStatus `json:"status"` }
CiliumIdentity is a CRD that represents an identity managed by Cilium. It is intended as a backing store for identity allocation, acting as the global coordination backend, and can be used in place of a KVStore (such as etcd). The name of the CRD is the numeric identity and the labels on the CRD object are the the kubernetes sourced labels seen by cilium. This is currently the only label source possible when running under kubernetes. Non-kubernetes labels are filtered but all labels, from all sources, are places in the SecurityLabels field. These also include the source and are used to define the identity. The labels under metav1.ObjectMeta can be used when searching for CiliumIdentity instances that include particular labels. This can be done with invocations such as:
kubectl get ciliumid -l 'foo=bar'
Each node using a ciliumidentity updates the status field with it's name and a timestamp when it first allocates or uses an identity, and periodically after that. It deletes its entry when no longer using this identity. cilium-operator uses the list of nodes in status to reference count users of this identity, and to expire stale usage.
func (*CiliumIdentity) DeepCopy ¶ added in v1.6.0
func (in *CiliumIdentity) DeepCopy() *CiliumIdentity
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumIdentity.
func (*CiliumIdentity) DeepCopyInto ¶ added in v1.6.0
func (in *CiliumIdentity) DeepCopyInto(out *CiliumIdentity)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CiliumIdentity) DeepCopyObject ¶ added in v1.6.0
func (in *CiliumIdentity) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CiliumIdentityList ¶ added in v1.6.0
type CiliumIdentityList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata"` // Items is a list of CiliumIdentity Items []CiliumIdentity `json:"items"` }
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
CiliumIdentityList is a list of CiliumIdentity objects
func (*CiliumIdentityList) DeepCopy ¶ added in v1.6.0
func (in *CiliumIdentityList) DeepCopy() *CiliumIdentityList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumIdentityList.
func (*CiliumIdentityList) DeepCopyInto ¶ added in v1.6.0
func (in *CiliumIdentityList) DeepCopyInto(out *CiliumIdentityList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CiliumIdentityList) DeepCopyObject ¶ added in v1.6.0
func (in *CiliumIdentityList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CiliumNetworkPolicy ¶
type CiliumNetworkPolicy struct { // +k8s:openapi-gen=false metav1.TypeMeta `json:",inline"` // +k8s:openapi-gen=false metav1.ObjectMeta `json:"metadata"` // Spec is the desired Cilium specific rule specification. Spec *api.Rule `json:"spec,omitempty"` // Specs is a list of desired Cilium specific rule specification. Specs api.Rules `json:"specs,omitempty"` // Status is the status of the Cilium policy rule // +optional Status CiliumNetworkPolicyStatus `json:"status"` }
CiliumNetworkPolicy is a Kubernetes third-party resource with an extended version of NetworkPolicy
func (*CiliumNetworkPolicy) AnnotationsEquals ¶
func (r *CiliumNetworkPolicy) AnnotationsEquals(o *CiliumNetworkPolicy) bool
AnnotationsEquals returns true if ObjectMeta.Annotations of each CiliumNetworkPolicy are equivalent (i.e., they contain equivalent key-value pairs).
func (*CiliumNetworkPolicy) DeepCopy ¶
func (in *CiliumNetworkPolicy) DeepCopy() *CiliumNetworkPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNetworkPolicy.
func (*CiliumNetworkPolicy) DeepCopyInto ¶
func (in *CiliumNetworkPolicy) DeepCopyInto(out *CiliumNetworkPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CiliumNetworkPolicy) DeepCopyObject ¶
func (in *CiliumNetworkPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*CiliumNetworkPolicy) GetControllerName ¶
func (r *CiliumNetworkPolicy) GetControllerName() string
GetControllerName returns the unique name for the controller manager.
func (*CiliumNetworkPolicy) GetIdentityLabels ¶
func (r *CiliumNetworkPolicy) GetIdentityLabels() labels.LabelArray
GetIdentityLabels returns all rule labels in the CiliumNetworkPolicy.
func (*CiliumNetworkPolicy) GetPolicyStatus ¶
func (r *CiliumNetworkPolicy) GetPolicyStatus(nodeName string) CiliumNetworkPolicyNodeStatus
GetPolicyStatus returns the CiliumNetworkPolicyNodeStatus corresponding to nodeName in the provided CiliumNetworkPolicy. If Nodes within the rule's Status is nil, returns an empty CiliumNetworkPolicyNodeStatus.
func (*CiliumNetworkPolicy) Parse ¶
func (r *CiliumNetworkPolicy) Parse() (api.Rules, error)
Parse parses a CiliumNetworkPolicy and returns a list of cilium policy rules.
func (*CiliumNetworkPolicy) RequiresDerivative ¶
func (r *CiliumNetworkPolicy) RequiresDerivative() bool
RequiresDerivative return true if the CNP has any rule that will create a new derivative rule.
func (*CiliumNetworkPolicy) SetDerivedPolicyStatus ¶
func (r *CiliumNetworkPolicy) SetDerivedPolicyStatus(derivativePolicyName string, status CiliumNetworkPolicyNodeStatus)
SetDerivedPolicyStatus set the derivative policy status for the given derivative policy name.
func (*CiliumNetworkPolicy) SetPolicyStatus ¶
func (r *CiliumNetworkPolicy) SetPolicyStatus(nodeName string, cnpns CiliumNetworkPolicyNodeStatus)
SetPolicyStatus sets the given policy status for the given nodes' map
func (*CiliumNetworkPolicy) SpecEquals ¶
func (r *CiliumNetworkPolicy) SpecEquals(o *CiliumNetworkPolicy) bool
SpecEquals returns true if the spec and specs metadata is the sa
func (*CiliumNetworkPolicy) String ¶
func (r *CiliumNetworkPolicy) String() string
type CiliumNetworkPolicyList ¶
type CiliumNetworkPolicyList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata"` // Items is a list of CiliumNetworkPolicy Items []CiliumNetworkPolicy `json:"items"` }
CiliumNetworkPolicyList is a list of CiliumNetworkPolicy objects +k8s:openapi-gen=false
func (*CiliumNetworkPolicyList) DeepCopy ¶
func (in *CiliumNetworkPolicyList) DeepCopy() *CiliumNetworkPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNetworkPolicyList.
func (*CiliumNetworkPolicyList) DeepCopyInto ¶
func (in *CiliumNetworkPolicyList) DeepCopyInto(out *CiliumNetworkPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CiliumNetworkPolicyList) DeepCopyObject ¶
func (in *CiliumNetworkPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CiliumNetworkPolicyNodeStatus ¶
type CiliumNetworkPolicyNodeStatus struct { // OK is true when the policy has been parsed and imported successfully // into the in-memory policy repository on the node. OK bool `json:"ok,omitempty"` // Error describes any error that occurred when parsing or importing the // policy, or realizing the policy for the endpoints to which it applies // on the node. Error string `json:"error,omitempty"` // LastUpdated contains the last time this status was updated LastUpdated Timestamp `json:"lastUpdated,omitempty"` // Revision is the policy revision of the repository which first implemented // this policy. Revision uint64 `json:"localPolicyRevision,omitempty"` // Enforcing is set to true once all endpoints present at the time the // policy has been imported are enforcing this policy. Enforcing bool `json:"enforcing,omitempty"` // Annotations corresponds to the Annotations in the ObjectMeta of the CNP // that have been realized on the node for CNP. That is, if a CNP has been // imported and has been assigned annotation X=Y by the user, // Annotations in CiliumNetworkPolicyNodeStatus will be X=Y once the // CNP that was imported corresponding to Annotation X=Y has been realized on // the node. Annotations map[string]string `json:"annotations,omitempty"` }
CiliumNetworkPolicyNodeStatus is the status of a Cilium policy rule for a specific node
func (*CiliumNetworkPolicyNodeStatus) DeepCopy ¶
func (in *CiliumNetworkPolicyNodeStatus) DeepCopy() *CiliumNetworkPolicyNodeStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNetworkPolicyNodeStatus.
func (*CiliumNetworkPolicyNodeStatus) DeepCopyInto ¶
func (in *CiliumNetworkPolicyNodeStatus) DeepCopyInto(out *CiliumNetworkPolicyNodeStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CiliumNetworkPolicyStatus ¶
type CiliumNetworkPolicyStatus struct { // Nodes is the Cilium policy status for each node Nodes map[string]CiliumNetworkPolicyNodeStatus `json:"nodes,omitempty"` // DerivativePolicies is the status of all policies derived from the Cilium // policy DerivativePolicies map[string]CiliumNetworkPolicyNodeStatus `json:"derivativePolicies,omitempty"` }
CiliumNetworkPolicyStatus is the status of a Cilium policy rule
func (*CiliumNetworkPolicyStatus) DeepCopy ¶
func (in *CiliumNetworkPolicyStatus) DeepCopy() *CiliumNetworkPolicyStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNetworkPolicyStatus.
func (*CiliumNetworkPolicyStatus) DeepCopyInto ¶
func (in *CiliumNetworkPolicyStatus) DeepCopyInto(out *CiliumNetworkPolicyStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CiliumNode ¶ added in v1.6.0
type CiliumNode struct { // +k8s:openapi-gen=false metav1.TypeMeta `json:",inline"` // +k8s:openapi-gen=false metav1.ObjectMeta `json:"metadata"` // Spec defines the desired specification/configuration of the node Spec NodeSpec `json:"spec"` // Status defines the realized specification/configuration and status // of the node Status NodeStatus `json:"status"` }
CiliumNode represents a node managed by Cilium. It contains a specification to control various node specific configuration aspects and a status section to represent the status of the node
func (*CiliumNode) DeepCopy ¶ added in v1.6.0
func (in *CiliumNode) DeepCopy() *CiliumNode
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNode.
func (*CiliumNode) DeepCopyInto ¶ added in v1.6.0
func (in *CiliumNode) DeepCopyInto(out *CiliumNode)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CiliumNode) DeepCopyObject ¶ added in v1.6.0
func (in *CiliumNode) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type CiliumNodeList ¶ added in v1.6.0
type CiliumNodeList struct { metav1.TypeMeta `json:",inline"` metav1.ListMeta `json:"metadata"` // Items is a list of CiliumNode Items []CiliumNode `json:"items"` }
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
CiliumNodeList is a list of CiliumNode objects
func (*CiliumNodeList) DeepCopy ¶ added in v1.6.0
func (in *CiliumNodeList) DeepCopy() *CiliumNodeList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNodeList.
func (*CiliumNodeList) DeepCopyInto ¶ added in v1.6.0
func (in *CiliumNodeList) DeepCopyInto(out *CiliumNodeList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*CiliumNodeList) DeepCopyObject ¶ added in v1.6.0
func (in *CiliumNodeList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ControllerList ¶
type ControllerList []ControllerStatus
ControllerList is a list of ControllerStatus +k8s:deepcopy-gen=false
func (ControllerList) Sort ¶
func (c ControllerList) Sort()
Sort sorts the ControllerList by controller name
type ControllerStatus ¶
type ControllerStatus struct { // Name is the name of the controller Name string `json:"name,omitempty"` // Configuration is the controller configuration Configuration *models.ControllerStatusConfiguration `json:"configuration,omitempty"` // Status is the status of the controller Status ControllerStatusStatus `json:"status,omitempty"` // UUID is the UUID of the controller UUID string `json:"uuid,omitempty"` }
ControllerStatus is the status of a failing controller +k8s:deepcopy-gen=false
type ControllerStatusStatus ¶
type ControllerStatusStatus struct { ConsecutiveFailureCount int64 `json:"consecutive-failure-count,omitempty"` FailureCount int64 `json:"failure-count,omitempty"` LastFailureMsg string `json:"last-failure-msg,omitempty"` LastFailureTimestamp string `json:"last-failure-timestamp,omitempty"` LastSuccessTimestamp string `json:"last-success-timestamp,omitempty"` SuccessCount int64 `json:"success-count,omitempty"` }
ControllerStatusStatus is the detailed status section of a controller +k8s:deepcopy-gen=false
type DeprecatedEndpointStatus ¶
type DeprecatedEndpointStatus struct { Controllers ControllerList `json:"controllers,omitempty"` Identity *EndpointIdentity `json:"identity,omitempty"` Log []*models.EndpointStatusChange `json:"log,omitempty"` Networking *EndpointNetworking `json:"networking,omitempty"` State string `json:"state,omitempty"` // These fields are no longer populated Realized *deprecatedEndpointConfigurationSpec `json:"realized,omitempty"` Labels *deprecatedLabelConfigurationStatus `json:"labels,omitempty"` Policy *models.EndpointPolicyStatus `json:"policy,omitempty"` ExternalIdentifiers *models.EndpointIdentifiers `json:"external-identifiers,omitempty"` Health *models.EndpointHealth `json:"health,omitempty"` }
DeprecatedEndpointStatus is the original endpoint status provided for backwards compatibility.
See EndpointStatus for descriptions of fields +k8s:deepcopy-gen=false
type ENI ¶ added in v1.6.0
type ENI struct { // ID is the ENI ID // // +optional ID string `json:"id,omitempty"` // IP is the primary IP of the ENI // // +optional IP string `json:"ip,omitempty"` // MAC is the mac address of the ENI // // +optional MAC string `json:"mac,omitempty"` // AvailabilityZone is the availability zone of the ENI // // +optional AvailabilityZone string `json:"availability-zone,omitempty"` // Description is the description field of the ENI // // +optional Description string `json:"description,omitempty"` // Number is the interface index, it used in combination with // FirstInterfaceIndex // // +optional Number int `json:"number,omitempty"` // Subnet is the subnet the ENI is associated with // // +optional Subnet AwsSubnet `json:"subnet,omitempty"` // VPC is the VPC information to which the ENI is attached to // // +optional VPC AwsVPC `json:"vpc,omitempty"` // Addresses is the list of all IPs associated with the ENI, including // all secondary addresses // // +optional Addresses []string `json:"addresses,omitempty"` // SecurityGroups are the security groups associated with the ENI SecurityGroups []string `json:"security-groups,omitempty"` }
ENI represents an AWS Elastic Network Interface
More details: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
func (*ENI) DeepCopy ¶ added in v1.6.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ENI.
func (*ENI) DeepCopyInto ¶ added in v1.6.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ENISpec ¶ added in v1.6.0
type ENISpec struct { // InstanceID is the AWS InstanceId of the node. The InstanceID is used // to retrieve AWS metadata for the node. InstanceID string `json:"instance-id,omitempty"` // InstanceType is the AWS EC2 instance type, e.g. "m5.large" InstanceType string `json:"instance-type,omitempty"` // MinAllocate is the minimum number of IPs that must be allocated when // the node is first bootstrapped. It defines the minimum base socket // of addresses that must be available. After reaching this watermark, // the PreAllocate and MaxAboveWatermark logic takes over to continue // allocating IPs. // // +optional MinAllocate int `json:"min-allocate,omitempty"` // PreAllocate defines the number of IP addresses that must be // available for allocation in the IPAMspec. It defines the buffer of // addresses available immediately without requiring cilium-operator to // get involved. // // +optional PreAllocate int `json:"pre-allocate,omitempty"` // MaxAboveWatermark is the maximum number of addresses to allocate // beyond the addresses needed to reach the PreAllocate watermark. // Going above the watermark can help reduce the number of API calls to // allocate IPs, e.g. when a new ENI is allocated, as many secondary // IPs as possible are allocated. Limiting the amount can help reduce // waste of IPs. // // +optional MaxAboveWatermark int `json:"max-above-watermark,omitempty"` // FirstInterfaceIndex is the index of the first ENI to use for IP // allocation, e.g. if the node has eth0, eth1, eth2 and // FirstInterfaceIndex is set to 1, then only eth1 and eth2 will be // used for IP allocation, eth0 will be ignored for PodIP allocation. // // +optional FirstInterfaceIndex int `json:"first-interface-index,omitempty"` // SecurityGroups is the list of security groups to attach to any ENI // that is created and attached to the instance. // // +optional SecurityGroups []string `json:"security-groups,omitempty"` // SubnetTags is the list of tags to use when evaluating what AWS // subnets to use for ENI and IP allocation // // +optional SubnetTags map[string]string `json:"subnet-tags,omitempty"` // VpcID is the VPC ID to use when allocating ENIs VpcID string `json:"vpc-id,omitempty"` // AvailabilityZone is the availability zone to use when allocating // ENIs AvailabilityZone string `json:"availability-zone,omitempty"` // DeleteOnTermination defines that the ENI should be deleted when the // associated instance is terminated // // +optional DeleteOnTermination bool `json:"delete-on-termination,omitempty"` }
ENISpec is the ENI specification of a node. This specification is considered by the cilium-operator to act as an IPAM operator and makes ENI IPs available via the IPAMSpec section.
The ENI specification can either be provided explicitly by the user or the cilium agent running on the node can be instructed to create the CiliumNode custom resource along with an ENI specification when the node registers itself to the Kubernetes cluster.
func (*ENISpec) DeepCopy ¶ added in v1.6.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ENISpec.
func (*ENISpec) DeepCopyInto ¶ added in v1.6.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ENIStatus ¶ added in v1.6.0
type ENIStatus struct { // ENIs is the list of ENIs on the node // // +optional ENIs map[string]ENI `json:"enis,omitempty"` }
ENIStatus is the status of ENI addressing of the node
func (*ENIStatus) DeepCopy ¶ added in v1.6.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ENIStatus.
func (*ENIStatus) DeepCopyInto ¶ added in v1.6.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type EncryptionSpec ¶ added in v1.6.0
type EncryptionSpec struct { // Key is the index to the key to use for encryption or 0 if encryption // is disabled // // +optional Key int `json:"key,omitempty"` }
EncryptionSpec defines the encryption relevant configuration of a node
func (*EncryptionSpec) DeepCopy ¶ added in v1.6.0
func (in *EncryptionSpec) DeepCopy() *EncryptionSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionSpec.
func (*EncryptionSpec) DeepCopyInto ¶ added in v1.6.0
func (in *EncryptionSpec) DeepCopyInto(out *EncryptionSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type EndpointIdentity ¶
type EndpointIdentity struct { // ID is the numeric identity of the endpoint ID int64 `json:"id,omitempty"` // Labels is the list of labels associated with the identity Labels []string `json:"labels,omitempty"` // Deprecated fields LabelsSHA256 string `json:"labelsSHA256,omitempty"` }
EndpointIdentity is the identity information of an endpoint
func (*EndpointIdentity) DeepCopy ¶ added in v1.6.0
func (in *EndpointIdentity) DeepCopy() *EndpointIdentity
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointIdentity.
func (*EndpointIdentity) DeepCopyInto ¶ added in v1.6.0
func (in *EndpointIdentity) DeepCopyInto(out *EndpointIdentity)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type EndpointNetworking ¶
type EndpointNetworking struct { // IP4/6 addresses assigned to this Endpoint Addressing AddressPairList `json:"addressing"` // NodeIP is the IP of the node the endpoint is running on. The IP must // be reachable between nodes. NodeIP string `json:"node,omitempty"` // Deprecated fields HostAddressing *models.NodeAddressing `json:"host-addressing,omitempty"` HostMac string `json:"host-mac,omitempty"` InterfaceIndex int64 `json:"interface-index,omitempty"` InterfaceName string `json:"interface-name,omitempty"` Mac string `json:"mac,omitempty"` }
EndpointNetworking is the addressing information of an endpoint
func (*EndpointNetworking) DeepCopy ¶ added in v1.6.0
func (in *EndpointNetworking) DeepCopy() *EndpointNetworking
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointNetworking.
func (*EndpointNetworking) DeepCopyInto ¶ added in v1.6.0
func (in *EndpointNetworking) DeepCopyInto(out *EndpointNetworking)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type EndpointPolicy ¶
type EndpointPolicy struct { Ingress *EndpointPolicyDirection `json:"ingress,omitempty"` Egress *EndpointPolicyDirection `json:"egress,omitempty"` }
EndpointPolicy represents the endpoint's policy by listing all allowed ingress and egress identities in combination with L4 port and protocol +k8s:deepcopy-gen=false
type EndpointPolicyDirection ¶
type EndpointPolicyDirection struct { Enforcing bool `json:"enforcing"` Allowed AllowedIdentityList `json:"allowed,omitempty"` Removing AllowedIdentityList `json:"removing,omitempty"` Adding AllowedIdentityList `json:"adding,omitempty"` }
EndpointPolicyDirection is the list of allowed identities per direction +k8s:deepcopy-gen=false
type EndpointStatus ¶
type EndpointStatus struct { // The cilium-agent-local ID of the endpoint ID int64 `json:"id,omitempty"` // Controllers is the list of failing controllers for this endpoint Controllers ControllerList `json:"controllers,omitempty"` // ExternalIdentifiers is a set of identifiers to identify the endpoint // apart from the pod name. This includes container runtime IDs. ExternalIdentifiers *models.EndpointIdentifiers `json:"external-identifiers,omitempty"` // Summary overall endpoint & subcomponent health Health *models.EndpointHealth `json:"health,omitempty"` // Identity is the security identity associated with the endpoint Identity *EndpointIdentity `json:"identity,omitempty"` // Log is the list of the last few warning and error log entries Log []*models.EndpointStatusChange `json:"log,omitempty"` // Networking properties of the endpoint // // +optional Networking *EndpointNetworking `json:"networking,omitempty"` // Encryption is the encryption configuration of the node // // +optional Encryption EncryptionSpec `json:"encryption,omitempty"` Policy *EndpointPolicy `json:"policy,omitempty"` // State is the state of the endpoint // // States are: // - creating // - waiting-for-identity // - not-ready // - waiting-to-regenerate // - regenerating // - restoring // - ready // - disconnecting // - disconnected State string `json:"state,omitempty"` // Deprecated fields Spec *deprecatedEndpointConfigurationSpec `json:"spec,omitempty"` Status *DeprecatedEndpointStatus `json:"status,omitempty"` }
EndpointStatus is the status of a Cilium endpoint The custom deepcopy function below is a workaround. We can generate a deepcopy for EndpointStatus but not for the various models.* types it includes. We can't generate functions for classes in other packages, nor can we change the models.Endpoint type to use proxy types we define here. +k8s:deepcopy-gen=false
func (*EndpointStatus) DeepCopyInto ¶
func (m *EndpointStatus) DeepCopyInto(out *EndpointStatus)
DeepCopyInto is an inefficient hack to allow reusing models.Endpoint in the CiliumEndpoint CRD.
func (*EndpointStatus) MarshalBinary ¶
func (m *EndpointStatus) MarshalBinary() ([]byte, error)
MarshalBinary interface implementation
func (*EndpointStatus) UnmarshalBinary ¶
func (m *EndpointStatus) UnmarshalBinary(b []byte) error
UnmarshalBinary interface implementation
type HealthAddressingSpec ¶ added in v1.6.0
type HealthAddressingSpec struct { // IPv4 is the IPv4 address of the IPv4 health endpoint // // +optional IPv4 string `json:"ipv4,omitempty"` // IPv6 is the IPv6 address of the IPv4 health endpoint // // +optional IPv6 string `json:"ipv6,omitempty"` }
HealthAddressingSpec is the addressing information required to do connectivity health checking
func (*HealthAddressingSpec) DeepCopy ¶ added in v1.6.0
func (in *HealthAddressingSpec) DeepCopy() *HealthAddressingSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HealthAddressingSpec.
func (*HealthAddressingSpec) DeepCopyInto ¶ added in v1.6.0
func (in *HealthAddressingSpec) DeepCopyInto(out *HealthAddressingSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IPAMSpec ¶ added in v1.6.0
type IPAMSpec struct { // Pool is the list of IPs available to the node for allocation. When // an IP is used, the IP will remain on this list but will be added to // Status.IPAM.Used // // +optional Pool map[string]AllocationIP `json:"pool,omitempty"` // PodCIDRs is the list of CIDRs available to the node for allocation. // When an IP is used, the IP will be added to Status.IPAM.Used // // +optional PodCIDRs []string `json:"podCIDRs,omitempty"` }
IPAMSpec is the IPAM specification of the node
func (*IPAMSpec) DeepCopy ¶ added in v1.6.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPAMSpec.
func (*IPAMSpec) DeepCopyInto ¶ added in v1.6.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IPAMStatus ¶ added in v1.6.0
type IPAMStatus struct { // Used lists all IPs out of Spec.IPAM.Pool which have been allocated // and are in use. // // +optional Used map[string]AllocationIP `json:"used,omitempty"` }
IPAMStatus is the IPAM status of a node
func (*IPAMStatus) DeepCopy ¶ added in v1.6.0
func (in *IPAMStatus) DeepCopy() *IPAMStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPAMStatus.
func (*IPAMStatus) DeepCopyInto ¶ added in v1.6.0
func (in *IPAMStatus) DeepCopyInto(out *IPAMStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IdentityStatus ¶ added in v1.6.0
IdentityStatus is the status of an identity
func (*IdentityStatus) DeepCopy ¶ added in v1.6.0
func (in *IdentityStatus) DeepCopy() *IdentityStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityStatus.
func (*IdentityStatus) DeepCopyInto ¶ added in v1.6.0
func (in *IdentityStatus) DeepCopyInto(out *IdentityStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type NodeAddress ¶ added in v1.6.0
type NodeAddress struct { // Type is the type of the node address Type addressing.AddressType `json:"type,omitempty"` // IP is an IP of a node IP string `json:"ip,omitempty"` }
NodeAddress is a node address
func (*NodeAddress) DeepCopy ¶ added in v1.6.0
func (in *NodeAddress) DeepCopy() *NodeAddress
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeAddress.
func (*NodeAddress) DeepCopyInto ¶ added in v1.6.0
func (in *NodeAddress) DeepCopyInto(out *NodeAddress)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type NodeSpec ¶ added in v1.6.0
type NodeSpec struct { // Addresses is the list of all node addresses // // +optional Addresses []NodeAddress `json:"addresses,omitempty"` // HealthAddressing is the addressing information for health // connectivity checking // // +optional HealthAddressing HealthAddressingSpec `json:"health,omitempty"` // Encryption is the encryption configuration of the node // // +optional Encryption EncryptionSpec `json:"encryption,omitempty"` // ENI is the AWS ENI specific configuration // // +optional ENI ENISpec `json:"eni,omitempty"` // IPAM is the address management specification. This section can be // populated by a user or it can be automatically populated by an IPAM // operator // // +optional IPAM IPAMSpec `json:"ipam,omitempty"` }
NodeSpec is the configuration specific to a node
func (*NodeSpec) DeepCopy ¶ added in v1.6.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeSpec.
func (*NodeSpec) DeepCopyInto ¶ added in v1.6.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type NodeStatus ¶ added in v1.6.0
type NodeStatus struct { // ENI is the AWS ENi specific status of the node // // +optional ENI ENIStatus `json:"eni,omitempty"` // IPAM is the IPAM status of the node // // +optional IPAM IPAMStatus `json:"ipam,omitempty"` }
NodeStatus is the status of a node
func (*NodeStatus) DeepCopy ¶ added in v1.6.0
func (in *NodeStatus) DeepCopy() *NodeStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeStatus.
func (*NodeStatus) DeepCopyInto ¶ added in v1.6.0
func (in *NodeStatus) DeepCopyInto(out *NodeStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Timestamp ¶
Timestamp is a wrapper of time.Time so that we can create our own implementation of DeepCopyInto.
func NewTimestamp ¶
func NewTimestamp() Timestamp
NewTimestamp creates a new Timestamp with the current time.Now()
func (*Timestamp) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Timestamp.
func (*Timestamp) DeepCopyInto ¶
DeepCopyInto creates a deep-copy of the Time value. The underlying time.Time type is effectively immutable in the time API, so it is safe to copy-by-assign, despite the presence of (unexported) Pointer fields.