Documentation
Overview
All fields in this package are required unless explicitly marked optional.
+kubebuilder:validation:Required
Package v1alpha1 contains API Schema definitions for the policy.networking.k8s.io API group.
+kubebuilder:object:generate=true
+groupName=policy.networking.k8s.io
Index
- Constants
- Variables
- func Resource(resource string) schema.GroupResource
- type AdminNetworkPolicy
- type AdminNetworkPolicyEgressPeer
- type AdminNetworkPolicyEgressRule
- type AdminNetworkPolicyIngressPeer
- type AdminNetworkPolicyIngressRule
- type AdminNetworkPolicyList
- type AdminNetworkPolicyPort
- type AdminNetworkPolicyRuleAction
- type AdminNetworkPolicySpec
- type AdminNetworkPolicyStatus
- type AdminNetworkPolicySubject
- type BaselineAdminNetworkPolicy
- type BaselineAdminNetworkPolicyEgressRule
- type BaselineAdminNetworkPolicyIngressRule
- type BaselineAdminNetworkPolicyList
- type BaselineAdminNetworkPolicyRuleAction
- type BaselineAdminNetworkPolicySpec
- type BaselineAdminNetworkPolicyStatus
- type CIDR
- type NamespacedPod
- type Port
- type PortRange
Constants
const GroupName = "policy.networking.k8s.io"
GroupName specifies the group name used to register the objects.
Variables
var (
    // localSchemeBuilder and AddToScheme will stay in k8s.io/kubernetes.
    SchemeBuilder runtime.SchemeBuilder
    // Deprecated: use Install instead
    AddToScheme = localSchemeBuilder.AddToScheme
    Install     = localSchemeBuilder.AddToScheme
)
var GroupVersion = v1.GroupVersion{Group: GroupName, Version: "v1alpha1"}
GroupVersion specifies the group and the version used to register the objects.
var SchemeGroupVersion = schema.GroupVersion{Group: GroupName, Version: "v1alpha1"}
SchemeGroupVersion is group version used to register these objects.
Deprecated: use GroupVersion instead.
Functions
func Resource
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource
Types
type AdminNetworkPolicy
type AdminNetworkPolicy struct {
    metav1.TypeMeta   `json:",inline"`
    metav1.ObjectMeta `json:"metadata"`
    // Specification of the desired behavior of AdminNetworkPolicy.
    Spec AdminNetworkPolicySpec `json:"spec"`
    // Status is the status to be reported by the implementation.
    // +optional
    Status AdminNetworkPolicyStatus `json:"status,omitempty"`
}
+genclient
+genclient:nonNamespaced
+kubebuilder:object:root=true
+kubebuilder:subresource:status
+kubebuilder:resource:shortName=anp,scope=Cluster
+kubebuilder:printcolumn:name="Priority",type=string,JSONPath=".spec.priority"
+kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
AdminNetworkPolicy is a cluster level resource that is part of the AdminNetworkPolicy API.
func (*AdminNetworkPolicy) DeepCopy
func (in *AdminNetworkPolicy) DeepCopy() *AdminNetworkPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdminNetworkPolicy.
func (*AdminNetworkPolicy) DeepCopyInto
func (in *AdminNetworkPolicy) DeepCopyInto(out *AdminNetworkPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AdminNetworkPolicy) DeepCopyObject
func (in *AdminNetworkPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type AdminNetworkPolicyEgressPeer (added in v0.1.3)
type AdminNetworkPolicyEgressPeer struct {
    // Namespaces defines a way to select all pods within a set of Namespaces.
    // Note that host-networked pods are not included in this type of peer.
    //
    // Support: Core
    //
    // +optional
    Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"`
    // Pods defines a way to select a set of pods in
    // a set of namespaces. Note that host-networked pods
    // are not included in this type of peer.
    //
    // Support: Core
    //
    // +optional
    Pods *NamespacedPod `json:"pods,omitempty"`
    // Nodes defines a way to select a set of nodes in
    // the cluster. This field follows standard label selector
    // semantics; if present but empty, it selects all Nodes.
    //
    // Support: Extended
    //
    // <network-policy-api:experimental>
    // +optional
    Nodes *metav1.LabelSelector `json:"nodes,omitempty"`
    // Networks defines a way to select peers via CIDR blocks.
    // This is intended for representing entities that live outside the cluster,
    // which can't be selected by pods, namespaces and nodes peers, but note
    // that cluster-internal traffic will be checked against the rule as
    // well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow
    // or deny all IPv4 pod-to-pod traffic as well. If you don't want that,
    // add a rule that Passes all pod traffic before the Networks rule.
    //
    // Each item in Networks should be provided in the CIDR format and should be
    // IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8".
    //
    // Networks can have up to 25 CIDRs specified.
    //
    // Support: Extended
    //
    // <network-policy-api:experimental>
    // +optional
    // +listType=set
    // +kubebuilder:validation:MinItems=1
    // +kubebuilder:validation:MaxItems=25
    Networks []CIDR `json:"networks,omitempty"`
}
AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. Exactly one of the selector pointers must be set for a given peer. If a consumer observes none of its fields are set, they must assume an unknown option has been specified and fail closed.
+kubebuilder:validation:MaxProperties=1
+kubebuilder:validation:MinProperties=1
func (*AdminNetworkPolicyEgressPeer) DeepCopy (added in v0.1.3)
func (in *AdminNetworkPolicyEgressPeer) DeepCopy() *AdminNetworkPolicyEgressPeer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdminNetworkPolicyEgressPeer.
func (*AdminNetworkPolicyEgressPeer) DeepCopyInto (added in v0.1.3)
func (in *AdminNetworkPolicyEgressPeer) DeepCopyInto(out *AdminNetworkPolicyEgressPeer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AdminNetworkPolicyEgressRule
type AdminNetworkPolicyEgressRule struct {
    // Name is an identifier for this rule, that may be no more than 100 characters
    // in length. This field should be used by the implementation to help
    // improve observability, readability and error-reporting for any applied
    // AdminNetworkPolicies.
    //
    // Support: Core
    //
    // +optional
    // +kubebuilder:validation:MaxLength=100
    Name string `json:"name,omitempty"`
    // Action specifies the effect this rule will have on matching traffic.
    // Currently the following actions are supported:
    // Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy)
    // Deny: denies the selected traffic
    // Pass: instructs the selected traffic to skip any remaining ANP rules, and
    // then pass execution to any NetworkPolicies that select the pod.
    // If the pod is not selected by any NetworkPolicies then execution
    // is passed to any BaselineAdminNetworkPolicies that select the pod.
    //
    // Support: Core
    //
    Action AdminNetworkPolicyRuleAction `json:"action"`
    // To is the list of destinations whose traffic this rule applies to.
    // If any AdminNetworkPolicyEgressPeer matches the destination of outgoing
    // traffic then the specified action is applied.
    // This field must be defined and contain at least one item.
    //
    // Support: Core
    //
    // +kubebuilder:validation:MinItems=1
    // +kubebuilder:validation:MaxItems=100
    To []AdminNetworkPolicyEgressPeer `json:"to"`
    // Ports allows for matching traffic based on port and protocols.
    // This field is a list of destination ports for the outgoing egress traffic.
    // If Ports is not set then the rule does not filter traffic via port.
    //
    // Support: Core
    //
    // +optional
    // +kubebuilder:validation:MaxItems=100
    Ports *[]AdminNetworkPolicyPort `json:"ports,omitempty"`
}
AdminNetworkPolicyEgressRule describes an action to take on a particular set of traffic originating from pods selected by an AdminNetworkPolicy's Subject field.
<network-policy-api:experimental:validation>
+kubebuilder:validation:XValidation:rule="!(self.to.exists(peer, has(peer.networks) || has(peer.nodes)) && has(self.ports) && self.ports.exists(port, has(port.namedPort)))",message="networks/nodes peer cannot be set with namedPorts since there are no namedPorts for networks/nodes"
func (*AdminNetworkPolicyEgressRule) DeepCopy
func (in *AdminNetworkPolicyEgressRule) DeepCopy() *AdminNetworkPolicyEgressRule
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdminNetworkPolicyEgressRule.
func (*AdminNetworkPolicyEgressRule) DeepCopyInto
func (in *AdminNetworkPolicyEgressRule) DeepCopyInto(out *AdminNetworkPolicyEgressRule)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AdminNetworkPolicyIngressPeer (added in v0.1.3)
type AdminNetworkPolicyIngressPeer struct {
    // Namespaces defines a way to select all pods within a set of Namespaces.
    // Note that host-networked pods are not included in this type of peer.
    //
    // Support: Core
    //
    // +optional
    Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"`
    // Pods defines a way to select a set of pods in
    // a set of namespaces. Note that host-networked pods
    // are not included in this type of peer.
    //
    // Support: Core
    //
    // +optional
    Pods *NamespacedPod `json:"pods,omitempty"`
}
AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from. Exactly one of the selector pointers must be set for a given peer. If a consumer observes none of its fields are set, they must assume an unknown option has been specified and fail closed.
+kubebuilder:validation:MaxProperties=1
+kubebuilder:validation:MinProperties=1
func (*AdminNetworkPolicyIngressPeer) DeepCopy (added in v0.1.3)
func (in *AdminNetworkPolicyIngressPeer) DeepCopy() *AdminNetworkPolicyIngressPeer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdminNetworkPolicyIngressPeer.
func (*AdminNetworkPolicyIngressPeer) DeepCopyInto (added in v0.1.3)
func (in *AdminNetworkPolicyIngressPeer) DeepCopyInto(out *AdminNetworkPolicyIngressPeer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AdminNetworkPolicyIngressRule
type AdminNetworkPolicyIngressRule struct {
    // Name is an identifier for this rule, that may be no more than 100 characters
    // in length. This field should be used by the implementation to help
    // improve observability, readability and error-reporting for any applied
    // AdminNetworkPolicies.
    //
    // Support: Core
    //
    // +optional
    // +kubebuilder:validation:MaxLength=100
    Name string `json:"name,omitempty"`
    // Action specifies the effect this rule will have on matching traffic.
    // Currently the following actions are supported:
    // Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy)
    // Deny: denies the selected traffic
    // Pass: instructs the selected traffic to skip any remaining ANP rules, and
    // then pass execution to any NetworkPolicies that select the pod.
    // If the pod is not selected by any NetworkPolicies then execution
    // is passed to any BaselineAdminNetworkPolicies that select the pod.
    //
    // Support: Core
    //
    Action AdminNetworkPolicyRuleAction `json:"action"`
    // From is the list of sources whose traffic this rule applies to.
    // If any AdminNetworkPolicyIngressPeer matches the source of incoming
    // traffic then the specified action is applied.
    // This field must be defined and contain at least one item.
    //
    // Support: Core
    //
    // +kubebuilder:validation:MinItems=1
    // +kubebuilder:validation:MaxItems=100
    From []AdminNetworkPolicyIngressPeer `json:"from"`
    // Ports allows for matching traffic based on port and protocols.
    // This field is a list of ports which should be matched on
    // the pods selected for this policy, i.e. the subject of the policy.
    // So it matches on the destination port for the ingress traffic.
    // If Ports is not set then the rule does not filter traffic via port.
    //
    // Support: Core
    //
    // +optional
    // +kubebuilder:validation:MaxItems=100
    Ports *[]AdminNetworkPolicyPort `json:"ports,omitempty"`
}
AdminNetworkPolicyIngressRule describes an action to take on a particular set of traffic destined for pods selected by an AdminNetworkPolicy's Subject field.
func (*AdminNetworkPolicyIngressRule) DeepCopy
func (in *AdminNetworkPolicyIngressRule) DeepCopy() *AdminNetworkPolicyIngressRule
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdminNetworkPolicyIngressRule.
func (*AdminNetworkPolicyIngressRule) DeepCopyInto
func (in *AdminNetworkPolicyIngressRule) DeepCopyInto(out *AdminNetworkPolicyIngressRule)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AdminNetworkPolicyList
type AdminNetworkPolicyList struct {
    metav1.TypeMeta `json:",inline"`
    metav1.ListMeta `json:"metadata,omitempty"`
    Items           []AdminNetworkPolicy `json:"items"`
}
AdminNetworkPolicyList contains a list of AdminNetworkPolicy
func (*AdminNetworkPolicyList) DeepCopy
func (in *AdminNetworkPolicyList) DeepCopy() *AdminNetworkPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdminNetworkPolicyList.
func (*AdminNetworkPolicyList) DeepCopyInto
func (in *AdminNetworkPolicyList) DeepCopyInto(out *AdminNetworkPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*AdminNetworkPolicyList) DeepCopyObject
func (in *AdminNetworkPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type AdminNetworkPolicyPort
type AdminNetworkPolicyPort struct {
    // Port selects a port on a pod(s) based on number.
    //
    // Support: Core
    //
    // +optional
    PortNumber *Port `json:"portNumber,omitempty"`
    // NamedPort selects a port on a pod(s) based on name.
    //
    // Support: Extended
    //
    // <network-policy-api:experimental>
    // +optional
    NamedPort *string `json:"namedPort,omitempty"`
    // PortRange selects a port range on a pod(s) based on provided start and end
    // values.
    //
    // Support: Core
    //
    // +optional
    PortRange *PortRange `json:"portRange,omitempty"`
}
AdminNetworkPolicyPort describes how to select network ports on pod(s). Exactly one field must be set.
+kubebuilder:validation:MaxProperties=1
+kubebuilder:validation:MinProperties=1
func (*AdminNetworkPolicyPort) DeepCopy
func (in *AdminNetworkPolicyPort) DeepCopy() *AdminNetworkPolicyPort
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdminNetworkPolicyPort.
func (*AdminNetworkPolicyPort) DeepCopyInto
func (in *AdminNetworkPolicyPort) DeepCopyInto(out *AdminNetworkPolicyPort)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AdminNetworkPolicyRuleAction
type AdminNetworkPolicyRuleAction string
AdminNetworkPolicyRuleAction string describes the AdminNetworkPolicy action type.
Support: Core
+enum
+kubebuilder:validation:Enum={"Allow", "Deny", "Pass"}
const (
    // AdminNetworkPolicyRuleActionAllow indicates that matching traffic will be
    // allowed regardless of NetworkPolicy and BaselineAdminNetworkPolicy
    // rules. Users cannot block traffic which has been matched by an "Allow"
    // rule in an AdminNetworkPolicy.
    AdminNetworkPolicyRuleActionAllow AdminNetworkPolicyRuleAction = "Allow"
    // AdminNetworkPolicyRuleActionDeny indicates that matching traffic will be
    // denied before being checked against NetworkPolicy or
    // BaselineAdminNetworkPolicy rules. Pods will never receive traffic which
    // has been matched by a "Deny" rule in an AdminNetworkPolicy.
    AdminNetworkPolicyRuleActionDeny AdminNetworkPolicyRuleAction = "Deny"
    // AdminNetworkPolicyRuleActionPass indicates that matching traffic will
    // bypass further AdminNetworkPolicy processing (ignoring rules with lower
    // precedence) and be allowed or denied based on NetworkPolicy and
    // BaselineAdminNetworkPolicy rules.
    AdminNetworkPolicyRuleActionPass AdminNetworkPolicyRuleAction = "Pass"
)
type AdminNetworkPolicySpec
type AdminNetworkPolicySpec struct {
    // Priority is a value from 0 to 1000. Rules with lower priority values have
    // higher precedence, and are checked before rules with higher priority values.
    // All AdminNetworkPolicy rules have higher precedence than NetworkPolicy or
    // BaselineAdminNetworkPolicy rules.
    // The behavior is undefined if two ANP objects have same priority.
    //
    // Support: Core
    //
    // +kubebuilder:validation:Minimum=0
    // +kubebuilder:validation:Maximum=1000
    Priority int32 `json:"priority"`
    // Subject defines the pods to which this AdminNetworkPolicy applies.
    // Note that host-networked pods are not included in subject selection.
    //
    // Support: Core
    //
    Subject AdminNetworkPolicySubject `json:"subject"`
    // Ingress is the list of Ingress rules to be applied to the selected pods.
    // A total of 100 rules will be allowed in each ANP instance.
    // The relative precedence of ingress rules within a single ANP object (all of
    // which share the priority) will be determined by the order in which the rule
    // is written. Thus, a rule that appears at the top of the ingress rules
    // would take the highest precedence.
    // ANPs with no ingress rules do not affect ingress traffic.
    //
    // Support: Core
    //
    // +optional
    // +kubebuilder:validation:MaxItems=100
    Ingress []AdminNetworkPolicyIngressRule `json:"ingress,omitempty"`
    // Egress is the list of Egress rules to be applied to the selected pods.
    // A total of 100 rules will be allowed in each ANP instance.
    // The relative precedence of egress rules within a single ANP object (all of
    // which share the priority) will be determined by the order in which the rule
    // is written. Thus, a rule that appears at the top of the egress rules
    // would take the highest precedence.
    // ANPs with no egress rules do not affect egress traffic.
    //
    // Support: Core
    //
    // +optional
    // +kubebuilder:validation:MaxItems=100
    Egress []AdminNetworkPolicyEgressRule `json:"egress,omitempty"`
}
AdminNetworkPolicySpec defines the desired state of AdminNetworkPolicy.
func (*AdminNetworkPolicySpec) DeepCopy
func (in *AdminNetworkPolicySpec) DeepCopy() *AdminNetworkPolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdminNetworkPolicySpec.
func (*AdminNetworkPolicySpec) DeepCopyInto
func (in *AdminNetworkPolicySpec) DeepCopyInto(out *AdminNetworkPolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
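The precedence described for Priority, rule order and the Allow/Deny/Pass actions, together with the Networks caveat about `"0.0.0.0/0"`, as an added example that is not code from this package. The types are simplified stand-ins with hypothetical names, peers are reduced to "all pods" or CIDR lists, the NetworkPolicy tier is passed in as a precomputed verdict, and allowing traffic that no tier matches is an assumption.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// Simplified stand-ins for the v1alpha1 types (hypothetical names, not the package API).
type (
	Action string
	Peer   struct { // "all pods" (an empty Namespaces selector) or a Networks CIDR list
		AllPods  bool
		Networks []string
	}
	Rule struct {
		Name   string
		Action Action
		To     []Peer
	}
	ANP struct {
		Name     string
		Priority int32 // 0 to 1000; a lower value is checked first
		Egress   []Rule
	}
	Dest struct { // one egress destination; IsPod marks a cluster-internal pod IP
		IP    string
		IsPod bool
	}
)

const Allow, Deny, Pass Action = "Allow", "Deny", "Pass"

func (r Rule) matches(d Dest) bool {
	for _, p := range r.To {
		if p.AllPods && d.IsPod {
			return true
		}
		for _, c := range p.Networks {
			// A Networks peer is checked against pod IPs too, not only external ones.
			if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(net.ParseIP(d.IP)) {
				return true
			}
		}
	}
	return false
}

// firstMatch returns the first rule, in written order, that matches d.
func firstMatch(rules []Rule, d Dest) (Rule, bool) {
	for _, r := range rules {
		if r.matches(d) {
			return r, true
		}
	}
	return Rule{}, false
}

// Decide walks the tiers in order: ANP, NetworkPolicy, BANP.
// np is the NetworkPolicy verdict for d, or "" when no NetworkPolicy selects the pod.
func Decide(anps []ANP, np Action, banp []Rule, d Dest) (Action, string, error) {
	sorted := append([]ANP(nil), anps...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Priority < sorted[j].Priority })
	for i, p := range sorted {
		if i > 0 && p.Priority == sorted[i-1].Priority {
			return "", "", fmt.Errorf("%s and %s share priority %d: behavior undefined", sorted[i-1].Name, p.Name, p.Priority)
		}
	}
	for _, p := range sorted {
		r, ok := firstMatch(p.Egress, d)
		if ok && r.Action == Pass {
			break // skip every remaining ANP rule, in this and later ANPs
		}
		if ok {
			return r.Action, "ANP " + p.Name + "/" + r.Name, nil
		}
	}
	if np != "" {
		return np, "NetworkPolicy", nil
	}
	if r, ok := firstMatch(banp, d); ok {
		return r.Action, "BANP default/" + r.Name, nil
	}
	return Allow, "no policy matched", nil // assumption: the cluster default is allow
}

// Constructed policies: an egress lockdown without and with the Pass rule, and a BANP default.
var denyAll = Rule{Name: "deny-all-ipv4", Action: Deny, To: []Peer{{Networks: []string{"0.0.0.0/0"}}}}
var passPods = Rule{Name: "pass-pods", Action: Pass, To: []Peer{{AllPods: true}}}
var naive = []ANP{{Name: "lockdown", Priority: 10, Egress: []Rule{denyAll}}}
var fixed = []ANP{{Name: "lockdown", Priority: 10, Egress: []Rule{passPods, denyAll}}}
var banp = []Rule{{Name: "deny-pods", Action: Deny, To: []Peer{{AllPods: true}}}}
var pod = Dest{IP: "10.244.1.5", IsPod: true}

func main() {
	fmt.Println(Decide(naive, "", banp, pod))    // the CIDR rule also blocks pod-to-pod traffic
	fmt.Println(Decide(fixed, Allow, banp, pod)) // Pass hands the decision to NetworkPolicy
	fmt.Println(Decide(fixed, "", banp, pod))    // no NetworkPolicy selects the pod: BANP decides
}
```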
type AdminNetworkPolicyStatus
type AdminNetworkPolicyStatus struct {
    // +patchMergeKey=type
    // +patchStrategy=merge
    // +listType=map
    // +listMapKey=type
    Conditions []metav1.Condition `json:"conditions" patchStrategy:"merge" patchMergeKey:"type"`
}
AdminNetworkPolicyStatus defines the observed state of AdminNetworkPolicy.
func (*AdminNetworkPolicyStatus) DeepCopy
func (in *AdminNetworkPolicyStatus) DeepCopy() *AdminNetworkPolicyStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdminNetworkPolicyStatus.
func (*AdminNetworkPolicyStatus) DeepCopyInto
func (in *AdminNetworkPolicyStatus) DeepCopyInto(out *AdminNetworkPolicyStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type AdminNetworkPolicySubject
type AdminNetworkPolicySubject struct {
    // Namespaces is used to select pods via namespace selectors.
    // +optional
    Namespaces *metav1.LabelSelector `json:"namespaces,omitempty"`
    // Pods is used to select pods via namespace AND pod selectors.
    // +optional
    Pods *NamespacedPod `json:"pods,omitempty"`
}
AdminNetworkPolicySubject defines what resources the policy applies to. Exactly one field must be set.
+kubebuilder:validation:MaxProperties=1
+kubebuilder:validation:MinProperties=1
func (*AdminNetworkPolicySubject) DeepCopy
func (in *AdminNetworkPolicySubject) DeepCopy() *AdminNetworkPolicySubject
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AdminNetworkPolicySubject.
func (*AdminNetworkPolicySubject) DeepCopyInto
func (in *AdminNetworkPolicySubject) DeepCopyInto(out *AdminNetworkPolicySubject)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type BaselineAdminNetworkPolicy
type BaselineAdminNetworkPolicy struct {
    metav1.TypeMeta   `json:",inline"`
    metav1.ObjectMeta `json:"metadata"`
    // Specification of the desired behavior of BaselineAdminNetworkPolicy.
    Spec BaselineAdminNetworkPolicySpec `json:"spec"`
    // Status is the status to be reported by the implementation.
    // +optional
    Status BaselineAdminNetworkPolicyStatus `json:"status,omitempty"`
}
+genclient
+genclient:nonNamespaced
+kubebuilder:object:root=true
+kubebuilder:subresource:status
+kubebuilder:resource:shortName=banp,scope=Cluster
+kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
+kubebuilder:validation:XValidation:rule="self.metadata.name == 'default'",message="Only one baseline admin network policy with metadata.name=\"default\" can be created in the cluster"
BaselineAdminNetworkPolicy is a cluster level resource that is part of the AdminNetworkPolicy API.
func (*BaselineAdminNetworkPolicy) DeepCopy
func (in *BaselineAdminNetworkPolicy) DeepCopy() *BaselineAdminNetworkPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BaselineAdminNetworkPolicy.
func (*BaselineAdminNetworkPolicy) DeepCopyInto
func (in *BaselineAdminNetworkPolicy) DeepCopyInto(out *BaselineAdminNetworkPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*BaselineAdminNetworkPolicy) DeepCopyObject
func (in *BaselineAdminNetworkPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type BaselineAdminNetworkPolicyEgressRule
type BaselineAdminNetworkPolicyEgressRule struct {
    // Name is an identifier for this rule, that may be no more than 100 characters
    // in length. This field should be used by the implementation to help
    // improve observability, readability and error-reporting for any applied
    // BaselineAdminNetworkPolicies.
    //
    // Support: Core
    //
    // +optional
    // +kubebuilder:validation:MaxLength=100
    Name string `json:"name,omitempty"`
    // Action specifies the effect this rule will have on matching traffic.
    // Currently the following actions are supported:
    // Allow: allows the selected traffic
    // Deny: denies the selected traffic
    //
    // Support: Core
    //
    Action BaselineAdminNetworkPolicyRuleAction `json:"action"`
    // To is the list of destinations whose traffic this rule applies to.
    // If any AdminNetworkPolicyEgressPeer matches the destination of outgoing
    // traffic then the specified action is applied.
    // This field must be defined and contain at least one item.
    // +kubebuilder:validation:MinItems=1
    // +kubebuilder:validation:MaxItems=100
    //
    // Support: Core
    //
    To []AdminNetworkPolicyEgressPeer `json:"to"`
    // Ports allows for matching traffic based on port and protocols.
    // This field is a list of destination ports for the outgoing egress traffic.
    // If Ports is not set then the rule does not filter traffic via port.
    // +optional
    // +kubebuilder:validation:MaxItems=100
    Ports *[]AdminNetworkPolicyPort `json:"ports,omitempty"`
}
BaselineAdminNetworkPolicyEgressRule describes an action to take on a particular set of traffic originating from pods selected by a BaselineAdminNetworkPolicy's Subject field.
<network-policy-api:experimental:validation>
+kubebuilder:validation:XValidation:rule="!(self.to.exists(peer, has(peer.networks) || has(peer.nodes)) && has(self.ports) && self.ports.exists(port, has(port.namedPort)))",message="networks/nodes peer cannot be set with namedPorts since there are no namedPorts for networks/nodes"
func (*BaselineAdminNetworkPolicyEgressRule) DeepCopy
func (in *BaselineAdminNetworkPolicyEgressRule) DeepCopy() *BaselineAdminNetworkPolicyEgressRule
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BaselineAdminNetworkPolicyEgressRule.
func (*BaselineAdminNetworkPolicyEgressRule) DeepCopyInto
func (in *BaselineAdminNetworkPolicyEgressRule) DeepCopyInto(out *BaselineAdminNetworkPolicyEgressRule)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type BaselineAdminNetworkPolicyIngressRule
type BaselineAdminNetworkPolicyIngressRule struct {
    // Name is an identifier for this rule, that may be no more than 100 characters
    // in length. This field should be used by the implementation to help
    // improve observability, readability and error-reporting for any applied
    // BaselineAdminNetworkPolicies.
    //
    // Support: Core
    //
    // +optional
    // +kubebuilder:validation:MaxLength=100
    Name string `json:"name,omitempty"`
    // Action specifies the effect this rule will have on matching traffic.
    // Currently the following actions are supported:
    // Allow: allows the selected traffic
    // Deny: denies the selected traffic
    //
    // Support: Core
    //
    Action BaselineAdminNetworkPolicyRuleAction `json:"action"`
    // From is the list of sources whose traffic this rule applies to.
    // If any AdminNetworkPolicyIngressPeer matches the source of incoming
    // traffic then the specified action is applied.
    // This field must be defined and contain at least one item.
    //
    // Support: Core
    //
    // +kubebuilder:validation:MinItems=1
    // +kubebuilder:validation:MaxItems=100
    From []AdminNetworkPolicyIngressPeer `json:"from"`
    // Ports allows for matching traffic based on port and protocols.
    // This field is a list of ports which should be matched on
    // the pods selected for this policy, i.e. the subject of the policy.
    // So it matches on the destination port for the ingress traffic.
    // If Ports is not set then the rule does not filter traffic via port.
    //
    // Support: Core
    //
    // +optional
    // +kubebuilder:validation:MaxItems=100
    Ports *[]AdminNetworkPolicyPort `json:"ports,omitempty"`
}
BaselineAdminNetworkPolicyIngressRule describes an action to take on a particular set of traffic destined for pods selected by a BaselineAdminNetworkPolicy's Subject field.
func (*BaselineAdminNetworkPolicyIngressRule) DeepCopy
func (in *BaselineAdminNetworkPolicyIngressRule) DeepCopy() *BaselineAdminNetworkPolicyIngressRule
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BaselineAdminNetworkPolicyIngressRule.
func (*BaselineAdminNetworkPolicyIngressRule) DeepCopyInto
func (in *BaselineAdminNetworkPolicyIngressRule) DeepCopyInto(out *BaselineAdminNetworkPolicyIngressRule)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type BaselineAdminNetworkPolicyList
type BaselineAdminNetworkPolicyList struct {
    metav1.TypeMeta `json:",inline"`
    metav1.ListMeta `json:"metadata,omitempty"`
    Items           []BaselineAdminNetworkPolicy `json:"items"`
}
BaselineAdminNetworkPolicyList contains a list of BaselineAdminNetworkPolicy
func (*BaselineAdminNetworkPolicyList) DeepCopy
func (in *BaselineAdminNetworkPolicyList) DeepCopy() *BaselineAdminNetworkPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BaselineAdminNetworkPolicyList.
func (*BaselineAdminNetworkPolicyList) DeepCopyInto
func (in *BaselineAdminNetworkPolicyList) DeepCopyInto(out *BaselineAdminNetworkPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*BaselineAdminNetworkPolicyList) DeepCopyObject
func (in *BaselineAdminNetworkPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type BaselineAdminNetworkPolicyRuleAction
type BaselineAdminNetworkPolicyRuleAction string
BaselineAdminNetworkPolicyRuleAction string describes the BaselineAdminNetworkPolicy action type.
Support: Core
+enum
+kubebuilder:validation:Enum={"Allow", "Deny"}
const (
    // BaselineAdminNetworkPolicyRuleActionDeny enables admins to deny traffic.
    BaselineAdminNetworkPolicyRuleActionDeny BaselineAdminNetworkPolicyRuleAction = "Deny"
    // BaselineAdminNetworkPolicyRuleActionAllow enables admins to allow certain traffic.
    BaselineAdminNetworkPolicyRuleActionAllow BaselineAdminNetworkPolicyRuleAction = "Allow"
)
type BaselineAdminNetworkPolicySpec
type BaselineAdminNetworkPolicySpec struct {
    // Subject defines the pods to which this BaselineAdminNetworkPolicy applies.
    // Note that host-networked pods are not included in subject selection.
    //
    // Support: Core
    //
    Subject AdminNetworkPolicySubject `json:"subject"`
    // Ingress is the list of Ingress rules to be applied to the selected pods
    // if they are not matched by any AdminNetworkPolicy or NetworkPolicy rules.
    // A total of 100 Ingress rules will be allowed in each BANP instance.
    // The relative precedence of ingress rules within a single BANP object
    // will be determined by the order in which the rule is written.
    // Thus, a rule that appears at the top of the ingress rules
    // would take the highest precedence.
    // BANPs with no ingress rules do not affect ingress traffic.
    //
    // Support: Core
    //
    // +optional
    // +kubebuilder:validation:MaxItems=100
    Ingress []BaselineAdminNetworkPolicyIngressRule `json:"ingress,omitempty"`
    // Egress is the list of Egress rules to be applied to the selected pods if
    // they are not matched by any AdminNetworkPolicy or NetworkPolicy rules.
    // A total of 100 Egress rules will be allowed in each BANP instance.
    // The relative precedence of egress rules within a single BANP object
    // will be determined by the order in which the rule is written.
    // Thus, a rule that appears at the top of the egress rules
    // would take the highest precedence.
    // BANPs with no egress rules do not affect egress traffic.
    //
    // Support: Core
    //
    // +optional
    // +kubebuilder:validation:MaxItems=100
    Egress []BaselineAdminNetworkPolicyEgressRule `json:"egress,omitempty"`
}
BaselineAdminNetworkPolicySpec defines the desired state of BaselineAdminNetworkPolicy.
func (*BaselineAdminNetworkPolicySpec) DeepCopy
func (in *BaselineAdminNetworkPolicySpec) DeepCopy() *BaselineAdminNetworkPolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BaselineAdminNetworkPolicySpec.
func (*BaselineAdminNetworkPolicySpec) DeepCopyInto
func (in *BaselineAdminNetworkPolicySpec) DeepCopyInto(out *BaselineAdminNetworkPolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type BaselineAdminNetworkPolicyStatus
type BaselineAdminNetworkPolicyStatus struct {
    // +patchMergeKey=type
    // +patchStrategy=merge
    // +listType=map
    // +listMapKey=type
    Conditions []metav1.Condition `json:"conditions" patchStrategy:"merge" patchMergeKey:"type"`
}
BaselineAdminNetworkPolicyStatus defines the observed state of BaselineAdminNetworkPolicy.
func (*BaselineAdminNetworkPolicyStatus) DeepCopy
func (in *BaselineAdminNetworkPolicyStatus) DeepCopy() *BaselineAdminNetworkPolicyStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new BaselineAdminNetworkPolicyStatus.
func (*BaselineAdminNetworkPolicyStatus) DeepCopyInto
func (in *BaselineAdminNetworkPolicyStatus) DeepCopyInto(out *BaselineAdminNetworkPolicyStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CIDR (added in v0.1.3)
type CIDR string
CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). This string must be validated by implementations using net.ParseCIDR.
TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available.
+kubebuilder:validation:XValidation:rule="self.contains(':') != self.contains('.')",message="CIDR must be either an IPv4 or IPv6 address. IPv4 address embedded in IPv6 addresses are not supported"
+kubebuilder:validation:MaxLength=43
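One way an implementation could apply the checks listed for CIDR and for the Networks field before programming a rule, as an added example that is not code from this package. The function names are hypothetical, the inputs are constructed, and CoversEverything is an extra check added here to surface the `"0.0.0.0/0"` case that the Networks documentation warns about.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

// Limits taken from the markers on CIDR (MaxLength) and Networks (MaxItems).
const (
	maxCIDRLen  = 43
	maxNetworks = 25
)

// ValidateCIDR repeats the API-side checks, then parses with net.ParseCIDR.
// It returns the canonical network: net.ParseCIDR accepts "10.1.2.3/8" and
// yields 10.0.0.0/8, so the range enforced can be wider than the text suggests.
func ValidateCIDR(s string) (*net.IPNet, error) {
	if len(s) > maxCIDRLen {
		return nil, fmt.Errorf("CIDR longer than %d characters", maxCIDRLen)
	}
	// Same test as the CEL rule: self.contains(':') != self.contains('.')
	if strings.Contains(s, ":") == strings.Contains(s, ".") {
		return nil, errors.New("CIDR must be either an IPv4 or IPv6 address")
	}
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		return nil, err
	}
	return n, nil
}

// CoversEverything reports whether n has a zero-length prefix (0.0.0.0/0 or ::/0),
// which matches pod-to-pod traffic of that address family as well as external traffic.
func CoversEverything(n *net.IPNet) bool {
	ones, _ := n.Mask.Size()
	return ones == 0
}

// ValidateNetworks enforces MinItems=1, MaxItems=25 and listType=set (no repeated
// strings), then validates every entry. Any failure rejects the whole list.
func ValidateNetworks(items []string) ([]*net.IPNet, error) {
	if len(items) < 1 || len(items) > maxNetworks {
		return nil, fmt.Errorf("networks must hold 1 to %d CIDRs, got %d", maxNetworks, len(items))
	}
	seen := make(map[string]bool, len(items))
	out := make([]*net.IPNet, 0, len(items))
	for _, s := range items {
		if seen[s] {
			return nil, fmt.Errorf("duplicate CIDR %q", s)
		}
		seen[s] = true
		n, err := ValidateCIDR(s)
		if err != nil {
			return nil, fmt.Errorf("%q: %w", s, err)
		}
		out = append(out, n)
	}
	return out, nil
}

func main() {
	// Constructed inputs: valid, host bits set, IPv4-in-IPv6, missing prefix, catch-all.
	for _, s := range []string{"10.0.0.0/8", "fd00::/8", "10.1.2.3/8", "::ffff:10.0.0.0/104", "10.0.0.0", "0.0.0.0/0"} {
		n, err := ValidateCIDR(s)
		if err != nil {
			fmt.Printf("%-22s rejected: %v\n", s, err)
			continue
		}
		fmt.Printf("%-22s ok: %s (covers everything: %v)\n", s, n, CoversEverything(n))
	}
}
```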
type NamespacedPod (added in v0.1.3)
type NamespacedPod struct {
    // NamespaceSelector follows standard label selector semantics; if empty,
    // it selects all Namespaces.
    NamespaceSelector metav1.LabelSelector `json:"namespaceSelector"`
    // PodSelector is used to explicitly select pods within a namespace; if empty,
    // it selects all Pods.
    PodSelector metav1.LabelSelector `json:"podSelector"`
}
NamespacedPod allows the user to select a given set of pod(s) in selected namespace(s).
func (*NamespacedPod) DeepCopy (added in v0.1.3)
func (in *NamespacedPod) DeepCopy() *NamespacedPod
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespacedPod.
func (*NamespacedPod) DeepCopyInto (added in v0.1.3)
func (in *NamespacedPod) DeepCopyInto(out *NamespacedPod)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Port
type Port struct {
    // Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
    // match. If not specified, this field defaults to TCP.
    //
    // Support: Core
    //
    Protocol v1.Protocol `json:"protocol"`
    // Number defines a network port value.
    // +kubebuilder:validation:Minimum=1
    // +kubebuilder:validation:Maximum=65535
    //
    // Support: Core
    //
    Port int32 `json:"port"`
}
func (*Port) DeepCopy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Port.
func (*Port) DeepCopyInto
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PortRange
type PortRange struct {
    // Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must
    // match. If not specified, this field defaults to TCP.
    //
    // Support: Core
    //
    Protocol v1.Protocol `json:"protocol,omitempty"`
    // Start defines a network port that is the start of a port range, the Start
    // value must be less than End.
    // +kubebuilder:validation:Minimum=1
    // +kubebuilder:validation:Maximum=65535
    //
    // Support: Core
    //
    Start int32 `json:"start"`
    // End defines a network port that is the end of a port range, the End value
    // must be greater than Start.
    // +kubebuilder:validation:Minimum=1
    // +kubebuilder:validation:Maximum=65535
    //
    // Support: Core
    //
    End int32 `json:"end"`
}
PortRange defines an inclusive range of ports from the assigned Start value to End value.
func (*PortRange) DeepCopy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortRange.
func (*PortRange) DeepCopyInto
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.