From 67c30d243fb923250e0ccceafccc1dd8b67c0609 Mon Sep 17 00:00:00 2001 From: clux Date: Sat, 16 Dec 2023 04:15:59 +0000 Subject: [PATCH 1/3] CiliumNetworkPolicy test this doesn't work because it doesn't use the spec/status model Signed-off-by: clux --- justfile | 7 + tests/ciliumnetpol-crd.yaml | 5230 +++++++++++++++++++++++++++++++++++ tests/ciliumnetpol.yaml | 15 + 3 files changed, 5252 insertions(+) create mode 100644 tests/ciliumnetpol-crd.yaml create mode 100644 tests/ciliumnetpol.yaml diff --git a/justfile b/justfile index 237c3c6..8c32c72 100644 --- a/justfile +++ b/justfile @@ -85,5 +85,12 @@ test-istio-destrule: # NB: this currently fails because of an empty status object with preserve-unknown-fields cargo test --test runner -- --nocapture +test-cilium-netpol: + kubectl apply --server-side -f tests/ciliumnetpol-crd.yaml + cargo run --bin kopium -- -A ciliumnetworkpolicies.cilium.io > tests/gen.rs + echo "pub type CR = CiliumNetworkPolicy;" >> tests/gen.rs + kubectl apply -f tests/ciliumnetpol.yaml + cargo test --test runner -- --nocapture + release: cargo release minor --execute diff --git a/tests/ciliumnetpol-crd.yaml b/tests/ciliumnetpol-crd.yaml new file mode 100644 index 0000000..6530024 --- /dev/null +++ b/tests/ciliumnetpol-crd.yaml @@ -0,0 +1,5230 @@ +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.13.0 + name: ciliumnetworkpolicies.cilium.io +spec: + group: cilium.io + names: + categories: + - cilium + - ciliumpolicy + kind: CiliumNetworkPolicy + listKind: CiliumNetworkPolicyList + plural: ciliumnetworkpolicies + shortNames: + - cnp + - ciliumnp + singular: ciliumnetworkpolicy + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v2 + schema: + openAPIV3Schema: + description: CiliumNetworkPolicy is a Kubernetes third-party resource with + an extended version of NetworkPolicy. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec is the desired Cilium specific rule specification. + oneOf: + - properties: + endpointSelector: {} + required: + - endpointSelector + - properties: + nodeSelector: {} + required: + - nodeSelector + properties: + description: + description: Description is a free form string, it can be used by + the creator of the rule to store human readable explanation of the + purpose of this rule. Rules cannot be identified by comment. + type: string + egress: + description: Egress is a list of EgressRule which are enforced at + egress. If omitted or empty, this rule does not apply at egress. + items: + description: "EgressRule contains all rule types which can be applied + at egress, i.e. network traffic that originates inside the endpoint + and exits the endpoint selected by the endpointSelector. \n - + All members of this structure are optional. If omitted or empty, + the member will have no effect on the rule. \n - If multiple members + of the structure are specified, then all members must match in + order for the rule to take effect. The exception to this rule + is the ToRequires member; the effects of any Requires field in + any rule will apply to all other rules as well. \n - ToEndpoints, + ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are mutually + exclusive. Only one of these members may be present within an + individual rule." + properties: + authentication: + description: Authentication is the required authentication type + for the allowed traffic, if any. + properties: + mode: + description: Mode is the required authentication mode for + the allowed traffic, if any. + enum: + - disabled + - required + - test-always-fail + type: string + required: + - mode + type: object + icmps: + description: "ICMPs is a list of ICMP rule identified by type + number which the endpoint subject to the rule is allowed to + connect to. \n Example: Any endpoint with the label \"app=httpd\" + is allowed to initiate type 8 ICMP connections." + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: Family is a IP address version. Currently, + we support `IPv4` and `IPv6`. `IPv4` is set as + default. + enum: + - IPv4 + - IPv6 + type: string + type: + description: Type is a ICMP-type. It should be 0-255 + (8bit). + maximum: 255 + minimum: 0 + type: integer + required: + - type + type: object + type: array + type: object + type: array + toCIDR: + description: "ToCIDR is a list of IP blocks which the endpoint + subject to the rule is allowed to initiate connections. Only + connections destined for outside of the cluster and not targeting + the host will be subject to CIDR rules. This will match on + the destination IP address of outgoing connections. Adding + a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs + is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. + \n Example: Any endpoint with the label \"app=database-proxy\" + is allowed to initiate connections to 10.2.3.0/24" + items: + description: 'CIDR specifies a block of IP addresses. Example: + 192.0.2.1/32' + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + type: array + toCIDRSet: + description: "ToCIDRSet is a list of IP blocks which the endpoint + subject to the rule is allowed to initiate connections to + in addition to connections which are allowed via ToEndpoints, + along with a list of subnets contained within their corresponding + IP block to which traffic should not be allowed. This will + match on the destination IP address of outgoing connections. + Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs + is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. + \n Example: Any endpoint with the label \"app=database-proxy\" + is allowed to initiate connections to 10.2.3.0/24 except from + IPs in subnet 10.2.3.0/28." + items: + description: CIDRRule is a rule that specifies a CIDR prefix + to/from which outside communication is allowed, along with + an optional list of subnets within that CIDR prefix to/from + which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + cidrGroupRef: + description: CIDRGroupRef is a reference to a CiliumCIDRGroup + object. A CiliumCIDRGroup contains a list of CIDRs that + the endpoint, subject to the rule, can (Ingress) or + cannot (IngressDeny) receive connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + except: + description: ExceptCIDRs is a list of IP blocks which + the endpoint subject to the rule is not allowed to initiate + connections to. These CIDR prefixes should be contained + within Cidr, using ExceptCIDRs together with CIDRGroupRef + is not supported yet. These exceptions are only applied + to the Cidr in this CIDRRule, and do not apply to any + other CIDR prefixes in any other CIDRRules. + items: + description: 'CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32' + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + type: array + type: object + type: array + toEndpoints: + description: "ToEndpoints is a list of endpoints identified + by an EndpointSelector to which the endpoints subject to the + rule are allowed to communicate. \n Example: Any endpoint + with the label \"role=frontend\" can communicate with any + endpoint carrying the label \"role=backend\"." + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + toEntities: + description: ToEntities is a list of special entities to which + the endpoint subject to the rule is allowed to initiate connections. + Supported entities are `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, + `init`, `health`,`unmanaged` and `all`. + items: + description: Entity specifies the class of receiver/sender + endpoints that do not have individual identities. Entities + are used to describe "outside of cluster", "host", etc. + enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + toFQDNs: + description: 'ToFQDN allows whitelisting DNS names in place + of IPs. The IPs that result from DNS resolution of `ToFQDN.MatchName`s + are added to the same EgressRule object as ToCIDRSet entries, + and behave accordingly. Any L4 and L7 rules within this EgressRule + will also apply to these IPs. The DNS -> IP mapping is re-resolved + periodically from within the cilium-agent, and the IPs in + the DNS response are effected in the policy for selected pods + as-is (i.e. the list of IPs is not modified in any way). Note: + An explicit rule to allow for DNS traffic is needed for the + pods, as ToFQDN counts as an egress rule and will enforce + egress policy when PolicyEnforcment=default. Note: If the + resolved IPs are IPs within the kubernetes cluster, the ToFQDN + rule will not apply to that IP. Note: ToFQDN cannot occur + in the same policy as other To* rules.' + items: + properties: + matchName: + description: MatchName matches literal DNS names. A trailing + "." is automatically added when missing. + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: "MatchPattern allows using wildcards to match + DNS names. All wildcards are case insensitive. The wildcards + are: - \"*\" matches 0 or more DNS valid characters, + and may occur anywhere in the pattern. As a special + case a \"*\" as the leftmost character, without a following + \".\" matches all subdomains as well as the name to + the right. A trailing \".\" is automatically added when + missing. \n Examples: `*.cilium.io` matches subomains + of cilium at that level www.cilium.io and blog.cilium.io + match, cilium.io and google.com do not `*cilium.io` + matches cilium.io and all subdomains ends with \"cilium.io\" + except those containing \".\" separator, subcilium.io + and sub-cilium.io match, www.cilium.io and blog.cilium.io + does not sub*.cilium.io matches subdomains of cilium + where the subdomain component begins with \"sub\" sub.cilium.io + and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, + cilium.io and google.com do not" + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + toGroups: + description: "ToGroups is a directive that allows the integration + with multiple outside providers. Currently, only AWS is supported, + and the rule can select by multiple sub directives: \n Example: + toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" + items: + description: ToGroups structure to store all kinds of new + integrations that needs a new derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + toPorts: + description: "ToPorts is a list of destination ports identified + by port number and protocol which the endpoint subject to + the rule is allowed to connect to. \n Example: Any endpoint + with the label \"role=frontend\" is allowed to initiate connections + to destination port 8080/tcp" + items: + description: PortRule is a list of ports/protocol combinations + with optional Layer 7 rules which must be met. + properties: + listener: + description: listener specifies the name of a custom Envoy + listener to which this traffic should be redirected + to. + properties: + envoyConfig: + description: EnvoyConfig is a reference to the CEC + or CCNP resource in which the listener is defined. + properties: + kind: + description: Kind is the resource type being referred + to. Defaults to CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig + for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, + respectively. The only case this is currently + explicitly needed is when referring to a CiliumClusterwideEnvoyConfig + from CiliumNetworkPolicy, as using a namespaced + listener from a cluster scoped policy is not + allowed. + enum: + - CiliumEnvoyConfig + - CiliumClusterwideEnvoyConfig + type: string + name: + description: Name is the resource name of the + CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig + where the listener is defined in. + minLength: 1 + type: string + required: + - name + type: object + name: + description: Name is the name of the listener. + minLength: 1 + type: string + required: + - envoyConfig + - name + type: object + originatingTLS: + description: OriginatingTLS is the TLS context for the + connections originated by the L7 proxy. For egress + policy this specifies the client-side TLS parameters + for the upstream connection originating from the L7 + proxy to the remote destination. For ingress policy + this specifies the client-side TLS parameters for the + connection from the L7 proxy to the local endpoint. + properties: + certificate: + description: Certificate is the file name or k8s secret + item name for the certificate chain. If omitted, + 'tls.crt' is assumed, if it exists. If given, the + item must exist. + type: string + privateKey: + description: PrivateKey is the file name or k8s secret + item name for the private key matching the certificate + chain. If omitted, 'tls.key' is assumed, if it exists. + If given, the item must exist. + type: string + secret: + description: 'Secret is the secret that contains the + certificates and private key for the TLS context. + By default, Cilium will search in this secret for + the following items: - ''ca.crt'' - Which represents + the trusted CA to verify remote source. - ''tls.crt'' + - Which represents the public key certificate. - + ''tls.key'' - Which represents the private key matching + the public key certificate.' + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: Namespace is the namespace in which + the secret exists. Context of use determines + the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: TrustedCA is the file name or k8s secret + item name for the trusted CA. If omitted, 'ca.crt' + is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + port: + description: Port is an L4 port number. For now + the string will be strictly parsed as a single + uint16. In the future, this field may support + ranges in the form "1024-2048 Port can also be + a port name, which must contain at least one [a-z], + and may also contain [0-9] and '-' anywhere except + adjacent to another '-' or in the beginning or + the end. + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: "Protocol is the L4 protocol. If omitted + or empty, any protocol matches. Accepted values: + \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching + on ICMP is not supported. \n Named port specified + for a container may narrow this down, but may + not contradict this." + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + type: array + rules: + description: Rules is a list of additional port level + rules which must be met in order for the PortRule to + allow the traffic. If omitted or empty, no layer 7 rules + are enforced. + properties: + dns: + description: DNS-specific rules. + items: + description: PortRuleDNS is a list of allowed DNS + lookups. + properties: + matchName: + description: MatchName matches literal DNS names. + A trailing "." is automatically added when + missing. + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: "MatchPattern allows using wildcards + to match DNS names. All wildcards are case + insensitive. The wildcards are: - \"*\" matches + 0 or more DNS valid characters, and may occur + anywhere in the pattern. As a special case + a \"*\" as the leftmost character, without + a following \".\" matches all subdomains as + well as the name to the right. A trailing + \".\" is automatically added when missing. + \n Examples: `*.cilium.io` matches subomains + of cilium at that level www.cilium.io and + blog.cilium.io match, cilium.io and google.com + do not `*cilium.io` matches cilium.io and + all subdomains ends with \"cilium.io\" except + those containing \".\" separator, subcilium.io + and sub-cilium.io match, www.cilium.io and + blog.cilium.io does not sub*.cilium.io matches + subdomains of cilium where the subdomain component + begins with \"sub\" sub.cilium.io and subdomain.cilium.io + match, www.cilium.io, blog.cilium.io, cilium.io + and google.com do not" + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + http: + description: HTTP specific rules. + items: + description: "PortRuleHTTP is a list of HTTP protocol + constraints. All fields are optional, if all fields + are empty or missing, the rule does not have any + effect. \n All fields of this type are extended + POSIX regex as defined by IEEE Std 1003.1, (i.e + this follows the egrep/unix syntax, not the perl + syntax) matched against the path of an incoming + request. Currently it can contain characters disallowed + from the conventional \"path\" part of a URL as + defined by RFC 3986." + properties: + headerMatches: + description: HeaderMatches is a list of HTTP + headers which must be present and match against + the given values. Mismatch field can be used + to specify what to do when there is no match. + items: + description: HeaderMatch extends the HeaderValue + for matching requirement of a named header + field against an immediate string, a secret + value, or a regex. If none of the optional + fields is present, then the header value + is not matched, only presence of the header + is enough. + properties: + mismatch: + description: Mismatch identifies what + to do in case there is no match. The + default is to drop the request. Otherwise + the overall rule is still considered + as matching, but the mismatches are + logged in the access log. + enum: + - LOG + - ADD + - DELETE + - REPLACE + type: string + name: + description: Name identifies the header. + type: string + secret: + description: Secret refers to a secret + that contains the value to be matched + against. The secret must only contain + one entry. If the referred secret does + not exist, and there is no "Value" specified, + the match will fail. + properties: + name: + description: Name is the name of the + secret. + type: string + namespace: + description: Namespace is the namespace + in which the secret exists. Context + of use determines the default value + if left out (e.g., "default"). + type: string + required: + - name + type: object + value: + description: Value matches the exact value + of the header. Can be specified either + alone or together with "Secret"; will + be used as the header value if the secret + can not be found in the latter case. + type: string + required: + - name + type: object + type: array + headers: + description: Headers is a list of HTTP headers + which must be present in the request. If omitted + or empty, requests are allowed regardless + of headers present. + items: + type: string + type: array + host: + description: "Host is an extended POSIX regex + matched against the host header of a request, + e.g. \"foo.com\" \n If omitted or empty, the + value of the host header is ignored." + format: idn-hostname + type: string + method: + description: "Method is an extended POSIX regex + matched against the method of a request, e.g. + \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", + ... \n If omitted or empty, all methods are + allowed." + type: string + path: + description: "Path is an extended POSIX regex + matched against the path of a request. Currently + it can contain characters disallowed from + the conventional \"path\" part of a URL as + defined by RFC 3986. \n If omitted or empty, + all paths are all allowed." + type: string + type: object + type: array + kafka: + description: Kafka-specific rules. + items: + description: PortRule is a list of Kafka protocol + constraints. All fields are optional, if all fields + are empty or missing, the rule will match all + Kafka messages. + properties: + apiKey: + description: "APIKey is a case-insensitive string + matched against the key of a request, e.g. + \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", + et al Reference: https://kafka.apache.org/protocol#protocol_api_keys + \n If omitted or empty, and if Role is not + specified, then all keys are allowed." + type: string + apiVersion: + description: "APIVersion is the version matched + against the api version of the Kafka message. + If set, it has to be a string representing + a positive integer. \n If omitted or empty, + all versions are allowed." + type: string + clientID: + description: "ClientID is the client identifier + as provided in the request. \n From Kafka + protocol documentation: This is a user supplied + identifier for the client application. The + user can use any identifier they like and + it will be used when logging errors, monitoring + aggregates, etc. For example, one might want + to monitor not just the requests per second + overall, but the number coming from each client + application (each of which could reside on + multiple servers). This id acts as a logical + grouping across all requests from a particular + client. \n If omitted or empty, all client + identifiers are allowed." + type: string + role: + description: "Role is a case-insensitive string + and describes a group of API keys necessary + to perform certain higher-level Kafka operations + such as \"produce\" or \"consume\". A Role + automatically expands into all APIKeys required + to perform the specified higher-level operation. + \n The following values are supported: - \"produce\": + Allow producing to the topics specified in + the rule - \"consume\": Allow consuming from + the topics specified in the rule \n This field + is incompatible with the APIKey field, i.e + APIKey and Role cannot both be specified in + the same rule. \n If omitted or empty, and + if APIKey is not specified, then all keys + are allowed." + enum: + - produce + - consume + type: string + topic: + description: "Topic is the topic name contained + in the message. If a Kafka request contains + multiple topics, then all topics must be allowed + or the message will be rejected. \n This constraint + is ignored if the matched request message + type doesn't contain any topic. Maximum size + of Topic can be 249 characters as per recent + Kafka spec and allowed characters are a-z, + A-Z, 0-9, -, . and _. \n Older Kafka versions + had longer topic lengths of 255, but in Kafka + 0.10 version the length was changed from 255 + to 249. For compatibility reasons we are using + 255. \n If omitted or empty, all topics are + allowed." + maxLength: 255 + type: string + type: object + type: array + l7: + description: Key-value pair rules. + items: + additionalProperties: + type: string + description: PortRuleL7 is a list of key-value pairs + interpreted by a L7 protocol as protocol constraints. + All fields are optional, if all fields are empty + or missing, the rule does not have any effect. + type: object + type: array + l7proto: + description: Name of the L7 protocol for which the + Key-value pair rules apply. + type: string + type: object + serverNames: + description: ServerNames is a list of allowed TLS SNI + values. If not empty, then TLS must be present and one + of the provided SNIs must be indicated in the TLS handshake. + items: + type: string + type: array + terminatingTLS: + description: TerminatingTLS is the TLS context for the + connection terminated by the L7 proxy. For egress policy + this specifies the server-side TLS parameters to be + applied on the connections originated from the local + endpoint and terminated by the L7 proxy. For ingress + policy this specifies the server-side TLS parameters + to be applied on the connections originated from a remote + source and terminated by the L7 proxy. + properties: + certificate: + description: Certificate is the file name or k8s secret + item name for the certificate chain. If omitted, + 'tls.crt' is assumed, if it exists. If given, the + item must exist. + type: string + privateKey: + description: PrivateKey is the file name or k8s secret + item name for the private key matching the certificate + chain. If omitted, 'tls.key' is assumed, if it exists. + If given, the item must exist. + type: string + secret: + description: 'Secret is the secret that contains the + certificates and private key for the TLS context. + By default, Cilium will search in this secret for + the following items: - ''ca.crt'' - Which represents + the trusted CA to verify remote source. - ''tls.crt'' + - Which represents the public key certificate. - + ''tls.key'' - Which represents the private key matching + the public key certificate.' + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: Namespace is the namespace in which + the secret exists. Context of use determines + the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: TrustedCA is the file name or k8s secret + item name for the trusted CA. If omitted, 'ca.crt' + is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + type: object + type: array + toRequires: + description: "ToRequires is a list of additional constraints + which must be met in order for the selected endpoints to be + able to connect to other endpoints. These additional constraints + do no by itself grant access privileges and must always be + accompanied with at least one matching ToEndpoints. \n Example: + Any Endpoint with the label \"team=A\" requires any endpoint + to which it communicates to also carry the label \"team=A\"." + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + toServices: + description: "ToServices is a list of services to which the + endpoint subject to the rule is allowed to initiate connections. + Currently Cilium only supports toServices for K8s services + without selectors. \n Example: Any endpoint with the label + \"app=backend-app\" is allowed to initiate connections to + all cidrs backing the \"external-service\" service" + items: + description: Service wraps around selectors for services + properties: + k8sService: + description: K8sService selects service by name and namespace + pair + properties: + namespace: + type: string + serviceName: + type: string + type: object + k8sServiceSelector: + description: K8sServiceSelector selects services by k8s + labels and namespace + properties: + namespace: + type: string + selector: + description: ServiceSelector is a label selector for + k8s services + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + required: + - selector + type: object + type: object + type: array + type: object + type: array + egressDeny: + description: EgressDeny is a list of EgressDenyRule which are enforced + at egress. Any rule inserted here will be denied regardless of the + allowed egress rules in the 'egress' field. If omitted or empty, + this rule does not apply at egress. + items: + description: "EgressDenyRule contains all rule types which can be + applied at egress, i.e. network traffic that originates inside + the endpoint and exits the endpoint selected by the endpointSelector. + \n - All members of this structure are optional. If omitted or + empty, the member will have no effect on the rule. \n - If multiple + members of the structure are specified, then all members must + match in order for the rule to take effect. The exception to this + rule is the ToRequires member; the effects of any Requires field + in any rule will apply to all other rules as well. \n - ToEndpoints, + ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are mutually + exclusive. Only one of these members may be present within an + individual rule." + properties: + icmps: + description: "ICMPs is a list of ICMP rule identified by type + number which the endpoint subject to the rule is not allowed + to connect to. \n Example: Any endpoint with the label \"app=httpd\" + is not allowed to initiate type 8 ICMP connections." + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: Family is a IP address version. Currently, + we support `IPv4` and `IPv6`. `IPv4` is set as + default. + enum: + - IPv4 + - IPv6 + type: string + type: + description: Type is a ICMP-type. It should be 0-255 + (8bit). + maximum: 255 + minimum: 0 + type: integer + required: + - type + type: object + type: array + type: object + type: array + toCIDR: + description: "ToCIDR is a list of IP blocks which the endpoint + subject to the rule is allowed to initiate connections. Only + connections destined for outside of the cluster and not targeting + the host will be subject to CIDR rules. This will match on + the destination IP address of outgoing connections. Adding + a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs + is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. + \n Example: Any endpoint with the label \"app=database-proxy\" + is allowed to initiate connections to 10.2.3.0/24" + items: + description: 'CIDR specifies a block of IP addresses. Example: + 192.0.2.1/32' + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + type: array + toCIDRSet: + description: "ToCIDRSet is a list of IP blocks which the endpoint + subject to the rule is allowed to initiate connections to + in addition to connections which are allowed via ToEndpoints, + along with a list of subnets contained within their corresponding + IP block to which traffic should not be allowed. This will + match on the destination IP address of outgoing connections. + Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs + is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. + \n Example: Any endpoint with the label \"app=database-proxy\" + is allowed to initiate connections to 10.2.3.0/24 except from + IPs in subnet 10.2.3.0/28." + items: + description: CIDRRule is a rule that specifies a CIDR prefix + to/from which outside communication is allowed, along with + an optional list of subnets within that CIDR prefix to/from + which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + cidrGroupRef: + description: CIDRGroupRef is a reference to a CiliumCIDRGroup + object. A CiliumCIDRGroup contains a list of CIDRs that + the endpoint, subject to the rule, can (Ingress) or + cannot (IngressDeny) receive connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + except: + description: ExceptCIDRs is a list of IP blocks which + the endpoint subject to the rule is not allowed to initiate + connections to. These CIDR prefixes should be contained + within Cidr, using ExceptCIDRs together with CIDRGroupRef + is not supported yet. These exceptions are only applied + to the Cidr in this CIDRRule, and do not apply to any + other CIDR prefixes in any other CIDRRules. + items: + description: 'CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32' + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + type: array + type: object + type: array + toEndpoints: + description: "ToEndpoints is a list of endpoints identified + by an EndpointSelector to which the endpoints subject to the + rule are allowed to communicate. \n Example: Any endpoint + with the label \"role=frontend\" can communicate with any + endpoint carrying the label \"role=backend\"." + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + toEntities: + description: ToEntities is a list of special entities to which + the endpoint subject to the rule is allowed to initiate connections. + Supported entities are `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, + `init`, `health`,`unmanaged` and `all`. + items: + description: Entity specifies the class of receiver/sender + endpoints that do not have individual identities. Entities + are used to describe "outside of cluster", "host", etc. + enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + toGroups: + description: "ToGroups is a directive that allows the integration + with multiple outside providers. Currently, only AWS is supported, + and the rule can select by multiple sub directives: \n Example: + toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" + items: + description: ToGroups structure to store all kinds of new + integrations that needs a new derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + toPorts: + description: "ToPorts is a list of destination ports identified + by port number and protocol which the endpoint subject to + the rule is not allowed to connect to. \n Example: Any endpoint + with the label \"role=frontend\" is not allowed to initiate + connections to destination port 8080/tcp" + items: + description: PortDenyRule is a list of ports/protocol that + should be used for deny policies. This structure lacks the + L7Rules since it's not supported in deny policies. + properties: + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + port: + description: Port is an L4 port number. For now + the string will be strictly parsed as a single + uint16. In the future, this field may support + ranges in the form "1024-2048 Port can also be + a port name, which must contain at least one [a-z], + and may also contain [0-9] and '-' anywhere except + adjacent to another '-' or in the beginning or + the end. + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: "Protocol is the L4 protocol. If omitted + or empty, any protocol matches. Accepted values: + \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching + on ICMP is not supported. \n Named port specified + for a container may narrow this down, but may + not contradict this." + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + type: array + type: object + type: array + toRequires: + description: "ToRequires is a list of additional constraints + which must be met in order for the selected endpoints to be + able to connect to other endpoints. These additional constraints + do no by itself grant access privileges and must always be + accompanied with at least one matching ToEndpoints. \n Example: + Any Endpoint with the label \"team=A\" requires any endpoint + to which it communicates to also carry the label \"team=A\"." + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + toServices: + description: "ToServices is a list of services to which the + endpoint subject to the rule is allowed to initiate connections. + Currently Cilium only supports toServices for K8s services + without selectors. \n Example: Any endpoint with the label + \"app=backend-app\" is allowed to initiate connections to + all cidrs backing the \"external-service\" service" + items: + description: Service wraps around selectors for services + properties: + k8sService: + description: K8sService selects service by name and namespace + pair + properties: + namespace: + type: string + serviceName: + type: string + type: object + k8sServiceSelector: + description: K8sServiceSelector selects services by k8s + labels and namespace + properties: + namespace: + type: string + selector: + description: ServiceSelector is a label selector for + k8s services + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + required: + - selector + type: object + type: object + type: array + type: object + type: array + endpointSelector: + description: EndpointSelector selects all endpoints which should be + subject to this rule. EndpointSelector and NodeSelector cannot be + both empty and are mutually exclusive. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from the + MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + ingress: + description: Ingress is a list of IngressRule which are enforced at + ingress. If omitted or empty, this rule does not apply at ingress. + items: + description: "IngressRule contains all rule types which can be applied + at ingress, i.e. network traffic that originates outside of the + endpoint and is entering the endpoint selected by the endpointSelector. + \n - All members of this structure are optional. If omitted or + empty, the member will have no effect on the rule. \n - If multiple + members are set, all of them need to match in order for the rule + to take effect. The exception to this rule is FromRequires field; + the effects of any Requires field in any rule will apply to all + other rules as well. \n - FromEndpoints, FromCIDR, FromCIDRSet + and FromEntities are mutually exclusive. Only one of these members + may be present within an individual rule." + properties: + authentication: + description: Authentication is the required authentication type + for the allowed traffic, if any. + properties: + mode: + description: Mode is the required authentication mode for + the allowed traffic, if any. + enum: + - disabled + - required + - test-always-fail + type: string + required: + - mode + type: object + fromCIDR: + description: "FromCIDR is a list of IP blocks which the endpoint + subject to the rule is allowed to receive connections from. + Only connections which do *not* originate from the cluster + or from the local host are subject to CIDR rules. In order + to allow in-cluster connectivity, use the FromEndpoints field. + \ This will match on the source IP address of incoming connections. + Adding a prefix into FromCIDR or into FromCIDRSet with no + ExcludeCIDRs is equivalent. Overlaps are allowed between + FromCIDR and FromCIDRSet. \n Example: Any endpoint with the + label \"app=my-legacy-pet\" is allowed to receive connections + from 10.3.9.1" + items: + description: 'CIDR specifies a block of IP addresses. Example: + 192.0.2.1/32' + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + type: array + fromCIDRSet: + description: "FromCIDRSet is a list of IP blocks which the endpoint + subject to the rule is allowed to receive connections from + in addition to FromEndpoints, along with a list of subnets + contained within their corresponding IP block from which traffic + should not be allowed. This will match on the source IP address + of incoming connections. Adding a prefix into FromCIDR or + into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps + are allowed between FromCIDR and FromCIDRSet. \n Example: + Any endpoint with the label \"app=my-legacy-pet\" is allowed + to receive connections from 10.0.0.0/8 except from IPs in + subnet 10.96.0.0/12." + items: + description: CIDRRule is a rule that specifies a CIDR prefix + to/from which outside communication is allowed, along with + an optional list of subnets within that CIDR prefix to/from + which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + cidrGroupRef: + description: CIDRGroupRef is a reference to a CiliumCIDRGroup + object. A CiliumCIDRGroup contains a list of CIDRs that + the endpoint, subject to the rule, can (Ingress) or + cannot (IngressDeny) receive connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + except: + description: ExceptCIDRs is a list of IP blocks which + the endpoint subject to the rule is not allowed to initiate + connections to. These CIDR prefixes should be contained + within Cidr, using ExceptCIDRs together with CIDRGroupRef + is not supported yet. These exceptions are only applied + to the Cidr in this CIDRRule, and do not apply to any + other CIDR prefixes in any other CIDRRules. + items: + description: 'CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32' + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + type: array + type: object + type: array + fromEndpoints: + description: "FromEndpoints is a list of endpoints identified + by an EndpointSelector which are allowed to communicate with + the endpoint subject to the rule. \n Example: Any endpoint + with the label \"role=backend\" can be consumed by any endpoint + carrying the label \"role=frontend\"." + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + fromEntities: + description: FromEntities is a list of special entities which + the endpoint subject to the rule is allowed to receive connections + from. Supported entities are `world`, `cluster` and `host` + items: + description: Entity specifies the class of receiver/sender + endpoints that do not have individual identities. Entities + are used to describe "outside of cluster", "host", etc. + enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + fromRequires: + description: "FromRequires is a list of additional constraints + which must be met in order for the selected endpoints to be + reachable. These additional constraints do no by itself grant + access privileges and must always be accompanied with at least + one matching FromEndpoints. \n Example: Any Endpoint with + the label \"team=A\" requires consuming endpoint to also carry + the label \"team=A\"." + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + icmps: + description: "ICMPs is a list of ICMP rule identified by type + number which the endpoint subject to the rule is allowed to + receive connections on. \n Example: Any endpoint with the + label \"app=httpd\" can only accept incoming type 8 ICMP connections." + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: Family is a IP address version. Currently, + we support `IPv4` and `IPv6`. `IPv4` is set as + default. + enum: + - IPv4 + - IPv6 + type: string + type: + description: Type is a ICMP-type. It should be 0-255 + (8bit). + maximum: 255 + minimum: 0 + type: integer + required: + - type + type: object + type: array + type: object + type: array + toPorts: + description: "ToPorts is a list of destination ports identified + by port number and protocol which the endpoint subject to + the rule is allowed to receive connections on. \n Example: + Any endpoint with the label \"app=httpd\" can only accept + incoming connections on port 80/tcp." + items: + description: PortRule is a list of ports/protocol combinations + with optional Layer 7 rules which must be met. + properties: + listener: + description: listener specifies the name of a custom Envoy + listener to which this traffic should be redirected + to. + properties: + envoyConfig: + description: EnvoyConfig is a reference to the CEC + or CCNP resource in which the listener is defined. + properties: + kind: + description: Kind is the resource type being referred + to. Defaults to CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig + for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, + respectively. The only case this is currently + explicitly needed is when referring to a CiliumClusterwideEnvoyConfig + from CiliumNetworkPolicy, as using a namespaced + listener from a cluster scoped policy is not + allowed. + enum: + - CiliumEnvoyConfig + - CiliumClusterwideEnvoyConfig + type: string + name: + description: Name is the resource name of the + CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig + where the listener is defined in. + minLength: 1 + type: string + required: + - name + type: object + name: + description: Name is the name of the listener. + minLength: 1 + type: string + required: + - envoyConfig + - name + type: object + originatingTLS: + description: OriginatingTLS is the TLS context for the + connections originated by the L7 proxy. For egress + policy this specifies the client-side TLS parameters + for the upstream connection originating from the L7 + proxy to the remote destination. For ingress policy + this specifies the client-side TLS parameters for the + connection from the L7 proxy to the local endpoint. + properties: + certificate: + description: Certificate is the file name or k8s secret + item name for the certificate chain. If omitted, + 'tls.crt' is assumed, if it exists. If given, the + item must exist. + type: string + privateKey: + description: PrivateKey is the file name or k8s secret + item name for the private key matching the certificate + chain. If omitted, 'tls.key' is assumed, if it exists. + If given, the item must exist. + type: string + secret: + description: 'Secret is the secret that contains the + certificates and private key for the TLS context. + By default, Cilium will search in this secret for + the following items: - ''ca.crt'' - Which represents + the trusted CA to verify remote source. - ''tls.crt'' + - Which represents the public key certificate. - + ''tls.key'' - Which represents the private key matching + the public key certificate.' + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: Namespace is the namespace in which + the secret exists. Context of use determines + the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: TrustedCA is the file name or k8s secret + item name for the trusted CA. If omitted, 'ca.crt' + is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + port: + description: Port is an L4 port number. For now + the string will be strictly parsed as a single + uint16. In the future, this field may support + ranges in the form "1024-2048 Port can also be + a port name, which must contain at least one [a-z], + and may also contain [0-9] and '-' anywhere except + adjacent to another '-' or in the beginning or + the end. + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: "Protocol is the L4 protocol. If omitted + or empty, any protocol matches. Accepted values: + \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching + on ICMP is not supported. \n Named port specified + for a container may narrow this down, but may + not contradict this." + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + type: array + rules: + description: Rules is a list of additional port level + rules which must be met in order for the PortRule to + allow the traffic. If omitted or empty, no layer 7 rules + are enforced. + properties: + dns: + description: DNS-specific rules. + items: + description: PortRuleDNS is a list of allowed DNS + lookups. + properties: + matchName: + description: MatchName matches literal DNS names. + A trailing "." is automatically added when + missing. + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: "MatchPattern allows using wildcards + to match DNS names. All wildcards are case + insensitive. The wildcards are: - \"*\" matches + 0 or more DNS valid characters, and may occur + anywhere in the pattern. As a special case + a \"*\" as the leftmost character, without + a following \".\" matches all subdomains as + well as the name to the right. A trailing + \".\" is automatically added when missing. + \n Examples: `*.cilium.io` matches subomains + of cilium at that level www.cilium.io and + blog.cilium.io match, cilium.io and google.com + do not `*cilium.io` matches cilium.io and + all subdomains ends with \"cilium.io\" except + those containing \".\" separator, subcilium.io + and sub-cilium.io match, www.cilium.io and + blog.cilium.io does not sub*.cilium.io matches + subdomains of cilium where the subdomain component + begins with \"sub\" sub.cilium.io and subdomain.cilium.io + match, www.cilium.io, blog.cilium.io, cilium.io + and google.com do not" + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + http: + description: HTTP specific rules. + items: + description: "PortRuleHTTP is a list of HTTP protocol + constraints. All fields are optional, if all fields + are empty or missing, the rule does not have any + effect. \n All fields of this type are extended + POSIX regex as defined by IEEE Std 1003.1, (i.e + this follows the egrep/unix syntax, not the perl + syntax) matched against the path of an incoming + request. Currently it can contain characters disallowed + from the conventional \"path\" part of a URL as + defined by RFC 3986." + properties: + headerMatches: + description: HeaderMatches is a list of HTTP + headers which must be present and match against + the given values. Mismatch field can be used + to specify what to do when there is no match. + items: + description: HeaderMatch extends the HeaderValue + for matching requirement of a named header + field against an immediate string, a secret + value, or a regex. If none of the optional + fields is present, then the header value + is not matched, only presence of the header + is enough. + properties: + mismatch: + description: Mismatch identifies what + to do in case there is no match. The + default is to drop the request. Otherwise + the overall rule is still considered + as matching, but the mismatches are + logged in the access log. + enum: + - LOG + - ADD + - DELETE + - REPLACE + type: string + name: + description: Name identifies the header. + type: string + secret: + description: Secret refers to a secret + that contains the value to be matched + against. The secret must only contain + one entry. If the referred secret does + not exist, and there is no "Value" specified, + the match will fail. + properties: + name: + description: Name is the name of the + secret. + type: string + namespace: + description: Namespace is the namespace + in which the secret exists. Context + of use determines the default value + if left out (e.g., "default"). + type: string + required: + - name + type: object + value: + description: Value matches the exact value + of the header. Can be specified either + alone or together with "Secret"; will + be used as the header value if the secret + can not be found in the latter case. + type: string + required: + - name + type: object + type: array + headers: + description: Headers is a list of HTTP headers + which must be present in the request. If omitted + or empty, requests are allowed regardless + of headers present. + items: + type: string + type: array + host: + description: "Host is an extended POSIX regex + matched against the host header of a request, + e.g. \"foo.com\" \n If omitted or empty, the + value of the host header is ignored." + format: idn-hostname + type: string + method: + description: "Method is an extended POSIX regex + matched against the method of a request, e.g. + \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", + ... \n If omitted or empty, all methods are + allowed." + type: string + path: + description: "Path is an extended POSIX regex + matched against the path of a request. Currently + it can contain characters disallowed from + the conventional \"path\" part of a URL as + defined by RFC 3986. \n If omitted or empty, + all paths are all allowed." + type: string + type: object + type: array + kafka: + description: Kafka-specific rules. + items: + description: PortRule is a list of Kafka protocol + constraints. All fields are optional, if all fields + are empty or missing, the rule will match all + Kafka messages. + properties: + apiKey: + description: "APIKey is a case-insensitive string + matched against the key of a request, e.g. + \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", + et al Reference: https://kafka.apache.org/protocol#protocol_api_keys + \n If omitted or empty, and if Role is not + specified, then all keys are allowed." + type: string + apiVersion: + description: "APIVersion is the version matched + against the api version of the Kafka message. + If set, it has to be a string representing + a positive integer. \n If omitted or empty, + all versions are allowed." + type: string + clientID: + description: "ClientID is the client identifier + as provided in the request. \n From Kafka + protocol documentation: This is a user supplied + identifier for the client application. The + user can use any identifier they like and + it will be used when logging errors, monitoring + aggregates, etc. For example, one might want + to monitor not just the requests per second + overall, but the number coming from each client + application (each of which could reside on + multiple servers). This id acts as a logical + grouping across all requests from a particular + client. \n If omitted or empty, all client + identifiers are allowed." + type: string + role: + description: "Role is a case-insensitive string + and describes a group of API keys necessary + to perform certain higher-level Kafka operations + such as \"produce\" or \"consume\". A Role + automatically expands into all APIKeys required + to perform the specified higher-level operation. + \n The following values are supported: - \"produce\": + Allow producing to the topics specified in + the rule - \"consume\": Allow consuming from + the topics specified in the rule \n This field + is incompatible with the APIKey field, i.e + APIKey and Role cannot both be specified in + the same rule. \n If omitted or empty, and + if APIKey is not specified, then all keys + are allowed." + enum: + - produce + - consume + type: string + topic: + description: "Topic is the topic name contained + in the message. If a Kafka request contains + multiple topics, then all topics must be allowed + or the message will be rejected. \n This constraint + is ignored if the matched request message + type doesn't contain any topic. Maximum size + of Topic can be 249 characters as per recent + Kafka spec and allowed characters are a-z, + A-Z, 0-9, -, . and _. \n Older Kafka versions + had longer topic lengths of 255, but in Kafka + 0.10 version the length was changed from 255 + to 249. For compatibility reasons we are using + 255. \n If omitted or empty, all topics are + allowed." + maxLength: 255 + type: string + type: object + type: array + l7: + description: Key-value pair rules. + items: + additionalProperties: + type: string + description: PortRuleL7 is a list of key-value pairs + interpreted by a L7 protocol as protocol constraints. + All fields are optional, if all fields are empty + or missing, the rule does not have any effect. + type: object + type: array + l7proto: + description: Name of the L7 protocol for which the + Key-value pair rules apply. + type: string + type: object + serverNames: + description: ServerNames is a list of allowed TLS SNI + values. If not empty, then TLS must be present and one + of the provided SNIs must be indicated in the TLS handshake. + items: + type: string + type: array + terminatingTLS: + description: TerminatingTLS is the TLS context for the + connection terminated by the L7 proxy. For egress policy + this specifies the server-side TLS parameters to be + applied on the connections originated from the local + endpoint and terminated by the L7 proxy. For ingress + policy this specifies the server-side TLS parameters + to be applied on the connections originated from a remote + source and terminated by the L7 proxy. + properties: + certificate: + description: Certificate is the file name or k8s secret + item name for the certificate chain. If omitted, + 'tls.crt' is assumed, if it exists. If given, the + item must exist. + type: string + privateKey: + description: PrivateKey is the file name or k8s secret + item name for the private key matching the certificate + chain. If omitted, 'tls.key' is assumed, if it exists. + If given, the item must exist. + type: string + secret: + description: 'Secret is the secret that contains the + certificates and private key for the TLS context. + By default, Cilium will search in this secret for + the following items: - ''ca.crt'' - Which represents + the trusted CA to verify remote source. - ''tls.crt'' + - Which represents the public key certificate. - + ''tls.key'' - Which represents the private key matching + the public key certificate.' + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: Namespace is the namespace in which + the secret exists. Context of use determines + the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: TrustedCA is the file name or k8s secret + item name for the trusted CA. If omitted, 'ca.crt' + is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + type: object + type: array + type: object + type: array + ingressDeny: + description: IngressDeny is a list of IngressDenyRule which are enforced + at ingress. Any rule inserted here will be denied regardless of + the allowed ingress rules in the 'ingress' field. If omitted or + empty, this rule does not apply at ingress. + items: + description: "IngressDenyRule contains all rule types which can + be applied at ingress, i.e. network traffic that originates outside + of the endpoint and is entering the endpoint selected by the endpointSelector. + \n - All members of this structure are optional. If omitted or + empty, the member will have no effect on the rule. \n - If multiple + members are set, all of them need to match in order for the rule + to take effect. The exception to this rule is FromRequires field; + the effects of any Requires field in any rule will apply to all + other rules as well. \n - FromEndpoints, FromCIDR, FromCIDRSet + and FromEntities are mutually exclusive. Only one of these members + may be present within an individual rule." + properties: + fromCIDR: + description: "FromCIDR is a list of IP blocks which the endpoint + subject to the rule is allowed to receive connections from. + Only connections which do *not* originate from the cluster + or from the local host are subject to CIDR rules. In order + to allow in-cluster connectivity, use the FromEndpoints field. + \ This will match on the source IP address of incoming connections. + Adding a prefix into FromCIDR or into FromCIDRSet with no + ExcludeCIDRs is equivalent. Overlaps are allowed between + FromCIDR and FromCIDRSet. \n Example: Any endpoint with the + label \"app=my-legacy-pet\" is allowed to receive connections + from 10.3.9.1" + items: + description: 'CIDR specifies a block of IP addresses. Example: + 192.0.2.1/32' + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + type: array + fromCIDRSet: + description: "FromCIDRSet is a list of IP blocks which the endpoint + subject to the rule is allowed to receive connections from + in addition to FromEndpoints, along with a list of subnets + contained within their corresponding IP block from which traffic + should not be allowed. This will match on the source IP address + of incoming connections. Adding a prefix into FromCIDR or + into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps + are allowed between FromCIDR and FromCIDRSet. \n Example: + Any endpoint with the label \"app=my-legacy-pet\" is allowed + to receive connections from 10.0.0.0/8 except from IPs in + subnet 10.96.0.0/12." + items: + description: CIDRRule is a rule that specifies a CIDR prefix + to/from which outside communication is allowed, along with + an optional list of subnets within that CIDR prefix to/from + which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + cidrGroupRef: + description: CIDRGroupRef is a reference to a CiliumCIDRGroup + object. A CiliumCIDRGroup contains a list of CIDRs that + the endpoint, subject to the rule, can (Ingress) or + cannot (IngressDeny) receive connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + except: + description: ExceptCIDRs is a list of IP blocks which + the endpoint subject to the rule is not allowed to initiate + connections to. These CIDR prefixes should be contained + within Cidr, using ExceptCIDRs together with CIDRGroupRef + is not supported yet. These exceptions are only applied + to the Cidr in this CIDRRule, and do not apply to any + other CIDR prefixes in any other CIDRRules. + items: + description: 'CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32' + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + type: array + type: object + type: array + fromEndpoints: + description: "FromEndpoints is a list of endpoints identified + by an EndpointSelector which are allowed to communicate with + the endpoint subject to the rule. \n Example: Any endpoint + with the label \"role=backend\" can be consumed by any endpoint + carrying the label \"role=frontend\"." + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + fromEntities: + description: FromEntities is a list of special entities which + the endpoint subject to the rule is allowed to receive connections + from. Supported entities are `world`, `cluster` and `host` + items: + description: Entity specifies the class of receiver/sender + endpoints that do not have individual identities. Entities + are used to describe "outside of cluster", "host", etc. + enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + fromRequires: + description: "FromRequires is a list of additional constraints + which must be met in order for the selected endpoints to be + reachable. These additional constraints do no by itself grant + access privileges and must always be accompanied with at least + one matching FromEndpoints. \n Example: Any Endpoint with + the label \"team=A\" requires consuming endpoint to also carry + the label \"team=A\"." + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + icmps: + description: "ICMPs is a list of ICMP rule identified by type + number which the endpoint subject to the rule is not allowed + to receive connections on. \n Example: Any endpoint with the + label \"app=httpd\" can not accept incoming type 8 ICMP connections." + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: Family is a IP address version. Currently, + we support `IPv4` and `IPv6`. `IPv4` is set as + default. + enum: + - IPv4 + - IPv6 + type: string + type: + description: Type is a ICMP-type. It should be 0-255 + (8bit). + maximum: 255 + minimum: 0 + type: integer + required: + - type + type: object + type: array + type: object + type: array + toPorts: + description: "ToPorts is a list of destination ports identified + by port number and protocol which the endpoint subject to + the rule is not allowed to receive connections on. \n Example: + Any endpoint with the label \"app=httpd\" can not accept incoming + connections on port 80/tcp." + items: + description: PortDenyRule is a list of ports/protocol that + should be used for deny policies. This structure lacks the + L7Rules since it's not supported in deny policies. + properties: + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + port: + description: Port is an L4 port number. For now + the string will be strictly parsed as a single + uint16. In the future, this field may support + ranges in the form "1024-2048 Port can also be + a port name, which must contain at least one [a-z], + and may also contain [0-9] and '-' anywhere except + adjacent to another '-' or in the beginning or + the end. + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: "Protocol is the L4 protocol. If omitted + or empty, any protocol matches. Accepted values: + \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching + on ICMP is not supported. \n Named port specified + for a container may narrow this down, but may + not contradict this." + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + type: array + type: object + type: array + type: object + type: array + labels: + description: Labels is a list of optional strings which can be used + to re-identify the rule or to store metadata. It is possible to + lookup or delete strings based on labels. Labels are not required + to be unique, multiple rules can have overlapping or identical labels. + items: + description: Label is the Cilium's representation of a container + label. + properties: + key: + type: string + source: + description: 'Source can be one of the above values (e.g.: LabelSourceContainer).' + type: string + value: + type: string + required: + - key + type: object + type: array + nodeSelector: + description: NodeSelector selects all nodes which should be subject + to this rule. EndpointSelector and NodeSelector cannot be both empty + and are mutually exclusive. Can only be used in CiliumClusterwideNetworkPolicies. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the key + and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship to + a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from the + MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + type: object + specs: + description: Specs is a list of desired Cilium specific rule specification. + items: + description: "Rule is a policy rule which must be applied to all endpoints + which match the labels contained in the endpointSelector \n Each rule + is split into an ingress section which contains all rules applicable + at ingress, and an egress section applicable at egress. For rule types + such as `L4Rule` and `CIDR` which can be applied at both ingress and + egress, both ingress and egress side have to either specifically allow + the connection or one side has to be omitted. \n Either ingress, egress, + or both can be provided. If both ingress and egress are omitted, the + rule has no effect." + oneOf: + - properties: + endpointSelector: {} + required: + - endpointSelector + - properties: + nodeSelector: {} + required: + - nodeSelector + properties: + description: + description: Description is a free form string, it can be used by + the creator of the rule to store human readable explanation of + the purpose of this rule. Rules cannot be identified by comment. + type: string + egress: + description: Egress is a list of EgressRule which are enforced at + egress. If omitted or empty, this rule does not apply at egress. + items: + description: "EgressRule contains all rule types which can be + applied at egress, i.e. network traffic that originates inside + the endpoint and exits the endpoint selected by the endpointSelector. + \n - All members of this structure are optional. If omitted + or empty, the member will have no effect on the rule. \n - If + multiple members of the structure are specified, then all members + must match in order for the rule to take effect. The exception + to this rule is the ToRequires member; the effects of any Requires + field in any rule will apply to all other rules as well. \n + - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and + ToGroups are mutually exclusive. Only one of these members may + be present within an individual rule." + properties: + authentication: + description: Authentication is the required authentication + type for the allowed traffic, if any. + properties: + mode: + description: Mode is the required authentication mode + for the allowed traffic, if any. + enum: + - disabled + - required + - test-always-fail + type: string + required: + - mode + type: object + icmps: + description: "ICMPs is a list of ICMP rule identified by type + number which the endpoint subject to the rule is allowed + to connect to. \n Example: Any endpoint with the label \"app=httpd\" + is allowed to initiate type 8 ICMP connections." + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: Family is a IP address version. Currently, + we support `IPv4` and `IPv6`. `IPv4` is set + as default. + enum: + - IPv4 + - IPv6 + type: string + type: + description: Type is a ICMP-type. It should be + 0-255 (8bit). + maximum: 255 + minimum: 0 + type: integer + required: + - type + type: object + type: array + type: object + type: array + toCIDR: + description: "ToCIDR is a list of IP blocks which the endpoint + subject to the rule is allowed to initiate connections. + Only connections destined for outside of the cluster and + not targeting the host will be subject to CIDR rules. This + will match on the destination IP address of outgoing connections. + Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs + is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. + \n Example: Any endpoint with the label \"app=database-proxy\" + is allowed to initiate connections to 10.2.3.0/24" + items: + description: 'CIDR specifies a block of IP addresses. Example: + 192.0.2.1/32' + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + type: array + toCIDRSet: + description: "ToCIDRSet is a list of IP blocks which the endpoint + subject to the rule is allowed to initiate connections to + in addition to connections which are allowed via ToEndpoints, + along with a list of subnets contained within their corresponding + IP block to which traffic should not be allowed. This will + match on the destination IP address of outgoing connections. + Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs + is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. + \n Example: Any endpoint with the label \"app=database-proxy\" + is allowed to initiate connections to 10.2.3.0/24 except + from IPs in subnet 10.2.3.0/28." + items: + description: CIDRRule is a rule that specifies a CIDR prefix + to/from which outside communication is allowed, along + with an optional list of subnets within that CIDR prefix + to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + cidrGroupRef: + description: CIDRGroupRef is a reference to a CiliumCIDRGroup + object. A CiliumCIDRGroup contains a list of CIDRs + that the endpoint, subject to the rule, can (Ingress) + or cannot (IngressDeny) receive connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + except: + description: ExceptCIDRs is a list of IP blocks which + the endpoint subject to the rule is not allowed to + initiate connections to. These CIDR prefixes should + be contained within Cidr, using ExceptCIDRs together + with CIDRGroupRef is not supported yet. These exceptions + are only applied to the Cidr in this CIDRRule, and + do not apply to any other CIDR prefixes in any other + CIDRRules. + items: + description: 'CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32' + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + type: array + type: object + type: array + toEndpoints: + description: "ToEndpoints is a list of endpoints identified + by an EndpointSelector to which the endpoints subject to + the rule are allowed to communicate. \n Example: Any endpoint + with the label \"role=frontend\" can communicate with any + endpoint carrying the label \"role=backend\"." + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + type: array + toEntities: + description: ToEntities is a list of special entities to which + the endpoint subject to the rule is allowed to initiate + connections. Supported entities are `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, + `init`, `health`,`unmanaged` and `all`. + items: + description: Entity specifies the class of receiver/sender + endpoints that do not have individual identities. Entities + are used to describe "outside of cluster", "host", etc. + enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + toFQDNs: + description: 'ToFQDN allows whitelisting DNS names in place + of IPs. The IPs that result from DNS resolution of `ToFQDN.MatchName`s + are added to the same EgressRule object as ToCIDRSet entries, + and behave accordingly. Any L4 and L7 rules within this + EgressRule will also apply to these IPs. The DNS -> IP mapping + is re-resolved periodically from within the cilium-agent, + and the IPs in the DNS response are effected in the policy + for selected pods as-is (i.e. the list of IPs is not modified + in any way). Note: An explicit rule to allow for DNS traffic + is needed for the pods, as ToFQDN counts as an egress rule + and will enforce egress policy when PolicyEnforcment=default. + Note: If the resolved IPs are IPs within the kubernetes + cluster, the ToFQDN rule will not apply to that IP. Note: + ToFQDN cannot occur in the same policy as other To* rules.' + items: + properties: + matchName: + description: MatchName matches literal DNS names. A + trailing "." is automatically added when missing. + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: "MatchPattern allows using wildcards to + match DNS names. All wildcards are case insensitive. + The wildcards are: - \"*\" matches 0 or more DNS valid + characters, and may occur anywhere in the pattern. + As a special case a \"*\" as the leftmost character, + without a following \".\" matches all subdomains as + well as the name to the right. A trailing \".\" is + automatically added when missing. \n Examples: `*.cilium.io` + matches subomains of cilium at that level www.cilium.io + and blog.cilium.io match, cilium.io and google.com + do not `*cilium.io` matches cilium.io and all subdomains + ends with \"cilium.io\" except those containing \".\" + separator, subcilium.io and sub-cilium.io match, www.cilium.io + and blog.cilium.io does not sub*.cilium.io matches + subdomains of cilium where the subdomain component + begins with \"sub\" sub.cilium.io and subdomain.cilium.io + match, www.cilium.io, blog.cilium.io, cilium.io and + google.com do not" + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + toGroups: + description: "ToGroups is a directive that allows the integration + with multiple outside providers. Currently, only AWS is + supported, and the rule can select by multiple sub directives: + \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" + items: + description: ToGroups structure to store all kinds of new + integrations that needs a new derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + toPorts: + description: "ToPorts is a list of destination ports identified + by port number and protocol which the endpoint subject to + the rule is allowed to connect to. \n Example: Any endpoint + with the label \"role=frontend\" is allowed to initiate + connections to destination port 8080/tcp" + items: + description: PortRule is a list of ports/protocol combinations + with optional Layer 7 rules which must be met. + properties: + listener: + description: listener specifies the name of a custom + Envoy listener to which this traffic should be redirected + to. + properties: + envoyConfig: + description: EnvoyConfig is a reference to the CEC + or CCNP resource in which the listener is defined. + properties: + kind: + description: Kind is the resource type being + referred to. Defaults to CiliumEnvoyConfig + or CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy + and CiliumClusterwideNetworkPolicy, respectively. + The only case this is currently explicitly + needed is when referring to a CiliumClusterwideEnvoyConfig + from CiliumNetworkPolicy, as using a namespaced + listener from a cluster scoped policy is not + allowed. + enum: + - CiliumEnvoyConfig + - CiliumClusterwideEnvoyConfig + type: string + name: + description: Name is the resource name of the + CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig + where the listener is defined in. + minLength: 1 + type: string + required: + - name + type: object + name: + description: Name is the name of the listener. + minLength: 1 + type: string + required: + - envoyConfig + - name + type: object + originatingTLS: + description: OriginatingTLS is the TLS context for the + connections originated by the L7 proxy. For egress + policy this specifies the client-side TLS parameters + for the upstream connection originating from the L7 + proxy to the remote destination. For ingress policy + this specifies the client-side TLS parameters for + the connection from the L7 proxy to the local endpoint. + properties: + certificate: + description: Certificate is the file name or k8s + secret item name for the certificate chain. If + omitted, 'tls.crt' is assumed, if it exists. If + given, the item must exist. + type: string + privateKey: + description: PrivateKey is the file name or k8s + secret item name for the private key matching + the certificate chain. If omitted, 'tls.key' is + assumed, if it exists. If given, the item must + exist. + type: string + secret: + description: 'Secret is the secret that contains + the certificates and private key for the TLS context. + By default, Cilium will search in this secret + for the following items: - ''ca.crt'' - Which + represents the trusted CA to verify remote source. + - ''tls.crt'' - Which represents the public key + certificate. - ''tls.key'' - Which represents + the private key matching the public key certificate.' + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: Namespace is the namespace in which + the secret exists. Context of use determines + the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: TrustedCA is the file name or k8s secret + item name for the trusted CA. If omitted, 'ca.crt' + is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + port: + description: Port is an L4 port number. For now + the string will be strictly parsed as a single + uint16. In the future, this field may support + ranges in the form "1024-2048 Port can also + be a port name, which must contain at least + one [a-z], and may also contain [0-9] and '-' + anywhere except adjacent to another '-' or in + the beginning or the end. + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: "Protocol is the L4 protocol. If + omitted or empty, any protocol matches. Accepted + values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\" + \n Matching on ICMP is not supported. \n Named + port specified for a container may narrow this + down, but may not contradict this." + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + type: array + rules: + description: Rules is a list of additional port level + rules which must be met in order for the PortRule + to allow the traffic. If omitted or empty, no layer + 7 rules are enforced. + properties: + dns: + description: DNS-specific rules. + items: + description: PortRuleDNS is a list of allowed + DNS lookups. + properties: + matchName: + description: MatchName matches literal DNS + names. A trailing "." is automatically added + when missing. + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: "MatchPattern allows using wildcards + to match DNS names. All wildcards are case + insensitive. The wildcards are: - \"*\" + matches 0 or more DNS valid characters, + and may occur anywhere in the pattern. As + a special case a \"*\" as the leftmost character, + without a following \".\" matches all subdomains + as well as the name to the right. A trailing + \".\" is automatically added when missing. + \n Examples: `*.cilium.io` matches subomains + of cilium at that level www.cilium.io and + blog.cilium.io match, cilium.io and google.com + do not `*cilium.io` matches cilium.io and + all subdomains ends with \"cilium.io\" except + those containing \".\" separator, subcilium.io + and sub-cilium.io match, www.cilium.io and + blog.cilium.io does not sub*.cilium.io matches + subdomains of cilium where the subdomain + component begins with \"sub\" sub.cilium.io + and subdomain.cilium.io match, www.cilium.io, + blog.cilium.io, cilium.io and google.com + do not" + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + http: + description: HTTP specific rules. + items: + description: "PortRuleHTTP is a list of HTTP protocol + constraints. All fields are optional, if all + fields are empty or missing, the rule does not + have any effect. \n All fields of this type + are extended POSIX regex as defined by IEEE + Std 1003.1, (i.e this follows the egrep/unix + syntax, not the perl syntax) matched against + the path of an incoming request. Currently it + can contain characters disallowed from the conventional + \"path\" part of a URL as defined by RFC 3986." + properties: + headerMatches: + description: HeaderMatches is a list of HTTP + headers which must be present and match + against the given values. Mismatch field + can be used to specify what to do when there + is no match. + items: + description: HeaderMatch extends the HeaderValue + for matching requirement of a named header + field against an immediate string, a secret + value, or a regex. If none of the optional + fields is present, then the header value + is not matched, only presence of the header + is enough. + properties: + mismatch: + description: Mismatch identifies what + to do in case there is no match. The + default is to drop the request. Otherwise + the overall rule is still considered + as matching, but the mismatches are + logged in the access log. + enum: + - LOG + - ADD + - DELETE + - REPLACE + type: string + name: + description: Name identifies the header. + type: string + secret: + description: Secret refers to a secret + that contains the value to be matched + against. The secret must only contain + one entry. If the referred secret + does not exist, and there is no "Value" + specified, the match will fail. + properties: + name: + description: Name is the name of + the secret. + type: string + namespace: + description: Namespace is the namespace + in which the secret exists. Context + of use determines the default + value if left out (e.g., "default"). + type: string + required: + - name + type: object + value: + description: Value matches the exact + value of the header. Can be specified + either alone or together with "Secret"; + will be used as the header value if + the secret can not be found in the + latter case. + type: string + required: + - name + type: object + type: array + headers: + description: Headers is a list of HTTP headers + which must be present in the request. If + omitted or empty, requests are allowed regardless + of headers present. + items: + type: string + type: array + host: + description: "Host is an extended POSIX regex + matched against the host header of a request, + e.g. \"foo.com\" \n If omitted or empty, + the value of the host header is ignored." + format: idn-hostname + type: string + method: + description: "Method is an extended POSIX + regex matched against the method of a request, + e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", + \"DELETE\", ... \n If omitted or empty, + all methods are allowed." + type: string + path: + description: "Path is an extended POSIX regex + matched against the path of a request. Currently + it can contain characters disallowed from + the conventional \"path\" part of a URL + as defined by RFC 3986. \n If omitted or + empty, all paths are all allowed." + type: string + type: object + type: array + kafka: + description: Kafka-specific rules. + items: + description: PortRule is a list of Kafka protocol + constraints. All fields are optional, if all + fields are empty or missing, the rule will match + all Kafka messages. + properties: + apiKey: + description: "APIKey is a case-insensitive + string matched against the key of a request, + e.g. \"produce\", \"fetch\", \"createtopic\", + \"deletetopic\", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys + \n If omitted or empty, and if Role is not + specified, then all keys are allowed." + type: string + apiVersion: + description: "APIVersion is the version matched + against the api version of the Kafka message. + If set, it has to be a string representing + a positive integer. \n If omitted or empty, + all versions are allowed." + type: string + clientID: + description: "ClientID is the client identifier + as provided in the request. \n From Kafka + protocol documentation: This is a user supplied + identifier for the client application. The + user can use any identifier they like and + it will be used when logging errors, monitoring + aggregates, etc. For example, one might + want to monitor not just the requests per + second overall, but the number coming from + each client application (each of which could + reside on multiple servers). This id acts + as a logical grouping across all requests + from a particular client. \n If omitted + or empty, all client identifiers are allowed." + type: string + role: + description: "Role is a case-insensitive string + and describes a group of API keys necessary + to perform certain higher-level Kafka operations + such as \"produce\" or \"consume\". A Role + automatically expands into all APIKeys required + to perform the specified higher-level operation. + \n The following values are supported: - + \"produce\": Allow producing to the topics + specified in the rule - \"consume\": Allow + consuming from the topics specified in the + rule \n This field is incompatible with + the APIKey field, i.e APIKey and Role cannot + both be specified in the same rule. \n If + omitted or empty, and if APIKey is not specified, + then all keys are allowed." + enum: + - produce + - consume + type: string + topic: + description: "Topic is the topic name contained + in the message. If a Kafka request contains + multiple topics, then all topics must be + allowed or the message will be rejected. + \n This constraint is ignored if the matched + request message type doesn't contain any + topic. Maximum size of Topic can be 249 + characters as per recent Kafka spec and + allowed characters are a-z, A-Z, 0-9, -, + . and _. \n Older Kafka versions had longer + topic lengths of 255, but in Kafka 0.10 + version the length was changed from 255 + to 249. For compatibility reasons we are + using 255. \n If omitted or empty, all topics + are allowed." + maxLength: 255 + type: string + type: object + type: array + l7: + description: Key-value pair rules. + items: + additionalProperties: + type: string + description: PortRuleL7 is a list of key-value + pairs interpreted by a L7 protocol as protocol + constraints. All fields are optional, if all + fields are empty or missing, the rule does not + have any effect. + type: object + type: array + l7proto: + description: Name of the L7 protocol for which the + Key-value pair rules apply. + type: string + type: object + serverNames: + description: ServerNames is a list of allowed TLS SNI + values. If not empty, then TLS must be present and + one of the provided SNIs must be indicated in the + TLS handshake. + items: + type: string + type: array + terminatingTLS: + description: TerminatingTLS is the TLS context for the + connection terminated by the L7 proxy. For egress + policy this specifies the server-side TLS parameters + to be applied on the connections originated from the + local endpoint and terminated by the L7 proxy. For + ingress policy this specifies the server-side TLS + parameters to be applied on the connections originated + from a remote source and terminated by the L7 proxy. + properties: + certificate: + description: Certificate is the file name or k8s + secret item name for the certificate chain. If + omitted, 'tls.crt' is assumed, if it exists. If + given, the item must exist. + type: string + privateKey: + description: PrivateKey is the file name or k8s + secret item name for the private key matching + the certificate chain. If omitted, 'tls.key' is + assumed, if it exists. If given, the item must + exist. + type: string + secret: + description: 'Secret is the secret that contains + the certificates and private key for the TLS context. + By default, Cilium will search in this secret + for the following items: - ''ca.crt'' - Which + represents the trusted CA to verify remote source. + - ''tls.crt'' - Which represents the public key + certificate. - ''tls.key'' - Which represents + the private key matching the public key certificate.' + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: Namespace is the namespace in which + the secret exists. Context of use determines + the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: TrustedCA is the file name or k8s secret + item name for the trusted CA. If omitted, 'ca.crt' + is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + type: object + type: array + toRequires: + description: "ToRequires is a list of additional constraints + which must be met in order for the selected endpoints to + be able to connect to other endpoints. These additional + constraints do no by itself grant access privileges and + must always be accompanied with at least one matching ToEndpoints. + \n Example: Any Endpoint with the label \"team=A\" requires + any endpoint to which it communicates to also carry the + label \"team=A\"." + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + type: array + toServices: + description: "ToServices is a list of services to which the + endpoint subject to the rule is allowed to initiate connections. + Currently Cilium only supports toServices for K8s services + without selectors. \n Example: Any endpoint with the label + \"app=backend-app\" is allowed to initiate connections to + all cidrs backing the \"external-service\" service" + items: + description: Service wraps around selectors for services + properties: + k8sService: + description: K8sService selects service by name and + namespace pair + properties: + namespace: + type: string + serviceName: + type: string + type: object + k8sServiceSelector: + description: K8sServiceSelector selects services by + k8s labels and namespace + properties: + namespace: + type: string + selector: + description: ServiceSelector is a label selector + for k8s services + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + required: + - selector + type: object + type: object + type: array + type: object + type: array + egressDeny: + description: EgressDeny is a list of EgressDenyRule which are enforced + at egress. Any rule inserted here will be denied regardless of + the allowed egress rules in the 'egress' field. If omitted or + empty, this rule does not apply at egress. + items: + description: "EgressDenyRule contains all rule types which can + be applied at egress, i.e. network traffic that originates inside + the endpoint and exits the endpoint selected by the endpointSelector. + \n - All members of this structure are optional. If omitted + or empty, the member will have no effect on the rule. \n - If + multiple members of the structure are specified, then all members + must match in order for the rule to take effect. The exception + to this rule is the ToRequires member; the effects of any Requires + field in any rule will apply to all other rules as well. \n + - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and + ToGroups are mutually exclusive. Only one of these members may + be present within an individual rule." + properties: + icmps: + description: "ICMPs is a list of ICMP rule identified by type + number which the endpoint subject to the rule is not allowed + to connect to. \n Example: Any endpoint with the label \"app=httpd\" + is not allowed to initiate type 8 ICMP connections." + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: Family is a IP address version. Currently, + we support `IPv4` and `IPv6`. `IPv4` is set + as default. + enum: + - IPv4 + - IPv6 + type: string + type: + description: Type is a ICMP-type. It should be + 0-255 (8bit). + maximum: 255 + minimum: 0 + type: integer + required: + - type + type: object + type: array + type: object + type: array + toCIDR: + description: "ToCIDR is a list of IP blocks which the endpoint + subject to the rule is allowed to initiate connections. + Only connections destined for outside of the cluster and + not targeting the host will be subject to CIDR rules. This + will match on the destination IP address of outgoing connections. + Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs + is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. + \n Example: Any endpoint with the label \"app=database-proxy\" + is allowed to initiate connections to 10.2.3.0/24" + items: + description: 'CIDR specifies a block of IP addresses. Example: + 192.0.2.1/32' + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + type: array + toCIDRSet: + description: "ToCIDRSet is a list of IP blocks which the endpoint + subject to the rule is allowed to initiate connections to + in addition to connections which are allowed via ToEndpoints, + along with a list of subnets contained within their corresponding + IP block to which traffic should not be allowed. This will + match on the destination IP address of outgoing connections. + Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs + is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. + \n Example: Any endpoint with the label \"app=database-proxy\" + is allowed to initiate connections to 10.2.3.0/24 except + from IPs in subnet 10.2.3.0/28." + items: + description: CIDRRule is a rule that specifies a CIDR prefix + to/from which outside communication is allowed, along + with an optional list of subnets within that CIDR prefix + to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + cidrGroupRef: + description: CIDRGroupRef is a reference to a CiliumCIDRGroup + object. A CiliumCIDRGroup contains a list of CIDRs + that the endpoint, subject to the rule, can (Ingress) + or cannot (IngressDeny) receive connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + except: + description: ExceptCIDRs is a list of IP blocks which + the endpoint subject to the rule is not allowed to + initiate connections to. These CIDR prefixes should + be contained within Cidr, using ExceptCIDRs together + with CIDRGroupRef is not supported yet. These exceptions + are only applied to the Cidr in this CIDRRule, and + do not apply to any other CIDR prefixes in any other + CIDRRules. + items: + description: 'CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32' + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + type: array + type: object + type: array + toEndpoints: + description: "ToEndpoints is a list of endpoints identified + by an EndpointSelector to which the endpoints subject to + the rule are allowed to communicate. \n Example: Any endpoint + with the label \"role=frontend\" can communicate with any + endpoint carrying the label \"role=backend\"." + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + type: array + toEntities: + description: ToEntities is a list of special entities to which + the endpoint subject to the rule is allowed to initiate + connections. Supported entities are `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, + `init`, `health`,`unmanaged` and `all`. + items: + description: Entity specifies the class of receiver/sender + endpoints that do not have individual identities. Entities + are used to describe "outside of cluster", "host", etc. + enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + toGroups: + description: "ToGroups is a directive that allows the integration + with multiple outside providers. Currently, only AWS is + supported, and the rule can select by multiple sub directives: + \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" + items: + description: ToGroups structure to store all kinds of new + integrations that needs a new derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + toPorts: + description: "ToPorts is a list of destination ports identified + by port number and protocol which the endpoint subject to + the rule is not allowed to connect to. \n Example: Any endpoint + with the label \"role=frontend\" is not allowed to initiate + connections to destination port 8080/tcp" + items: + description: PortDenyRule is a list of ports/protocol that + should be used for deny policies. This structure lacks + the L7Rules since it's not supported in deny policies. + properties: + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + port: + description: Port is an L4 port number. For now + the string will be strictly parsed as a single + uint16. In the future, this field may support + ranges in the form "1024-2048 Port can also + be a port name, which must contain at least + one [a-z], and may also contain [0-9] and '-' + anywhere except adjacent to another '-' or in + the beginning or the end. + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: "Protocol is the L4 protocol. If + omitted or empty, any protocol matches. Accepted + values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\" + \n Matching on ICMP is not supported. \n Named + port specified for a container may narrow this + down, but may not contradict this." + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + type: array + type: object + type: array + toRequires: + description: "ToRequires is a list of additional constraints + which must be met in order for the selected endpoints to + be able to connect to other endpoints. These additional + constraints do no by itself grant access privileges and + must always be accompanied with at least one matching ToEndpoints. + \n Example: Any Endpoint with the label \"team=A\" requires + any endpoint to which it communicates to also carry the + label \"team=A\"." + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + type: array + toServices: + description: "ToServices is a list of services to which the + endpoint subject to the rule is allowed to initiate connections. + Currently Cilium only supports toServices for K8s services + without selectors. \n Example: Any endpoint with the label + \"app=backend-app\" is allowed to initiate connections to + all cidrs backing the \"external-service\" service" + items: + description: Service wraps around selectors for services + properties: + k8sService: + description: K8sService selects service by name and + namespace pair + properties: + namespace: + type: string + serviceName: + type: string + type: object + k8sServiceSelector: + description: K8sServiceSelector selects services by + k8s labels and namespace + properties: + namespace: + type: string + selector: + description: ServiceSelector is a label selector + for k8s services + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: A label selector requirement + is a selector that contains values, a key, + and an operator that relates the key and + values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and + DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. + If the operator is Exists or DoesNotExist, + the values array must be empty. This + array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is + "In", and the values array contains only "value". + The requirements are ANDed. + type: object + type: object + required: + - selector + type: object + type: object + type: array + type: object + type: array + endpointSelector: + description: EndpointSelector selects all endpoints which should + be subject to this rule. EndpointSelector and NodeSelector cannot + be both empty and are mutually exclusive. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from the + MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + ingress: + description: Ingress is a list of IngressRule which are enforced + at ingress. If omitted or empty, this rule does not apply at ingress. + items: + description: "IngressRule contains all rule types which can be + applied at ingress, i.e. network traffic that originates outside + of the endpoint and is entering the endpoint selected by the + endpointSelector. \n - All members of this structure are optional. + If omitted or empty, the member will have no effect on the rule. + \n - If multiple members are set, all of them need to match + in order for the rule to take effect. The exception to this + rule is FromRequires field; the effects of any Requires field + in any rule will apply to all other rules as well. \n - FromEndpoints, + FromCIDR, FromCIDRSet and FromEntities are mutually exclusive. + Only one of these members may be present within an individual + rule." + properties: + authentication: + description: Authentication is the required authentication + type for the allowed traffic, if any. + properties: + mode: + description: Mode is the required authentication mode + for the allowed traffic, if any. + enum: + - disabled + - required + - test-always-fail + type: string + required: + - mode + type: object + fromCIDR: + description: "FromCIDR is a list of IP blocks which the endpoint + subject to the rule is allowed to receive connections from. + Only connections which do *not* originate from the cluster + or from the local host are subject to CIDR rules. In order + to allow in-cluster connectivity, use the FromEndpoints + field. This will match on the source IP address of incoming + connections. Adding a prefix into FromCIDR or into FromCIDRSet + with no ExcludeCIDRs is equivalent. Overlaps are allowed + between FromCIDR and FromCIDRSet. \n Example: Any endpoint + with the label \"app=my-legacy-pet\" is allowed to receive + connections from 10.3.9.1" + items: + description: 'CIDR specifies a block of IP addresses. Example: + 192.0.2.1/32' + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + type: array + fromCIDRSet: + description: "FromCIDRSet is a list of IP blocks which the + endpoint subject to the rule is allowed to receive connections + from in addition to FromEndpoints, along with a list of + subnets contained within their corresponding IP block from + which traffic should not be allowed. This will match on + the source IP address of incoming connections. Adding a + prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs + is equivalent. Overlaps are allowed between FromCIDR and + FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" + is allowed to receive connections from 10.0.0.0/8 except + from IPs in subnet 10.96.0.0/12." + items: + description: CIDRRule is a rule that specifies a CIDR prefix + to/from which outside communication is allowed, along + with an optional list of subnets within that CIDR prefix + to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + cidrGroupRef: + description: CIDRGroupRef is a reference to a CiliumCIDRGroup + object. A CiliumCIDRGroup contains a list of CIDRs + that the endpoint, subject to the rule, can (Ingress) + or cannot (IngressDeny) receive connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + except: + description: ExceptCIDRs is a list of IP blocks which + the endpoint subject to the rule is not allowed to + initiate connections to. These CIDR prefixes should + be contained within Cidr, using ExceptCIDRs together + with CIDRGroupRef is not supported yet. These exceptions + are only applied to the Cidr in this CIDRRule, and + do not apply to any other CIDR prefixes in any other + CIDRRules. + items: + description: 'CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32' + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + type: array + type: object + type: array + fromEndpoints: + description: "FromEndpoints is a list of endpoints identified + by an EndpointSelector which are allowed to communicate + with the endpoint subject to the rule. \n Example: Any endpoint + with the label \"role=backend\" can be consumed by any endpoint + carrying the label \"role=frontend\"." + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + type: array + fromEntities: + description: FromEntities is a list of special entities which + the endpoint subject to the rule is allowed to receive connections + from. Supported entities are `world`, `cluster` and `host` + items: + description: Entity specifies the class of receiver/sender + endpoints that do not have individual identities. Entities + are used to describe "outside of cluster", "host", etc. + enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + fromRequires: + description: "FromRequires is a list of additional constraints + which must be met in order for the selected endpoints to + be reachable. These additional constraints do no by itself + grant access privileges and must always be accompanied with + at least one matching FromEndpoints. \n Example: Any Endpoint + with the label \"team=A\" requires consuming endpoint to + also carry the label \"team=A\"." + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + type: array + icmps: + description: "ICMPs is a list of ICMP rule identified by type + number which the endpoint subject to the rule is allowed + to receive connections on. \n Example: Any endpoint with + the label \"app=httpd\" can only accept incoming type 8 + ICMP connections." + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: Family is a IP address version. Currently, + we support `IPv4` and `IPv6`. `IPv4` is set + as default. + enum: + - IPv4 + - IPv6 + type: string + type: + description: Type is a ICMP-type. It should be + 0-255 (8bit). + maximum: 255 + minimum: 0 + type: integer + required: + - type + type: object + type: array + type: object + type: array + toPorts: + description: "ToPorts is a list of destination ports identified + by port number and protocol which the endpoint subject to + the rule is allowed to receive connections on. \n Example: + Any endpoint with the label \"app=httpd\" can only accept + incoming connections on port 80/tcp." + items: + description: PortRule is a list of ports/protocol combinations + with optional Layer 7 rules which must be met. + properties: + listener: + description: listener specifies the name of a custom + Envoy listener to which this traffic should be redirected + to. + properties: + envoyConfig: + description: EnvoyConfig is a reference to the CEC + or CCNP resource in which the listener is defined. + properties: + kind: + description: Kind is the resource type being + referred to. Defaults to CiliumEnvoyConfig + or CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy + and CiliumClusterwideNetworkPolicy, respectively. + The only case this is currently explicitly + needed is when referring to a CiliumClusterwideEnvoyConfig + from CiliumNetworkPolicy, as using a namespaced + listener from a cluster scoped policy is not + allowed. + enum: + - CiliumEnvoyConfig + - CiliumClusterwideEnvoyConfig + type: string + name: + description: Name is the resource name of the + CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig + where the listener is defined in. + minLength: 1 + type: string + required: + - name + type: object + name: + description: Name is the name of the listener. + minLength: 1 + type: string + required: + - envoyConfig + - name + type: object + originatingTLS: + description: OriginatingTLS is the TLS context for the + connections originated by the L7 proxy. For egress + policy this specifies the client-side TLS parameters + for the upstream connection originating from the L7 + proxy to the remote destination. For ingress policy + this specifies the client-side TLS parameters for + the connection from the L7 proxy to the local endpoint. + properties: + certificate: + description: Certificate is the file name or k8s + secret item name for the certificate chain. If + omitted, 'tls.crt' is assumed, if it exists. If + given, the item must exist. + type: string + privateKey: + description: PrivateKey is the file name or k8s + secret item name for the private key matching + the certificate chain. If omitted, 'tls.key' is + assumed, if it exists. If given, the item must + exist. + type: string + secret: + description: 'Secret is the secret that contains + the certificates and private key for the TLS context. + By default, Cilium will search in this secret + for the following items: - ''ca.crt'' - Which + represents the trusted CA to verify remote source. + - ''tls.crt'' - Which represents the public key + certificate. - ''tls.key'' - Which represents + the private key matching the public key certificate.' + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: Namespace is the namespace in which + the secret exists. Context of use determines + the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: TrustedCA is the file name or k8s secret + item name for the trusted CA. If omitted, 'ca.crt' + is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + port: + description: Port is an L4 port number. For now + the string will be strictly parsed as a single + uint16. In the future, this field may support + ranges in the form "1024-2048 Port can also + be a port name, which must contain at least + one [a-z], and may also contain [0-9] and '-' + anywhere except adjacent to another '-' or in + the beginning or the end. + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: "Protocol is the L4 protocol. If + omitted or empty, any protocol matches. Accepted + values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\" + \n Matching on ICMP is not supported. \n Named + port specified for a container may narrow this + down, but may not contradict this." + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + type: array + rules: + description: Rules is a list of additional port level + rules which must be met in order for the PortRule + to allow the traffic. If omitted or empty, no layer + 7 rules are enforced. + properties: + dns: + description: DNS-specific rules. + items: + description: PortRuleDNS is a list of allowed + DNS lookups. + properties: + matchName: + description: MatchName matches literal DNS + names. A trailing "." is automatically added + when missing. + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: "MatchPattern allows using wildcards + to match DNS names. All wildcards are case + insensitive. The wildcards are: - \"*\" + matches 0 or more DNS valid characters, + and may occur anywhere in the pattern. As + a special case a \"*\" as the leftmost character, + without a following \".\" matches all subdomains + as well as the name to the right. A trailing + \".\" is automatically added when missing. + \n Examples: `*.cilium.io` matches subomains + of cilium at that level www.cilium.io and + blog.cilium.io match, cilium.io and google.com + do not `*cilium.io` matches cilium.io and + all subdomains ends with \"cilium.io\" except + those containing \".\" separator, subcilium.io + and sub-cilium.io match, www.cilium.io and + blog.cilium.io does not sub*.cilium.io matches + subdomains of cilium where the subdomain + component begins with \"sub\" sub.cilium.io + and subdomain.cilium.io match, www.cilium.io, + blog.cilium.io, cilium.io and google.com + do not" + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + http: + description: HTTP specific rules. + items: + description: "PortRuleHTTP is a list of HTTP protocol + constraints. All fields are optional, if all + fields are empty or missing, the rule does not + have any effect. \n All fields of this type + are extended POSIX regex as defined by IEEE + Std 1003.1, (i.e this follows the egrep/unix + syntax, not the perl syntax) matched against + the path of an incoming request. Currently it + can contain characters disallowed from the conventional + \"path\" part of a URL as defined by RFC 3986." + properties: + headerMatches: + description: HeaderMatches is a list of HTTP + headers which must be present and match + against the given values. Mismatch field + can be used to specify what to do when there + is no match. + items: + description: HeaderMatch extends the HeaderValue + for matching requirement of a named header + field against an immediate string, a secret + value, or a regex. If none of the optional + fields is present, then the header value + is not matched, only presence of the header + is enough. + properties: + mismatch: + description: Mismatch identifies what + to do in case there is no match. The + default is to drop the request. Otherwise + the overall rule is still considered + as matching, but the mismatches are + logged in the access log. + enum: + - LOG + - ADD + - DELETE + - REPLACE + type: string + name: + description: Name identifies the header. + type: string + secret: + description: Secret refers to a secret + that contains the value to be matched + against. The secret must only contain + one entry. If the referred secret + does not exist, and there is no "Value" + specified, the match will fail. + properties: + name: + description: Name is the name of + the secret. + type: string + namespace: + description: Namespace is the namespace + in which the secret exists. Context + of use determines the default + value if left out (e.g., "default"). + type: string + required: + - name + type: object + value: + description: Value matches the exact + value of the header. Can be specified + either alone or together with "Secret"; + will be used as the header value if + the secret can not be found in the + latter case. + type: string + required: + - name + type: object + type: array + headers: + description: Headers is a list of HTTP headers + which must be present in the request. If + omitted or empty, requests are allowed regardless + of headers present. + items: + type: string + type: array + host: + description: "Host is an extended POSIX regex + matched against the host header of a request, + e.g. \"foo.com\" \n If omitted or empty, + the value of the host header is ignored." + format: idn-hostname + type: string + method: + description: "Method is an extended POSIX + regex matched against the method of a request, + e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", + \"DELETE\", ... \n If omitted or empty, + all methods are allowed." + type: string + path: + description: "Path is an extended POSIX regex + matched against the path of a request. Currently + it can contain characters disallowed from + the conventional \"path\" part of a URL + as defined by RFC 3986. \n If omitted or + empty, all paths are all allowed." + type: string + type: object + type: array + kafka: + description: Kafka-specific rules. + items: + description: PortRule is a list of Kafka protocol + constraints. All fields are optional, if all + fields are empty or missing, the rule will match + all Kafka messages. + properties: + apiKey: + description: "APIKey is a case-insensitive + string matched against the key of a request, + e.g. \"produce\", \"fetch\", \"createtopic\", + \"deletetopic\", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys + \n If omitted or empty, and if Role is not + specified, then all keys are allowed." + type: string + apiVersion: + description: "APIVersion is the version matched + against the api version of the Kafka message. + If set, it has to be a string representing + a positive integer. \n If omitted or empty, + all versions are allowed." + type: string + clientID: + description: "ClientID is the client identifier + as provided in the request. \n From Kafka + protocol documentation: This is a user supplied + identifier for the client application. The + user can use any identifier they like and + it will be used when logging errors, monitoring + aggregates, etc. For example, one might + want to monitor not just the requests per + second overall, but the number coming from + each client application (each of which could + reside on multiple servers). This id acts + as a logical grouping across all requests + from a particular client. \n If omitted + or empty, all client identifiers are allowed." + type: string + role: + description: "Role is a case-insensitive string + and describes a group of API keys necessary + to perform certain higher-level Kafka operations + such as \"produce\" or \"consume\". A Role + automatically expands into all APIKeys required + to perform the specified higher-level operation. + \n The following values are supported: - + \"produce\": Allow producing to the topics + specified in the rule - \"consume\": Allow + consuming from the topics specified in the + rule \n This field is incompatible with + the APIKey field, i.e APIKey and Role cannot + both be specified in the same rule. \n If + omitted or empty, and if APIKey is not specified, + then all keys are allowed." + enum: + - produce + - consume + type: string + topic: + description: "Topic is the topic name contained + in the message. If a Kafka request contains + multiple topics, then all topics must be + allowed or the message will be rejected. + \n This constraint is ignored if the matched + request message type doesn't contain any + topic. Maximum size of Topic can be 249 + characters as per recent Kafka spec and + allowed characters are a-z, A-Z, 0-9, -, + . and _. \n Older Kafka versions had longer + topic lengths of 255, but in Kafka 0.10 + version the length was changed from 255 + to 249. For compatibility reasons we are + using 255. \n If omitted or empty, all topics + are allowed." + maxLength: 255 + type: string + type: object + type: array + l7: + description: Key-value pair rules. + items: + additionalProperties: + type: string + description: PortRuleL7 is a list of key-value + pairs interpreted by a L7 protocol as protocol + constraints. All fields are optional, if all + fields are empty or missing, the rule does not + have any effect. + type: object + type: array + l7proto: + description: Name of the L7 protocol for which the + Key-value pair rules apply. + type: string + type: object + serverNames: + description: ServerNames is a list of allowed TLS SNI + values. If not empty, then TLS must be present and + one of the provided SNIs must be indicated in the + TLS handshake. + items: + type: string + type: array + terminatingTLS: + description: TerminatingTLS is the TLS context for the + connection terminated by the L7 proxy. For egress + policy this specifies the server-side TLS parameters + to be applied on the connections originated from the + local endpoint and terminated by the L7 proxy. For + ingress policy this specifies the server-side TLS + parameters to be applied on the connections originated + from a remote source and terminated by the L7 proxy. + properties: + certificate: + description: Certificate is the file name or k8s + secret item name for the certificate chain. If + omitted, 'tls.crt' is assumed, if it exists. If + given, the item must exist. + type: string + privateKey: + description: PrivateKey is the file name or k8s + secret item name for the private key matching + the certificate chain. If omitted, 'tls.key' is + assumed, if it exists. If given, the item must + exist. + type: string + secret: + description: 'Secret is the secret that contains + the certificates and private key for the TLS context. + By default, Cilium will search in this secret + for the following items: - ''ca.crt'' - Which + represents the trusted CA to verify remote source. + - ''tls.crt'' - Which represents the public key + certificate. - ''tls.key'' - Which represents + the private key matching the public key certificate.' + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: Namespace is the namespace in which + the secret exists. Context of use determines + the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: TrustedCA is the file name or k8s secret + item name for the trusted CA. If omitted, 'ca.crt' + is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + type: object + type: array + type: object + type: array + ingressDeny: + description: IngressDeny is a list of IngressDenyRule which are + enforced at ingress. Any rule inserted here will be denied regardless + of the allowed ingress rules in the 'ingress' field. If omitted + or empty, this rule does not apply at ingress. + items: + description: "IngressDenyRule contains all rule types which can + be applied at ingress, i.e. network traffic that originates + outside of the endpoint and is entering the endpoint selected + by the endpointSelector. \n - All members of this structure + are optional. If omitted or empty, the member will have no effect + on the rule. \n - If multiple members are set, all of them need + to match in order for the rule to take effect. The exception + to this rule is FromRequires field; the effects of any Requires + field in any rule will apply to all other rules as well. \n + - FromEndpoints, FromCIDR, FromCIDRSet and FromEntities are + mutually exclusive. Only one of these members may be present + within an individual rule." + properties: + fromCIDR: + description: "FromCIDR is a list of IP blocks which the endpoint + subject to the rule is allowed to receive connections from. + Only connections which do *not* originate from the cluster + or from the local host are subject to CIDR rules. In order + to allow in-cluster connectivity, use the FromEndpoints + field. This will match on the source IP address of incoming + connections. Adding a prefix into FromCIDR or into FromCIDRSet + with no ExcludeCIDRs is equivalent. Overlaps are allowed + between FromCIDR and FromCIDRSet. \n Example: Any endpoint + with the label \"app=my-legacy-pet\" is allowed to receive + connections from 10.3.9.1" + items: + description: 'CIDR specifies a block of IP addresses. Example: + 192.0.2.1/32' + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + type: array + fromCIDRSet: + description: "FromCIDRSet is a list of IP blocks which the + endpoint subject to the rule is allowed to receive connections + from in addition to FromEndpoints, along with a list of + subnets contained within their corresponding IP block from + which traffic should not be allowed. This will match on + the source IP address of incoming connections. Adding a + prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs + is equivalent. Overlaps are allowed between FromCIDR and + FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" + is allowed to receive connections from 10.0.0.0/8 except + from IPs in subnet 10.96.0.0/12." + items: + description: CIDRRule is a rule that specifies a CIDR prefix + to/from which outside communication is allowed, along + with an optional list of subnets within that CIDR prefix + to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + cidrGroupRef: + description: CIDRGroupRef is a reference to a CiliumCIDRGroup + object. A CiliumCIDRGroup contains a list of CIDRs + that the endpoint, subject to the rule, can (Ingress) + or cannot (IngressDeny) receive connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + except: + description: ExceptCIDRs is a list of IP blocks which + the endpoint subject to the rule is not allowed to + initiate connections to. These CIDR prefixes should + be contained within Cidr, using ExceptCIDRs together + with CIDRGroupRef is not supported yet. These exceptions + are only applied to the Cidr in this CIDRRule, and + do not apply to any other CIDR prefixes in any other + CIDRRules. + items: + description: 'CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32' + pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$|^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ + type: string + type: array + type: object + type: array + fromEndpoints: + description: "FromEndpoints is a list of endpoints identified + by an EndpointSelector which are allowed to communicate + with the endpoint subject to the rule. \n Example: Any endpoint + with the label \"role=backend\" can be consumed by any endpoint + carrying the label \"role=frontend\"." + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + type: array + fromEntities: + description: FromEntities is a list of special entities which + the endpoint subject to the rule is allowed to receive connections + from. Supported entities are `world`, `cluster` and `host` + items: + description: Entity specifies the class of receiver/sender + endpoints that do not have individual identities. Entities + are used to describe "outside of cluster", "host", etc. + enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + fromRequires: + description: "FromRequires is a list of additional constraints + which must be met in order for the selected endpoints to + be reachable. These additional constraints do no by itself + grant access privileges and must always be accompanied with + at least one matching FromEndpoints. \n Example: Any Endpoint + with the label \"team=A\" requires consuming endpoint to + also carry the label \"team=A\"." + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + type: array + icmps: + description: "ICMPs is a list of ICMP rule identified by type + number which the endpoint subject to the rule is not allowed + to receive connections on. \n Example: Any endpoint with + the label \"app=httpd\" can not accept incoming type 8 ICMP + connections." + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: Family is a IP address version. Currently, + we support `IPv4` and `IPv6`. `IPv4` is set + as default. + enum: + - IPv4 + - IPv6 + type: string + type: + description: Type is a ICMP-type. It should be + 0-255 (8bit). + maximum: 255 + minimum: 0 + type: integer + required: + - type + type: object + type: array + type: object + type: array + toPorts: + description: "ToPorts is a list of destination ports identified + by port number and protocol which the endpoint subject to + the rule is not allowed to receive connections on. \n Example: + Any endpoint with the label \"app=httpd\" can not accept + incoming connections on port 80/tcp." + items: + description: PortDenyRule is a list of ports/protocol that + should be used for deny policies. This structure lacks + the L7Rules since it's not supported in deny policies. + properties: + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + port: + description: Port is an L4 port number. For now + the string will be strictly parsed as a single + uint16. In the future, this field may support + ranges in the form "1024-2048 Port can also + be a port name, which must contain at least + one [a-z], and may also contain [0-9] and '-' + anywhere except adjacent to another '-' or in + the beginning or the end. + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: "Protocol is the L4 protocol. If + omitted or empty, any protocol matches. Accepted + values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\" + \n Matching on ICMP is not supported. \n Named + port specified for a container may narrow this + down, but may not contradict this." + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + type: array + type: object + type: array + type: object + type: array + labels: + description: Labels is a list of optional strings which can be used + to re-identify the rule or to store metadata. It is possible to + lookup or delete strings based on labels. Labels are not required + to be unique, multiple rules can have overlapping or identical + labels. + items: + description: Label is the Cilium's representation of a container + label. + properties: + key: + type: string + source: + description: 'Source can be one of the above values (e.g.: + LabelSourceContainer).' + type: string + value: + type: string + required: + - key + type: object + type: array + nodeSelector: + description: NodeSelector selects all nodes which should be subject + to this rule. EndpointSelector and NodeSelector cannot be both + empty and are mutually exclusive. Can only be used in CiliumClusterwideNetworkPolicies. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: A label selector requirement is a selector that + contains values, a key, and an operator that relates the + key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, Exists + and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. If the + operator is In or NotIn, the values array must be non-empty. + If the operator is Exists or DoesNotExist, the values + array must be empty. This array is replaced during a + strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from the + MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. A single + {key,value} in the matchLabels map is equivalent to an element + of matchExpressions, whose key field is "key", the operator + is "In", and the values array contains only "value". The requirements + are ANDed. + type: object + type: object + type: object + type: array + status: + description: Status is the status of the Cilium policy rule + properties: + derivativePolicies: + additionalProperties: + description: CiliumNetworkPolicyNodeStatus is the status of a Cilium + policy rule for a specific node. + properties: + annotations: + additionalProperties: + type: string + description: Annotations corresponds to the Annotations in the + ObjectMeta of the CNP that have been realized on the node + for CNP. That is, if a CNP has been imported and has been + assigned annotation X=Y by the user, Annotations in CiliumNetworkPolicyNodeStatus + will be X=Y once the CNP that was imported corresponding to + Annotation X=Y has been realized on the node. + type: object + enforcing: + description: Enforcing is set to true once all endpoints present + at the time the policy has been imported are enforcing this + policy. + type: boolean + error: + description: Error describes any error that occurred when parsing + or importing the policy, or realizing the policy for the endpoints + to which it applies on the node. + type: string + lastUpdated: + description: LastUpdated contains the last time this status + was updated + format: date-time + type: string + localPolicyRevision: + description: Revision is the policy revision of the repository + which first implemented this policy. + format: int64 + type: integer + ok: + description: OK is true when the policy has been parsed and + imported successfully into the in-memory policy repository + on the node. + type: boolean + type: object + description: DerivativePolicies is the status of all policies derived + from the Cilium policy + type: object + nodes: + additionalProperties: + description: CiliumNetworkPolicyNodeStatus is the status of a Cilium + policy rule for a specific node. + properties: + annotations: + additionalProperties: + type: string + description: Annotations corresponds to the Annotations in the + ObjectMeta of the CNP that have been realized on the node + for CNP. That is, if a CNP has been imported and has been + assigned annotation X=Y by the user, Annotations in CiliumNetworkPolicyNodeStatus + will be X=Y once the CNP that was imported corresponding to + Annotation X=Y has been realized on the node. + type: object + enforcing: + description: Enforcing is set to true once all endpoints present + at the time the policy has been imported are enforcing this + policy. + type: boolean + error: + description: Error describes any error that occurred when parsing + or importing the policy, or realizing the policy for the endpoints + to which it applies on the node. + type: string + lastUpdated: + description: LastUpdated contains the last time this status + was updated + format: date-time + type: string + localPolicyRevision: + description: Revision is the policy revision of the repository + which first implemented this policy. + format: int64 + type: integer + ok: + description: OK is true when the policy has been parsed and + imported successfully into the in-memory policy repository + on the node. + type: boolean + type: object + description: Nodes is the Cilium policy status for each node + type: object + type: object + required: + - metadata + type: object + served: true + storage: true + subresources: + status: {} diff --git a/tests/ciliumnetpol.yaml b/tests/ciliumnetpol.yaml new file mode 100644 index 0000000..86b44be --- /dev/null +++ b/tests/ciliumnetpol.yaml @@ -0,0 +1,15 @@ +apiVersion: "cilium.io/v2" +kind: CiliumNetworkPolicy +metadata: + name: "gen" +specs: + - endpointSelector: + matchLabels: {} + egress: + - toEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": default + ingress: + - fromEndpoints: + - matchLabels: + "k8s:io.kubernetes.pod.namespace": default From 021a4df74ff2017792f69b5a3a0b4349edf89ea4 Mon Sep 17 00:00:00 2001 From: clux Date: Sat, 16 Dec 2023 04:32:03 +0000 Subject: [PATCH 2/3] failing tests so it does not get merged Signed-off-by: clux --- .github/workflows/ci.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 755b2e4..3fef5e4 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -25,6 +25,8 @@ jobs: # Test reasonably complicated CRDs; promethesurules and servicemonitors - run: just test-pr - run: just test-sm + # Cilium with a non/spec-status model + - run: just test-cilium-netpol # Test a fake CRD with multiple versions - run: just test-mv # Test argocd Application From 33d168d4e2373838d393a4680e3ff526f4384440 Mon Sep 17 00:00:00 2001 From: clux Date: Sat, 16 Dec 2023 04:39:52 +0000 Subject: [PATCH 3/3] it works if you don't use specs Signed-off-by: clux --- justfile | 2 +- .../{ciliumnetpol.yaml => ciliumnetpol-broken.yaml} | 0 tests/ciliumnetpol-working.yaml | 13 +++++++++++++ 3 files changed, 14 insertions(+), 1 deletion(-) rename tests/{ciliumnetpol.yaml => ciliumnetpol-broken.yaml} (100%) create mode 100644 tests/ciliumnetpol-working.yaml diff --git a/justfile b/justfile index 8c32c72..baeead3 100644 --- a/justfile +++ b/justfile @@ -89,7 +89,7 @@ test-cilium-netpol: kubectl apply --server-side -f tests/ciliumnetpol-crd.yaml cargo run --bin kopium -- -A ciliumnetworkpolicies.cilium.io > tests/gen.rs echo "pub type CR = CiliumNetworkPolicy;" >> tests/gen.rs - kubectl apply -f tests/ciliumnetpol.yaml + kubectl apply -f tests/ciliumnetpol-working.yaml cargo test --test runner -- --nocapture release: diff --git a/tests/ciliumnetpol.yaml b/tests/ciliumnetpol-broken.yaml similarity index 100% rename from tests/ciliumnetpol.yaml rename to tests/ciliumnetpol-broken.yaml diff --git a/tests/ciliumnetpol-working.yaml b/tests/ciliumnetpol-working.yaml new file mode 100644 index 0000000..fb93ee6 --- /dev/null +++ b/tests/ciliumnetpol-working.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: gen +spec: + endpointSelector: {} + egress: + - toEndpoints: + - {} + ingress: + - fromEndpoints: + - {}