695 lines
45 KiB
JSON
695 lines
45 KiB
JSON
|
{
|
||
|
"properties": {
|
||
|
"apiVersion": {
|
||
|
"description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"kind": {
|
||
|
"description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"metadata": {
|
||
|
"type": "object"
|
||
|
},
|
||
|
"spec": {
|
||
|
"properties": {
|
||
|
"applyOnForward": {
|
||
|
"description": "ApplyOnForward indicates to apply the rules in this policy on forward traffic.",
|
||
|
"type": "boolean"
|
||
|
},
|
||
|
"doNotTrack": {
|
||
|
"description": "DoNotTrack indicates whether packets matched by the rules in this policy should go through the data plane's connection tracking, such as Linux conntrack. If True, the rules in this policy are applied before any data plane connection tracking, and packets allowed by this policy are marked as not to be tracked.",
|
||
|
"type": "boolean"
|
||
|
},
|
||
|
"egress": {
|
||
|
"description": "The ordered set of egress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.",
|
||
|
"items": {
|
||
|
"description": "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match.",
|
||
|
"properties": {
|
||
|
"action": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"destination": {
|
||
|
"description": "Destination contains the match criteria that apply to destination entity.",
|
||
|
"properties": {
|
||
|
"namespaceSelector": {
|
||
|
"description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"nets": {
|
||
|
"description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.",
|
||
|
"items": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"notNets": {
|
||
|
"description": "NotNets is the negated version of the Nets field.",
|
||
|
"items": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"notPorts": {
|
||
|
"description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
|
||
|
"items": {
|
||
|
"anyOf": [
|
||
|
{
|
||
|
"type": "integer"
|
||
|
},
|
||
|
{
|
||
|
"type": "string"
|
||
|
}
|
||
|
],
|
||
|
"pattern": "^.*",
|
||
|
"x-kubernetes-int-or-string": true
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"notSelector": {
|
||
|
"description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"ports": {
|
||
|
"description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
|
||
|
"items": {
|
||
|
"anyOf": [
|
||
|
{
|
||
|
"type": "integer"
|
||
|
},
|
||
|
{
|
||
|
"type": "string"
|
||
|
}
|
||
|
],
|
||
|
"pattern": "^.*",
|
||
|
"x-kubernetes-int-or-string": true
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"selector": {
|
||
|
"description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"serviceAccounts": {
|
||
|
"description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.",
|
||
|
"properties": {
|
||
|
"names": {
|
||
|
"description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.",
|
||
|
"items": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"selector": {
|
||
|
"description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.",
|
||
|
"type": "string"
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
},
|
||
|
"services": {
|
||
|
"description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.",
|
||
|
"properties": {
|
||
|
"name": {
|
||
|
"description": "Name specifies the name of a Kubernetes Service to match.",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"namespace": {
|
||
|
"description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.",
|
||
|
"type": "string"
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
},
|
||
|
"http": {
|
||
|
"description": "HTTP contains match criteria that apply to HTTP requests.",
|
||
|
"properties": {
|
||
|
"methods": {
|
||
|
"description": "Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.",
|
||
|
"items": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"paths": {
|
||
|
"description": "Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR'd together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.",
|
||
|
"items": {
|
||
|
"description": "HTTPPath specifies an HTTP path to match. It may be either of the form: exact: <path>: which matches the path exactly or prefix: <path-prefix>: which matches the path prefix",
|
||
|
"properties": {
|
||
|
"exact": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"prefix": {
|
||
|
"type": "string"
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
},
|
||
|
"type": "array"
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
},
|
||
|
"icmp": {
|
||
|
"description": "ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to \"ICMP\" or \"ICMPv6\".",
|
||
|
"properties": {
|
||
|
"code": {
|
||
|
"description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.",
|
||
|
"type": "integer"
|
||
|
},
|
||
|
"type": {
|
||
|
"description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).",
|
||
|
"type": "integer"
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
},
|
||
|
"ipVersion": {
|
||
|
"description": "IPVersion is an optional field that restricts the rule to only match a specific IP version.",
|
||
|
"type": "integer"
|
||
|
},
|
||
|
"metadata": {
|
||
|
"description": "Metadata contains additional information for this rule",
|
||
|
"properties": {
|
||
|
"annotations": {
|
||
|
"additionalProperties": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"description": "Annotations is a set of key value pairs that give extra information about the rule",
|
||
|
"type": "object"
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
},
|
||
|
"notICMP": {
|
||
|
"description": "NotICMP is the negated version of the ICMP field.",
|
||
|
"properties": {
|
||
|
"code": {
|
||
|
"description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.",
|
||
|
"type": "integer"
|
||
|
},
|
||
|
"type": {
|
||
|
"description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).",
|
||
|
"type": "integer"
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
},
|
||
|
"notProtocol": {
|
||
|
"anyOf": [
|
||
|
{
|
||
|
"type": "integer"
|
||
|
},
|
||
|
{
|
||
|
"type": "string"
|
||
|
}
|
||
|
],
|
||
|
"description": "NotProtocol is the negated version of the Protocol field.",
|
||
|
"pattern": "^.*",
|
||
|
"x-kubernetes-int-or-string": true
|
||
|
},
|
||
|
"protocol": {
|
||
|
"anyOf": [
|
||
|
{
|
||
|
"type": "integer"
|
||
|
},
|
||
|
{
|
||
|
"type": "string"
|
||
|
}
|
||
|
],
|
||
|
"description": "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255.",
|
||
|
"pattern": "^.*",
|
||
|
"x-kubernetes-int-or-string": true
|
||
|
},
|
||
|
"source": {
|
||
|
"description": "Source contains the match criteria that apply to source entity.",
|
||
|
"properties": {
|
||
|
"namespaceSelector": {
|
||
|
"description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"nets": {
|
||
|
"description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.",
|
||
|
"items": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"notNets": {
|
||
|
"description": "NotNets is the negated version of the Nets field.",
|
||
|
"items": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"notPorts": {
|
||
|
"description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
|
||
|
"items": {
|
||
|
"anyOf": [
|
||
|
{
|
||
|
"type": "integer"
|
||
|
},
|
||
|
{
|
||
|
"type": "string"
|
||
|
}
|
||
|
],
|
||
|
"pattern": "^.*",
|
||
|
"x-kubernetes-int-or-string": true
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"notSelector": {
|
||
|
"description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"ports": {
|
||
|
"description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
|
||
|
"items": {
|
||
|
"anyOf": [
|
||
|
{
|
||
|
"type": "integer"
|
||
|
},
|
||
|
{
|
||
|
"type": "string"
|
||
|
}
|
||
|
],
|
||
|
"pattern": "^.*",
|
||
|
"x-kubernetes-int-or-string": true
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"selector": {
|
||
|
"description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"serviceAccounts": {
|
||
|
"description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.",
|
||
|
"properties": {
|
||
|
"names": {
|
||
|
"description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.",
|
||
|
"items": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"selector": {
|
||
|
"description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.",
|
||
|
"type": "string"
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
},
|
||
|
"services": {
|
||
|
"description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.",
|
||
|
"properties": {
|
||
|
"name": {
|
||
|
"description": "Name specifies the name of a Kubernetes Service to match.",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"namespace": {
|
||
|
"description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.",
|
||
|
"type": "string"
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
}
|
||
|
},
|
||
|
"required": [
|
||
|
"action"
|
||
|
],
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"ingress": {
|
||
|
"description": "The ordered set of ingress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.",
|
||
|
"items": {
|
||
|
"description": "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match.",
|
||
|
"properties": {
|
||
|
"action": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"destination": {
|
||
|
"description": "Destination contains the match criteria that apply to destination entity.",
|
||
|
"properties": {
|
||
|
"namespaceSelector": {
|
||
|
"description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"nets": {
|
||
|
"description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.",
|
||
|
"items": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"notNets": {
|
||
|
"description": "NotNets is the negated version of the Nets field.",
|
||
|
"items": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"notPorts": {
|
||
|
"description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
|
||
|
"items": {
|
||
|
"anyOf": [
|
||
|
{
|
||
|
"type": "integer"
|
||
|
},
|
||
|
{
|
||
|
"type": "string"
|
||
|
}
|
||
|
],
|
||
|
"pattern": "^.*",
|
||
|
"x-kubernetes-int-or-string": true
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"notSelector": {
|
||
|
"description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"ports": {
|
||
|
"description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
|
||
|
"items": {
|
||
|
"anyOf": [
|
||
|
{
|
||
|
"type": "integer"
|
||
|
},
|
||
|
{
|
||
|
"type": "string"
|
||
|
}
|
||
|
],
|
||
|
"pattern": "^.*",
|
||
|
"x-kubernetes-int-or-string": true
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"selector": {
|
||
|
"description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"serviceAccounts": {
|
||
|
"description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.",
|
||
|
"properties": {
|
||
|
"names": {
|
||
|
"description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.",
|
||
|
"items": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"selector": {
|
||
|
"description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.",
|
||
|
"type": "string"
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
},
|
||
|
"services": {
|
||
|
"description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.",
|
||
|
"properties": {
|
||
|
"name": {
|
||
|
"description": "Name specifies the name of a Kubernetes Service to match.",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"namespace": {
|
||
|
"description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.",
|
||
|
"type": "string"
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
},
|
||
|
"http": {
|
||
|
"description": "HTTP contains match criteria that apply to HTTP requests.",
|
||
|
"properties": {
|
||
|
"methods": {
|
||
|
"description": "Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.",
|
||
|
"items": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"paths": {
|
||
|
"description": "Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR'd together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.",
|
||
|
"items": {
|
||
|
"description": "HTTPPath specifies an HTTP path to match. It may be either of the form: exact: <path>: which matches the path exactly or prefix: <path-prefix>: which matches the path prefix",
|
||
|
"properties": {
|
||
|
"exact": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"prefix": {
|
||
|
"type": "string"
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
},
|
||
|
"type": "array"
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
},
|
||
|
"icmp": {
|
||
|
"description": "ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to \"ICMP\" or \"ICMPv6\".",
|
||
|
"properties": {
|
||
|
"code": {
|
||
|
"description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.",
|
||
|
"type": "integer"
|
||
|
},
|
||
|
"type": {
|
||
|
"description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).",
|
||
|
"type": "integer"
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
},
|
||
|
"ipVersion": {
|
||
|
"description": "IPVersion is an optional field that restricts the rule to only match a specific IP version.",
|
||
|
"type": "integer"
|
||
|
},
|
||
|
"metadata": {
|
||
|
"description": "Metadata contains additional information for this rule",
|
||
|
"properties": {
|
||
|
"annotations": {
|
||
|
"additionalProperties": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"description": "Annotations is a set of key value pairs that give extra information about the rule",
|
||
|
"type": "object"
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
},
|
||
|
"notICMP": {
|
||
|
"description": "NotICMP is the negated version of the ICMP field.",
|
||
|
"properties": {
|
||
|
"code": {
|
||
|
"description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.",
|
||
|
"type": "integer"
|
||
|
},
|
||
|
"type": {
|
||
|
"description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).",
|
||
|
"type": "integer"
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
},
|
||
|
"notProtocol": {
|
||
|
"anyOf": [
|
||
|
{
|
||
|
"type": "integer"
|
||
|
},
|
||
|
{
|
||
|
"type": "string"
|
||
|
}
|
||
|
],
|
||
|
"description": "NotProtocol is the negated version of the Protocol field.",
|
||
|
"pattern": "^.*",
|
||
|
"x-kubernetes-int-or-string": true
|
||
|
},
|
||
|
"protocol": {
|
||
|
"anyOf": [
|
||
|
{
|
||
|
"type": "integer"
|
||
|
},
|
||
|
{
|
||
|
"type": "string"
|
||
|
}
|
||
|
],
|
||
|
"description": "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255.",
|
||
|
"pattern": "^.*",
|
||
|
"x-kubernetes-int-or-string": true
|
||
|
},
|
||
|
"source": {
|
||
|
"description": "Source contains the match criteria that apply to source entity.",
|
||
|
"properties": {
|
||
|
"namespaceSelector": {
|
||
|
"description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"nets": {
|
||
|
"description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.",
|
||
|
"items": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"notNets": {
|
||
|
"description": "NotNets is the negated version of the Nets field.",
|
||
|
"items": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"notPorts": {
|
||
|
"description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
|
||
|
"items": {
|
||
|
"anyOf": [
|
||
|
{
|
||
|
"type": "integer"
|
||
|
},
|
||
|
{
|
||
|
"type": "string"
|
||
|
}
|
||
|
],
|
||
|
"pattern": "^.*",
|
||
|
"x-kubernetes-int-or-string": true
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"notSelector": {
|
||
|
"description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"ports": {
|
||
|
"description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".",
|
||
|
"items": {
|
||
|
"anyOf": [
|
||
|
{
|
||
|
"type": "integer"
|
||
|
},
|
||
|
{
|
||
|
"type": "string"
|
||
|
}
|
||
|
],
|
||
|
"pattern": "^.*",
|
||
|
"x-kubernetes-int-or-string": true
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"selector": {
|
||
|
"description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"serviceAccounts": {
|
||
|
"description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.",
|
||
|
"properties": {
|
||
|
"names": {
|
||
|
"description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.",
|
||
|
"items": {
|
||
|
"type": "string"
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"selector": {
|
||
|
"description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.",
|
||
|
"type": "string"
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
},
|
||
|
"services": {
|
||
|
"description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.",
|
||
|
"properties": {
|
||
|
"name": {
|
||
|
"description": "Name specifies the name of a Kubernetes Service to match.",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"namespace": {
|
||
|
"description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.",
|
||
|
"type": "string"
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
}
|
||
|
},
|
||
|
"required": [
|
||
|
"action"
|
||
|
],
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
},
|
||
|
"type": "array"
|
||
|
},
|
||
|
"namespaceSelector": {
|
||
|
"description": "NamespaceSelector is an optional field for an expression used to select a pod based on namespaces.",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"order": {
|
||
|
"description": "Order is an optional field that specifies the order in which the policy is applied. Policies with higher \"order\" are applied after those with lower order. If the order is omitted, it may be considered to be \"infinite\" - i.e. the policy will be applied last. Policies with identical order will be applied in alphanumerical order based on the Policy \"Name\".",
|
||
|
"type": "number"
|
||
|
},
|
||
|
"preDNAT": {
|
||
|
"description": "PreDNAT indicates to apply the rules in this policy before any DNAT.",
|
||
|
"type": "boolean"
|
||
|
},
|
||
|
"selector": {
|
||
|
"description": "The selector is an expression used to pick pick out the endpoints that the policy should be applied to. \n Selector expressions follow this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" -> not equal; also matches if label is not present \tlabel in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is not one of \"a\", \"b\", \"c\" \thas(label_name) -> True if that label is present \t! expr -> negation of expr \texpr && expr -> Short-circuit and \texpr || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() or the empty selector -> matches all endpoints. \n Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive but they do not support escape characters. \n Examples (with made-up labels): \n \ttype == \"webserver\" && deployment == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != \"dev\" \t! has(label_name)",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"serviceAccountSelector": {
|
||
|
"description": "ServiceAccountSelector is an optional field for an expression used to select a pod based on service accounts.",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"types": {
|
||
|
"description": "Types indicates whether this policy applies to ingress, or to egress, or to both. When not explicitly specified (and so the value on creation is empty or nil), Calico defaults Types according to what Ingress and Egress rules are present in the policy. The default is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are also no Ingress rules) \n - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. \n When the policy is read back again, Types will always be one of these values, never empty or nil.",
|
||
|
"items": {
|
||
|
"description": "PolicyType enumerates the possible values of the PolicySpec Types field.",
|
||
|
"type": "string"
|
||
|
},
|
||
|
"type": "array"
|
||
|
}
|
||
|
},
|
||
|
"type": "object",
|
||
|
"additionalProperties": false
|
||
|
}
|
||
|
},
|
||
|
"type": "object"
|
||
|
}
|