github.com/cilium/cilium@v1.16.2/pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml 1 --- 2 apiVersion: apiextensions.k8s.io/v1 3 kind: CustomResourceDefinition 4 metadata: 5 annotations: 6 controller-gen.kubebuilder.io/version: v0.15.0 7 creationTimestamp: null 8 name: ciliumnetworkpolicies.cilium.io 9 spec: 10 group: cilium.io 11 names: 12 categories: 13 - cilium 14 - ciliumpolicy 15 kind: CiliumNetworkPolicy 16 listKind: CiliumNetworkPolicyList 17 plural: ciliumnetworkpolicies 18 shortNames: 19 - cnp 20 - ciliumnp 21 singular: ciliumnetworkpolicy 22 scope: Namespaced 23 versions: 24 - additionalPrinterColumns: 25 - jsonPath: .metadata.creationTimestamp 26 name: Age 27 type: date 28 name: v2 29 schema: 30 openAPIV3Schema: 31 description: CiliumNetworkPolicy is a Kubernetes third-party resource with 32 an extended version of NetworkPolicy. 33 properties: 34 apiVersion: 35 description: 'APIVersion defines the versioned schema of this representation 36 of an object. Servers should convert recognized schemas to the latest 37 internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' 38 type: string 39 kind: 40 description: 'Kind is a string value representing the REST resource this 41 object represents. Servers may infer this from the endpoint the client 42 submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' 43 type: string 44 metadata: 45 type: object 46 spec: 47 description: Spec is the desired Cilium specific rule specification. 
48 oneOf: 49 - properties: 50 endpointSelector: {} 51 required: 52 - endpointSelector 53 - properties: 54 nodeSelector: {} 55 required: 56 - nodeSelector 57 properties: 58 description: 59 description: Description is a free form string, it can be used by 60 the creator of the rule to store human readable explanation of the 61 purpose of this rule. Rules cannot be identified by comment. 62 type: string 63 egress: 64 description: Egress is a list of EgressRule which are enforced at 65 egress. If omitted or empty, this rule does not apply at egress. 66 items: 67 description: "EgressRule contains all rule types which can be applied 68 at egress, i.e. network traffic that originates inside the endpoint 69 and exits the endpoint selected by the endpointSelector. \n - 70 All members of this structure are optional. If omitted or empty, 71 the member will have no effect on the rule. \n - If multiple members 72 of the structure are specified, then all members must match in 73 order for the rule to take effect. The exception to this rule 74 is the ToRequires member; the effects of any Requires field in 75 any rule will apply to all other rules as well. \n - ToEndpoints, 76 ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are mutually 77 exclusive. Only one of these members may be present within an 78 individual rule." 79 properties: 80 authentication: 81 description: Authentication is the required authentication type 82 for the allowed traffic, if any. 83 properties: 84 mode: 85 description: Mode is the required authentication mode for 86 the allowed traffic, if any. 87 enum: 88 - disabled 89 - required 90 - test-always-fail 91 type: string 92 required: 93 - mode 94 type: object 95 icmps: 96 description: "ICMPs is a list of ICMP rule identified by type 97 number which the endpoint subject to the rule is allowed to 98 connect to. \n Example: Any endpoint with the label \"app=httpd\" 99 is allowed to initiate type 8 ICMP connections." 
100 items: 101 description: ICMPRule is a list of ICMP fields. 102 properties: 103 fields: 104 description: Fields is a list of ICMP fields. 105 items: 106 description: ICMPField is a ICMP field. 107 properties: 108 family: 109 default: IPv4 110 description: Family is a IP address version. Currently, 111 we support `IPv4` and `IPv6`. `IPv4` is set as 112 default. 113 enum: 114 - IPv4 115 - IPv6 116 type: string 117 type: 118 anyOf: 119 - type: integer 120 - type: string 121 description: 'Type is a ICMP-type. It should be 122 an 8bit code (0-255), or it''s CamelCase name 123 (for example, "EchoReply"). Allowed ICMP types 124 are: Ipv4: EchoReply | DestinationUnreachable 125 | Redirect | Echo | EchoRequest | RouterAdvertisement 126 | RouterSelection | TimeExceeded | ParameterProblem 127 | Timestamp | TimestampReply | Photuris | ExtendedEcho 128 Request | ExtendedEcho Reply Ipv6: DestinationUnreachable 129 | PacketTooBig | TimeExceeded | ParameterProblem 130 | EchoRequest | EchoReply | MulticastListenerQuery| 131 MulticastListenerReport | MulticastListenerDone 132 | RouterSolicitation | RouterAdvertisement | NeighborSolicitation 133 | NeighborAdvertisement | RedirectMessage | RouterRenumbering 134 | ICMPNodeInformationQuery | ICMPNodeInformationResponse 135 | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement 136 | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply 137 | MobilePrefixSolicitation | MobilePrefixAdvertisement 138 | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix 139 | ExtendedEchoRequest | ExtendedEchoReply' 140 pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho 141 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ 142 x-kubernetes-int-or-string: true 143 required: 144 - type 145 type: object 146 maxItems: 40 147 type: array 148 type: object 149 type: array 150 toCIDR: 151 description: "ToCIDR is a list of IP blocks which the endpoint 152 subject to the rule is allowed to initiate connections. Only 153 connections destined for outside of the cluster and not targeting 154 the host will be subject to CIDR rules. This will match on 155 the destination IP address of outgoing connections. Adding 156 a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs 157 is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. 158 \n Example: Any endpoint with the label \"app=database-proxy\" 159 is allowed to initiate connections to 10.2.3.0/24" 160 items: 161 description: 'CIDR specifies a block of IP addresses. Example: 162 192.0.2.1/32' 163 format: cidr 164 type: string 165 type: array 166 toCIDRSet: 167 description: "ToCIDRSet is a list of IP blocks which the endpoint 168 subject to the rule is allowed to initiate connections to 169 in addition to connections which are allowed via ToEndpoints, 170 along with a list of subnets contained within their corresponding 171 IP block to which traffic should not be allowed. This will 172 match on the destination IP address of outgoing connections. 173 Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs 174 is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. 
175 \n Example: Any endpoint with the label \"app=database-proxy\" 176 is allowed to initiate connections to 10.2.3.0/24 except from 177 IPs in subnet 10.2.3.0/28." 178 items: 179 description: CIDRRule is a rule that specifies a CIDR prefix 180 to/from which outside communication is allowed, along with 181 an optional list of subnets within that CIDR prefix to/from 182 which outside communication is not allowed. 183 oneOf: 184 - properties: 185 cidr: {} 186 required: 187 - cidr 188 - properties: 189 cidrGroupRef: {} 190 required: 191 - cidrGroupRef 192 properties: 193 cidr: 194 description: CIDR is a CIDR prefix / IP Block. 195 format: cidr 196 type: string 197 cidrGroupRef: 198 description: CIDRGroupRef is a reference to a CiliumCIDRGroup 199 object. A CiliumCIDRGroup contains a list of CIDRs that 200 the endpoint, subject to the rule, can (Ingress/Egress) 201 or cannot (IngressDeny/EgressDeny) receive connections 202 from. 203 maxLength: 253 204 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 205 type: string 206 except: 207 description: ExceptCIDRs is a list of IP blocks which 208 the endpoint subject to the rule is not allowed to initiate 209 connections to. These CIDR prefixes should be contained 210 within Cidr, using ExceptCIDRs together with CIDRGroupRef 211 is not supported yet. These exceptions are only applied 212 to the Cidr in this CIDRRule, and do not apply to any 213 other CIDR prefixes in any other CIDRRules. 214 items: 215 description: 'CIDR specifies a block of IP addresses. 216 Example: 192.0.2.1/32' 217 format: cidr 218 type: string 219 type: array 220 type: object 221 type: array 222 toEndpoints: 223 description: "ToEndpoints is a list of endpoints identified 224 by an EndpointSelector to which the endpoints subject to the 225 rule are allowed to communicate. \n Example: Any endpoint 226 with the label \"role=frontend\" can communicate with any 227 endpoint carrying the label \"role=backend\"." 
228 items: 229 description: EndpointSelector is a wrapper for k8s LabelSelector. 230 properties: 231 matchExpressions: 232 description: matchExpressions is a list of label selector 233 requirements. The requirements are ANDed. 234 items: 235 description: A label selector requirement is a selector 236 that contains values, a key, and an operator that 237 relates the key and values. 238 properties: 239 key: 240 description: key is the label key that the selector 241 applies to. 242 type: string 243 operator: 244 description: operator represents a key's relationship 245 to a set of values. Valid operators are In, NotIn, 246 Exists and DoesNotExist. 247 enum: 248 - In 249 - NotIn 250 - Exists 251 - DoesNotExist 252 type: string 253 values: 254 description: values is an array of string values. 255 If the operator is In or NotIn, the values array 256 must be non-empty. If the operator is Exists or 257 DoesNotExist, the values array must be empty. 258 This array is replaced during a strategic merge 259 patch. 260 items: 261 type: string 262 type: array 263 x-kubernetes-list-type: atomic 264 required: 265 - key 266 - operator 267 type: object 268 type: array 269 x-kubernetes-list-type: atomic 270 matchLabels: 271 additionalProperties: 272 description: MatchLabelsValue represents the value from 273 the MatchLabels {key,value} pair. 274 maxLength: 63 275 pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ 276 type: string 277 description: matchLabels is a map of {key,value} pairs. 278 A single {key,value} in the matchLabels map is equivalent 279 to an element of matchExpressions, whose key field is 280 "key", the operator is "In", and the values array contains 281 only "value". The requirements are ANDed. 282 type: object 283 type: object 284 type: array 285 toEntities: 286 description: ToEntities is a list of special entities to which 287 the endpoint subject to the rule is allowed to initiate connections. 
288 Supported entities are `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, 289 `init`, `health`,`unmanaged` and `all`. 290 items: 291 description: Entity specifies the class of receiver/sender 292 endpoints that do not have individual identities. Entities 293 are used to describe "outside of cluster", "host", etc. 294 enum: 295 - all 296 - world 297 - cluster 298 - host 299 - init 300 - ingress 301 - unmanaged 302 - remote-node 303 - health 304 - none 305 - kube-apiserver 306 type: string 307 type: array 308 toFQDNs: 309 description: 'ToFQDN allows whitelisting DNS names in place 310 of IPs. The IPs that result from DNS resolution of `ToFQDN.MatchName`s 311 are added to the same EgressRule object as ToCIDRSet entries, 312 and behave accordingly. Any L4 and L7 rules within this EgressRule 313 will also apply to these IPs. The DNS -> IP mapping is re-resolved 314 periodically from within the cilium-agent, and the IPs in 315 the DNS response are effected in the policy for selected pods 316 as-is (i.e. the list of IPs is not modified in any way). Note: 317 An explicit rule to allow for DNS traffic is needed for the 318 pods, as ToFQDN counts as an egress rule and will enforce 319 egress policy when PolicyEnforcment=default. Note: If the 320 resolved IPs are IPs within the kubernetes cluster, the ToFQDN 321 rule will not apply to that IP. Note: ToFQDN cannot occur 322 in the same policy as other To* rules.' 323 items: 324 oneOf: 325 - properties: 326 matchName: {} 327 required: 328 - matchName 329 - properties: 330 matchPattern: {} 331 required: 332 - matchPattern 333 properties: 334 matchName: 335 description: MatchName matches literal DNS names. A trailing 336 "." is automatically added when missing. 337 pattern: ^([-a-zA-Z0-9_]+[.]?)+$ 338 type: string 339 matchPattern: 340 description: "MatchPattern allows using wildcards to match 341 DNS names. All wildcards are case insensitive. 
The wildcards 342 are: - \"*\" matches 0 or more DNS valid characters, 343 and may occur anywhere in the pattern. As a special 344 case a \"*\" as the leftmost character, without a following 345 \".\" matches all subdomains as well as the name to 346 the right. A trailing \".\" is automatically added when 347 missing. \n Examples: `*.cilium.io` matches subomains 348 of cilium at that level www.cilium.io and blog.cilium.io 349 match, cilium.io and google.com do not `*cilium.io` 350 matches cilium.io and all subdomains ends with \"cilium.io\" 351 except those containing \".\" separator, subcilium.io 352 and sub-cilium.io match, www.cilium.io and blog.cilium.io 353 does not sub*.cilium.io matches subdomains of cilium 354 where the subdomain component begins with \"sub\" sub.cilium.io 355 and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, 356 cilium.io and google.com do not" 357 pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ 358 type: string 359 type: object 360 type: array 361 toGroups: 362 description: "ToGroups is a directive that allows the integration 363 with multiple outside providers. Currently, only AWS is supported, 364 and the rule can select by multiple sub directives: \n Example: 365 toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" 366 items: 367 description: Groups structure to store all kinds of new integrations 368 that needs a new derivative policy. 369 properties: 370 aws: 371 description: AWSGroup is an structure that can be used 372 to whitelisting information from AWS integration 373 properties: 374 labels: 375 additionalProperties: 376 type: string 377 type: object 378 region: 379 type: string 380 securityGroupsIds: 381 items: 382 type: string 383 type: array 384 securityGroupsNames: 385 items: 386 type: string 387 type: array 388 type: object 389 type: object 390 type: array 391 toNodes: 392 description: ToNodes is a list of nodes identified by an EndpointSelector 393 to which endpoints subject to the rule is allowed to communicate. 
394 items: 395 description: EndpointSelector is a wrapper for k8s LabelSelector. 396 properties: 397 matchExpressions: 398 description: matchExpressions is a list of label selector 399 requirements. The requirements are ANDed. 400 items: 401 description: A label selector requirement is a selector 402 that contains values, a key, and an operator that 403 relates the key and values. 404 properties: 405 key: 406 description: key is the label key that the selector 407 applies to. 408 type: string 409 operator: 410 description: operator represents a key's relationship 411 to a set of values. Valid operators are In, NotIn, 412 Exists and DoesNotExist. 413 enum: 414 - In 415 - NotIn 416 - Exists 417 - DoesNotExist 418 type: string 419 values: 420 description: values is an array of string values. 421 If the operator is In or NotIn, the values array 422 must be non-empty. If the operator is Exists or 423 DoesNotExist, the values array must be empty. 424 This array is replaced during a strategic merge 425 patch. 426 items: 427 type: string 428 type: array 429 x-kubernetes-list-type: atomic 430 required: 431 - key 432 - operator 433 type: object 434 type: array 435 x-kubernetes-list-type: atomic 436 matchLabels: 437 additionalProperties: 438 description: MatchLabelsValue represents the value from 439 the MatchLabels {key,value} pair. 440 maxLength: 63 441 pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ 442 type: string 443 description: matchLabels is a map of {key,value} pairs. 444 A single {key,value} in the matchLabels map is equivalent 445 to an element of matchExpressions, whose key field is 446 "key", the operator is "In", and the values array contains 447 only "value". The requirements are ANDed. 448 type: object 449 type: object 450 type: array 451 toPorts: 452 description: "ToPorts is a list of destination ports identified 453 by port number and protocol which the endpoint subject to 454 the rule is allowed to connect to. 
\n Example: Any endpoint 455 with the label \"role=frontend\" is allowed to initiate connections 456 to destination port 8080/tcp" 457 items: 458 description: PortRule is a list of ports/protocol combinations 459 with optional Layer 7 rules which must be met. 460 properties: 461 listener: 462 description: listener specifies the name of a custom Envoy 463 listener to which this traffic should be redirected 464 to. 465 properties: 466 envoyConfig: 467 description: EnvoyConfig is a reference to the CEC 468 or CCEC resource in which the listener is defined. 469 properties: 470 kind: 471 description: Kind is the resource type being referred 472 to. Defaults to CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig 473 for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, 474 respectively. The only case this is currently 475 explicitly needed is when referring to a CiliumClusterwideEnvoyConfig 476 from CiliumNetworkPolicy, as using a namespaced 477 listener from a cluster scoped policy is not 478 allowed. 479 enum: 480 - CiliumEnvoyConfig 481 - CiliumClusterwideEnvoyConfig 482 type: string 483 name: 484 description: Name is the resource name of the 485 CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig 486 where the listener is defined in. 487 minLength: 1 488 type: string 489 required: 490 - name 491 type: object 492 name: 493 description: Name is the name of the listener. 494 minLength: 1 495 type: string 496 priority: 497 description: Priority for this Listener that is used 498 when multiple rules would apply different listeners 499 to a policy map entry. Behavior of this is implementation 500 dependent. 501 maximum: 100 502 minimum: 1 503 type: integer 504 required: 505 - envoyConfig 506 - name 507 type: object 508 originatingTLS: 509 description: OriginatingTLS is the TLS context for the 510 connections originated by the L7 proxy. 
For egress 511 policy this specifies the client-side TLS parameters 512 for the upstream connection originating from the L7 513 proxy to the remote destination. For ingress policy 514 this specifies the client-side TLS parameters for the 515 connection from the L7 proxy to the local endpoint. 516 properties: 517 certificate: 518 description: Certificate is the file name or k8s secret 519 item name for the certificate chain. If omitted, 520 'tls.crt' is assumed, if it exists. If given, the 521 item must exist. 522 type: string 523 privateKey: 524 description: PrivateKey is the file name or k8s secret 525 item name for the private key matching the certificate 526 chain. If omitted, 'tls.key' is assumed, if it exists. 527 If given, the item must exist. 528 type: string 529 secret: 530 description: 'Secret is the secret that contains the 531 certificates and private key for the TLS context. 532 By default, Cilium will search in this secret for 533 the following items: - ''ca.crt'' - Which represents 534 the trusted CA to verify remote source. - ''tls.crt'' 535 - Which represents the public key certificate. - 536 ''tls.key'' - Which represents the private key matching 537 the public key certificate.' 538 properties: 539 name: 540 description: Name is the name of the secret. 541 type: string 542 namespace: 543 description: Namespace is the namespace in which 544 the secret exists. Context of use determines 545 the default value if left out (e.g., "default"). 546 type: string 547 required: 548 - name 549 type: object 550 trustedCA: 551 description: TrustedCA is the file name or k8s secret 552 item name for the trusted CA. If omitted, 'ca.crt' 553 is assumed, if it exists. If given, the item must 554 exist. 
555 type: string 556 required: 557 - secret 558 type: object 559 ports: 560 description: Ports is a list of L4 port/protocol 561 items: 562 description: PortProtocol specifies an L4 port with 563 an optional transport protocol 564 properties: 565 endPort: 566 description: EndPort can only be an L4 port number. 567 format: int32 568 maximum: 65535 569 minimum: 0 570 type: integer 571 port: 572 description: Port can be an L4 port number, or a 573 name in the form of "http" or "http-8080". 574 pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ 575 type: string 576 protocol: 577 description: "Protocol is the L4 protocol. If omitted 578 or empty, any protocol matches. Accepted values: 579 \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching 580 on ICMP is not supported. \n Named port specified 581 for a container may narrow this down, but may 582 not contradict this." 583 enum: 584 - TCP 585 - UDP 586 - SCTP 587 - ANY 588 type: string 589 required: 590 - port 591 type: object 592 maxItems: 40 593 type: array 594 rules: 595 description: Rules is a list of additional port level 596 rules which must be met in order for the PortRule to 597 allow the traffic. If omitted or empty, no layer 7 rules 598 are enforced. 599 oneOf: 600 - properties: 601 http: {} 602 required: 603 - http 604 - properties: 605 kafka: {} 606 required: 607 - kafka 608 - properties: 609 dns: {} 610 required: 611 - dns 612 - properties: 613 l7proto: {} 614 required: 615 - l7proto 616 properties: 617 dns: 618 description: DNS-specific rules. 619 items: 620 description: PortRuleDNS is a list of allowed DNS 621 lookups. 622 oneOf: 623 - properties: 624 matchName: {} 625 required: 626 - matchName 627 - properties: 628 matchPattern: {} 629 required: 630 - matchPattern 631 properties: 632 matchName: 633 description: MatchName matches literal DNS names. 634 A trailing "." is automatically added when 635 missing. 
636 pattern: ^([-a-zA-Z0-9_]+[.]?)+$ 637 type: string 638 matchPattern: 639 description: "MatchPattern allows using wildcards 640 to match DNS names. All wildcards are case 641 insensitive. The wildcards are: - \"*\" matches 642 0 or more DNS valid characters, and may occur 643 anywhere in the pattern. As a special case 644 a \"*\" as the leftmost character, without 645 a following \".\" matches all subdomains as 646 well as the name to the right. A trailing 647 \".\" is automatically added when missing. 648 \n Examples: `*.cilium.io` matches subomains 649 of cilium at that level www.cilium.io and 650 blog.cilium.io match, cilium.io and google.com 651 do not `*cilium.io` matches cilium.io and 652 all subdomains ends with \"cilium.io\" except 653 those containing \".\" separator, subcilium.io 654 and sub-cilium.io match, www.cilium.io and 655 blog.cilium.io does not sub*.cilium.io matches 656 subdomains of cilium where the subdomain component 657 begins with \"sub\" sub.cilium.io and subdomain.cilium.io 658 match, www.cilium.io, blog.cilium.io, cilium.io 659 and google.com do not" 660 pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ 661 type: string 662 type: object 663 type: array 664 http: 665 description: HTTP specific rules. 666 items: 667 description: "PortRuleHTTP is a list of HTTP protocol 668 constraints. All fields are optional, if all fields 669 are empty or missing, the rule does not have any 670 effect. \n All fields of this type are extended 671 POSIX regex as defined by IEEE Std 1003.1, (i.e 672 this follows the egrep/unix syntax, not the perl 673 syntax) matched against the path of an incoming 674 request. Currently it can contain characters disallowed 675 from the conventional \"path\" part of a URL as 676 defined by RFC 3986." 677 properties: 678 headerMatches: 679 description: HeaderMatches is a list of HTTP 680 headers which must be present and match against 681 the given values. Mismatch field can be used 682 to specify what to do when there is no match. 
683 items: 684 description: HeaderMatch extends the HeaderValue 685 for matching requirement of a named header 686 field against an immediate string, a secret 687 value, or a regex. If none of the optional 688 fields is present, then the header value 689 is not matched, only presence of the header 690 is enough. 691 properties: 692 mismatch: 693 description: Mismatch identifies what 694 to do in case there is no match. The 695 default is to drop the request. Otherwise 696 the overall rule is still considered 697 as matching, but the mismatches are 698 logged in the access log. 699 enum: 700 - LOG 701 - ADD 702 - DELETE 703 - REPLACE 704 type: string 705 name: 706 description: Name identifies the header. 707 minLength: 1 708 type: string 709 secret: 710 description: Secret refers to a secret 711 that contains the value to be matched 712 against. The secret must only contain 713 one entry. If the referred secret does 714 not exist, and there is no "Value" specified, 715 the match will fail. 716 properties: 717 name: 718 description: Name is the name of the 719 secret. 720 type: string 721 namespace: 722 description: Namespace is the namespace 723 in which the secret exists. Context 724 of use determines the default value 725 if left out (e.g., "default"). 726 type: string 727 required: 728 - name 729 type: object 730 value: 731 description: Value matches the exact value 732 of the header. Can be specified either 733 alone or together with "Secret"; will 734 be used as the header value if the secret 735 can not be found in the latter case. 736 type: string 737 required: 738 - name 739 type: object 740 type: array 741 headers: 742 description: Headers is a list of HTTP headers 743 which must be present in the request. If omitted 744 or empty, requests are allowed regardless 745 of headers present. 746 items: 747 type: string 748 type: array 749 host: 750 description: "Host is an extended POSIX regex 751 matched against the host header of a request. 
752 Examples: \n - foo.bar.com will match the 753 host fooXbar.com or foo-bar.com - foo\\.bar\\.com 754 will only match the host foo.bar.com \n If 755 omitted or empty, the value of the host header 756 is ignored." 757 format: idn-hostname 758 type: string 759 method: 760 description: "Method is an extended POSIX regex 761 matched against the method of a request, e.g. 762 \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", 763 ... \n If omitted or empty, all methods are 764 allowed." 765 type: string 766 path: 767 description: "Path is an extended POSIX regex 768 matched against the path of a request. Currently 769 it can contain characters disallowed from 770 the conventional \"path\" part of a URL as 771 defined by RFC 3986. \n If omitted or empty, 772 all paths are all allowed." 773 type: string 774 type: object 775 type: array 776 kafka: 777 description: Kafka-specific rules. 778 items: 779 description: PortRule is a list of Kafka protocol 780 constraints. All fields are optional, if all fields 781 are empty or missing, the rule will match all 782 Kafka messages. 783 properties: 784 apiKey: 785 description: "APIKey is a case-insensitive string 786 matched against the key of a request, e.g. 787 \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", 788 et al Reference: https://kafka.apache.org/protocol#protocol_api_keys 789 \n If omitted or empty, and if Role is not 790 specified, then all keys are allowed." 791 type: string 792 apiVersion: 793 description: "APIVersion is the version matched 794 against the api version of the Kafka message. 795 If set, it has to be a string representing 796 a positive integer. \n If omitted or empty, 797 all versions are allowed." 798 type: string 799 clientID: 800 description: "ClientID is the client identifier 801 as provided in the request. \n From Kafka 802 protocol documentation: This is a user supplied 803 identifier for the client application. 
The 804 user can use any identifier they like and 805 it will be used when logging errors, monitoring 806 aggregates, etc. For example, one might want 807 to monitor not just the requests per second 808 overall, but the number coming from each client 809 application (each of which could reside on 810 multiple servers). This id acts as a logical 811 grouping across all requests from a particular 812 client. \n If omitted or empty, all client 813 identifiers are allowed." 814 type: string 815 role: 816 description: "Role is a case-insensitive string 817 and describes a group of API keys necessary 818 to perform certain higher-level Kafka operations 819 such as \"produce\" or \"consume\". A Role 820 automatically expands into all APIKeys required 821 to perform the specified higher-level operation. 822 \n The following values are supported: - \"produce\": 823 Allow producing to the topics specified in 824 the rule - \"consume\": Allow consuming from 825 the topics specified in the rule \n This field 826 is incompatible with the APIKey field, i.e 827 APIKey and Role cannot both be specified in 828 the same rule. \n If omitted or empty, and 829 if APIKey is not specified, then all keys 830 are allowed." 831 enum: 832 - produce 833 - consume 834 type: string 835 topic: 836 description: "Topic is the topic name contained 837 in the message. If a Kafka request contains 838 multiple topics, then all topics must be allowed 839 or the message will be rejected. \n This constraint 840 is ignored if the matched request message 841 type doesn't contain any topic. Maximum size 842 of Topic can be 249 characters as per recent 843 Kafka spec and allowed characters are a-z, 844 A-Z, 0-9, -, . and _. \n Older Kafka versions 845 had longer topic lengths of 255, but in Kafka 846 0.10 version the length was changed from 255 847 to 249. For compatibility reasons we are using 848 255. \n If omitted or empty, all topics are 849 allowed." 
850 maxLength: 255 851 type: string 852 type: object 853 type: array 854 l7: 855 description: Key-value pair rules. 856 items: 857 additionalProperties: 858 type: string 859 description: PortRuleL7 is a list of key-value pairs 860 interpreted by a L7 protocol as protocol constraints. 861 All fields are optional, if all fields are empty 862 or missing, the rule does not have any effect. 863 type: object 864 type: array 865 l7proto: 866 description: Name of the L7 protocol for which the 867 Key-value pair rules apply. 868 type: string 869 type: object 870 serverNames: 871 description: ServerNames is a list of allowed TLS SNI 872 values. If not empty, then TLS must be present and one 873 of the provided SNIs must be indicated in the TLS handshake. 874 items: 875 type: string 876 type: array 877 terminatingTLS: 878 description: TerminatingTLS is the TLS context for the 879 connection terminated by the L7 proxy. For egress policy 880 this specifies the server-side TLS parameters to be 881 applied on the connections originated from the local 882 endpoint and terminated by the L7 proxy. For ingress 883 policy this specifies the server-side TLS parameters 884 to be applied on the connections originated from a remote 885 source and terminated by the L7 proxy. 886 properties: 887 certificate: 888 description: Certificate is the file name or k8s secret 889 item name for the certificate chain. If omitted, 890 'tls.crt' is assumed, if it exists. If given, the 891 item must exist. 892 type: string 893 privateKey: 894 description: PrivateKey is the file name or k8s secret 895 item name for the private key matching the certificate 896 chain. If omitted, 'tls.key' is assumed, if it exists. 897 If given, the item must exist. 898 type: string 899 secret: 900 description: 'Secret is the secret that contains the 901 certificates and private key for the TLS context. 
902 By default, Cilium will search in this secret for 903 the following items: - ''ca.crt'' - Which represents 904 the trusted CA to verify remote source. - ''tls.crt'' 905 - Which represents the public key certificate. - 906 ''tls.key'' - Which represents the private key matching 907 the public key certificate.' 908 properties: 909 name: 910 description: Name is the name of the secret. 911 type: string 912 namespace: 913 description: Namespace is the namespace in which 914 the secret exists. Context of use determines 915 the default value if left out (e.g., "default"). 916 type: string 917 required: 918 - name 919 type: object 920 trustedCA: 921 description: TrustedCA is the file name or k8s secret 922 item name for the trusted CA. If omitted, 'ca.crt' 923 is assumed, if it exists. If given, the item must 924 exist. 925 type: string 926 required: 927 - secret 928 type: object 929 type: object 930 type: array 931 toRequires: 932 description: "ToRequires is a list of additional constraints 933 which must be met in order for the selected endpoints to be 934 able to connect to other endpoints. These additional constraints 935 do no by itself grant access privileges and must always be 936 accompanied with at least one matching ToEndpoints. \n Example: 937 Any Endpoint with the label \"team=A\" requires any endpoint 938 to which it communicates to also carry the label \"team=A\"." 939 items: 940 description: EndpointSelector is a wrapper for k8s LabelSelector. 941 properties: 942 matchExpressions: 943 description: matchExpressions is a list of label selector 944 requirements. The requirements are ANDed. 945 items: 946 description: A label selector requirement is a selector 947 that contains values, a key, and an operator that 948 relates the key and values. 949 properties: 950 key: 951 description: key is the label key that the selector 952 applies to. 953 type: string 954 operator: 955 description: operator represents a key's relationship 956 to a set of values. 
Valid operators are In, NotIn, 957 Exists and DoesNotExist. 958 enum: 959 - In 960 - NotIn 961 - Exists 962 - DoesNotExist 963 type: string 964 values: 965 description: values is an array of string values. 966 If the operator is In or NotIn, the values array 967 must be non-empty. If the operator is Exists or 968 DoesNotExist, the values array must be empty. 969 This array is replaced during a strategic merge 970 patch. 971 items: 972 type: string 973 type: array 974 x-kubernetes-list-type: atomic 975 required: 976 - key 977 - operator 978 type: object 979 type: array 980 x-kubernetes-list-type: atomic 981 matchLabels: 982 additionalProperties: 983 description: MatchLabelsValue represents the value from 984 the MatchLabels {key,value} pair. 985 maxLength: 63 986 pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ 987 type: string 988 description: matchLabels is a map of {key,value} pairs. 989 A single {key,value} in the matchLabels map is equivalent 990 to an element of matchExpressions, whose key field is 991 "key", the operator is "In", and the values array contains 992 only "value". The requirements are ANDed. 993 type: object 994 type: object 995 type: array 996 toServices: 997 description: "ToServices is a list of services to which the 998 endpoint subject to the rule is allowed to initiate connections. 999 Currently Cilium only supports toServices for K8s services 1000 without selectors. 
\n Example: Any endpoint with the label 1001 \"app=backend-app\" is allowed to initiate connections to 1002 all cidrs backing the \"external-service\" service" 1003 items: 1004 description: Service wraps around selectors for services 1005 properties: 1006 k8sService: 1007 description: K8sService selects service by name and namespace 1008 pair 1009 properties: 1010 namespace: 1011 type: string 1012 serviceName: 1013 type: string 1014 type: object 1015 k8sServiceSelector: 1016 description: K8sServiceSelector selects services by k8s 1017 labels and namespace 1018 properties: 1019 namespace: 1020 type: string 1021 selector: 1022 description: ServiceSelector is a label selector for 1023 k8s services 1024 properties: 1025 matchExpressions: 1026 description: matchExpressions is a list of label 1027 selector requirements. The requirements are 1028 ANDed. 1029 items: 1030 description: A label selector requirement is 1031 a selector that contains values, a key, and 1032 an operator that relates the key and values. 1033 properties: 1034 key: 1035 description: key is the label key that the 1036 selector applies to. 1037 type: string 1038 operator: 1039 description: operator represents a key's 1040 relationship to a set of values. Valid 1041 operators are In, NotIn, Exists and DoesNotExist. 1042 enum: 1043 - In 1044 - NotIn 1045 - Exists 1046 - DoesNotExist 1047 type: string 1048 values: 1049 description: values is an array of string 1050 values. If the operator is In or NotIn, 1051 the values array must be non-empty. If 1052 the operator is Exists or DoesNotExist, 1053 the values array must be empty. This array 1054 is replaced during a strategic merge patch. 
1055 items: 1056 type: string 1057 type: array 1058 x-kubernetes-list-type: atomic 1059 required: 1060 - key 1061 - operator 1062 type: object 1063 type: array 1064 x-kubernetes-list-type: atomic 1065 matchLabels: 1066 additionalProperties: 1067 description: MatchLabelsValue represents the 1068 value from the MatchLabels {key,value} pair. 1069 maxLength: 63 1070 pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ 1071 type: string 1072 description: matchLabels is a map of {key,value} 1073 pairs. A single {key,value} in the matchLabels 1074 map is equivalent to an element of matchExpressions, 1075 whose key field is "key", the operator is "In", 1076 and the values array contains only "value". 1077 The requirements are ANDed. 1078 type: object 1079 type: object 1080 required: 1081 - selector 1082 type: object 1083 type: object 1084 type: array 1085 type: object 1086 type: array 1087 egressDeny: 1088 description: EgressDeny is a list of EgressDenyRule which are enforced 1089 at egress. Any rule inserted here will be denied regardless of the 1090 allowed egress rules in the 'egress' field. If omitted or empty, 1091 this rule does not apply at egress. 1092 items: 1093 description: "EgressDenyRule contains all rule types which can be 1094 applied at egress, i.e. network traffic that originates inside 1095 the endpoint and exits the endpoint selected by the endpointSelector. 1096 \n - All members of this structure are optional. If omitted or 1097 empty, the member will have no effect on the rule. \n - If multiple 1098 members of the structure are specified, then all members must 1099 match in order for the rule to take effect. The exception to this 1100 rule is the ToRequires member; the effects of any Requires field 1101 in any rule will apply to all other rules as well. \n - ToEndpoints, 1102 ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are mutually 1103 exclusive. Only one of these members may be present within an 1104 individual rule." 
1105 properties: 1106 icmps: 1107 description: "ICMPs is a list of ICMP rule identified by type 1108 number which the endpoint subject to the rule is not allowed 1109 to connect to. \n Example: Any endpoint with the label \"app=httpd\" 1110 is not allowed to initiate type 8 ICMP connections." 1111 items: 1112 description: ICMPRule is a list of ICMP fields. 1113 properties: 1114 fields: 1115 description: Fields is a list of ICMP fields. 1116 items: 1117 description: ICMPField is a ICMP field. 1118 properties: 1119 family: 1120 default: IPv4 1121 description: Family is a IP address version. Currently, 1122 we support `IPv4` and `IPv6`. `IPv4` is set as 1123 default. 1124 enum: 1125 - IPv4 1126 - IPv6 1127 type: string 1128 type: 1129 anyOf: 1130 - type: integer 1131 - type: string 1132 description: 'Type is a ICMP-type. It should be 1133 an 8bit code (0-255), or it''s CamelCase name 1134 (for example, "EchoReply"). Allowed ICMP types 1135 are: Ipv4: EchoReply | DestinationUnreachable 1136 | Redirect | Echo | EchoRequest | RouterAdvertisement 1137 | RouterSelection | TimeExceeded | ParameterProblem 1138 | Timestamp | TimestampReply | Photuris | ExtendedEcho 1139 Request | ExtendedEcho Reply Ipv6: DestinationUnreachable 1140 | PacketTooBig | TimeExceeded | ParameterProblem 1141 | EchoRequest | EchoReply | MulticastListenerQuery| 1142 MulticastListenerReport | MulticastListenerDone 1143 | RouterSolicitation | RouterAdvertisement | NeighborSolicitation 1144 | NeighborAdvertisement | RedirectMessage | RouterRenumbering 1145 | ICMPNodeInformationQuery | ICMPNodeInformationResponse 1146 | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement 1147 | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply 1148 | MobilePrefixSolicitation | MobilePrefixAdvertisement 1149 | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix 1150 | ExtendedEchoRequest | ExtendedEchoReply' 1151 pattern: 
^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho 1152 Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ 1153 x-kubernetes-int-or-string: true 1154 required: 1155 - type 1156 type: object 1157 maxItems: 40 1158 type: array 1159 type: object 1160 type: array 1161 toCIDR: 1162 description: "ToCIDR is a list of IP blocks which the endpoint 1163 subject to the rule is allowed to initiate connections. Only 1164 connections destined for outside of the cluster and not targeting 1165 the host will be subject to CIDR rules. This will match on 1166 the destination IP address of outgoing connections. Adding 1167 a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs 1168 is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. 1169 \n Example: Any endpoint with the label \"app=database-proxy\" 1170 is allowed to initiate connections to 10.2.3.0/24" 1171 items: 1172 description: 'CIDR specifies a block of IP addresses. 
Example: 1173 192.0.2.1/32' 1174 format: cidr 1175 type: string 1176 type: array 1177 toCIDRSet: 1178 description: "ToCIDRSet is a list of IP blocks which the endpoint 1179 subject to the rule is allowed to initiate connections to 1180 in addition to connections which are allowed via ToEndpoints, 1181 along with a list of subnets contained within their corresponding 1182 IP block to which traffic should not be allowed. This will 1183 match on the destination IP address of outgoing connections. 1184 Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs 1185 is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. 1186 \n Example: Any endpoint with the label \"app=database-proxy\" 1187 is allowed to initiate connections to 10.2.3.0/24 except from 1188 IPs in subnet 10.2.3.0/28." 1189 items: 1190 description: CIDRRule is a rule that specifies a CIDR prefix 1191 to/from which outside communication is allowed, along with 1192 an optional list of subnets within that CIDR prefix to/from 1193 which outside communication is not allowed. 1194 oneOf: 1195 - properties: 1196 cidr: {} 1197 required: 1198 - cidr 1199 - properties: 1200 cidrGroupRef: {} 1201 required: 1202 - cidrGroupRef 1203 properties: 1204 cidr: 1205 description: CIDR is a CIDR prefix / IP Block. 1206 format: cidr 1207 type: string 1208 cidrGroupRef: 1209 description: CIDRGroupRef is a reference to a CiliumCIDRGroup 1210 object. A CiliumCIDRGroup contains a list of CIDRs that 1211 the endpoint, subject to the rule, can (Ingress/Egress) 1212 or cannot (IngressDeny/EgressDeny) receive connections 1213 from. 1214 maxLength: 253 1215 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 1216 type: string 1217 except: 1218 description: ExceptCIDRs is a list of IP blocks which 1219 the endpoint subject to the rule is not allowed to initiate 1220 connections to. 
These CIDR prefixes should be contained 1221 within Cidr, using ExceptCIDRs together with CIDRGroupRef 1222 is not supported yet. These exceptions are only applied 1223 to the Cidr in this CIDRRule, and do not apply to any 1224 other CIDR prefixes in any other CIDRRules. 1225 items: 1226 description: 'CIDR specifies a block of IP addresses. 1227 Example: 192.0.2.1/32' 1228 format: cidr 1229 type: string 1230 type: array 1231 type: object 1232 type: array 1233 toEndpoints: 1234 description: "ToEndpoints is a list of endpoints identified 1235 by an EndpointSelector to which the endpoints subject to the 1236 rule are allowed to communicate. \n Example: Any endpoint 1237 with the label \"role=frontend\" can communicate with any 1238 endpoint carrying the label \"role=backend\"." 1239 items: 1240 description: EndpointSelector is a wrapper for k8s LabelSelector. 1241 properties: 1242 matchExpressions: 1243 description: matchExpressions is a list of label selector 1244 requirements. The requirements are ANDed. 1245 items: 1246 description: A label selector requirement is a selector 1247 that contains values, a key, and an operator that 1248 relates the key and values. 1249 properties: 1250 key: 1251 description: key is the label key that the selector 1252 applies to. 1253 type: string 1254 operator: 1255 description: operator represents a key's relationship 1256 to a set of values. Valid operators are In, NotIn, 1257 Exists and DoesNotExist. 1258 enum: 1259 - In 1260 - NotIn 1261 - Exists 1262 - DoesNotExist 1263 type: string 1264 values: 1265 description: values is an array of string values. 1266 If the operator is In or NotIn, the values array 1267 must be non-empty. If the operator is Exists or 1268 DoesNotExist, the values array must be empty. 1269 This array is replaced during a strategic merge 1270 patch. 
1271 items: 1272 type: string 1273 type: array 1274 x-kubernetes-list-type: atomic 1275 required: 1276 - key 1277 - operator 1278 type: object 1279 type: array 1280 x-kubernetes-list-type: atomic 1281 matchLabels: 1282 additionalProperties: 1283 description: MatchLabelsValue represents the value from 1284 the MatchLabels {key,value} pair. 1285 maxLength: 63 1286 pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ 1287 type: string 1288 description: matchLabels is a map of {key,value} pairs. 1289 A single {key,value} in the matchLabels map is equivalent 1290 to an element of matchExpressions, whose key field is 1291 "key", the operator is "In", and the values array contains 1292 only "value". The requirements are ANDed. 1293 type: object 1294 type: object 1295 type: array 1296 toEntities: 1297 description: ToEntities is a list of special entities to which 1298 the endpoint subject to the rule is allowed to initiate connections. 1299 Supported entities are `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, 1300 `init`, `health`,`unmanaged` and `all`. 1301 items: 1302 description: Entity specifies the class of receiver/sender 1303 endpoints that do not have individual identities. Entities 1304 are used to describe "outside of cluster", "host", etc. 1305 enum: 1306 - all 1307 - world 1308 - cluster 1309 - host 1310 - init 1311 - ingress 1312 - unmanaged 1313 - remote-node 1314 - health 1315 - none 1316 - kube-apiserver 1317 type: string 1318 type: array 1319 toGroups: 1320 description: "ToGroups is a directive that allows the integration 1321 with multiple outside providers. Currently, only AWS is supported, 1322 and the rule can select by multiple sub directives: \n Example: 1323 toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" 1324 items: 1325 description: Groups structure to store all kinds of new integrations 1326 that needs a new derivative policy. 
1327 properties: 1328 aws: 1329 description: AWSGroup is an structure that can be used 1330 to whitelisting information from AWS integration 1331 properties: 1332 labels: 1333 additionalProperties: 1334 type: string 1335 type: object 1336 region: 1337 type: string 1338 securityGroupsIds: 1339 items: 1340 type: string 1341 type: array 1342 securityGroupsNames: 1343 items: 1344 type: string 1345 type: array 1346 type: object 1347 type: object 1348 type: array 1349 toNodes: 1350 description: ToNodes is a list of nodes identified by an EndpointSelector 1351 to which endpoints subject to the rule is allowed to communicate. 1352 items: 1353 description: EndpointSelector is a wrapper for k8s LabelSelector. 1354 properties: 1355 matchExpressions: 1356 description: matchExpressions is a list of label selector 1357 requirements. The requirements are ANDed. 1358 items: 1359 description: A label selector requirement is a selector 1360 that contains values, a key, and an operator that 1361 relates the key and values. 1362 properties: 1363 key: 1364 description: key is the label key that the selector 1365 applies to. 1366 type: string 1367 operator: 1368 description: operator represents a key's relationship 1369 to a set of values. Valid operators are In, NotIn, 1370 Exists and DoesNotExist. 1371 enum: 1372 - In 1373 - NotIn 1374 - Exists 1375 - DoesNotExist 1376 type: string 1377 values: 1378 description: values is an array of string values. 1379 If the operator is In or NotIn, the values array 1380 must be non-empty. If the operator is Exists or 1381 DoesNotExist, the values array must be empty. 1382 This array is replaced during a strategic merge 1383 patch. 
1384 items: 1385 type: string 1386 type: array 1387 x-kubernetes-list-type: atomic 1388 required: 1389 - key 1390 - operator 1391 type: object 1392 type: array 1393 x-kubernetes-list-type: atomic 1394 matchLabels: 1395 additionalProperties: 1396 description: MatchLabelsValue represents the value from 1397 the MatchLabels {key,value} pair. 1398 maxLength: 63 1399 pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ 1400 type: string 1401 description: matchLabels is a map of {key,value} pairs. 1402 A single {key,value} in the matchLabels map is equivalent 1403 to an element of matchExpressions, whose key field is 1404 "key", the operator is "In", and the values array contains 1405 only "value". The requirements are ANDed. 1406 type: object 1407 type: object 1408 type: array 1409 toPorts: 1410 description: "ToPorts is a list of destination ports identified 1411 by port number and protocol which the endpoint subject to 1412 the rule is not allowed to connect to. \n Example: Any endpoint 1413 with the label \"role=frontend\" is not allowed to initiate 1414 connections to destination port 8080/tcp" 1415 items: 1416 description: PortDenyRule is a list of ports/protocol that 1417 should be used for deny policies. This structure lacks the 1418 L7Rules since it's not supported in deny policies. 1419 properties: 1420 ports: 1421 description: Ports is a list of L4 port/protocol 1422 items: 1423 description: PortProtocol specifies an L4 port with 1424 an optional transport protocol 1425 properties: 1426 endPort: 1427 description: EndPort can only be an L4 port number. 1428 format: int32 1429 maximum: 65535 1430 minimum: 0 1431 type: integer 1432 port: 1433 description: Port can be an L4 port number, or a 1434 name in the form of "http" or "http-8080". 1435 pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ 1436 type: string 1437 protocol: 1438 description: "Protocol is the L4 protocol. 
If omitted 1439 or empty, any protocol matches. Accepted values: 1440 \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching 1441 on ICMP is not supported. \n Named port specified 1442 for a container may narrow this down, but may 1443 not contradict this." 1444 enum: 1445 - TCP 1446 - UDP 1447 - SCTP 1448 - ANY 1449 type: string 1450 required: 1451 - port 1452 type: object 1453 type: array 1454 type: object 1455 type: array 1456 toRequires: 1457 description: "ToRequires is a list of additional constraints 1458 which must be met in order for the selected endpoints to be 1459 able to connect to other endpoints. These additional constraints 1460 do no by itself grant access privileges and must always be 1461 accompanied with at least one matching ToEndpoints. \n Example: 1462 Any Endpoint with the label \"team=A\" requires any endpoint 1463 to which it communicates to also carry the label \"team=A\"." 1464 items: 1465 description: EndpointSelector is a wrapper for k8s LabelSelector. 1466 properties: 1467 matchExpressions: 1468 description: matchExpressions is a list of label selector 1469 requirements. The requirements are ANDed. 1470 items: 1471 description: A label selector requirement is a selector 1472 that contains values, a key, and an operator that 1473 relates the key and values. 1474 properties: 1475 key: 1476 description: key is the label key that the selector 1477 applies to. 1478 type: string 1479 operator: 1480 description: operator represents a key's relationship 1481 to a set of values. Valid operators are In, NotIn, 1482 Exists and DoesNotExist. 1483 enum: 1484 - In 1485 - NotIn 1486 - Exists 1487 - DoesNotExist 1488 type: string 1489 values: 1490 description: values is an array of string values. 1491 If the operator is In or NotIn, the values array 1492 must be non-empty. If the operator is Exists or 1493 DoesNotExist, the values array must be empty. 1494 This array is replaced during a strategic merge 1495 patch. 
1496 items: 1497 type: string 1498 type: array 1499 x-kubernetes-list-type: atomic 1500 required: 1501 - key 1502 - operator 1503 type: object 1504 type: array 1505 x-kubernetes-list-type: atomic 1506 matchLabels: 1507 additionalProperties: 1508 description: MatchLabelsValue represents the value from 1509 the MatchLabels {key,value} pair. 1510 maxLength: 63 1511 pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ 1512 type: string 1513 description: matchLabels is a map of {key,value} pairs. 1514 A single {key,value} in the matchLabels map is equivalent 1515 to an element of matchExpressions, whose key field is 1516 "key", the operator is "In", and the values array contains 1517 only "value". The requirements are ANDed. 1518 type: object 1519 type: object 1520 type: array 1521 toServices: 1522 description: "ToServices is a list of services to which the 1523 endpoint subject to the rule is allowed to initiate connections. 1524 Currently Cilium only supports toServices for K8s services 1525 without selectors. \n Example: Any endpoint with the label 1526 \"app=backend-app\" is allowed to initiate connections to 1527 all cidrs backing the \"external-service\" service" 1528 items: 1529 description: Service wraps around selectors for services 1530 properties: 1531 k8sService: 1532 description: K8sService selects service by name and namespace 1533 pair 1534 properties: 1535 namespace: 1536 type: string 1537 serviceName: 1538 type: string 1539 type: object 1540 k8sServiceSelector: 1541 description: K8sServiceSelector selects services by k8s 1542 labels and namespace 1543 properties: 1544 namespace: 1545 type: string 1546 selector: 1547 description: ServiceSelector is a label selector for 1548 k8s services 1549 properties: 1550 matchExpressions: 1551 description: matchExpressions is a list of label 1552 selector requirements. The requirements are 1553 ANDed. 
1554 items: 1555 description: A label selector requirement is 1556 a selector that contains values, a key, and 1557 an operator that relates the key and values. 1558 properties: 1559 key: 1560 description: key is the label key that the 1561 selector applies to. 1562 type: string 1563 operator: 1564 description: operator represents a key's 1565 relationship to a set of values. Valid 1566 operators are In, NotIn, Exists and DoesNotExist. 1567 enum: 1568 - In 1569 - NotIn 1570 - Exists 1571 - DoesNotExist 1572 type: string 1573 values: 1574 description: values is an array of string 1575 values. If the operator is In or NotIn, 1576 the values array must be non-empty. If 1577 the operator is Exists or DoesNotExist, 1578 the values array must be empty. This array 1579 is replaced during a strategic merge patch. 1580 items: 1581 type: string 1582 type: array 1583 x-kubernetes-list-type: atomic 1584 required: 1585 - key 1586 - operator 1587 type: object 1588 type: array 1589 x-kubernetes-list-type: atomic 1590 matchLabels: 1591 additionalProperties: 1592 description: MatchLabelsValue represents the 1593 value from the MatchLabels {key,value} pair. 1594 maxLength: 63 1595 pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ 1596 type: string 1597 description: matchLabels is a map of {key,value} 1598 pairs. A single {key,value} in the matchLabels 1599 map is equivalent to an element of matchExpressions, 1600 whose key field is "key", the operator is "In", 1601 and the values array contains only "value". 1602 The requirements are ANDed. 1603 type: object 1604 type: object 1605 required: 1606 - selector 1607 type: object 1608 type: object 1609 type: array 1610 type: object 1611 type: array 1612 enableDefaultDeny: 1613 description: "EnableDefaultDeny determines whether this policy configures 1614 the subject endpoint(s) to have a default deny mode. If enabled, 1615 this causes all traffic not explicitly allowed by a network policy 1616 to be dropped. 
\n If not specified, the default is true for each 1617 traffic direction that has rules, and false otherwise. For example, 1618 if a policy only has Ingress or IngressDeny rules, then the default 1619 for ingress is true and egress is false. \n If multiple policies 1620 apply to an endpoint, that endpoint's default deny will be enabled 1621 if any policy requests it. \n This is useful for creating broad-based 1622 network policies that will not cause endpoints to enter default-deny 1623 mode." 1624 properties: 1625 egress: 1626 description: Whether or not the endpoint should have a default-deny 1627 rule applied to egress traffic. 1628 type: boolean 1629 ingress: 1630 description: Whether or not the endpoint should have a default-deny 1631 rule applied to ingress traffic. 1632 type: boolean 1633 type: object 1634 endpointSelector: 1635 description: EndpointSelector selects all endpoints which should be 1636 subject to this rule. EndpointSelector and NodeSelector cannot be 1637 both empty and are mutually exclusive. 1638 properties: 1639 matchExpressions: 1640 description: matchExpressions is a list of label selector requirements. 1641 The requirements are ANDed. 1642 items: 1643 description: A label selector requirement is a selector that 1644 contains values, a key, and an operator that relates the key 1645 and values. 1646 properties: 1647 key: 1648 description: key is the label key that the selector applies 1649 to. 1650 type: string 1651 operator: 1652 description: operator represents a key's relationship to 1653 a set of values. Valid operators are In, NotIn, Exists 1654 and DoesNotExist. 1655 enum: 1656 - In 1657 - NotIn 1658 - Exists 1659 - DoesNotExist 1660 type: string 1661 values: 1662 description: values is an array of string values. If the 1663 operator is In or NotIn, the values array must be non-empty. 1664 If the operator is Exists or DoesNotExist, the values 1665 array must be empty. This array is replaced during a strategic 1666 merge patch. 
1667 items: 1668 type: string 1669 type: array 1670 x-kubernetes-list-type: atomic 1671 required: 1672 - key 1673 - operator 1674 type: object 1675 type: array 1676 x-kubernetes-list-type: atomic 1677 matchLabels: 1678 additionalProperties: 1679 description: MatchLabelsValue represents the value from the 1680 MatchLabels {key,value} pair. 1681 maxLength: 63 1682 pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ 1683 type: string 1684 description: matchLabels is a map of {key,value} pairs. A single 1685 {key,value} in the matchLabels map is equivalent to an element 1686 of matchExpressions, whose key field is "key", the operator 1687 is "In", and the values array contains only "value". The requirements 1688 are ANDed. 1689 type: object 1690 type: object 1691 ingress: 1692 description: Ingress is a list of IngressRule which are enforced at 1693 ingress. If omitted or empty, this rule does not apply at ingress. 1694 items: 1695 description: "IngressRule contains all rule types which can be applied 1696 at ingress, i.e. network traffic that originates outside of the 1697 endpoint and is entering the endpoint selected by the endpointSelector. 1698 \n - All members of this structure are optional. If omitted or 1699 empty, the member will have no effect on the rule. \n - If multiple 1700 members are set, all of them need to match in order for the rule 1701 to take effect. The exception to this rule is FromRequires field; 1702 the effects of any Requires field in any rule will apply to all 1703 other rules as well. \n - FromEndpoints, FromCIDR, FromCIDRSet 1704 and FromEntities are mutually exclusive. Only one of these members 1705 may be present within an individual rule." 1706 properties: 1707 authentication: 1708 description: Authentication is the required authentication type 1709 for the allowed traffic, if any. 1710 properties: 1711 mode: 1712 description: Mode is the required authentication mode for 1713 the allowed traffic, if any. 
1714 enum: 1715 - disabled 1716 - required 1717 - test-always-fail 1718 type: string 1719 required: 1720 - mode 1721 type: object 1722 fromCIDR: 1723 description: "FromCIDR is a list of IP blocks which the endpoint 1724 subject to the rule is allowed to receive connections from. 1725 Only connections which do *not* originate from the cluster 1726 or from the local host are subject to CIDR rules. In order 1727 to allow in-cluster connectivity, use the FromEndpoints field. 1728 \ This will match on the source IP address of incoming connections. 1729 Adding a prefix into FromCIDR or into FromCIDRSet with no 1730 ExcludeCIDRs is equivalent. Overlaps are allowed between 1731 FromCIDR and FromCIDRSet. \n Example: Any endpoint with the 1732 label \"app=my-legacy-pet\" is allowed to receive connections 1733 from 10.3.9.1" 1734 items: 1735 description: 'CIDR specifies a block of IP addresses. Example: 1736 192.0.2.1/32' 1737 format: cidr 1738 type: string 1739 type: array 1740 fromCIDRSet: 1741 description: "FromCIDRSet is a list of IP blocks which the endpoint 1742 subject to the rule is allowed to receive connections from 1743 in addition to FromEndpoints, along with a list of subnets 1744 contained within their corresponding IP block from which traffic 1745 should not be allowed. This will match on the source IP address 1746 of incoming connections. Adding a prefix into FromCIDR or 1747 into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps 1748 are allowed between FromCIDR and FromCIDRSet. \n Example: 1749 Any endpoint with the label \"app=my-legacy-pet\" is allowed 1750 to receive connections from 10.0.0.0/8 except from IPs in 1751 subnet 10.96.0.0/12." 1752 items: 1753 description: CIDRRule is a rule that specifies a CIDR prefix 1754 to/from which outside communication is allowed, along with 1755 an optional list of subnets within that CIDR prefix to/from 1756 which outside communication is not allowed. 
1757 oneOf: 1758 - properties: 1759 cidr: {} 1760 required: 1761 - cidr 1762 - properties: 1763 cidrGroupRef: {} 1764 required: 1765 - cidrGroupRef 1766 properties: 1767 cidr: 1768 description: CIDR is a CIDR prefix / IP Block. 1769 format: cidr 1770 type: string 1771 cidrGroupRef: 1772 description: CIDRGroupRef is a reference to a CiliumCIDRGroup 1773 object. A CiliumCIDRGroup contains a list of CIDRs that 1774 the endpoint, subject to the rule, can (Ingress/Egress) 1775 or cannot (IngressDeny/EgressDeny) receive connections 1776 from. 1777 maxLength: 253 1778 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 1779 type: string 1780 except: 1781 description: ExceptCIDRs is a list of IP blocks which 1782 the endpoint subject to the rule is not allowed to initiate 1783 connections to. These CIDR prefixes should be contained 1784 within Cidr, using ExceptCIDRs together with CIDRGroupRef 1785 is not supported yet. These exceptions are only applied 1786 to the Cidr in this CIDRRule, and do not apply to any 1787 other CIDR prefixes in any other CIDRRules. 1788 items: 1789 description: 'CIDR specifies a block of IP addresses. 1790 Example: 192.0.2.1/32' 1791 format: cidr 1792 type: string 1793 type: array 1794 type: object 1795 type: array 1796 fromEndpoints: 1797 description: "FromEndpoints is a list of endpoints identified 1798 by an EndpointSelector which are allowed to communicate with 1799 the endpoint subject to the rule. \n Example: Any endpoint 1800 with the label \"role=backend\" can be consumed by any endpoint 1801 carrying the label \"role=frontend\"." 1802 items: 1803 description: EndpointSelector is a wrapper for k8s LabelSelector. 1804 properties: 1805 matchExpressions: 1806 description: matchExpressions is a list of label selector 1807 requirements. The requirements are ANDed. 
                            items:
                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                  items:
                                    type: string
                                  type: array
                                  x-kubernetes-list-type: atomic
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                            x-kubernetes-list-type: atomic
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    fromEntities:
                      description: FromEntities is a list of special entities which the endpoint subject to the rule is allowed to receive connections from. Supported entities are `world`, `cluster` and `host`
                      items:
                        description: Entity specifies the class of receiver/sender endpoints that do not have individual identities.
                          Entities are used to describe "outside of cluster", "host", etc.
                        enum:
                        - all
                        - world
                        - cluster
                        - host
                        - init
                        - ingress
                        - unmanaged
                        - remote-node
                        - health
                        - none
                        - kube-apiserver
                        type: string
                      type: array
                    fromGroups:
                      description: "FromGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \n Example: FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"
                      items:
                        description: Groups structure to store all kinds of new integrations that need a new derivative policy.
                        properties:
                          aws:
                            description: AWSGroup is a structure that can be used for whitelisting information from the AWS integration
                            properties:
                              labels:
                                additionalProperties:
                                  type: string
                                type: object
                              region:
                                type: string
                              securityGroupsIds:
                                items:
                                  type: string
                                type: array
                              securityGroupsNames:
                                items:
                                  type: string
                                type: array
                            type: object
                        type: object
                      type: array
                    fromNodes:
                      description: FromNodes is a list of nodes identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule.
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship to a set of values.
                                    Valid operators are In, NotIn, Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                  items:
                                    type: string
                                  type: array
                                  x-kubernetes-list-type: atomic
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                            x-kubernetes-list-type: atomic
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    fromRequires:
                      description: "FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do not by themselves grant access privileges and must always be accompanied with at least one matching FromEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires consuming endpoint to also carry the label \"team=A\"."
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                  items:
                                    type: string
                                  type: array
                                  x-kubernetes-list-type: atomic
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                            x-kubernetes-list-type: atomic
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    icmps:
                      description: "ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can only accept incoming type 8 ICMP connections."
                      items:
                        description: ICMPRule is a list of ICMP fields.
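The EndpointSelector schema repeated for fromEndpoints, fromNodes and fromRequires is a k8s LabelSelector, and the fromRequires description adds a semantic the schema cannot express: a Requires selector in any rule constrains every rule but grants nothing on its own. The following added example (not Cilium's code) evaluates selectors against a peer's label map and combines fromEndpoints with fromRequires accordingly. The ingress rules and peer label sets are constructed for the example; the endpointSelector step that picks which rules apply to the destination is assumed to have happened already.

```python
"""Added example (not Cilium's code): evaluate EndpointSelector objects
(matchLabels plus matchExpressions) and combine fromEndpoints with
fromRequires the way the descriptions above specify.

Encoded semantics:
  - a matchLabels {k: v} pair is the requirement {key: k, operator: In,
    values: [v]}; all requirements are ANDed; an empty selector matches all;
  - NotIn and DoesNotExist also match a peer that lacks the key entirely;
  - fromEndpoints grants access when any of its selectors matches the peer;
  - fromRequires grants nothing by itself: every fromRequires selector found
    in any rule selecting this endpoint must also match the peer.
The rules and peer label sets are constructed for this example.
"""
import re

LABEL_VALUE_RE = re.compile(r"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$")
OPERATORS = ("In", "NotIn", "Exists", "DoesNotExist")


def validate_selector(sel: dict) -> list:
    """Schema checks for one EndpointSelector (empty list == valid)."""
    errors = []
    for key, value in sel.get("matchLabels", {}).items():
        if len(value) > 63 or not LABEL_VALUE_RE.match(value):
            errors.append(f"matchLabels[{key!r}]: invalid value {value!r}")
    for req in sel.get("matchExpressions", []):
        op = req.get("operator")
        if "key" not in req or op not in OPERATORS:
            errors.append(f"matchExpressions: key and a valid operator are required: {req!r}")
            continue
        values = req.get("values", [])
        if op in ("In", "NotIn") and not values:
            errors.append(f"{op} on {req['key']!r} needs a non-empty values array")
        if op in ("Exists", "DoesNotExist") and values:
            errors.append(f"{op} on {req['key']!r} must not carry values")
    return errors


def requirement_matches(req: dict, labels: dict) -> bool:
    """One label selector requirement against a peer's label map."""
    key, op, values = req["key"], req["operator"], req.get("values", [])
    if op == "In":
        return key in labels and labels[key] in values
    if op == "NotIn":
        return key not in labels or labels[key] not in values
    if op == "Exists":
        return key in labels
    if op == "DoesNotExist":
        return key not in labels
    raise ValueError(f"unknown operator {op!r}")


def selector_matches(sel: dict, labels: dict) -> bool:
    """matchLabels and matchExpressions, all ANDed (empty selector == match)."""
    reqs = [{"key": k, "operator": "In", "values": [v]}
            for k, v in sel.get("matchLabels", {}).items()]
    reqs += sel.get("matchExpressions", [])
    return all(requirement_matches(r, labels) for r in reqs)


def ingress_allowed(rules: list, peer_labels: dict) -> bool:
    """Combine fromEndpoints and fromRequires over all ingress rules that
    select the destination endpoint (endpointSelector filtering assumed done)."""
    # Requires from any rule constrain every rule, so they are checked first.
    requires = [s for r in rules for s in r.get("fromRequires", [])]
    if not all(selector_matches(s, peer_labels) for s in requires):
        return False
    grants = [s for r in rules for s in r.get("fromEndpoints", [])]
    return any(selector_matches(s, peer_labels) for s in grants)


# Constructed ingress section for an endpoint labelled role=backend, team=A:
# rule 1 admits frontends, rule 2 adds the cross-cutting team=A requirement
# from the fromRequires description (on its own it admits nobody).
EXAMPLE_INGRESS = [
    {"fromEndpoints": [{"matchLabels": {"role": "frontend"}}]},
    {"fromRequires": [{"matchExpressions": [
        {"key": "team", "operator": "In", "values": ["A"]}]}]},
]

PEERS = {  # constructed peer label sets
    "frontend-team-a": {"role": "frontend", "team": "A"},
    "frontend-team-b": {"role": "frontend", "team": "B"},
    "backend-team-a": {"role": "backend", "team": "A"},
    "unlabelled": {},
}

if __name__ == "__main__":
    for rule in EXAMPLE_INGRESS:
        for sel in rule.get("fromEndpoints", []) + rule.get("fromRequires", []):
            assert not validate_selector(sel), validate_selector(sel)
    for name, labels in PEERS.items():
        verdict = ingress_allowed(EXAMPLE_INGRESS, labels)
        print(f"{name:>16}: {'allowed' if verdict else 'denied'}")
```

Note the empty-selector case: `{}` (and `matchLabels: {}`) matches every peer, which is why an empty `fromEndpoints: [{}]` is the usual way to allow all cluster endpoints; the validator above accepts it because the schema does.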
                        properties:
                          fields:
                            description: Fields is a list of ICMP fields.
                            items:
                              description: ICMPField is an ICMP field.
                              properties:
                                family:
                                  default: IPv4
                                  description: Family is an IP address version. Currently, we support `IPv4` and `IPv6`. `IPv4` is set as default.
                                  enum:
                                  - IPv4
                                  - IPv6
                                  type: string
                                type:
                                  anyOf:
                                  - type: integer
                                  - type: string
                                  description: 'Type is an ICMP type. It should be an 8bit code (0-255), or its CamelCase name (for example, "EchoReply"). Allowed ICMP types are: Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest | RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem | Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem | EchoRequest | EchoReply | MulticastListenerQuery | MulticastListenerReport | MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation | NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest | ExtendedEchoReply'
                                  pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho
                                    Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$
                                  x-kubernetes-int-or-string: true
                              required:
                              - type
                              type: object
                            maxItems: 40
                            type: array
                        type: object
                      type: array
                    toPorts:
                      description: "ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can only accept incoming connections on port 80/tcp."
                      items:
                        description: PortRule is a list of ports/protocol combinations with optional Layer 7 rules which must be met.
                        properties:
                          listener:
                            description: listener specifies the name of a custom Envoy listener to which this traffic should be redirected.
                            properties:
                              envoyConfig:
                                description: EnvoyConfig is a reference to the CEC or CCEC resource in which the listener is defined.
                                properties:
                                  kind:
                                    description: Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, respectively. The only case this is currently explicitly needed is when referring to a CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener from a cluster scoped policy is not allowed.
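The ICMP `type` field above is an int-or-string whose string form is constrained by the printed pattern. The following added example (not Cilium's code) applies the family default, the 0-255 / CamelCase-name pattern and the maxItems limit to a rule. One caveat is visible in the CRD text itself: the pattern's plain scalar folds at "ExtendedEcho Reply", so as printed it carries a space there and does not accept the "ExtendedEchoReply" spelling used in the description's IPv6 list; the check below follows the printed pattern and says nothing about what the agent resolves at runtime. The sample rule is constructed.

```python
"""Added example (not Cilium's code): validate the icmps[].fields[] entries
of a rule against the constraints printed above.

  - `family` defaults to IPv4 and must be IPv4 or IPv6;
  - `type` is int-or-string: this check renders an integer as its decimal
    text so both forms are held to the same 0-255 / CamelCase-name pattern
    (Python bools are rejected explicitly because bool subclasses int);
  - at most 40 fields per rule (maxItems).
The name alternation is copied from the CRD pattern as printed on this page,
including the folded "ExtendedEcho Reply". The sample rule is constructed.
"""
import re

ICMP_TYPE_NAMES = (
    "EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|"
    "RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|"
    "Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|"
    "ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|"
    "MulticastListenerDone|RouterSolicitation|RouterAdvertisement|"
    "NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|"
    "ICMPNodeInformationQuery|ICMPNodeInformationResponse|"
    "InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|"
    "HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|"
    "MobilePrefixSolicitation|MobilePrefixAdvertisement|"
    "DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix"
)
ICMP_TYPE_RE = re.compile(
    r"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|" + ICMP_TYPE_NAMES + r")$")
FAMILIES = ("IPv4", "IPv6")
MAX_FIELDS = 40


def validate_icmp_field(field: dict) -> list:
    """Violations for one ICMPField (empty list == valid)."""
    errors = []
    family = field.get("family", "IPv4")  # schema default
    if family not in FAMILIES:
        errors.append(f"family {family!r} must be one of {FAMILIES}")
    if "type" not in field:
        return errors + ["type is required"]
    t = field["type"]
    if isinstance(t, bool) or not isinstance(t, (int, str)):
        errors.append(f"type {t!r} must be an integer or a string")
    elif not ICMP_TYPE_RE.match(str(t)):
        errors.append(f"type {t!r} is neither 0-255 nor an allowed ICMP type name")
    return errors


def validate_icmp_rule(rule: dict) -> list:
    """Violations for one ICMPRule, prefixed with the offending field index."""
    fields = rule.get("fields", [])
    errors = []
    if len(fields) > MAX_FIELDS:
        errors.append(f"fields has {len(fields)} entries, maxItems is {MAX_FIELDS}")
    for i, f in enumerate(fields):
        errors += [f"fields[{i}]: {e}" for e in validate_icmp_field(f)]
    return errors


# Constructed rule following the icmps description: accept only echo
# requests, written numerically for IPv4 (type 8) and by name for IPv6.
EXAMPLE_ICMP_RULE = {"fields": [
    {"type": 8},
    {"family": "IPv6", "type": "EchoRequest"},
]}

if __name__ == "__main__":
    print("example rule:", validate_icmp_rule(EXAMPLE_ICMP_RULE) or "valid")
    for bad in ({"type": 256}, {"type": "ExtendedEchoReply"}, {"family": "IPv5", "type": 8}):
        print(bad, "->", validate_icmp_field(bad))
```

The pattern does not distinguish families: "PacketTooBig" passes for an IPv4 field and "Echo" for an IPv6 one, because the CRD only checks the spelling. Whether such a combination is meaningful is left to the agent.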
                                    enum:
                                    - CiliumEnvoyConfig
                                    - CiliumClusterwideEnvoyConfig
                                    type: string
                                  name:
                                    description: Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig in which the listener is defined.
                                    minLength: 1
                                    type: string
                                required:
                                - name
                                type: object
                              name:
                                description: Name is the name of the listener.
                                minLength: 1
                                type: string
                              priority:
                                description: Priority for this Listener that is used when multiple rules would apply different listeners to a policy map entry. Behavior of this is implementation dependent.
                                maximum: 100
                                minimum: 1
                                type: integer
                            required:
                            - envoyConfig
                            - name
                            type: object
                          originatingTLS:
                            description: OriginatingTLS is the TLS context for the connections originated by the L7 proxy. For egress policy this specifies the client-side TLS parameters for the upstream connection originating from the L7 proxy to the remote destination. For ingress policy this specifies the client-side TLS parameters for the connection from the L7 proxy to the local endpoint.
                            properties:
                              certificate:
                                description: Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist.
                                type: string
                              privateKey:
                                description: PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist.
                                type: string
                              secret:
                                description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - ''ca.crt'' - Which represents the trusted CA to verify remote source.
                                  - ''tls.crt'' - Which represents the public key certificate. - ''tls.key'' - Which represents the private key matching the public key certificate.'
                                properties:
                                  name:
                                    description: Name is the name of the secret.
                                    type: string
                                  namespace:
                                    description: Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., "default").
                                    type: string
                                required:
                                - name
                                type: object
                              trustedCA:
                                description: TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist.
                                type: string
                            required:
                            - secret
                            type: object
                          ports:
                            description: Ports is a list of L4 port/protocol pairs.
                            items:
                              description: PortProtocol specifies an L4 port with an optional transport protocol
                              properties:
                                endPort:
                                  description: EndPort can only be an L4 port number.
                                  format: int32
                                  maximum: 65535
                                  minimum: 0
                                  type: integer
                                port:
                                  description: Port can be an L4 port number, or a name in the form of "http" or "http-8080".
                                  pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$
                                  type: string
                                protocol:
                                  description: "Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching on ICMP is not supported. \n Named port specified for a container may narrow this down, but may not contradict this."
                                  enum:
                                  - TCP
                                  - UDP
                                  - SCTP
                                  - ANY
                                  type: string
                              required:
                              - port
                              type: object
                            maxItems: 40
                            type: array
                          rules:
                            description: Rules is a list of additional port level rules which must be met in order for the PortRule to allow the traffic.
                              If omitted or empty, no layer 7 rules are enforced.
                            oneOf:
                            - properties:
                                http: {}
                              required:
                              - http
                            - properties:
                                kafka: {}
                              required:
                              - kafka
                            - properties:
                                dns: {}
                              required:
                              - dns
                            - properties:
                                l7proto: {}
                              required:
                              - l7proto
                            properties:
                              dns:
                                description: DNS-specific rules.
                                items:
                                  description: PortRuleDNS is a list of allowed DNS lookups.
                                  oneOf:
                                  - properties:
                                      matchName: {}
                                    required:
                                    - matchName
                                  - properties:
                                      matchPattern: {}
                                    required:
                                    - matchPattern
                                  properties:
                                    matchName:
                                      description: MatchName matches literal DNS names. A trailing "." is automatically added when missing.
                                      pattern: ^([-a-zA-Z0-9_]+[.]?)+$
                                      type: string
                                    matchPattern:
                                      description: "MatchPattern allows using wildcards to match DNS names. All wildcards are case insensitive. The wildcards are: - \"*\" matches 0 or more DNS valid characters, and may occur anywhere in the pattern. As a special case a \"*\" as the leftmost character, without a following \".\" matches all subdomains as well as the name to the right. A trailing \".\" is automatically added when missing.
                                        \n Examples: `*.cilium.io` matches subdomains of cilium at that level: www.cilium.io and blog.cilium.io match, cilium.io and google.com do not. `*cilium.io` matches cilium.io and all subdomains ending with \"cilium.io\" except those containing the \".\" separator: subcilium.io and sub-cilium.io match, www.cilium.io and blog.cilium.io do not. sub*.cilium.io matches subdomains of cilium where the subdomain component begins with \"sub\": sub.cilium.io and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not"
                                      pattern: ^([-a-zA-Z0-9_*]+[.]?)+$
                                      type: string
                                  type: object
                                type: array
                              http:
                                description: HTTP specific rules.
                                items:
                                  description: "PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional; if all fields are empty or missing, the rule does not have any effect. \n All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1 (i.e. this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986."
                                  properties:
                                    headerMatches:
                                      description: HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match.
                                      items:
                                        description: HeaderMatch extends the HeaderValue for matching requirement of a named header field against an immediate string, a secret value, or a regex. If none of the optional fields is present, then the header value is not matched, only presence of the header is enough.
                                        properties:
                                          mismatch:
                                            description: Mismatch identifies what to do in case there is no match. The default is to drop the request.
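The dns rule above is where most DNS-based egress policy mistakes happen, because the wildcard semantics are subtle: "*" never crosses a "." and a leftmost "*" with no dot after it also matches the bare name. The following added example (not Cilium's code, and not the project's own pattern conversion, which this page does not show) turns matchName / matchPattern into anchored regular expressions and reproduces every example given in the matchPattern description. A bare "*" is treated as "any name", which is this example's assumption since the description does not cover it. The sample rules and lookups are constructed.

```python
"""Added example (not Cilium's code): compile the dns rule fields matchName
and matchPattern into anchored regular expressions and test lookups against
them, reproducing the examples in the matchPattern description above.

Encoded from the descriptions:
  - a trailing "." is added when missing and matching is case-insensitive;
  - "*" matches 0 or more DNS-valid characters ([-a-zA-Z0-9_]) and never a
    ".", so `*cilium.io` covers cilium.io and subcilium.io but not
    www.cilium.io, while `*.cilium.io` covers exactly one extra label;
  - each rule carries exactly one of matchName / matchPattern, and both are
    first checked against the CRD patterns printed above.
A bare "*" is treated as "any name" (an assumption; the description does not
cover it). Sample rules and lookups are constructed.
"""
import re

MATCH_NAME_RE = re.compile(r"^([-a-zA-Z0-9_]+[.]?)+$")
MATCH_PATTERN_RE = re.compile(r"^([-a-zA-Z0-9_*]+[.]?)+$")
DNS_CHARS = "[-a-zA-Z0-9_]"


def fqdn(name: str) -> str:
    """Lower-case and append the trailing dot the schema says is implied."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def validate_dns_rule(rule: dict) -> list:
    """Schema violations for one PortRuleDNS entry (empty list == valid)."""
    if ("matchName" in rule) == ("matchPattern" in rule):
        return ["exactly one of matchName or matchPattern is required"]
    if "matchName" in rule and not MATCH_NAME_RE.match(rule["matchName"]):
        return [f"matchName {rule['matchName']!r} violates the schema pattern"]
    if "matchPattern" in rule and not MATCH_PATTERN_RE.match(rule["matchPattern"]):
        return [f"matchPattern {rule['matchPattern']!r} violates the schema pattern"]
    return []


def dns_rule_to_regex(rule: dict):
    """Compile one PortRuleDNS entry into an anchored, lower-case regex."""
    errors = validate_dns_rule(rule)
    if errors:
        raise ValueError(errors[0])
    if "matchName" in rule:
        return re.compile("^" + re.escape(fqdn(rule["matchName"])) + "$")
    pattern = fqdn(rule["matchPattern"])
    if pattern == "*.":  # assumption: a lone "*" allows every name
        return re.compile("^(" + DNS_CHARS + r"+\.)+$")
    # Escape the literal pieces; each "*" becomes a run of DNS characters.
    wildcard = DNS_CHARS + "*"
    body = wildcard.join(re.escape(piece) for piece in pattern.split("*"))
    return re.compile("^" + body + "$")


def lookup_allowed(dns_rules: list, qname: str) -> bool:
    """A lookup passes when any entry of toPorts[].rules.dns matches it."""
    q = fqdn(qname)
    return any(dns_rule_to_regex(r).match(q) for r in dns_rules)


# Constructed rules: one literal name and one wildcard from the description.
EXAMPLE_DNS_RULES = [
    {"matchName": "api.github.com"},
    {"matchPattern": "*.cilium.io"},
]

if __name__ == "__main__":
    for q in ("api.GitHub.com", "docs.cilium.io", "cilium.io", "evil.api.github.com"):
        verdict = lookup_allowed(EXAMPLE_DNS_RULES, q)
        print(f"{q:>22}: {'allowed' if verdict else 'refused'}")
```

The practical caveat follows directly from the description's own examples: `*cilium.io` also matches `notcilium.io` or any other registrable name ending in those characters, so to allow an apex and its subdomains write a `matchName` for the apex plus `*.cilium.io` rather than a leftmost wildcard without a dot.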
                                              Otherwise the overall rule is still considered as matching, but the mismatches are logged in the access log.
                                            enum:
                                            - LOG
                                            - ADD
                                            - DELETE
                                            - REPLACE
                                            type: string
                                          name:
                                            description: Name identifies the header.
                                            minLength: 1
                                            type: string
                                          secret:
                                            description: Secret refers to a secret that contains the value to be matched against. The secret must only contain one entry. If the referred secret does not exist, and there is no "Value" specified, the match will fail.
                                            properties:
                                              name:
                                                description: Name is the name of the secret.
                                                type: string
                                              namespace:
                                                description: Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., "default").
                                                type: string
                                            required:
                                            - name
                                            type: object
                                          value:
                                            description: Value matches the exact value of the header. Can be specified either alone or together with "Secret"; will be used as the header value if the secret can not be found in the latter case.
                                            type: string
                                        required:
                                        - name
                                        type: object
                                      type: array
                                    headers:
                                      description: Headers is a list of HTTP headers which must be present in the request. If omitted or empty, requests are allowed regardless of headers present.
                                      items:
                                        type: string
                                      type: array
                                    host:
                                      description: "Host is an extended POSIX regex matched against the host header of a request. Examples: \n - foo.bar.com will match the host fooXbar.com or foo-bar.com - foo\\.bar\\.com will only match the host foo.bar.com \n If omitted or empty, the value of the host header is ignored."
                                      format: idn-hostname
                                      type: string
                                    method:
                                      description: "Method is an extended POSIX regex matched against the method of a request, e.g.
                                        \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ... \n If omitted or empty, all methods are allowed."
                                      type: string
                                    path:
                                      description: "Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. \n If omitted or empty, all paths are allowed."
                                      type: string
                                  type: object
                                type: array
                              kafka:
                                description: Kafka-specific rules.
                                items:
                                  description: PortRule is a list of Kafka protocol constraints. All fields are optional; if all fields are empty or missing, the rule will match all Kafka messages.
                                  properties:
                                    apiKey:
                                      description: "APIKey is a case-insensitive string matched against the key of a request, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", et al. Reference: https://kafka.apache.org/protocol#protocol_api_keys \n If omitted or empty, and if Role is not specified, then all keys are allowed."
                                      type: string
                                    apiVersion:
                                      description: "APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer. \n If omitted or empty, all versions are allowed."
                                      type: string
                                    clientID:
                                      description: "ClientID is the client identifier as provided in the request. \n From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers).
                                        This id acts as a logical grouping across all requests from a particular client. \n If omitted or empty, all client identifiers are allowed."
                                      type: string
                                    role:
                                      description: "Role is a case-insensitive string and describes a group of API keys necessary to perform certain higher-level Kafka operations such as \"produce\" or \"consume\". A Role automatically expands into all APIKeys required to perform the specified higher-level operation. \n The following values are supported: - \"produce\": Allow producing to the topics specified in the rule - \"consume\": Allow consuming from the topics specified in the rule \n This field is incompatible with the APIKey field, i.e. APIKey and Role cannot both be specified in the same rule. \n If omitted or empty, and if APIKey is not specified, then all keys are allowed."
                                      enum:
                                      - produce
                                      - consume
                                      type: string
                                    topic:
                                      description: "Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected. \n This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _. \n Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. For compatibility reasons we are using 255. \n If omitted or empty, all topics are allowed."
                                      maxLength: 255
                                      type: string
                                  type: object
                                type: array
                              l7:
                                description: Key-value pair rules.
                                items:
                                  additionalProperties:
                                    type: string
                                  description: PortRuleL7 is a list of key-value pairs interpreted by an L7 protocol as protocol constraints.
                                    All fields are optional; if all fields are empty or missing, the rule does not have any effect.
                                  type: object
                                type: array
                              l7proto:
                                description: Name of the L7 protocol for which the Key-value pair rules apply.
                                type: string
                            type: object
                          serverNames:
                            description: ServerNames is a list of allowed TLS SNI values. If not empty, then TLS must be present and one of the provided SNIs must be indicated in the TLS handshake.
                            items:
                              type: string
                            type: array
                          terminatingTLS:
                            description: TerminatingTLS is the TLS context for the connection terminated by the L7 proxy. For egress policy this specifies the server-side TLS parameters to be applied on the connections originated from the local endpoint and terminated by the L7 proxy. For ingress policy this specifies the server-side TLS parameters to be applied on the connections originated from a remote source and terminated by the L7 proxy.
                            properties:
                              certificate:
                                description: Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist.
                                type: string
                              privateKey:
                                description: PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist.
                                type: string
                              secret:
                                description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - ''ca.crt'' - Which represents the trusted CA to verify remote source. - ''tls.crt'' - Which represents the public key certificate. - ''tls.key'' - Which represents the private key matching the public key certificate.'
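The PortRule block that ends here combines L4 port/protocol matching with the L7 `rules` oneOf and, for HTTP, the headerMatches semantics (secret-backed values, the default drop on mismatch, and the LOG/ADD/DELETE/REPLACE actions that keep the rule matching). The following added example (not Cilium's code) applies those schema constraints to a toPorts entry and evaluates its HTTP rule against a request. It also records a caveat that can be read off the printed port pattern: the pattern's "^" binds only the numeric alternative and its "$" only the named-port alternative, and OpenAPI patterns are not implicitly anchored, so a string such as "70000" satisfies the CRD pattern through its first four digits; `port_is_valid` adds the range check the pattern alone does not make. All inputs are constructed, and `SECRETS` stands in for the Kubernetes secret a HeaderMatch refers to.

```python
"""Added example (not Cilium's code): schema checks for one toPorts entry and
evaluation of its HTTP rule against a request, following the PortRule,
PortRuleHTTP and HeaderMatch descriptions above. All inputs are constructed;
SECRETS stands in for the Kubernetes secret a HeaderMatch refers to."""
import re

# Port pattern as printed in the CRD. OpenAPI patterns are not implicitly
# anchored, and here "^" binds only the numeric alternative while "$" binds
# only the named-port one, so "70000" passes via its first four digits.
CRD_PORT_RE = re.compile(
    r"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})"
    r"|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$")
NAMED_PORT_RE = re.compile(r"^([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$")
PROTOCOLS = ("TCP", "UDP", "SCTP", "ANY")
L7_KINDS = ("http", "kafka", "dns", "l7proto")
MISMATCH_ACTIONS = ("LOG", "ADD", "DELETE", "REPLACE")


def port_is_valid(port: str) -> bool:
    """The CRD pattern plus the whole-string range check it does not make."""
    if not CRD_PORT_RE.search(port):
        return False
    if port.isdigit():
        return int(port) <= 65535
    return NAMED_PORT_RE.match(port) is not None


def validate_port_rule(pr: dict) -> list:
    """Schema-level violations for one toPorts entry (empty list == valid)."""
    errors = []
    ports = pr.get("ports", [])
    if len(ports) > 40:
        errors.append("ports exceeds maxItems 40")
    for p in ports:
        if not port_is_valid(str(p.get("port", ""))):
            errors.append(f"invalid port {p.get('port')!r}")
        if p.get("protocol", "ANY") not in PROTOCOLS:  # omitted == any protocol
            errors.append(f"invalid protocol {p['protocol']!r}")
        if "endPort" in p and not 0 <= p["endPort"] <= 65535:
            errors.append(f"endPort {p['endPort']!r} out of range")
    rules = pr.get("rules")
    if rules is not None and sum(k in rules for k in L7_KINDS) != 1:
        errors.append("rules must carry exactly one of http, kafka, dns, l7proto")
    for hm in (h for r in (rules or {}).get("http", []) for h in r.get("headerMatches", [])):
        if not hm.get("name"):
            errors.append("headerMatches entry needs a non-empty name")
        if "mismatch" in hm and hm["mismatch"] not in MISMATCH_ACTIONS:
            errors.append(f"invalid mismatch action {hm['mismatch']!r}")
    return errors


def http_rule_matches(rule: dict, request: dict, secrets: dict):
    """One PortRuleHTTP against {"method", "path", "host", "headers": {...}}.

    Returns (allowed, mismatches). method/path/host are anchored regexes
    (Python `re` stands in for the extended POSIX syntax the CRD names);
    every name in `headers` must be present; a failing headerMatches entry
    drops the request unless it carries a `mismatch` action, in which case the
    rule still matches and the mismatch is recorded (header edits not modelled).
    """
    hdrs = {k.lower(): v for k, v in request.get("headers", {}).items()}
    for field in ("method", "path", "host"):
        if rule.get(field) and not re.fullmatch(rule[field], request.get(field, "")):
            return False, []
    if any(h.lower() not in hdrs for h in rule.get("headers", [])):
        return False, []
    mismatches = []
    for hm in rule.get("headerMatches", []):
        # A resolvable secret wins, else `value`; a missing secret with no
        # `value` fails the match. No expected value at all == presence check.
        expected = secrets.get(hm["secret"]["name"]) if "secret" in hm else None
        if expected is None:
            expected = hm.get("value")
        if "secret" in hm and expected is None:
            return False, []
        name = hm["name"].lower()
        if name in hdrs and (expected is None or hdrs[name] == expected):
            continue
        if "mismatch" not in hm:
            return False, []  # default: drop the request
        mismatches.append((hm["name"], hm["mismatch"]))
    return True, mismatches


# Constructed toPorts entry: TCP/80, GET or HEAD below /api/v1/, a request id
# header required, a bearer token compared against a secret, and a soft
# check on X-Debug that only logs when it mismatches.
EXAMPLE_PORT_RULE = {
    "ports": [{"port": "80", "protocol": "TCP"}],
    "rules": {"http": [{
        "method": "GET|HEAD",
        "path": "/api/v1/.*",
        "headers": ["X-Request-Id"],
        "headerMatches": [
            {"name": "Authorization", "secret": {"name": "api-token", "namespace": "default"}},
            {"name": "X-Debug", "value": "off", "mismatch": "LOG"},
        ],
    }]},
}
HTTP_RULE = EXAMPLE_PORT_RULE["rules"]["http"][0]
SECRETS = {"api-token": "Bearer s3cr3t"}  # constructed stand-in for the secret
GOOD_REQUEST = {"method": "GET", "path": "/api/v1/users", "host": "api.example.com",
                "headers": {"X-Request-Id": "abc123", "Authorization": "Bearer s3cr3t",
                            "X-Debug": "off"}}

if __name__ == "__main__":
    print("schema:", validate_port_rule(EXAMPLE_PORT_RULE) or "ok")
    print("request:", http_rule_matches(HTTP_RULE, GOOD_REQUEST, SECRETS))
```

The one behaviour that tends to surprise people is the `value` fallback: when a secret-backed HeaderMatch also carries `value`, a missing secret silently downgrades the check to that literal, so a rule meant to compare against a rotated token keeps matching an old hard-coded one. Omit `value` on entries where the secret is the only acceptable source.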
                                properties:
                                  name:
                                    description: Name is the name of the secret.
                                    type: string
                                  namespace:
                                    description: Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., "default").
                                    type: string
                                required:
                                - name
                                type: object
                              trustedCA:
                                description: TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist.
                                type: string
                            required:
                            - secret
                            type: object
                        type: object
                      type: array
                  type: object
                type: array
              ingressDeny:
                description: IngressDeny is a list of IngressDenyRule which are enforced at ingress. Any rule inserted here will be denied regardless of the allowed ingress rules in the 'ingress' field. If omitted or empty, this rule does not apply at ingress.
                items:
                  description: "IngressDenyRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the endpointSelector. \n - All members of this structure are optional. If omitted or empty, the member will have no effect on the rule. \n - If multiple members are set, all of them need to match in order for the rule to take effect. The exception to this rule is FromRequires field; the effects of any Requires field in any rule will apply to all other rules as well. \n - FromEndpoints, FromCIDR, FromCIDRSet, FromGroups and FromEntities are mutually exclusive. Only one of these members may be present within an individual rule."
                  properties:
                    fromCIDR:
                      description: "FromCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from.
                        Only connections which do *not* originate from the cluster or from the local host are subject to CIDR rules. In order to allow in-cluster connectivity, use the FromEndpoints field. \ This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.3.9.1"
                      items:
                        description: 'CIDR specifies a block of IP addresses. Example: 192.0.2.1/32'
                        format: cidr
                        type: string
                      type: array
                    fromCIDRSet:
                      description: "FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."
                      items:
                        description: CIDRRule is a rule that specifies a CIDR prefix to/from which outside communication is allowed, along with an optional list of subnets within that CIDR prefix to/from which outside communication is not allowed.
                        oneOf:
                        - properties:
                            cidr: {}
                          required:
                          - cidr
                        - properties:
                            cidrGroupRef: {}
                          required:
                          - cidrGroupRef
                        properties:
                          cidr:
                            description: CIDR is a CIDR prefix / IP Block.
                            format: cidr
                            type: string
                          cidrGroupRef:
                            description: CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive connections from.
                            maxLength: 253
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          except:
                            description: ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr; using ExceptCIDRs together with CIDRGroupRef is not supported yet. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.
                            items:
                              description: 'CIDR specifies a block of IP addresses. Example: 192.0.2.1/32'
                              format: cidr
                              type: string
                            type: array
                        type: object
                      type: array
                    fromEndpoints:
                      description: "FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule. \n Example: Any endpoint with the label \"role=backend\" can be consumed by any endpoint carrying the label \"role=frontend\"."
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship to a set of values.
Valid operators are In, NotIn, 2690 Exists and DoesNotExist. 2691 enum: 2692 - In 2693 - NotIn 2694 - Exists 2695 - DoesNotExist 2696 type: string 2697 values: 2698 description: values is an array of string values. 2699 If the operator is In or NotIn, the values array 2700 must be non-empty. If the operator is Exists or 2701 DoesNotExist, the values array must be empty. 2702 This array is replaced during a strategic merge 2703 patch. 2704 items: 2705 type: string 2706 type: array 2707 x-kubernetes-list-type: atomic 2708 required: 2709 - key 2710 - operator 2711 type: object 2712 type: array 2713 x-kubernetes-list-type: atomic 2714 matchLabels: 2715 additionalProperties: 2716 description: MatchLabelsValue represents the value from 2717 the MatchLabels {key,value} pair. 2718 maxLength: 63 2719 pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ 2720 type: string 2721 description: matchLabels is a map of {key,value} pairs. 2722 A single {key,value} in the matchLabels map is equivalent 2723 to an element of matchExpressions, whose key field is 2724 "key", the operator is "In", and the values array contains 2725 only "value". The requirements are ANDed. 2726 type: object 2727 type: object 2728 type: array 2729 fromEntities: 2730 description: FromEntities is a list of special entities which 2731 the endpoint subject to the rule is allowed to receive connections 2732 from. Supported entities are `world`, `cluster` and `host` 2733 items: 2734 description: Entity specifies the class of receiver/sender 2735 endpoints that do not have individual identities. Entities 2736 are used to describe "outside of cluster", "host", etc. 2737 enum: 2738 - all 2739 - world 2740 - cluster 2741 - host 2742 - init 2743 - ingress 2744 - unmanaged 2745 - remote-node 2746 - health 2747 - none 2748 - kube-apiserver 2749 type: string 2750 type: array 2751 fromGroups: 2752 description: "FromGroups is a directive that allows the integration 2753 with multiple outside providers. 
Currently, only AWS is supported, 2754 and the rule can select by multiple sub directives: \n Example: 2755 FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" 2756 items: 2757 description: Groups structure to store all kinds of new integrations 2758 that needs a new derivative policy. 2759 properties: 2760 aws: 2761 description: AWSGroup is an structure that can be used 2762 to whitelisting information from AWS integration 2763 properties: 2764 labels: 2765 additionalProperties: 2766 type: string 2767 type: object 2768 region: 2769 type: string 2770 securityGroupsIds: 2771 items: 2772 type: string 2773 type: array 2774 securityGroupsNames: 2775 items: 2776 type: string 2777 type: array 2778 type: object 2779 type: object 2780 type: array 2781 fromNodes: 2782 description: FromNodes is a list of nodes identified by an EndpointSelector 2783 which are allowed to communicate with the endpoint subject 2784 to the rule. 2785 items: 2786 description: EndpointSelector is a wrapper for k8s LabelSelector. 2787 properties: 2788 matchExpressions: 2789 description: matchExpressions is a list of label selector 2790 requirements. The requirements are ANDed. 2791 items: 2792 description: A label selector requirement is a selector 2793 that contains values, a key, and an operator that 2794 relates the key and values. 2795 properties: 2796 key: 2797 description: key is the label key that the selector 2798 applies to. 2799 type: string 2800 operator: 2801 description: operator represents a key's relationship 2802 to a set of values. Valid operators are In, NotIn, 2803 Exists and DoesNotExist. 2804 enum: 2805 - In 2806 - NotIn 2807 - Exists 2808 - DoesNotExist 2809 type: string 2810 values: 2811 description: values is an array of string values. 2812 If the operator is In or NotIn, the values array 2813 must be non-empty. If the operator is Exists or 2814 DoesNotExist, the values array must be empty. 2815 This array is replaced during a strategic merge 2816 patch. 
2817 items: 2818 type: string 2819 type: array 2820 x-kubernetes-list-type: atomic 2821 required: 2822 - key 2823 - operator 2824 type: object 2825 type: array 2826 x-kubernetes-list-type: atomic 2827 matchLabels: 2828 additionalProperties: 2829 description: MatchLabelsValue represents the value from 2830 the MatchLabels {key,value} pair. 2831 maxLength: 63 2832 pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ 2833 type: string 2834 description: matchLabels is a map of {key,value} pairs. 2835 A single {key,value} in the matchLabels map is equivalent 2836 to an element of matchExpressions, whose key field is 2837 "key", the operator is "In", and the values array contains 2838 only "value". The requirements are ANDed. 2839 type: object 2840 type: object 2841 type: array 2842 fromRequires: 2843 description: "FromRequires is a list of additional constraints 2844 which must be met in order for the selected endpoints to be 2845 reachable. These additional constraints do no by itself grant 2846 access privileges and must always be accompanied with at least 2847 one matching FromEndpoints. \n Example: Any Endpoint with 2848 the label \"team=A\" requires consuming endpoint to also carry 2849 the label \"team=A\"." 2850 items: 2851 description: EndpointSelector is a wrapper for k8s LabelSelector. 2852 properties: 2853 matchExpressions: 2854 description: matchExpressions is a list of label selector 2855 requirements. The requirements are ANDed. 2856 items: 2857 description: A label selector requirement is a selector 2858 that contains values, a key, and an operator that 2859 relates the key and values. 2860 properties: 2861 key: 2862 description: key is the label key that the selector 2863 applies to. 2864 type: string 2865 operator: 2866 description: operator represents a key's relationship 2867 to a set of values. Valid operators are In, NotIn, 2868 Exists and DoesNotExist. 
2869 enum: 2870 - In 2871 - NotIn 2872 - Exists 2873 - DoesNotExist 2874 type: string 2875 values: 2876 description: values is an array of string values. 2877 If the operator is In or NotIn, the values array 2878 must be non-empty. If the operator is Exists or 2879 DoesNotExist, the values array must be empty. 2880 This array is replaced during a strategic merge 2881 patch. 2882 items: 2883 type: string 2884 type: array 2885 x-kubernetes-list-type: atomic 2886 required: 2887 - key 2888 - operator 2889 type: object 2890 type: array 2891 x-kubernetes-list-type: atomic 2892 matchLabels: 2893 additionalProperties: 2894 description: MatchLabelsValue represents the value from 2895 the MatchLabels {key,value} pair. 2896 maxLength: 63 2897 pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ 2898 type: string 2899 description: matchLabels is a map of {key,value} pairs. 2900 A single {key,value} in the matchLabels map is equivalent 2901 to an element of matchExpressions, whose key field is 2902 "key", the operator is "In", and the values array contains 2903 only "value". The requirements are ANDed. 2904 type: object 2905 type: object 2906 type: array 2907 icmps: 2908 description: "ICMPs is a list of ICMP rule identified by type 2909 number which the endpoint subject to the rule is not allowed 2910 to receive connections on. \n Example: Any endpoint with the 2911 label \"app=httpd\" can not accept incoming type 8 ICMP connections." 2912 items: 2913 description: ICMPRule is a list of ICMP fields. 2914 properties: 2915 fields: 2916 description: Fields is a list of ICMP fields. 2917 items: 2918 description: ICMPField is a ICMP field. 2919 properties: 2920 family: 2921 default: IPv4 2922 description: Family is a IP address version. Currently, 2923 we support `IPv4` and `IPv6`. `IPv4` is set as 2924 default. 2925 enum: 2926 - IPv4 2927 - IPv6 2928 type: string 2929 type: 2930 anyOf: 2931 - type: integer 2932 - type: string 2933 description: 'Type is a ICMP-type. 
It should be 2934 an 8bit code (0-255), or it''s CamelCase name 2935 (for example, "EchoReply"). Allowed ICMP types 2936 are: Ipv4: EchoReply | DestinationUnreachable 2937 | Redirect | Echo | EchoRequest | RouterAdvertisement 2938 | RouterSelection | TimeExceeded | ParameterProblem 2939 | Timestamp | TimestampReply | Photuris | ExtendedEcho 2940 Request | ExtendedEcho Reply Ipv6: DestinationUnreachable 2941 | PacketTooBig | TimeExceeded | ParameterProblem 2942 | EchoRequest | EchoReply | MulticastListenerQuery| 2943 MulticastListenerReport | MulticastListenerDone 2944 | RouterSolicitation | RouterAdvertisement | NeighborSolicitation 2945 | NeighborAdvertisement | RedirectMessage | RouterRenumbering 2946 | ICMPNodeInformationQuery | ICMPNodeInformationResponse 2947 | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement 2948 | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply 2949 | MobilePrefixSolicitation | MobilePrefixAdvertisement 2950 | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix 2951 | ExtendedEchoRequest | ExtendedEchoReply' 2952 pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho 2953 Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ 2954 x-kubernetes-int-or-string: true 2955 required: 2956 - type 2957 type: object 
2958 maxItems: 40 2959 type: array 2960 type: object 2961 type: array 2962 toPorts: 2963 description: "ToPorts is a list of destination ports identified 2964 by port number and protocol which the endpoint subject to 2965 the rule is not allowed to receive connections on. \n Example: 2966 Any endpoint with the label \"app=httpd\" can not accept incoming 2967 connections on port 80/tcp." 2968 items: 2969 description: PortDenyRule is a list of ports/protocol that 2970 should be used for deny policies. This structure lacks the 2971 L7Rules since it's not supported in deny policies. 2972 properties: 2973 ports: 2974 description: Ports is a list of L4 port/protocol 2975 items: 2976 description: PortProtocol specifies an L4 port with 2977 an optional transport protocol 2978 properties: 2979 endPort: 2980 description: EndPort can only be an L4 port number. 2981 format: int32 2982 maximum: 65535 2983 minimum: 0 2984 type: integer 2985 port: 2986 description: Port can be an L4 port number, or a 2987 name in the form of "http" or "http-8080". 2988 pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ 2989 type: string 2990 protocol: 2991 description: "Protocol is the L4 protocol. If omitted 2992 or empty, any protocol matches. Accepted values: 2993 \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching 2994 on ICMP is not supported. \n Named port specified 2995 for a container may narrow this down, but may 2996 not contradict this." 2997 enum: 2998 - TCP 2999 - UDP 3000 - SCTP 3001 - ANY 3002 type: string 3003 required: 3004 - port 3005 type: object 3006 type: array 3007 type: object 3008 type: array 3009 type: object 3010 type: array 3011 labels: 3012 description: Labels is a list of optional strings which can be used 3013 to re-identify the rule or to store metadata. It is possible to 3014 lookup or delete strings based on labels. 
Labels are not required 3015 to be unique, multiple rules can have overlapping or identical labels. 3016 items: 3017 description: Label is the Cilium's representation of a container 3018 label. 3019 properties: 3020 key: 3021 type: string 3022 source: 3023 description: 'Source can be one of the above values (e.g.: LabelSourceContainer).' 3024 type: string 3025 value: 3026 type: string 3027 required: 3028 - key 3029 type: object 3030 type: array 3031 nodeSelector: 3032 description: NodeSelector selects all nodes which should be subject 3033 to this rule. EndpointSelector and NodeSelector cannot be both empty 3034 and are mutually exclusive. Can only be used in CiliumClusterwideNetworkPolicies. 3035 properties: 3036 matchExpressions: 3037 description: matchExpressions is a list of label selector requirements. 3038 The requirements are ANDed. 3039 items: 3040 description: A label selector requirement is a selector that 3041 contains values, a key, and an operator that relates the key 3042 and values. 3043 properties: 3044 key: 3045 description: key is the label key that the selector applies 3046 to. 3047 type: string 3048 operator: 3049 description: operator represents a key's relationship to 3050 a set of values. Valid operators are In, NotIn, Exists 3051 and DoesNotExist. 3052 enum: 3053 - In 3054 - NotIn 3055 - Exists 3056 - DoesNotExist 3057 type: string 3058 values: 3059 description: values is an array of string values. If the 3060 operator is In or NotIn, the values array must be non-empty. 3061 If the operator is Exists or DoesNotExist, the values 3062 array must be empty. This array is replaced during a strategic 3063 merge patch. 
3064 items: 3065 type: string 3066 type: array 3067 x-kubernetes-list-type: atomic 3068 required: 3069 - key 3070 - operator 3071 type: object 3072 type: array 3073 x-kubernetes-list-type: atomic 3074 matchLabels: 3075 additionalProperties: 3076 description: MatchLabelsValue represents the value from the 3077 MatchLabels {key,value} pair. 3078 maxLength: 63 3079 pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ 3080 type: string 3081 description: matchLabels is a map of {key,value} pairs. A single 3082 {key,value} in the matchLabels map is equivalent to an element 3083 of matchExpressions, whose key field is "key", the operator 3084 is "In", and the values array contains only "value". The requirements 3085 are ANDed. 3086 type: object 3087 type: object 3088 type: object 3089 specs: 3090 description: Specs is a list of desired Cilium specific rule specification. 3091 items: 3092 description: "Rule is a policy rule which must be applied to all endpoints 3093 which match the labels contained in the endpointSelector \n Each rule 3094 is split into an ingress section which contains all rules applicable 3095 at ingress, and an egress section applicable at egress. For rule types 3096 such as `L4Rule` and `CIDR` which can be applied at both ingress and 3097 egress, both ingress and egress side have to either specifically allow 3098 the connection or one side has to be omitted. \n Either ingress, egress, 3099 or both can be provided. If both ingress and egress are omitted, the 3100 rule has no effect." 3101 oneOf: 3102 - properties: 3103 endpointSelector: {} 3104 required: 3105 - endpointSelector 3106 - properties: 3107 nodeSelector: {} 3108 required: 3109 - nodeSelector 3110 properties: 3111 description: 3112 description: Description is a free form string, it can be used by 3113 the creator of the rule to store human readable explanation of 3114 the purpose of this rule. Rules cannot be identified by comment. 
3115 type: string 3116 egress: 3117 description: Egress is a list of EgressRule which are enforced at 3118 egress. If omitted or empty, this rule does not apply at egress. 3119 items: 3120 description: "EgressRule contains all rule types which can be 3121 applied at egress, i.e. network traffic that originates inside 3122 the endpoint and exits the endpoint selected by the endpointSelector. 3123 \n - All members of this structure are optional. If omitted 3124 or empty, the member will have no effect on the rule. \n - If 3125 multiple members of the structure are specified, then all members 3126 must match in order for the rule to take effect. The exception 3127 to this rule is the ToRequires member; the effects of any Requires 3128 field in any rule will apply to all other rules as well. \n 3129 - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and 3130 ToGroups are mutually exclusive. Only one of these members may 3131 be present within an individual rule." 3132 properties: 3133 authentication: 3134 description: Authentication is the required authentication 3135 type for the allowed traffic, if any. 3136 properties: 3137 mode: 3138 description: Mode is the required authentication mode 3139 for the allowed traffic, if any. 3140 enum: 3141 - disabled 3142 - required 3143 - test-always-fail 3144 type: string 3145 required: 3146 - mode 3147 type: object 3148 icmps: 3149 description: "ICMPs is a list of ICMP rule identified by type 3150 number which the endpoint subject to the rule is allowed 3151 to connect to. \n Example: Any endpoint with the label \"app=httpd\" 3152 is allowed to initiate type 8 ICMP connections." 3153 items: 3154 description: ICMPRule is a list of ICMP fields. 3155 properties: 3156 fields: 3157 description: Fields is a list of ICMP fields. 3158 items: 3159 description: ICMPField is a ICMP field. 3160 properties: 3161 family: 3162 default: IPv4 3163 description: Family is a IP address version. Currently, 3164 we support `IPv4` and `IPv6`. 
`IPv4` is set 3165 as default. 3166 enum: 3167 - IPv4 3168 - IPv6 3169 type: string 3170 type: 3171 anyOf: 3172 - type: integer 3173 - type: string 3174 description: 'Type is a ICMP-type. It should be 3175 an 8bit code (0-255), or it''s CamelCase name 3176 (for example, "EchoReply"). Allowed ICMP types 3177 are: Ipv4: EchoReply | DestinationUnreachable 3178 | Redirect | Echo | EchoRequest | RouterAdvertisement 3179 | RouterSelection | TimeExceeded | ParameterProblem 3180 | Timestamp | TimestampReply | Photuris | ExtendedEcho 3181 Request | ExtendedEcho Reply Ipv6: DestinationUnreachable 3182 | PacketTooBig | TimeExceeded | ParameterProblem 3183 | EchoRequest | EchoReply | MulticastListenerQuery| 3184 MulticastListenerReport | MulticastListenerDone 3185 | RouterSolicitation | RouterAdvertisement | 3186 NeighborSolicitation | NeighborAdvertisement 3187 | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery 3188 | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation 3189 | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest 3190 | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation 3191 | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix 3192 | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest 3193 | ExtendedEchoReply' 3194 pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho 3195 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ 3196 x-kubernetes-int-or-string: true 3197 required: 3198 - type 3199 type: object 3200 maxItems: 40 3201 type: array 3202 type: object 3203 type: array 3204 toCIDR: 3205 description: "ToCIDR is a list of IP blocks which the endpoint 3206 subject to the rule is allowed to initiate connections. 3207 Only connections destined for outside of the cluster and 3208 not targeting the host will be subject to CIDR rules. This 3209 will match on the destination IP address of outgoing connections. 3210 Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs 3211 is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. 3212 \n Example: Any endpoint with the label \"app=database-proxy\" 3213 is allowed to initiate connections to 10.2.3.0/24" 3214 items: 3215 description: 'CIDR specifies a block of IP addresses. Example: 3216 192.0.2.1/32' 3217 format: cidr 3218 type: string 3219 type: array 3220 toCIDRSet: 3221 description: "ToCIDRSet is a list of IP blocks which the endpoint 3222 subject to the rule is allowed to initiate connections to 3223 in addition to connections which are allowed via ToEndpoints, 3224 along with a list of subnets contained within their corresponding 3225 IP block to which traffic should not be allowed. This will 3226 match on the destination IP address of outgoing connections. 3227 Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs 3228 is equivalent. 
Overlaps are allowed between ToCIDR and ToCIDRSet. 3229 \n Example: Any endpoint with the label \"app=database-proxy\" 3230 is allowed to initiate connections to 10.2.3.0/24 except 3231 from IPs in subnet 10.2.3.0/28." 3232 items: 3233 description: CIDRRule is a rule that specifies a CIDR prefix 3234 to/from which outside communication is allowed, along 3235 with an optional list of subnets within that CIDR prefix 3236 to/from which outside communication is not allowed. 3237 oneOf: 3238 - properties: 3239 cidr: {} 3240 required: 3241 - cidr 3242 - properties: 3243 cidrGroupRef: {} 3244 required: 3245 - cidrGroupRef 3246 properties: 3247 cidr: 3248 description: CIDR is a CIDR prefix / IP Block. 3249 format: cidr 3250 type: string 3251 cidrGroupRef: 3252 description: CIDRGroupRef is a reference to a CiliumCIDRGroup 3253 object. A CiliumCIDRGroup contains a list of CIDRs 3254 that the endpoint, subject to the rule, can (Ingress/Egress) 3255 or cannot (IngressDeny/EgressDeny) receive connections 3256 from. 3257 maxLength: 253 3258 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 3259 type: string 3260 except: 3261 description: ExceptCIDRs is a list of IP blocks which 3262 the endpoint subject to the rule is not allowed to 3263 initiate connections to. These CIDR prefixes should 3264 be contained within Cidr, using ExceptCIDRs together 3265 with CIDRGroupRef is not supported yet. These exceptions 3266 are only applied to the Cidr in this CIDRRule, and 3267 do not apply to any other CIDR prefixes in any other 3268 CIDRRules. 3269 items: 3270 description: 'CIDR specifies a block of IP addresses. 3271 Example: 192.0.2.1/32' 3272 format: cidr 3273 type: string 3274 type: array 3275 type: object 3276 type: array 3277 toEndpoints: 3278 description: "ToEndpoints is a list of endpoints identified 3279 by an EndpointSelector to which the endpoints subject to 3280 the rule are allowed to communicate. 
\n Example: Any endpoint 3281 with the label \"role=frontend\" can communicate with any 3282 endpoint carrying the label \"role=backend\"." 3283 items: 3284 description: EndpointSelector is a wrapper for k8s LabelSelector. 3285 properties: 3286 matchExpressions: 3287 description: matchExpressions is a list of label selector 3288 requirements. The requirements are ANDed. 3289 items: 3290 description: A label selector requirement is a selector 3291 that contains values, a key, and an operator that 3292 relates the key and values. 3293 properties: 3294 key: 3295 description: key is the label key that the selector 3296 applies to. 3297 type: string 3298 operator: 3299 description: operator represents a key's relationship 3300 to a set of values. Valid operators are In, 3301 NotIn, Exists and DoesNotExist. 3302 enum: 3303 - In 3304 - NotIn 3305 - Exists 3306 - DoesNotExist 3307 type: string 3308 values: 3309 description: values is an array of string values. 3310 If the operator is In or NotIn, the values array 3311 must be non-empty. If the operator is Exists 3312 or DoesNotExist, the values array must be empty. 3313 This array is replaced during a strategic merge 3314 patch. 3315 items: 3316 type: string 3317 type: array 3318 x-kubernetes-list-type: atomic 3319 required: 3320 - key 3321 - operator 3322 type: object 3323 type: array 3324 x-kubernetes-list-type: atomic 3325 matchLabels: 3326 additionalProperties: 3327 description: MatchLabelsValue represents the value 3328 from the MatchLabels {key,value} pair. 3329 maxLength: 63 3330 pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ 3331 type: string 3332 description: matchLabels is a map of {key,value} pairs. 3333 A single {key,value} in the matchLabels map is equivalent 3334 to an element of matchExpressions, whose key field 3335 is "key", the operator is "In", and the values array 3336 contains only "value". The requirements are ANDed. 
3337 type: object 3338 type: object 3339 type: array 3340 toEntities: 3341 description: ToEntities is a list of special entities to which 3342 the endpoint subject to the rule is allowed to initiate 3343 connections. Supported entities are `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, 3344 `init`, `health`,`unmanaged` and `all`. 3345 items: 3346 description: Entity specifies the class of receiver/sender 3347 endpoints that do not have individual identities. Entities 3348 are used to describe "outside of cluster", "host", etc. 3349 enum: 3350 - all 3351 - world 3352 - cluster 3353 - host 3354 - init 3355 - ingress 3356 - unmanaged 3357 - remote-node 3358 - health 3359 - none 3360 - kube-apiserver 3361 type: string 3362 type: array 3363 toFQDNs: 3364 description: 'ToFQDN allows whitelisting DNS names in place 3365 of IPs. The IPs that result from DNS resolution of `ToFQDN.MatchName`s 3366 are added to the same EgressRule object as ToCIDRSet entries, 3367 and behave accordingly. Any L4 and L7 rules within this 3368 EgressRule will also apply to these IPs. The DNS -> IP mapping 3369 is re-resolved periodically from within the cilium-agent, 3370 and the IPs in the DNS response are effected in the policy 3371 for selected pods as-is (i.e. the list of IPs is not modified 3372 in any way). Note: An explicit rule to allow for DNS traffic 3373 is needed for the pods, as ToFQDN counts as an egress rule 3374 and will enforce egress policy when PolicyEnforcment=default. 3375 Note: If the resolved IPs are IPs within the kubernetes 3376 cluster, the ToFQDN rule will not apply to that IP. Note: 3377 ToFQDN cannot occur in the same policy as other To* rules.' 3378 items: 3379 oneOf: 3380 - properties: 3381 matchName: {} 3382 required: 3383 - matchName 3384 - properties: 3385 matchPattern: {} 3386 required: 3387 - matchPattern 3388 properties: 3389 matchName: 3390 description: MatchName matches literal DNS names. A 3391 trailing "." is automatically added when missing. 
3392 pattern: ^([-a-zA-Z0-9_]+[.]?)+$ 3393 type: string 3394 matchPattern: 3395 description: "MatchPattern allows using wildcards to 3396 match DNS names. All wildcards are case insensitive. 3397 The wildcards are: - \"*\" matches 0 or more DNS valid 3398 characters, and may occur anywhere in the pattern. 3399 As a special case a \"*\" as the leftmost character, 3400 without a following \".\" matches all subdomains as 3401 well as the name to the right. A trailing \".\" is 3402 automatically added when missing. \n Examples: `*.cilium.io` 3403 matches subomains of cilium at that level www.cilium.io 3404 and blog.cilium.io match, cilium.io and google.com 3405 do not `*cilium.io` matches cilium.io and all subdomains 3406 ends with \"cilium.io\" except those containing \".\" 3407 separator, subcilium.io and sub-cilium.io match, www.cilium.io 3408 and blog.cilium.io does not sub*.cilium.io matches 3409 subdomains of cilium where the subdomain component 3410 begins with \"sub\" sub.cilium.io and subdomain.cilium.io 3411 match, www.cilium.io, blog.cilium.io, cilium.io and 3412 google.com do not" 3413 pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ 3414 type: string 3415 type: object 3416 type: array 3417 toGroups: 3418 description: "ToGroups is a directive that allows the integration 3419 with multiple outside providers. Currently, only AWS is 3420 supported, and the rule can select by multiple sub directives: 3421 \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" 3422 items: 3423 description: Groups structure to store all kinds of new 3424 integrations that needs a new derivative policy. 
3425 properties: 3426 aws: 3427 description: AWSGroup is an structure that can be used 3428 to whitelisting information from AWS integration 3429 properties: 3430 labels: 3431 additionalProperties: 3432 type: string 3433 type: object 3434 region: 3435 type: string 3436 securityGroupsIds: 3437 items: 3438 type: string 3439 type: array 3440 securityGroupsNames: 3441 items: 3442 type: string 3443 type: array 3444 type: object 3445 type: object 3446 type: array 3447 toNodes: 3448 description: ToNodes is a list of nodes identified by an EndpointSelector 3449 to which endpoints subject to the rule is allowed to communicate. 3450 items: 3451 description: EndpointSelector is a wrapper for k8s LabelSelector. 3452 properties: 3453 matchExpressions: 3454 description: matchExpressions is a list of label selector 3455 requirements. The requirements are ANDed. 3456 items: 3457 description: A label selector requirement is a selector 3458 that contains values, a key, and an operator that 3459 relates the key and values. 3460 properties: 3461 key: 3462 description: key is the label key that the selector 3463 applies to. 3464 type: string 3465 operator: 3466 description: operator represents a key's relationship 3467 to a set of values. Valid operators are In, 3468 NotIn, Exists and DoesNotExist. 3469 enum: 3470 - In 3471 - NotIn 3472 - Exists 3473 - DoesNotExist 3474 type: string 3475 values: 3476 description: values is an array of string values. 3477 If the operator is In or NotIn, the values array 3478 must be non-empty. If the operator is Exists 3479 or DoesNotExist, the values array must be empty. 3480 This array is replaced during a strategic merge 3481 patch. 
                                  items:
                                    type: string
                                  type: array
                                  x-kubernetes-list-type: atomic
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                            x-kubernetes-list-type: atomic
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    toPorts:
                      description: "ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to connect to. \n Example: Any endpoint with the label \"role=frontend\" is allowed to initiate connections to destination port 8080/tcp"
                      items:
                        description: PortRule is a list of ports/protocol combinations with optional Layer 7 rules which must be met.
                        properties:
                          listener:
                            description: listener specifies the name of a custom Envoy listener to which this traffic should be redirected.
                            properties:
                              envoyConfig:
                                description: EnvoyConfig is a reference to the CEC or CCEC resource in which the listener is defined.
                                properties:
                                  kind:
                                    description: Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, respectively. The only case this is currently explicitly needed is when referring to a CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener from a cluster scoped policy is not allowed.
                                    enum:
                                    - CiliumEnvoyConfig
                                    - CiliumClusterwideEnvoyConfig
                                    type: string
                                  name:
                                    description: Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig in which the listener is defined.
                                    minLength: 1
                                    type: string
                                required:
                                - name
                                type: object
                              name:
                                description: Name is the name of the listener.
                                minLength: 1
                                type: string
                              priority:
                                description: Priority for this Listener that is used when multiple rules would apply different listeners to a policy map entry. Behavior of this is implementation dependent.
                                maximum: 100
                                minimum: 1
                                type: integer
                            required:
                            - envoyConfig
                            - name
                            type: object
                          originatingTLS:
                            description: OriginatingTLS is the TLS context for the connections originated by the L7 proxy. For egress policy this specifies the client-side TLS parameters for the upstream connection originating from the L7 proxy to the remote destination. For ingress policy this specifies the client-side TLS parameters for the connection from the L7 proxy to the local endpoint.
                            properties:
                              certificate:
                                description: Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist.
                                type: string
                              privateKey:
                                description: PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist.
                                type: string
                              secret:
                                description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - ''ca.crt'' - Which represents the trusted CA to verify remote source. - ''tls.crt'' - Which represents the public key certificate. - ''tls.key'' - Which represents the private key matching the public key certificate.'
                                properties:
                                  name:
                                    description: Name is the name of the secret.
                                    type: string
                                  namespace:
                                    description: Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., "default").
                                    type: string
                                required:
                                - name
                                type: object
                              trustedCA:
                                description: TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist.
                                type: string
                            required:
                            - secret
                            type: object
                          ports:
                            description: Ports is a list of L4 port/protocol
                            items:
                              description: PortProtocol specifies an L4 port with an optional transport protocol
                              properties:
                                endPort:
                                  description: EndPort can only be an L4 port number.
                                  format: int32
                                  maximum: 65535
                                  minimum: 0
                                  type: integer
                                port:
                                  description: Port can be an L4 port number, or a name in the form of "http" or "http-8080".
                                  pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$
                                  type: string
                                protocol:
                                  description: "Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching on ICMP is not supported. \n Named port specified for a container may narrow this down, but may not contradict this."
                                  enum:
                                  - TCP
                                  - UDP
                                  - SCTP
                                  - ANY
                                  type: string
                              required:
                              - port
                              type: object
                            maxItems: 40
                            type: array
                          rules:
                            description: Rules is a list of additional port level rules which must be met in order for the PortRule to allow the traffic. If omitted or empty, no layer 7 rules are enforced.
                            oneOf:
                            - properties:
                                http: {}
                              required:
                              - http
                            - properties:
                                kafka: {}
                              required:
                              - kafka
                            - properties:
                                dns: {}
                              required:
                              - dns
                            - properties:
                                l7proto: {}
                              required:
                              - l7proto
                            properties:
                              dns:
                                description: DNS-specific rules.
                                items:
                                  description: PortRuleDNS is a list of allowed DNS lookups.
                                  oneOf:
                                  - properties:
                                      matchName: {}
                                    required:
                                    - matchName
                                  - properties:
                                      matchPattern: {}
                                    required:
                                    - matchPattern
                                  properties:
                                    matchName:
                                      description: MatchName matches literal DNS names. A trailing "." is automatically added when missing.
                                      pattern: ^([-a-zA-Z0-9_]+[.]?)+$
                                      type: string
                                    matchPattern:
                                      description: "MatchPattern allows using wildcards to match DNS names. All wildcards are case insensitive. The wildcards are: - \"*\" matches 0 or more DNS valid characters, and may occur anywhere in the pattern. As a special case a \"*\" as the leftmost character, without a following \".\" matches all subdomains as well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: `*.cilium.io` matches subdomains of cilium at that level: www.cilium.io and blog.cilium.io match, cilium.io and google.com do not. `*cilium.io` matches cilium.io and all subdomains ending with \"cilium.io\" except those containing a \".\" separator: subcilium.io and sub-cilium.io match, www.cilium.io and blog.cilium.io do not. sub*.cilium.io matches subdomains of cilium where the subdomain component begins with \"sub\": sub.cilium.io and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not"
                                      pattern: ^([-a-zA-Z0-9_*]+[.]?)+$
                                      type: string
                                  type: object
                                type: array
                              http:
                                description: HTTP specific rules.
                                items:
                                  description: "PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect. \n All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1, (i.e. this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986."
                                  properties:
                                    headerMatches:
                                      description: HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match.
                                      items:
                                        description: HeaderMatch extends the HeaderValue for matching requirement of a named header field against an immediate string, a secret value, or a regex. If none of the optional fields is present, then the header value is not matched, only presence of the header is enough.
                                        properties:
                                          mismatch:
                                            description: Mismatch identifies what to do in case there is no match. The default is to drop the request. Otherwise the overall rule is still considered as matching, but the mismatches are logged in the access log.
                                            enum:
                                            - LOG
                                            - ADD
                                            - DELETE
                                            - REPLACE
                                            type: string
                                          name:
                                            description: Name identifies the header.
                                            minLength: 1
                                            type: string
                                          secret:
                                            description: Secret refers to a secret that contains the value to be matched against. The secret must only contain one entry. If the referred secret does not exist, and there is no "Value" specified, the match will fail.
                                            properties:
                                              name:
                                                description: Name is the name of the secret.
                                                type: string
                                              namespace:
                                                description: Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., "default").
                                                type: string
                                            required:
                                            - name
                                            type: object
                                          value:
                                            description: Value matches the exact value of the header. Can be specified either alone or together with "Secret"; will be used as the header value if the secret can not be found in the latter case.
                                            type: string
                                        required:
                                        - name
                                        type: object
                                      type: array
                                    headers:
                                      description: Headers is a list of HTTP headers which must be present in the request. If omitted or empty, requests are allowed regardless of headers present.
                                      items:
                                        type: string
                                      type: array
                                    host:
                                      description: "Host is an extended POSIX regex matched against the host header of a request. Examples: \n - foo.bar.com will match the host fooXbar.com or foo-bar.com - foo\\.bar\\.com will only match the host foo.bar.com \n If omitted or empty, the value of the host header is ignored."
                                      format: idn-hostname
                                      type: string
                                    method:
                                      description: "Method is an extended POSIX regex matched against the method of a request, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ... \n If omitted or empty, all methods are allowed."
                                      type: string
                                    path:
                                      description: "Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. \n If omitted or empty, all paths are allowed."
                                      type: string
                                  type: object
                                type: array
                              kafka:
                                description: Kafka-specific rules.
                                items:
                                  description: PortRule is a list of Kafka protocol constraints. All fields are optional, if all fields are empty or missing, the rule will match all Kafka messages.
                                  properties:
                                    apiKey:
                                      description: "APIKey is a case-insensitive string matched against the key of a request, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", et al. Reference: https://kafka.apache.org/protocol#protocol_api_keys \n If omitted or empty, and if Role is not specified, then all keys are allowed."
                                      type: string
                                    apiVersion:
                                      description: "APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer. \n If omitted or empty, all versions are allowed."
                                      type: string
                                    clientID:
                                      description: "ClientID is the client identifier as provided in the request. \n From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client. \n If omitted or empty, all client identifiers are allowed."
                                      type: string
                                    role:
                                      description: "Role is a case-insensitive string and describes a group of API keys necessary to perform certain higher-level Kafka operations such as \"produce\" or \"consume\". A Role automatically expands into all APIKeys required to perform the specified higher-level operation. \n The following values are supported: - \"produce\": Allow producing to the topics specified in the rule - \"consume\": Allow consuming from the topics specified in the rule \n This field is incompatible with the APIKey field, i.e. APIKey and Role cannot both be specified in the same rule. \n If omitted or empty, and if APIKey is not specified, then all keys are allowed."
                                      enum:
                                      - produce
                                      - consume
                                      type: string
                                    topic:
                                      description: "Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected. \n This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _. \n Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. For compatibility reasons we are using 255. \n If omitted or empty, all topics are allowed."
                                      maxLength: 255
                                      type: string
                                  type: object
                                type: array
                              l7:
                                description: Key-value pair rules.
                                items:
                                  additionalProperties:
                                    type: string
                                  description: PortRuleL7 is a list of key-value pairs interpreted by an L7 protocol as protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect.
                                  type: object
                                type: array
                              l7proto:
                                description: Name of the L7 protocol for which the Key-value pair rules apply.
                                type: string
                            type: object
                          serverNames:
                            description: ServerNames is a list of allowed TLS SNI values. If not empty, then TLS must be present and one of the provided SNIs must be indicated in the TLS handshake.
                            items:
                              type: string
                            type: array
                          terminatingTLS:
                            description: TerminatingTLS is the TLS context for the connection terminated by the L7 proxy. For egress policy this specifies the server-side TLS parameters to be applied on the connections originated from the local endpoint and terminated by the L7 proxy. For ingress policy this specifies the server-side TLS parameters to be applied on the connections originated from a remote source and terminated by the L7 proxy.
                            properties:
                              certificate:
                                description: Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist.
                                type: string
                              privateKey:
                                description: PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist.
                                type: string
                              secret:
                                description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - ''ca.crt'' - Which represents the trusted CA to verify remote source. - ''tls.crt'' - Which represents the public key certificate. - ''tls.key'' - Which represents the private key matching the public key certificate.'
                                properties:
                                  name:
                                    description: Name is the name of the secret.
                                    type: string
                                  namespace:
                                    description: Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., "default").
                                    type: string
                                required:
                                - name
                                type: object
                              trustedCA:
                                description: TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist.
                                type: string
                            required:
                            - secret
                            type: object
                        type: object
                      type: array
                    toRequires:
                      description: "ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do not by themselves grant access privileges and must always be accompanied with at least one matching ToEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires any endpoint to which it communicates to also carry the label \"team=A\"."
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                  items:
                                    type: string
                                  type: array
                                  x-kubernetes-list-type: atomic
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                            x-kubernetes-list-type: atomic
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    toServices:
                      description: "ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors. \n Example: Any endpoint with the label \"app=backend-app\" is allowed to initiate connections to all cidrs backing the \"external-service\" service"
                      items:
                        description: Service wraps around selectors for services
                        properties:
                          k8sService:
                            description: K8sService selects service by name and namespace pair
                            properties:
                              namespace:
                                type: string
                              serviceName:
                                type: string
                            type: object
                          k8sServiceSelector:
                            description: K8sServiceSelector selects services by k8s labels and namespace
                            properties:
                              namespace:
                                type: string
                              selector:
                                description: ServiceSelector is a label selector for k8s services
                                properties:
                                  matchExpressions:
                                    description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                                    items:
                                      description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                      properties:
                                        key:
                                          description: key is the label key that the selector applies to.
                                          type: string
                                        operator:
                                          description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                          enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                          type: string
                                        values:
                                          description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                          items:
                                            type: string
                                          type: array
                                          x-kubernetes-list-type: atomic
                                      required:
                                      - key
                                      - operator
                                      type: object
                                    type: array
                                    x-kubernetes-list-type: atomic
                                  matchLabels:
                                    additionalProperties:
                                      description: MatchLabelsValue represents the value from the MatchLabels {key,value} pair.
                                      maxLength: 63
                                      pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                                      type: string
                                    description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                    type: object
                                type: object
                            required:
                            - selector
                            type: object
                        type: object
                      type: array
                  type: object
                type: array
              egressDeny:
                description: EgressDeny is a list of EgressDenyRule which are enforced at egress. Any rule inserted here will be denied regardless of the allowed egress rules in the 'egress' field. If omitted or empty, this rule does not apply at egress.
                items:
                  description: "EgressDenyRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector. \n - All members of this structure are optional. If omitted or empty, the member will have no effect on the rule. \n - If multiple members of the structure are specified, then all members must match in order for the rule to take effect. The exception to this rule is the ToRequires member; the effects of any Requires field in any rule will apply to all other rules as well. \n - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are mutually exclusive. Only one of these members may be present within an individual rule."
                  properties:
                    icmps:
                      description: "ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is not allowed to connect to. \n Example: Any endpoint with the label \"app=httpd\" is not allowed to initiate type 8 ICMP connections."
                      items:
                        description: ICMPRule is a list of ICMP fields.
                        properties:
                          fields:
                            description: Fields is a list of ICMP fields.
                            items:
                              description: ICMPField is an ICMP field.
                              properties:
                                family:
                                  default: IPv4
                                  description: Family is an IP address version. Currently, we support `IPv4` and `IPv6`. `IPv4` is set as default.
                                  enum:
                                  - IPv4
                                  - IPv6
                                  type: string
                                type:
                                  anyOf:
                                  - type: integer
                                  - type: string
                                  description: 'Type is an ICMP-type. It should be an 8-bit code (0-255), or its CamelCase name (for example, "EchoReply"). Allowed ICMP types are: Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest | RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem | Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem | EchoRequest | EchoReply | MulticastListenerQuery | MulticastListenerReport | MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation | NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest | ExtendedEchoReply'
                                  pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$
                                  x-kubernetes-int-or-string: true
                              required:
                              - type
                              type: object
                            maxItems: 40
                            type: array
                        type: object
                      type: array
                    toCIDR:
                      description: "ToCIDR is a list of IP blocks to which the endpoint subject to the rule is allowed to initiate connections. Only connections destined for outside of the cluster and not targeting the host will be subject to CIDR rules. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24"
                      items:
                        description: 'CIDR specifies a block of IP addresses. Example: 192.0.2.1/32'
                        format: cidr
                        type: string
                      type: array
                    toCIDRSet:
                      description: "ToCIDRSet is a list of IP blocks to which the endpoint subject to the rule is allowed to initiate connections in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."
                      items:
                        description: CIDRRule is a rule that specifies a CIDR prefix to/from which outside communication is allowed, along with an optional list of subnets within that CIDR prefix to/from which outside communication is not allowed.
                        oneOf:
                        - properties:
                            cidr: {}
                          required:
                          - cidr
                        - properties:
                            cidrGroupRef: {}
                          required:
                          - cidrGroupRef
                        properties:
                          cidr:
                            description: CIDR is a CIDR prefix / IP Block.
                            format: cidr
                            type: string
                          cidrGroupRef:
                            description: CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive connections from.
                            maxLength: 253
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          except:
                            description: ExceptCIDRs is a list of IP blocks to which the endpoint subject to the rule is not allowed to initiate connections. These CIDR prefixes should be contained within Cidr; using ExceptCIDRs together with CIDRGroupRef is not supported yet. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.
                            items:
                              description: 'CIDR specifies a block of IP addresses. Example: 192.0.2.1/32'
                              format: cidr
                              type: string
                            type: array
                        type: object
                      type: array
                    toEndpoints:
                      description: "ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoints subject to the rule are allowed to communicate. \n Example: Any endpoint with the label \"role=frontend\" can communicate with any endpoint carrying the label \"role=backend\"."
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                  items:
                                    type: string
                                  type: array
                                  x-kubernetes-list-type: atomic
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                            x-kubernetes-list-type: atomic
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    toEntities:
                      description: ToEntities is a list of special entities to which the endpoint subject to the rule is allowed to initiate connections. Supported entities are `world`, `cluster`, `host`, `remote-node`, `kube-apiserver`, `init`, `health`, `unmanaged` and `all`.
                      items:
                        description: Entity specifies the class of receiver/sender endpoints that do not have individual identities. Entities are used to describe "outside of cluster", "host", etc.
                        enum:
                        - all
                        - world
                        - cluster
                        - host
                        - init
                        - ingress
                        - unmanaged
                        - remote-node
                        - health
                        - none
                        - kube-apiserver
                        type: string
                      type: array
                    toGroups:
                      description: "ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"
                      items:
                        description: Groups structure to store all kinds of new integrations that need a new derivative policy.
                        properties:
                          aws:
                            description: AWSGroup is a structure that can be used for whitelisting information from the AWS integration
                            properties:
                              labels:
                                additionalProperties:
                                  type: string
                                type: object
                              region:
                                type: string
                              securityGroupsIds:
                                items:
                                  type: string
                                type: array
                              securityGroupsNames:
                                items:
                                  type: string
                                type: array
                            type: object
                        type: object
                      type: array
                    toNodes:
                      description: ToNodes is a list of nodes identified by an EndpointSelector to which endpoints subject to the rule are allowed to communicate.
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                  items:
                                    type: string
                                  type: array
                                  x-kubernetes-list-type: atomic
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                            x-kubernetes-list-type: atomic
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    toPorts:
                      description: "ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to connect to. \n Example: Any endpoint with the label \"role=frontend\" is not allowed to initiate connections to destination port 8080/tcp"
                      items:
                        description: PortDenyRule is a list of ports/protocol that should be used for deny policies. This structure lacks the L7Rules since it's not supported in deny policies.
                        properties:
                          ports:
                            description: Ports is a list of L4 port/protocol
                            items:
                              description: PortProtocol specifies an L4 port with an optional transport protocol
                              properties:
                                endPort:
                                  description: EndPort can only be an L4 port number.
                                  format: int32
                                  maximum: 65535
                                  minimum: 0
                                  type: integer
                                port:
                                  description: Port can be an L4 port number, or a name in the form of "http" or "http-8080".
                                  pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$
                                  type: string
                                protocol:
                                  description: "Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching on ICMP is not supported. \n Named port specified for a container may narrow this down, but may not contradict this."
                                  enum:
                                  - TCP
                                  - UDP
                                  - SCTP
                                  - ANY
                                  type: string
                              required:
                              - port
                              type: object
                            type: array
                        type: object
                      type: array
                    toRequires:
                      description: "ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do not by themselves grant access privileges and must always be accompanied with at least one matching ToEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires any endpoint to which it communicates to also carry the label \"team=A\"."
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                  items:
                                    type: string
                                  type: array
                                  x-kubernetes-list-type: atomic
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                            x-kubernetes-list-type: atomic
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    toServices:
                      description: "ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors. \n Example: Any endpoint with the label \"app=backend-app\" is allowed to initiate connections to all cidrs backing the \"external-service\" service"
                      items:
                        description: Service wraps around selectors for services
                        properties:
                          k8sService:
                            description: K8sService selects service by name and namespace pair
                            properties:
                              namespace:
                                type: string
                              serviceName:
                                type: string
                            type: object
                          k8sServiceSelector:
                            description: K8sServiceSelector selects services by k8s labels and namespace
                            properties:
                              namespace:
                                type: string
                              selector:
                                description: ServiceSelector is a label selector for k8s services
                                properties:
                                  matchExpressions:
                                    description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
4626 items: 4627 description: A label selector requirement 4628 is a selector that contains values, a key, 4629 and an operator that relates the key and 4630 values. 4631 properties: 4632 key: 4633 description: key is the label key that 4634 the selector applies to. 4635 type: string 4636 operator: 4637 description: operator represents a key's 4638 relationship to a set of values. Valid 4639 operators are In, NotIn, Exists and 4640 DoesNotExist. 4641 enum: 4642 - In 4643 - NotIn 4644 - Exists 4645 - DoesNotExist 4646 type: string 4647 values: 4648 description: values is an array of string 4649 values. If the operator is In or NotIn, 4650 the values array must be non-empty. 4651 If the operator is Exists or DoesNotExist, 4652 the values array must be empty. This 4653 array is replaced during a strategic 4654 merge patch. 4655 items: 4656 type: string 4657 type: array 4658 x-kubernetes-list-type: atomic 4659 required: 4660 - key 4661 - operator 4662 type: object 4663 type: array 4664 x-kubernetes-list-type: atomic 4665 matchLabels: 4666 additionalProperties: 4667 description: MatchLabelsValue represents the 4668 value from the MatchLabels {key,value} pair. 4669 maxLength: 63 4670 pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ 4671 type: string 4672 description: matchLabels is a map of {key,value} 4673 pairs. A single {key,value} in the matchLabels 4674 map is equivalent to an element of matchExpressions, 4675 whose key field is "key", the operator is 4676 "In", and the values array contains only "value". 4677 The requirements are ANDed. 4678 type: object 4679 type: object 4680 required: 4681 - selector 4682 type: object 4683 type: object 4684 type: array 4685 type: object 4686 type: array 4687 enableDefaultDeny: 4688 description: "EnableDefaultDeny determines whether this policy configures 4689 the subject endpoint(s) to have a default deny mode. If enabled, 4690 this causes all traffic not explicitly allowed by a network policy 4691 to be dropped. 
\n If not specified, the default is true for each 4692 traffic direction that has rules, and false otherwise. For example, 4693 if a policy only has Ingress or IngressDeny rules, then the default 4694 for ingress is true and egress is false. \n If multiple policies 4695 apply to an endpoint, that endpoint's default deny will be enabled 4696 if any policy requests it. \n This is useful for creating broad-based 4697 network policies that will not cause endpoints to enter default-deny 4698 mode." 4699 properties: 4700 egress: 4701 description: Whether or not the endpoint should have a default-deny 4702 rule applied to egress traffic. 4703 type: boolean 4704 ingress: 4705 description: Whether or not the endpoint should have a default-deny 4706 rule applied to ingress traffic. 4707 type: boolean 4708 type: object 4709 endpointSelector: 4710 description: EndpointSelector selects all endpoints which should 4711 be subject to this rule. EndpointSelector and NodeSelector cannot 4712 be both empty and are mutually exclusive. 4713 properties: 4714 matchExpressions: 4715 description: matchExpressions is a list of label selector requirements. 4716 The requirements are ANDed. 4717 items: 4718 description: A label selector requirement is a selector that 4719 contains values, a key, and an operator that relates the 4720 key and values. 4721 properties: 4722 key: 4723 description: key is the label key that the selector applies 4724 to. 4725 type: string 4726 operator: 4727 description: operator represents a key's relationship 4728 to a set of values. Valid operators are In, NotIn, Exists 4729 and DoesNotExist. 4730 enum: 4731 - In 4732 - NotIn 4733 - Exists 4734 - DoesNotExist 4735 type: string 4736 values: 4737 description: values is an array of string values. If the 4738 operator is In or NotIn, the values array must be non-empty. 4739 If the operator is Exists or DoesNotExist, the values 4740 array must be empty. This array is replaced during a 4741 strategic merge patch. 
4742 items: 4743 type: string 4744 type: array 4745 x-kubernetes-list-type: atomic 4746 required: 4747 - key 4748 - operator 4749 type: object 4750 type: array 4751 x-kubernetes-list-type: atomic 4752 matchLabels: 4753 additionalProperties: 4754 description: MatchLabelsValue represents the value from the 4755 MatchLabels {key,value} pair. 4756 maxLength: 63 4757 pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ 4758 type: string 4759 description: matchLabels is a map of {key,value} pairs. A single 4760 {key,value} in the matchLabels map is equivalent to an element 4761 of matchExpressions, whose key field is "key", the operator 4762 is "In", and the values array contains only "value". The requirements 4763 are ANDed. 4764 type: object 4765 type: object 4766 ingress: 4767 description: Ingress is a list of IngressRule which are enforced 4768 at ingress. If omitted or empty, this rule does not apply at ingress. 4769 items: 4770 description: "IngressRule contains all rule types which can be 4771 applied at ingress, i.e. network traffic that originates outside 4772 of the endpoint and is entering the endpoint selected by the 4773 endpointSelector. \n - All members of this structure are optional. 4774 If omitted or empty, the member will have no effect on the rule. 4775 \n - If multiple members are set, all of them need to match 4776 in order for the rule to take effect. The exception to this 4777 rule is FromRequires field; the effects of any Requires field 4778 in any rule will apply to all other rules as well. \n - FromEndpoints, 4779 FromCIDR, FromCIDRSet and FromEntities are mutually exclusive. 4780 Only one of these members may be present within an individual 4781 rule." 4782 properties: 4783 authentication: 4784 description: Authentication is the required authentication 4785 type for the allowed traffic, if any. 4786 properties: 4787 mode: 4788 description: Mode is the required authentication mode 4789 for the allowed traffic, if any. 
4790 enum: 4791 - disabled 4792 - required 4793 - test-always-fail 4794 type: string 4795 required: 4796 - mode 4797 type: object 4798 fromCIDR: 4799 description: "FromCIDR is a list of IP blocks which the endpoint 4800 subject to the rule is allowed to receive connections from. 4801 Only connections which do *not* originate from the cluster 4802 or from the local host are subject to CIDR rules. In order 4803 to allow in-cluster connectivity, use the FromEndpoints 4804 field. This will match on the source IP address of incoming 4805 connections. Adding a prefix into FromCIDR or into FromCIDRSet 4806 with no ExcludeCIDRs is equivalent. Overlaps are allowed 4807 between FromCIDR and FromCIDRSet. \n Example: Any endpoint 4808 with the label \"app=my-legacy-pet\" is allowed to receive 4809 connections from 10.3.9.1" 4810 items: 4811 description: 'CIDR specifies a block of IP addresses. Example: 4812 192.0.2.1/32' 4813 format: cidr 4814 type: string 4815 type: array 4816 fromCIDRSet: 4817 description: "FromCIDRSet is a list of IP blocks which the 4818 endpoint subject to the rule is allowed to receive connections 4819 from in addition to FromEndpoints, along with a list of 4820 subnets contained within their corresponding IP block from 4821 which traffic should not be allowed. This will match on 4822 the source IP address of incoming connections. Adding a 4823 prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs 4824 is equivalent. Overlaps are allowed between FromCIDR and 4825 FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" 4826 is allowed to receive connections from 10.0.0.0/8 except 4827 from IPs in subnet 10.96.0.0/12." 4828 items: 4829 description: CIDRRule is a rule that specifies a CIDR prefix 4830 to/from which outside communication is allowed, along 4831 with an optional list of subnets within that CIDR prefix 4832 to/from which outside communication is not allowed. 
4833 oneOf: 4834 - properties: 4835 cidr: {} 4836 required: 4837 - cidr 4838 - properties: 4839 cidrGroupRef: {} 4840 required: 4841 - cidrGroupRef 4842 properties: 4843 cidr: 4844 description: CIDR is a CIDR prefix / IP Block. 4845 format: cidr 4846 type: string 4847 cidrGroupRef: 4848 description: CIDRGroupRef is a reference to a CiliumCIDRGroup 4849 object. A CiliumCIDRGroup contains a list of CIDRs 4850 that the endpoint, subject to the rule, can (Ingress/Egress) 4851 or cannot (IngressDeny/EgressDeny) receive connections 4852 from. 4853 maxLength: 253 4854 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ 4855 type: string 4856 except: 4857 description: ExceptCIDRs is a list of IP blocks which 4858 the endpoint subject to the rule is not allowed to 4859 initiate connections to. These CIDR prefixes should 4860 be contained within Cidr, using ExceptCIDRs together 4861 with CIDRGroupRef is not supported yet. These exceptions 4862 are only applied to the Cidr in this CIDRRule, and 4863 do not apply to any other CIDR prefixes in any other 4864 CIDRRules. 4865 items: 4866 description: 'CIDR specifies a block of IP addresses. 4867 Example: 192.0.2.1/32' 4868 format: cidr 4869 type: string 4870 type: array 4871 type: object 4872 type: array 4873 fromEndpoints: 4874 description: "FromEndpoints is a list of endpoints identified 4875 by an EndpointSelector which are allowed to communicate 4876 with the endpoint subject to the rule. \n Example: Any endpoint 4877 with the label \"role=backend\" can be consumed by any endpoint 4878 carrying the label \"role=frontend\"." 4879 items: 4880 description: EndpointSelector is a wrapper for k8s LabelSelector. 4881 properties: 4882 matchExpressions: 4883 description: matchExpressions is a list of label selector 4884 requirements. The requirements are ANDed. 
4885 items: 4886 description: A label selector requirement is a selector 4887 that contains values, a key, and an operator that 4888 relates the key and values. 4889 properties: 4890 key: 4891 description: key is the label key that the selector 4892 applies to. 4893 type: string 4894 operator: 4895 description: operator represents a key's relationship 4896 to a set of values. Valid operators are In, 4897 NotIn, Exists and DoesNotExist. 4898 enum: 4899 - In 4900 - NotIn 4901 - Exists 4902 - DoesNotExist 4903 type: string 4904 values: 4905 description: values is an array of string values. 4906 If the operator is In or NotIn, the values array 4907 must be non-empty. If the operator is Exists 4908 or DoesNotExist, the values array must be empty. 4909 This array is replaced during a strategic merge 4910 patch. 4911 items: 4912 type: string 4913 type: array 4914 x-kubernetes-list-type: atomic 4915 required: 4916 - key 4917 - operator 4918 type: object 4919 type: array 4920 x-kubernetes-list-type: atomic 4921 matchLabels: 4922 additionalProperties: 4923 description: MatchLabelsValue represents the value 4924 from the MatchLabels {key,value} pair. 4925 maxLength: 63 4926 pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ 4927 type: string 4928 description: matchLabels is a map of {key,value} pairs. 4929 A single {key,value} in the matchLabels map is equivalent 4930 to an element of matchExpressions, whose key field 4931 is "key", the operator is "In", and the values array 4932 contains only "value". The requirements are ANDed. 4933 type: object 4934 type: object 4935 type: array 4936 fromEntities: 4937 description: FromEntities is a list of special entities which 4938 the endpoint subject to the rule is allowed to receive connections 4939 from. Supported entities are `world`, `cluster` and `host` 4940 items: 4941 description: Entity specifies the class of receiver/sender 4942 endpoints that do not have individual identities. 
Entities 4943 are used to describe "outside of cluster", "host", etc. 4944 enum: 4945 - all 4946 - world 4947 - cluster 4948 - host 4949 - init 4950 - ingress 4951 - unmanaged 4952 - remote-node 4953 - health 4954 - none 4955 - kube-apiserver 4956 type: string 4957 type: array 4958 fromGroups: 4959 description: "FromGroups is a directive that allows the integration 4960 with multiple outside providers. Currently, only AWS is 4961 supported, and the rule can select by multiple sub directives: 4962 \n Example: FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" 4963 items: 4964 description: Groups structure to store all kinds of new 4965 integrations that needs a new derivative policy. 4966 properties: 4967 aws: 4968 description: AWSGroup is an structure that can be used 4969 to whitelisting information from AWS integration 4970 properties: 4971 labels: 4972 additionalProperties: 4973 type: string 4974 type: object 4975 region: 4976 type: string 4977 securityGroupsIds: 4978 items: 4979 type: string 4980 type: array 4981 securityGroupsNames: 4982 items: 4983 type: string 4984 type: array 4985 type: object 4986 type: object 4987 type: array 4988 fromNodes: 4989 description: FromNodes is a list of nodes identified by an 4990 EndpointSelector which are allowed to communicate with the 4991 endpoint subject to the rule. 4992 items: 4993 description: EndpointSelector is a wrapper for k8s LabelSelector. 4994 properties: 4995 matchExpressions: 4996 description: matchExpressions is a list of label selector 4997 requirements. The requirements are ANDed. 4998 items: 4999 description: A label selector requirement is a selector 5000 that contains values, a key, and an operator that 5001 relates the key and values. 5002 properties: 5003 key: 5004 description: key is the label key that the selector 5005 applies to. 5006 type: string 5007 operator: 5008 description: operator represents a key's relationship 5009 to a set of values. 
Valid operators are In, 5010 NotIn, Exists and DoesNotExist. 5011 enum: 5012 - In 5013 - NotIn 5014 - Exists 5015 - DoesNotExist 5016 type: string 5017 values: 5018 description: values is an array of string values. 5019 If the operator is In or NotIn, the values array 5020 must be non-empty. If the operator is Exists 5021 or DoesNotExist, the values array must be empty. 5022 This array is replaced during a strategic merge 5023 patch. 5024 items: 5025 type: string 5026 type: array 5027 x-kubernetes-list-type: atomic 5028 required: 5029 - key 5030 - operator 5031 type: object 5032 type: array 5033 x-kubernetes-list-type: atomic 5034 matchLabels: 5035 additionalProperties: 5036 description: MatchLabelsValue represents the value 5037 from the MatchLabels {key,value} pair. 5038 maxLength: 63 5039 pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ 5040 type: string 5041 description: matchLabels is a map of {key,value} pairs. 5042 A single {key,value} in the matchLabels map is equivalent 5043 to an element of matchExpressions, whose key field 5044 is "key", the operator is "In", and the values array 5045 contains only "value". The requirements are ANDed. 5046 type: object 5047 type: object 5048 type: array 5049 fromRequires: 5050 description: "FromRequires is a list of additional constraints 5051 which must be met in order for the selected endpoints to 5052 be reachable. These additional constraints do no by itself 5053 grant access privileges and must always be accompanied with 5054 at least one matching FromEndpoints. \n Example: Any Endpoint 5055 with the label \"team=A\" requires consuming endpoint to 5056 also carry the label \"team=A\"." 5057 items: 5058 description: EndpointSelector is a wrapper for k8s LabelSelector. 5059 properties: 5060 matchExpressions: 5061 description: matchExpressions is a list of label selector 5062 requirements. The requirements are ANDed. 
5063 items: 5064 description: A label selector requirement is a selector 5065 that contains values, a key, and an operator that 5066 relates the key and values. 5067 properties: 5068 key: 5069 description: key is the label key that the selector 5070 applies to. 5071 type: string 5072 operator: 5073 description: operator represents a key's relationship 5074 to a set of values. Valid operators are In, 5075 NotIn, Exists and DoesNotExist. 5076 enum: 5077 - In 5078 - NotIn 5079 - Exists 5080 - DoesNotExist 5081 type: string 5082 values: 5083 description: values is an array of string values. 5084 If the operator is In or NotIn, the values array 5085 must be non-empty. If the operator is Exists 5086 or DoesNotExist, the values array must be empty. 5087 This array is replaced during a strategic merge 5088 patch. 5089 items: 5090 type: string 5091 type: array 5092 x-kubernetes-list-type: atomic 5093 required: 5094 - key 5095 - operator 5096 type: object 5097 type: array 5098 x-kubernetes-list-type: atomic 5099 matchLabels: 5100 additionalProperties: 5101 description: MatchLabelsValue represents the value 5102 from the MatchLabels {key,value} pair. 5103 maxLength: 63 5104 pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ 5105 type: string 5106 description: matchLabels is a map of {key,value} pairs. 5107 A single {key,value} in the matchLabels map is equivalent 5108 to an element of matchExpressions, whose key field 5109 is "key", the operator is "In", and the values array 5110 contains only "value". The requirements are ANDed. 5111 type: object 5112 type: object 5113 type: array 5114 icmps: 5115 description: "ICMPs is a list of ICMP rule identified by type 5116 number which the endpoint subject to the rule is allowed 5117 to receive connections on. \n Example: Any endpoint with 5118 the label \"app=httpd\" can only accept incoming type 8 5119 ICMP connections." 5120 items: 5121 description: ICMPRule is a list of ICMP fields. 
5122 properties: 5123 fields: 5124 description: Fields is a list of ICMP fields. 5125 items: 5126 description: ICMPField is a ICMP field. 5127 properties: 5128 family: 5129 default: IPv4 5130 description: Family is a IP address version. Currently, 5131 we support `IPv4` and `IPv6`. `IPv4` is set 5132 as default. 5133 enum: 5134 - IPv4 5135 - IPv6 5136 type: string 5137 type: 5138 anyOf: 5139 - type: integer 5140 - type: string 5141 description: 'Type is a ICMP-type. It should be 5142 an 8bit code (0-255), or it''s CamelCase name 5143 (for example, "EchoReply"). Allowed ICMP types 5144 are: Ipv4: EchoReply | DestinationUnreachable 5145 | Redirect | Echo | EchoRequest | RouterAdvertisement 5146 | RouterSelection | TimeExceeded | ParameterProblem 5147 | Timestamp | TimestampReply | Photuris | ExtendedEcho 5148 Request | ExtendedEcho Reply Ipv6: DestinationUnreachable 5149 | PacketTooBig | TimeExceeded | ParameterProblem 5150 | EchoRequest | EchoReply | MulticastListenerQuery| 5151 MulticastListenerReport | MulticastListenerDone 5152 | RouterSolicitation | RouterAdvertisement | 5153 NeighborSolicitation | NeighborAdvertisement 5154 | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery 5155 | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation 5156 | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest 5157 | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation 5158 | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix 5159 | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest 5160 | ExtendedEchoReply' 5161 pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho 5162 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ 5163 x-kubernetes-int-or-string: true 5164 required: 5165 - type 5166 type: object 5167 maxItems: 40 5168 type: array 5169 type: object 5170 type: array 5171 toPorts: 5172 description: "ToPorts is a list of destination ports identified 5173 by port number and protocol which the endpoint subject to 5174 the rule is allowed to receive connections on. \n Example: 5175 Any endpoint with the label \"app=httpd\" can only accept 5176 incoming connections on port 80/tcp." 5177 items: 5178 description: PortRule is a list of ports/protocol combinations 5179 with optional Layer 7 rules which must be met. 5180 properties: 5181 listener: 5182 description: listener specifies the name of a custom 5183 Envoy listener to which this traffic should be redirected 5184 to. 5185 properties: 5186 envoyConfig: 5187 description: EnvoyConfig is a reference to the CEC 5188 or CCEC resource in which the listener is defined. 5189 properties: 5190 kind: 5191 description: Kind is the resource type being 5192 referred to. Defaults to CiliumEnvoyConfig 5193 or CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy 5194 and CiliumClusterwideNetworkPolicy, respectively. 5195 The only case this is currently explicitly 5196 needed is when referring to a CiliumClusterwideEnvoyConfig 5197 from CiliumNetworkPolicy, as using a namespaced 5198 listener from a cluster scoped policy is not 5199 allowed. 
5200 enum: 5201 - CiliumEnvoyConfig 5202 - CiliumClusterwideEnvoyConfig 5203 type: string 5204 name: 5205 description: Name is the resource name of the 5206 CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig 5207 where the listener is defined in. 5208 minLength: 1 5209 type: string 5210 required: 5211 - name 5212 type: object 5213 name: 5214 description: Name is the name of the listener. 5215 minLength: 1 5216 type: string 5217 priority: 5218 description: Priority for this Listener that is 5219 used when multiple rules would apply different 5220 listeners to a policy map entry. Behavior of this 5221 is implementation dependent. 5222 maximum: 100 5223 minimum: 1 5224 type: integer 5225 required: 5226 - envoyConfig 5227 - name 5228 type: object 5229 originatingTLS: 5230 description: OriginatingTLS is the TLS context for the 5231 connections originated by the L7 proxy. For egress 5232 policy this specifies the client-side TLS parameters 5233 for the upstream connection originating from the L7 5234 proxy to the remote destination. For ingress policy 5235 this specifies the client-side TLS parameters for 5236 the connection from the L7 proxy to the local endpoint. 5237 properties: 5238 certificate: 5239 description: Certificate is the file name or k8s 5240 secret item name for the certificate chain. If 5241 omitted, 'tls.crt' is assumed, if it exists. If 5242 given, the item must exist. 5243 type: string 5244 privateKey: 5245 description: PrivateKey is the file name or k8s 5246 secret item name for the private key matching 5247 the certificate chain. If omitted, 'tls.key' is 5248 assumed, if it exists. If given, the item must 5249 exist. 5250 type: string 5251 secret: 5252 description: 'Secret is the secret that contains 5253 the certificates and private key for the TLS context. 5254 By default, Cilium will search in this secret 5255 for the following items: - ''ca.crt'' - Which 5256 represents the trusted CA to verify remote source. 
5257 - ''tls.crt'' - Which represents the public key 5258 certificate. - ''tls.key'' - Which represents 5259 the private key matching the public key certificate.' 5260 properties: 5261 name: 5262 description: Name is the name of the secret. 5263 type: string 5264 namespace: 5265 description: Namespace is the namespace in which 5266 the secret exists. Context of use determines 5267 the default value if left out (e.g., "default"). 5268 type: string 5269 required: 5270 - name 5271 type: object 5272 trustedCA: 5273 description: TrustedCA is the file name or k8s secret 5274 item name for the trusted CA. If omitted, 'ca.crt' 5275 is assumed, if it exists. If given, the item must 5276 exist. 5277 type: string 5278 required: 5279 - secret 5280 type: object 5281 ports: 5282 description: Ports is a list of L4 port/protocol 5283 items: 5284 description: PortProtocol specifies an L4 port with 5285 an optional transport protocol 5286 properties: 5287 endPort: 5288 description: EndPort can only be an L4 port number. 5289 format: int32 5290 maximum: 65535 5291 minimum: 0 5292 type: integer 5293 port: 5294 description: Port can be an L4 port number, or 5295 a name in the form of "http" or "http-8080". 5296 pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ 5297 type: string 5298 protocol: 5299 description: "Protocol is the L4 protocol. If 5300 omitted or empty, any protocol matches. Accepted 5301 values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\" 5302 \n Matching on ICMP is not supported. \n Named 5303 port specified for a container may narrow this 5304 down, but may not contradict this." 5305 enum: 5306 - TCP 5307 - UDP 5308 - SCTP 5309 - ANY 5310 type: string 5311 required: 5312 - port 5313 type: object 5314 maxItems: 40 5315 type: array 5316 rules: 5317 description: Rules is a list of additional port level 5318 rules which must be met in order for the PortRule 5319 to allow the traffic. 
                            If omitted or empty, no layer 7 rules are enforced.
                            oneOf:
                            - properties:
                                http: {}
                              required:
                              - http
                            - properties:
                                kafka: {}
                              required:
                              - kafka
                            - properties:
                                dns: {}
                              required:
                              - dns
                            - properties:
                                l7proto: {}
                              required:
                              - l7proto
                            properties:
                              dns:
                                description: DNS-specific rules.
                                items:
                                  description: PortRuleDNS is a list of allowed DNS lookups.
                                  oneOf:
                                  - properties:
                                      matchName: {}
                                    required:
                                    - matchName
                                  - properties:
                                      matchPattern: {}
                                    required:
                                    - matchPattern
                                  properties:
                                    matchName:
                                      description: MatchName matches literal DNS names. A trailing "." is automatically added when missing.
                                      pattern: ^([-a-zA-Z0-9_]+[.]?)+$
                                      type: string
                                    matchPattern:
                                      description: "MatchPattern allows using wildcards to match DNS names. All wildcards are case insensitive. The wildcards are: - \"*\" matches 0 or more DNS valid characters, and may occur anywhere in the pattern. As a special case a \"*\" as the leftmost character, without a following \".\" matches all subdomains as well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: `*.cilium.io` matches subdomains of cilium at that level: www.cilium.io and blog.cilium.io match, cilium.io and google.com do not. `*cilium.io` matches cilium.io and all subdomains ending with \"cilium.io\" except those containing a \".\" separator: subcilium.io and sub-cilium.io match, www.cilium.io and blog.cilium.io do not. sub*.cilium.io matches subdomains of cilium where the subdomain component begins with \"sub\": sub.cilium.io and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not."
                                      pattern: ^([-a-zA-Z0-9_*]+[.]?)+$
                                      type: string
                                  type: object
                                type: array
                              http:
                                description: HTTP-specific rules.
                                items:
                                  description: "PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional; if all fields are empty or missing, the rule does not have any effect. \n All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1 (i.e. this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986."
                                  properties:
                                    headerMatches:
                                      description: HeaderMatches is a list of HTTP headers which must be present and match against the given values. The Mismatch field can be used to specify what to do when there is no match.
                                      items:
                                        description: HeaderMatch extends the HeaderValue for matching requirement of a named header field against an immediate string, a secret value, or a regex. If none of the optional fields is present, then the header value is not matched; presence of the header alone is enough.
                                        properties:
                                          mismatch:
                                            description: Mismatch identifies what to do in case there is no match. The default is to drop the request. Otherwise the overall rule is still considered as matching, but the mismatches are logged in the access log.
                                            enum:
                                            - LOG
                                            - ADD
                                            - DELETE
                                            - REPLACE
                                            type: string
                                          name:
                                            description: Name identifies the header.
                                            minLength: 1
                                            type: string
                                          secret:
                                            description: Secret refers to a secret that contains the value to be matched against. The secret must only contain one entry. If the referred secret does not exist, and there is no "Value" specified, the match will fail.
                                            properties:
                                              name:
                                                description: Name is the name of the secret.
                                                type: string
                                              namespace:
                                                description: Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., "default").
                                                type: string
                                            required:
                                            - name
                                            type: object
                                          value:
                                            description: Value matches the exact value of the header. Can be specified either alone or together with "Secret"; in the latter case it will be used as the header value if the secret cannot be found.
                                            type: string
                                        required:
                                        - name
                                        type: object
                                      type: array
                                    headers:
                                      description: Headers is a list of HTTP headers which must be present in the request. If omitted or empty, requests are allowed regardless of headers present.
                                      items:
                                        type: string
                                      type: array
                                    host:
                                      description: "Host is an extended POSIX regex matched against the host header of a request. Examples: \n - foo.bar.com will match the host fooXbar.com or foo-bar.com - foo\\.bar\\.com will only match the host foo.bar.com \n If omitted or empty, the value of the host header is ignored."
                                      format: idn-hostname
                                      type: string
                                    method:
                                      description: "Method is an extended POSIX regex matched against the method of a request, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ... \n If omitted or empty, all methods are allowed."
                                      type: string
                                    path:
                                      description: "Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. \n If omitted or empty, all paths are allowed."
                                      type: string
                                  type: object
                                type: array
                              kafka:
                                description: Kafka-specific rules.
                                items:
                                  description: PortRule is a list of Kafka protocol constraints. All fields are optional; if all fields are empty or missing, the rule will match all Kafka messages.
                                  properties:
                                    apiKey:
                                      description: "APIKey is a case-insensitive string matched against the key of a request, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", et al. Reference: https://kafka.apache.org/protocol#protocol_api_keys \n If omitted or empty, and if Role is not specified, then all keys are allowed."
                                      type: string
                                    apiVersion:
                                      description: "APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer. \n If omitted or empty, all versions are allowed."
                                      type: string
                                    clientID:
                                      description: "ClientID is the client identifier as provided in the request. \n From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client. \n If omitted or empty, all client identifiers are allowed."
                                      type: string
                                    role:
                                      description: "Role is a case-insensitive string and describes a group of API keys necessary to perform certain higher-level Kafka operations such as \"produce\" or \"consume\". A Role automatically expands into all APIKeys required to perform the specified higher-level operation. \n The following values are supported: - \"produce\": Allow producing to the topics specified in the rule - \"consume\": Allow consuming from the topics specified in the rule \n This field is incompatible with the APIKey field, i.e. APIKey and Role cannot both be specified in the same rule. \n If omitted or empty, and if APIKey is not specified, then all keys are allowed."
                                      enum:
                                      - produce
                                      - consume
                                      type: string
                                    topic:
                                      description: "Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected. \n This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _. \n Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. For compatibility reasons we are using 255. \n If omitted or empty, all topics are allowed."
                                      maxLength: 255
                                      type: string
                                  type: object
                                type: array
                              l7:
                                description: Key-value pair rules.
                                items:
                                  additionalProperties:
                                    type: string
                                  description: PortRuleL7 is a list of key-value pairs interpreted by an L7 protocol as protocol constraints. All fields are optional; if all fields are empty or missing, the rule does not have any effect.
                                  type: object
                                type: array
                              l7proto:
                                description: Name of the L7 protocol for which the key-value pair rules apply.
                                type: string
                            type: object
                          serverNames:
                            description: ServerNames is a list of allowed TLS SNI values. If not empty, then TLS must be present and one of the provided SNIs must be indicated in the TLS handshake.
                            items:
                              type: string
                            type: array
                          terminatingTLS:
                            description: TerminatingTLS is the TLS context for the connection terminated by the L7 proxy. For egress policy this specifies the server-side TLS parameters to be applied on the connections originated from the local endpoint and terminated by the L7 proxy. For ingress policy this specifies the server-side TLS parameters to be applied on the connections originated from a remote source and terminated by the L7 proxy.
                            properties:
                              certificate:
                                description: Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist.
                                type: string
                              privateKey:
                                description: PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist.
                                type: string
                              secret:
                                description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - ''ca.crt'' - Which represents the trusted CA to verify the remote source. - ''tls.crt'' - Which represents the public key certificate. - ''tls.key'' - Which represents the private key matching the public key certificate.'
                                properties:
                                  name:
                                    description: Name is the name of the secret.
                                    type: string
                                  namespace:
                                    description: Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., "default").
                                    type: string
                                required:
                                - name
                                type: object
                              trustedCA:
                                description: TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist.
                                type: string
                            required:
                            - secret
                            type: object
                        type: object
                      type: array
                  type: object
                type: array
              ingressDeny:
                description: IngressDeny is a list of IngressDenyRule which are enforced at ingress. Any rule inserted here will be denied regardless of the allowed ingress rules in the 'ingress' field. If omitted or empty, this rule does not apply at ingress.
                items:
                  description: "IngressDenyRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the endpointSelector. \n - All members of this structure are optional. If omitted or empty, the member will have no effect on the rule. \n - If multiple members are set, all of them need to match in order for the rule to take effect. The exception to this rule is the FromRequires field; the effects of any Requires field in any rule will apply to all other rules as well. \n - FromEndpoints, FromCIDR, FromCIDRSet, FromGroups and FromEntities are mutually exclusive. Only one of these members may be present within an individual rule."
                  properties:
                    fromCIDR:
                      description: "FromCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from. Only connections which do *not* originate from the cluster or from the local host are subject to CIDR rules. In order to allow in-cluster connectivity, use the FromEndpoints field. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.3.9.1"
                      items:
                        description: 'CIDR specifies a block of IP addresses. Example: 192.0.2.1/32'
                        format: cidr
                        type: string
                      type: array
                    fromCIDRSet:
                      description: "FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."
                      items:
                        description: CIDRRule is a rule that specifies a CIDR prefix to/from which outside communication is allowed, along with an optional list of subnets within that CIDR prefix to/from which outside communication is not allowed.
                        oneOf:
                        - properties:
                            cidr: {}
                          required:
                          - cidr
                        - properties:
                            cidrGroupRef: {}
                          required:
                          - cidrGroupRef
                        properties:
                          cidr:
                            description: CIDR is a CIDR prefix / IP Block.
                            format: cidr
                            type: string
                          cidrGroupRef:
                            description: CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive connections from.
                            maxLength: 253
                            pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$
                            type: string
                          except:
                            description: ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr; using ExceptCIDRs together with CIDRGroupRef is not supported yet. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.
                            items:
                              description: 'CIDR specifies a block of IP addresses. Example: 192.0.2.1/32'
                              format: cidr
                              type: string
                            type: array
                        type: object
                      type: array
                    fromEndpoints:
                      description: "FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule. \n Example: Any endpoint with the label \"role=backend\" can be consumed by any endpoint carrying the label \"role=frontend\"."
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                  items:
                                    type: string
                                  type: array
                                  x-kubernetes-list-type: atomic
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                            x-kubernetes-list-type: atomic
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    fromEntities:
                      description: FromEntities is a list of special entities which the endpoint subject to the rule is allowed to receive connections from. Supported entities are `world`, `cluster` and `host`.
                      items:
                        description: Entity specifies the class of receiver/sender endpoints that do not have individual identities. Entities are used to describe "outside of cluster", "host", etc.
                        enum:
                        - all
                        - world
                        - cluster
                        - host
                        - init
                        - ingress
                        - unmanaged
                        - remote-node
                        - health
                        - none
                        - kube-apiserver
                        type: string
                      type: array
                    fromGroups:
                      description: "FromGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \n Example: FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"
                      items:
                        description: Groups structure to store all kinds of new integrations that need a new derivative policy.
                        properties:
                          aws:
                            description: AWSGroup is a structure that can be used to whitelist information from the AWS integration.
                            properties:
                              labels:
                                additionalProperties:
                                  type: string
                                type: object
                              region:
                                type: string
                              securityGroupsIds:
                                items:
                                  type: string
                                type: array
                              securityGroupsNames:
                                items:
                                  type: string
                                type: array
                            type: object
                        type: object
                      type: array
                    fromNodes:
                      description: FromNodes is a list of nodes identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule.
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                  items:
                                    type: string
                                  type: array
                                  x-kubernetes-list-type: atomic
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                            x-kubernetes-list-type: atomic
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    fromRequires:
                      description: "FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do not by themselves grant access privileges and must always be accompanied with at least one matching FromEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires the consuming endpoint to also carry the label \"team=A\"."
                      items:
                        description: EndpointSelector is a wrapper for k8s LabelSelector.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                  items:
                                    type: string
                                  type: array
                                  x-kubernetes-list-type: atomic
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                            x-kubernetes-list-type: atomic
                          matchLabels:
                            additionalProperties:
                              description: MatchLabelsValue represents the value from the MatchLabels {key,value} pair.
                              maxLength: 63
                              pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                              type: string
                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    icmps:
                      description: "ICMPs is a list of ICMP rules identified by type number which the endpoint subject to the rule is not allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" cannot accept incoming type 8 ICMP connections."
                      items:
                        description: ICMPRule is a list of ICMP fields.
                        properties:
                          fields:
                            description: Fields is a list of ICMP fields.
                            items:
                              description: ICMPField is an ICMP field.
                              properties:
                                family:
                                  default: IPv4
                                  description: Family is an IP address version. Currently, we support `IPv4` and `IPv6`. `IPv4` is set as default.
                                  enum:
                                  - IPv4
                                  - IPv6
                                  type: string
                                type:
                                  anyOf:
                                  - type: integer
                                  - type: string
                                  description: 'Type is an ICMP type. It should be an 8-bit code (0-255), or its CamelCase name (for example, "EchoReply"). Allowed ICMP types are: Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest | RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem | Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem | EchoRequest | EchoReply | MulticastListenerQuery | MulticastListenerReport | MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation | NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest | ExtendedEchoReply'
                                  pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$
                                  x-kubernetes-int-or-string: true
                              required:
                              - type
                              type: object
                            maxItems: 40
                            type: array
                        type: object
                      type: array
                    toPorts:
                      description: "ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" cannot accept incoming connections on port 80/tcp."
                      items:
                        description: PortDenyRule is a list of ports/protocols that should be used for deny policies. This structure lacks the L7Rules since they are not supported in deny policies.
                        properties:
                          ports:
                            description: Ports is a list of L4 port/protocol
                            items:
                              description: PortProtocol specifies an L4 port with an optional transport protocol
                              properties:
                                endPort:
                                  description: EndPort can only be an L4 port number.
                                  format: int32
                                  maximum: 65535
                                  minimum: 0
                                  type: integer
                                port:
                                  description: Port can be an L4 port number, or a name in the form of "http" or "http-8080".
                                  pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$
                                  type: string
                                protocol:
                                  description: "Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching on ICMP is not supported. \n A named port specified for a container may narrow this down, but may not contradict this."
                                  enum:
                                  - TCP
                                  - UDP
                                  - SCTP
                                  - ANY
                                  type: string
                              required:
                              - port
                              type: object
                            type: array
                        type: object
                      type: array
                  type: object
                type: array
              labels:
                description: Labels is a list of optional strings which can be used to re-identify the rule or to store metadata. It is possible to look up or delete strings based on labels. Labels are not required to be unique; multiple rules can have overlapping or identical labels.
                items:
                  description: Label is Cilium's representation of a container label.
                  properties:
                    key:
                      type: string
                    source:
                      description: 'Source can be one of the above values (e.g.: LabelSourceContainer).'
                      type: string
                    value:
                      type: string
                  required:
                  - key
                  type: object
                type: array
              nodeSelector:
                description: NodeSelector selects all nodes which should be subject to this rule. EndpointSelector and NodeSelector cannot both be empty and are mutually exclusive. Can only be used in CiliumClusterwideNetworkPolicies.
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                    items:
                      description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                      properties:
                        key:
                          description: key is the label key that the selector applies to.
                          type: string
                        operator:
                          description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                          enum:
                          - In
                          - NotIn
                          - Exists
                          - DoesNotExist
                          type: string
                        values:
                          description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                          items:
                            type: string
                          type: array
                          x-kubernetes-list-type: atomic
                      required:
                      - key
                      - operator
                      type: object
                    type: array
                    x-kubernetes-list-type: atomic
                  matchLabels:
                    additionalProperties:
                      description: MatchLabelsValue represents the value from the MatchLabels {key,value} pair.
                      maxLength: 63
                      pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$
                      type: string
                    description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                    type: object
                type: object
            type: object
          status:
            description: Status is the status of the Cilium policy rule
            properties:
              conditions:
                items:
                  properties:
                    lastTransitionTime:
                      description: The last time the condition transitioned from one status to another.
                      format: date-time
                      type: string
                    message:
                      description: A human readable message indicating details about the transition.
                      type: string
                    reason:
                      description: The reason for the condition's last transition.
                      type: string
                    status:
                      description: The status of the condition, one of True, False, or Unknown
                      type: string
                    type:
                      description: The type of the policy condition
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
                x-kubernetes-list-map-keys:
                - type
                x-kubernetes-list-type: map
              derivativePolicies:
                additionalProperties:
                  description: CiliumNetworkPolicyNodeStatus is the status of a Cilium policy rule for a specific node.
                  properties:
                    annotations:
                      additionalProperties:
                        type: string
                      description: Annotations corresponds to the Annotations in the ObjectMeta of the CNP that have been realized on the node for the CNP. That is, if a CNP has been imported and has been assigned annotation X=Y by the user, Annotations in CiliumNetworkPolicyNodeStatus will be X=Y once the CNP that was imported corresponding to Annotation X=Y has been realized on the node.
                      type: object
                    enforcing:
                      description: Enforcing is set to true once all endpoints present at the time the policy has been imported are enforcing this policy.
                      type: boolean
                    error:
                      description: Error describes any error that occurred when parsing or importing the policy, or realizing the policy for the endpoints to which it applies on the node.
                      type: string
                    lastUpdated:
                      description: LastUpdated contains the last time this status was updated
                      format: date-time
                      type: string
                    localPolicyRevision:
                      description: Revision is the policy revision of the repository which first implemented this policy.
                      format: int64
                      type: integer
                    ok:
                      description: OK is true when the policy has been parsed and imported successfully into the in-memory policy repository on the node.
                      type: boolean
                  type: object
                description: DerivativePolicies is the status of all policies derived from the Cilium policy
                type: object
            type: object
        required:
        - metadata
        type: object
    served: true
    storage: true
    subresources:
      status: {}
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []