github.com/looshlee/cilium@v1.6.12/examples/crds/ciliumnetworkpolicies.yaml

apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
  name: ciliumnetworkpolicies.cilium.io
spec:
  conversion:
    strategy: None
  group: cilium.io
  names:
    kind: CiliumNetworkPolicy
    listKind: CiliumNetworkPolicyList
    plural: ciliumnetworkpolicies
    shortNames:
    - cnp
    - ciliumnp
    singular: ciliumnetworkpolicy
  scope: Namespaced
  subresources:
    status: {}
  validation:
    openAPIV3Schema:
      properties:
        CIDR:
          description: CIDR is a CIDR prefix / IP Block.
          oneOf:
          - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
          - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
          type: string
        CIDRRule:
          description: CIDRRule is a rule that specifies a CIDR prefix to/from which outside communication is allowed, along with an optional list of subnets within that CIDR prefix to/from which outside communication is not allowed.
          properties:
            cidr:
              description: CIDR is a CIDR prefix / IP Block.
              oneOf:
              - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
              - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
              type: string
            except:
              description: ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.
              items:
                description: CIDR is a CIDR prefix / IP Block.
                oneOf:
                - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
                - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                type: string
              type: array
          required:
          - cidr
          type: object
        EgressRule:
          description: |-
            EgressRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector.

            - All members of this structure are optional. If omitted or empty, the
            member will have no effect on the rule.

            - For now, combining ToPorts and ToCIDR in the same rule is not supported
            and such rules will be rejected. In the future, this will be supported and
            if multiple members of the structure are specified, then all members
            must match in order for the rule to take effect.
          properties:
            toCIDR:
              description: |-
                ToCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet.

                Example: Any endpoint with the label "app=database-proxy" is allowed to initiate connections to 10.2.3.0/24
              items:
                description: CIDR is a CIDR prefix / IP Block.
                oneOf:
                - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
                - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                type: string
              type: array
            toCIDRSet:
              description: |-
                ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via FromEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet.

                Example: Any endpoint with the label "app=database-proxy" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.
              items:
                description: CIDRRule is a rule that specifies a CIDR prefix to/from which outside communication is allowed, along with an optional list of subnets within that CIDR prefix to/from which outside communication is not allowed.
                properties:
                  cidr:
                    description: CIDR is a CIDR prefix / IP Block.
                    oneOf:
                    - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
                    - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                    type: string
                  except:
                    description: ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.
                    items:
                      description: CIDR is a CIDR prefix / IP Block.
                      oneOf:
                      - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
                      - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                      type: string
                    type: array
                required:
                - cidr
                type: object
              type: array
            toEndpoints:
              description: |-
                ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoint subject to the rule is allowed to communicate.

                Example: Any endpoint with the label "role=frontend" can be consumed by any endpoint carrying the label "role=backend".
              items:
                description: EndpointSelector is a wrapper for k8s LabelSelector.
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                    items:
                      description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                      properties:
                        key:
                          description: key is the label key that the selector applies to.
                          type: string
                        operator:
                          description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                          enum:
                          - In
                          - NotIn
                          - Exists
                          - DoesNotExist
                          type: string
                        values:
                          description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                          items:
                            type: string
                          type: array
                      required:
                      - key
                      - operator
                      type: object
                    type: array
                  matchLabels:
                    description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                    type: object
                type: object
              type: array
            toEntities:
              description: ToEntities is a list of special entities to which the endpoint subject to the rule is allowed to initiate connections. Supported entities are `world`, `cluster` and `host`
              items:
                type: string
              type: array
            toFQDNs:
              description: "ToFQDNs is a list of rules matching fqdns that endpoint\n\t\t\t\tis allowed to communicate with"
              items:
                description: FQDNRule is a rule that specifies a fully qualified domain name to which outside communication is allowed
                properties:
                  matchName:
                    description: MatchName matches fqdn name
                    pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])\.?$
                    type: string
                  matchPattern:
                    description: MatchPattern matches fqdn by pattern
                    pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9\*][a-zA-Z0-9\-\*]*[a-zA-Z0-9\*])\.)*([A-Za-z0-9\*]|[A-Za-z0-9\*][A-Za-z0-9\-\*]*[A-Za-z0-9\*])\.?$
                    type: string
                type: object
              type: array
            toGroups:
              description: "ToGroups is a list of constraints that will\n\t\t\t\tgather data from third-party providers and create a new\n\t\t\t\tderived policy."
              properties:
                aws:
                  properties:
                    region:
                      description: "Region is the key that will filter the AWS EC2\n\t\t\t\tinstances in the given region"
                      type: string
                    securityGroupsIds:
                      description: "SecurityGroupsIds is the list of AWS security\n\t\t\t\tgroup IDs that will filter the instances IPs from the AWS API"
                      items:
                        type: string
                      type: array
                    securityGroupsNames:
                      description: "SecurityGroupsNames is the list of AWS security\n\t\t\t\tgroup names that will filter the instances IPs from the AWS API"
                      items:
                        type: string
                      type: array
                  type: object
              type: object
            toPorts:
              description: |-
                ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to connect to.

                Example: Any endpoint with the label "role=frontend" is allowed to initiate connections to destination port 8080/tcp
              items:
                description: PortRule is a list of ports/protocol combinations with optional Layer 7 rules which must be met.
                properties:
                  ports:
                    description: |-
                      Ports is a list of L4 port/protocol

                      If omitted or empty but RedirectPort is set, then all ports of the endpoint subject to either the ingress or egress rule are being redirected.
                    items:
                      description: PortProtocol specifies an L4 port with an optional transport protocol
                      properties:
                        port:
                          description: Port is an L4 port number. For now the string will be strictly parsed as a single uint16. In the future, this field may support ranges in the form "1024-2048
                          pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})$
                          type: string
                        protocol:
                          description: 'Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: "TCP", "UDP", ""/"ANY"\n\nMatching on ICMP is not supported.'
                          enum:
                          - TCP
                          - UDP
                          - ANY
                          type: string
                      required:
                      - port
                      type: object
                    type: array
                  redirectPort:
                    description: RedirectPort is the L4 port which, if set, all traffic matching the Ports is being redirected to. Whatever listener behind that port becomes responsible to enforce the port rules and is also responsible to reinject all traffic back and ensure it reaches its original destination.
                    format: uint16
                    type: integer
                  rules:
                    description: Rules is a list of additional port level rules which must be met in order for the PortRule to allow the traffic. If omitted or empty, no layer 7 rules are enforced.
                    properties:
                      dns:
                        description: DNS specific rules
                        items:
                          description: FQDNRule is a rule that specifies a fully qualified domain name to which outside communication is allowed
                          properties:
                            matchName:
                              description: MatchName matches fqdn name
                              pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])\.?$
                              type: string
                            matchPattern:
                              description: MatchPattern matches fqdn by pattern
                              pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9\*][a-zA-Z0-9\-\*]*[a-zA-Z0-9\*])\.)*([A-Za-z0-9\*]|[A-Za-z0-9\*][A-Za-z0-9\-\*]*[A-Za-z0-9\*])\.?$
                              type: string
                          type: object
                        type: array
                      http:
                        description: HTTP specific rules.
                        items:
                          description: |-
                            PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect.

                            All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986.
                          properties:
                            headers:
                              description: Headers is a list of HTTP headers which must be present in the request. If omitted or empty, requests are allowed regardless of headers present.
                              items:
                                type: string
                              type: array
                            host:
                              description: |-
                                Host is an extended POSIX regex matched against the host header of a request, e.g. "foo.com"

                                If omitted or empty, the value of the host header is ignored.
                              format: idn-hostname
                              type: string
                            method:
                              description: |-
                                Method is an extended POSIX regex matched against the method of a request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ...

                                If omitted or empty, all methods are allowed.
                              type: string
                            path:
                              description: |-
                                Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986.

                                If omitted or empty, all paths are allowed.
                              type: string
                          type: object
                        type: array
                      kafka:
                        description: Kafka-specific rules.
                        items:
                          description: PortRuleKafka is a list of Kafka protocol constraints. All fields are optional, if all fields are empty or missing, the rule will match all Kafka messages.
                          properties:
                            apiKey:
                              description: |-
                                APIKey is a case-insensitive string matched against the key of a request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys

                                If omitted or empty, all keys are allowed.
                              type: string
                            apiVersion:
                              description: |-
                                APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer.

                                If omitted or empty, all versions are allowed.
                              type: string
                            clientID:
                              description: |-
                                ClientID is the client identifier as provided in the request.

                                From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client.

                                If omitted or empty, all client identifiers are allowed.
                              type: string
                            role:
                              description: 'Role is a case-insensitive string and describes a group of API keys necessary to perform certain higher level Kafka operations such as "produce" or "consume". An APIGroup automatically expands into all APIKeys required to perform the specified higher level operation. The following values are supported: - "produce": Allow producing to the topics specified in the rule - "consume": Allow consuming from the topics specified in the rule. This field is incompatible with the APIKey field, either APIKey or Role may be specified. If omitted or empty, the field has no effect and the logic of the APIKey field applies.'
                              enum:
                              - produce
                              - consume
                              type: string
                            topic:
                              description: |-
                                Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected.

                                This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _ Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. For compatibility reasons we are using 255

                                If omitted or empty, all topics are allowed.
                              maxLength: 255
                              type: string
                          type: object
                        type: array
                      l7:
                        description: Generic Key-Value pair rules.
                        items:
                          description: PortRuleL7 is a map of {key,value} pairs which is passed to the parser referenced in l7proto. It is up to the parser to define what to do with the map data. If omitted or empty, all requests are allowed. Both keys and values must be strings.
                          type: object
                        type: array
                      l7proto:
                        description: Parser type name that uses Key-Value pair rules.
                        type: string
                    type: object
                type: object
              type: array
            toRequires:
              description: |-
                ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to reach other endpoints. These additional constraints do not by themselves grant access privileges and must always be accompanied with at least one matching FromEndpoints.

                Example: Any Endpoint with the label "team=A" requires any endpoint to which it communicates to also carry the label "team=A".
              items:
                description: EndpointSelector is a wrapper for k8s LabelSelector.
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                    items:
                      description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                      properties:
                        key:
                          description: key is the label key that the selector applies to.
                          type: string
                        operator:
                          description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                          enum:
                          - In
                          - NotIn
                          - Exists
                          - DoesNotExist
                          type: string
                        values:
                          description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                          items:
                            type: string
                          type: array
                      required:
                      - key
                      - operator
                      type: object
                    type: array
                  matchLabels:
                    description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                    type: object
                type: object
              type: array
            toServices:
              description: |-
                ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections.

                Example: Any endpoint with the label "app=backend-app" is allowed to initiate connections to all cidrs backing the "external-service" service
              items:
                description: Service wraps around selectors for services
                properties:
                  k8sService:
                    description: K8sServiceNamespace is an abstraction for the k8s service + namespace types.
                    properties:
                      namespace:
                        type: string
                      serviceName:
                        type: string
                    type: object
                  k8sServiceSelector:
                    description: K8sServiceSelector selects services by k8s labels. Not supported yet
                    properties:
                      namespace:
                        type: string
                      selector:
                        description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                  items:
                                    type: string
                                  type: array
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                          matchLabels:
                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                            type: object
                        type: object
                    required:
                    - selector
                    type: object
                type: object
              type: array
          type: object
        EndpointSelector:
          description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
          properties:
            matchExpressions:
              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
              items:
                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                properties:
                  key:
                    description: key is the label key that the selector applies to.
                    type: string
                  operator:
                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                    enum:
                    - In
                    - NotIn
                    - Exists
                    - DoesNotExist
                    type: string
                  values:
                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                    items:
                      type: string
                    type: array
                required:
                - key
                - operator
                type: object
              type: array
            matchLabels:
              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
              type: object
          type: object
        IngressRule:
          description: |-
            IngressRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the endpointSelector.

            - All members of this structure are optional. If omitted or empty, the
            member will have no effect on the rule.

            - If multiple members are set, all of them need to match in order for
            the rule to take effect. The exception to this rule is FromRequires field;
            the effects of any Requires field in any rule will apply to all other
            rules as well.

            - For now, combining ToPorts, FromCIDR, and FromEndpoints in the same rule
            is not supported and any such rules will be rejected. In the future, this
            will be supported and if multiple members of this structure are specified,
            then all members must match in order for the rule to take effect. The
            exception to this rule is the Requires field, the effects of any Requires
            field in any rule will apply to all other rules as well.
          properties:
            fromCIDR:
              description: |-
                FromCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.

                Example: Any endpoint with the label "app=my-legacy-pet" is allowed to receive connections from 10.3.9.1
              items:
                description: CIDR is a CIDR prefix / IP Block.
                oneOf:
                - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
                - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                type: string
              type: array
            fromCIDRSet:
              description: |-
                FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.

                Example: Any endpoint with the label "app=my-legacy-pet" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.
              items:
                description: CIDRRule is a rule that specifies a CIDR prefix to/from which outside communication is allowed, along with an optional list of subnets within that CIDR prefix to/from which outside communication is not allowed.
                properties:
                  cidr:
                    description: CIDR is a CIDR prefix / IP Block.
                    oneOf:
                    - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
                    - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                    type: string
                  except:
                    description: ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.
                    items:
                      description: CIDR is a CIDR prefix / IP Block.
                      oneOf:
                      - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
                      - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                      type: string
                    type: array
                required:
                - cidr
                type: object
              type: array
            fromEndpoints:
              description: |-
                FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule.

                Example: Any endpoint with the label "role=backend" can be consumed by any endpoint carrying the label "role=frontend".
              items:
                description: EndpointSelector is a wrapper for k8s LabelSelector.
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                    items:
                      description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                      properties:
                        key:
                          description: key is the label key that the selector applies to.
                          type: string
                        operator:
                          description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                          enum:
                          - In
                          - NotIn
                          - Exists
                          - DoesNotExist
                          type: string
                        values:
                          description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                          items:
                            type: string
                          type: array
                      required:
                      - key
                      - operator
                      type: object
                    type: array
                  matchLabels:
                    description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                    type: object
                type: object
              type: array
            fromEntities:
              description: FromEntities is a list of special entities which the endpoint subject to the rule is allowed to receive connections from. Supported entities are `world`, `cluster`, `host`, and `init`
              items:
                type: string
              type: array
            fromRequires:
              description: |-
                FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do not by themselves grant access privileges and must always be accompanied with at least one matching FromEndpoints.

                Example: Any Endpoint with the label "team=A" requires consuming endpoint to also carry the label "team=A".
              items:
                description: EndpointSelector is a wrapper for k8s LabelSelector.
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                    items:
                      description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                      properties:
                        key:
                          description: key is the label key that the selector applies to.
                          type: string
                        operator:
                          description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                          enum:
                          - In
                          - NotIn
                          - Exists
                          - DoesNotExist
                          type: string
                        values:
                          description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                          items:
                            type: string
                          type: array
                      required:
                      - key
                      - operator
                      type: object
                    type: array
                  matchLabels:
                    description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                    type: object
                type: object
              type: array
            toPorts:
              description: |-
                ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to receive connections on.

                Example: Any endpoint with the label "app=httpd" can only accept incoming connections on port 80/tcp.
              items:
                description: PortRule is a list of ports/protocol combinations with optional Layer 7 rules which must be met.
                properties:
                  ports:
                    description: |-
                      Ports is a list of L4 port/protocol

                      If omitted or empty but RedirectPort is set, then all ports of the endpoint subject to either the ingress or egress rule are being redirected.
                    items:
                      description: PortProtocol specifies an L4 port with an optional transport protocol
                      properties:
                        port:
                          description: Port is an L4 port number. For now the string will be strictly parsed as a single uint16. In the future, this field may support ranges in the form "1024-2048
                          pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})$
                          type: string
                        protocol:
                          description: 'Protocol is the L4 protocol.
If omitted or 771 empty, any protocol matches. Accepted values: "TCP", "UDP", 772 ""/"ANY"\n\nMatching on ICMP is not supported.' 773 enum: 774 - TCP 775 - UDP 776 - ANY 777 type: string 778 required: 779 - port 780 type: object 781 type: array 782 redirectPort: 783 description: RedirectPort is the L4 port which, if set, all traffic 784 matching the Ports is being redirected to. Whatever listener 785 behind that port becomes responsible to enforce the port rules 786 and is also responsible to reinject all traffic back and ensure 787 it reaches its original destination. 788 format: uint16 789 type: integer 790 rules: 791 description: Rules is a list of additional port level rules which 792 must be met in order for the PortRule to allow the traffic. 793 If omitted or empty, no layer 7 rules are enforced. 794 properties: 795 dns: 796 description: DNS specific rules 797 items: 798 description: FQDNRule is a rule that specifies an fully 799 qualified domain name to which outside communication is 800 allowed 801 properties: 802 matchName: 803 description: MatchName matches fqdn name 804 pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])\.?$ 805 type: string 806 matchPattern: 807 description: MatchPattern matches fqdn by pattern 808 pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9\*][a-zA-Z0-9\-\*]*[a-zA-Z0-9\*])\.)*([A-Za-z0-9\*]|[A-Za-z0-9\*][A-Za-z0-9\-\*]*[A-Za-z0-9\*])\.?$ 809 type: string 810 type: object 811 type: array 812 http: 813 description: HTTP specific rules. 814 items: 815 description: |- 816 PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect. 817 818 All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. 
Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. 819 properties: 820 headers: 821 description: Headers is a list of HTTP headers which 822 must be present in the request. If omitted or empty, 823 requests are allowed regardless of headers present. 824 items: 825 type: string 826 type: array 827 host: 828 description: |- 829 Host is an extended POSIX regex matched against the host header of a request, e.g. "foo.com" 830 831 If omitted or empty, the value of the host header is ignored. 832 format: idn-hostname 833 type: string 834 method: 835 description: |- 836 Method is an extended POSIX regex matched against the method of a request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ... 837 838 If omitted or empty, all methods are allowed. 839 type: string 840 path: 841 description: |- 842 Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. 843 844 If omitted or empty, all paths are all allowed. 845 type: string 846 type: object 847 type: array 848 kafka: 849 description: Kafka-specific rules. 850 items: 851 description: PortRuleKafka is a list of Kafka protocol constraints. 852 All fields are optional, if all fields are empty or missing, 853 the rule will match all Kafka messages. 854 properties: 855 apiKey: 856 description: |- 857 APIKey is a case-insensitive string matched against the key of a request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys 858 859 If omitted or empty, all keys are allowed. 860 type: string 861 apiVersion: 862 description: |- 863 APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer. 864 865 If omitted or empty, all versions are allowed. 
866 type: string 867 clientID: 868 description: |- 869 ClientID is the client identifier as provided in the request. 870 871 From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client. 872 873 If omitted or empty, all client identifiers are allowed. 874 type: string 875 role: 876 description: 'Role is a case-insensitive string and 877 describes a group of API keysnecessary to perform 878 certain higher level Kafka operations such as"produce" 879 or "consume". An APIGroup automatically expands into 880 all APIKeysrequired to perform the specified higher 881 level operation.The following values are supported:- 882 "produce": Allow producing to the topics specified 883 in the rule- "consume": Allow consuming from the topics 884 specified in the ruleThis field is incompatible with 885 the APIKey field, either APIKey or Rolemay be specified. 886 If omitted or empty, the field has no effect and the 887 logic of the APIKey field applies.' 888 enum: 889 - produce 890 - consume 891 type: string 892 topic: 893 description: |- 894 Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected. 895 896 This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _ Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. 
For compatibility reasons we are using 255 897 898 If omitted or empty, all topics are allowed. 899 maxLength: 255 900 type: string 901 type: object 902 type: array 903 l7: 904 description: Generic Key-Value pair rules. 905 items: 906 description: PortRuleL7 is a map of {key,value} pairs which 907 is passed to the parser referenced in l7proto. It is up 908 to the parser to define what to do with the map data. 909 If omitted or empty, all requests are allowed. Both keys 910 and values must be strings. 911 type: object 912 type: array 913 l7proto: 914 description: Parser type name that uses Key-Value pair rules. 915 type: string 916 type: object 917 type: object 918 type: array 919 type: object 920 K8sServiceNamespace: 921 description: K8sServiceNamespace is an abstraction for the k8s service + 922 namespace types. 923 properties: 924 namespace: 925 type: string 926 serviceName: 927 type: string 928 type: object 929 L7Rules: 930 description: L7Rules is a union of port level rule types. Mixing of different 931 port level rule types is disallowed, so exactly one of the following must 932 be set. If none are specified, then no additional port level rules are 933 applied. 934 properties: 935 dns: 936 description: DNS specific rules 937 items: 938 description: FQDNRule is a rule that specifies an fully qualified 939 domain name to which outside communication is allowed 940 properties: 941 matchName: 942 description: MatchName matches fqdn name 943 pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])\.?$ 944 type: string 945 matchPattern: 946 description: MatchPattern matches fqdn by pattern 947 pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9\*][a-zA-Z0-9\-\*]*[a-zA-Z0-9\*])\.)*([A-Za-z0-9\*]|[A-Za-z0-9\*][A-Za-z0-9\-\*]*[A-Za-z0-9\*])\.?$ 948 type: string 949 type: object 950 type: array 951 http: 952 description: HTTP specific rules. 953 items: 954 description: |- 955 PortRuleHTTP is a list of HTTP protocol constraints. 
All fields are optional, if all fields are empty or missing, the rule does not have any effect. 956 957 All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. 958 properties: 959 headers: 960 description: Headers is a list of HTTP headers which must be present 961 in the request. If omitted or empty, requests are allowed regardless 962 of headers present. 963 items: 964 type: string 965 type: array 966 host: 967 description: |- 968 Host is an extended POSIX regex matched against the host header of a request, e.g. "foo.com" 969 970 If omitted or empty, the value of the host header is ignored. 971 format: idn-hostname 972 type: string 973 method: 974 description: |- 975 Method is an extended POSIX regex matched against the method of a request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ... 976 977 If omitted or empty, all methods are allowed. 978 type: string 979 path: 980 description: |- 981 Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. 982 983 If omitted or empty, all paths are all allowed. 984 type: string 985 type: object 986 type: array 987 kafka: 988 description: Kafka-specific rules. 989 items: 990 description: PortRuleKafka is a list of Kafka protocol constraints. 991 All fields are optional, if all fields are empty or missing, the 992 rule will match all Kafka messages. 993 properties: 994 apiKey: 995 description: |- 996 APIKey is a case-insensitive string matched against the key of a request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys 997 998 If omitted or empty, all keys are allowed. 
999 type: string 1000 apiVersion: 1001 description: |- 1002 APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer. 1003 1004 If omitted or empty, all versions are allowed. 1005 type: string 1006 clientID: 1007 description: |- 1008 ClientID is the client identifier as provided in the request. 1009 1010 From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client. 1011 1012 If omitted or empty, all client identifiers are allowed. 1013 type: string 1014 role: 1015 description: 'Role is a case-insensitive string and describes 1016 a group of API keysnecessary to perform certain higher level 1017 Kafka operations such as"produce" or "consume". An APIGroup 1018 automatically expands into all APIKeysrequired to perform the 1019 specified higher level operation.The following values are supported:- 1020 "produce": Allow producing to the topics specified in the rule- 1021 "consume": Allow consuming from the topics specified in the 1022 ruleThis field is incompatible with the APIKey field, either 1023 APIKey or Rolemay be specified. If omitted or empty, the field 1024 has no effect and the logic of the APIKey field applies.' 1025 enum: 1026 - produce 1027 - consume 1028 type: string 1029 topic: 1030 description: |- 1031 Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected. 1032 1033 This constraint is ignored if the matched request message type doesn't contain any topic. 
Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _ Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. For compatibility reasons we are using 255 1034 1035 If omitted or empty, all topics are allowed. 1036 maxLength: 255 1037 type: string 1038 type: object 1039 type: array 1040 l7: 1041 description: Generic Key-Value pair rules. 1042 items: 1043 description: PortRuleL7 is a map of {key,value} pairs which is passed 1044 to the parser referenced in l7proto. It is up to the parser to define 1045 what to do with the map data. If omitted or empty, all requests 1046 are allowed. Both keys and values must be strings. 1047 type: object 1048 type: array 1049 l7proto: 1050 description: Parser type name that uses Key-Value pair rules. 1051 type: string 1052 type: object 1053 Label: 1054 description: Label is the cilium's representation of a container label. 1055 properties: 1056 key: 1057 type: string 1058 source: 1059 description: 'Source can be one of the values present in const.go (e.g.: 1060 LabelSourceContainer)' 1061 type: string 1062 value: 1063 type: string 1064 required: 1065 - key 1066 type: object 1067 LabelSelector: 1068 description: A label selector is a label query over a set of resources. 1069 The result of matchLabels and matchExpressions are ANDed. An empty label 1070 selector matches all objects. A null label selector matches no objects. 1071 properties: 1072 matchExpressions: 1073 description: matchExpressions is a list of label selector requirements. 1074 The requirements are ANDed. 1075 items: 1076 description: A label selector requirement is a selector that contains 1077 values, a key, and an operator that relates the key and values. 1078 properties: 1079 key: 1080 description: key is the label key that the selector applies to. 
1081 type: string 1082 operator: 1083 description: operator represents a key's relationship to a set 1084 of values. Valid operators are In, NotIn, Exists and DoesNotExist. 1085 enum: 1086 - In 1087 - NotIn 1088 - Exists 1089 - DoesNotExist 1090 type: string 1091 values: 1092 description: values is an array of string values. If the operator 1093 is In or NotIn, the values array must be non-empty. If the operator 1094 is Exists or DoesNotExist, the values array must be empty. This 1095 array is replaced during a strategic merge patch. 1096 items: 1097 type: string 1098 type: array 1099 required: 1100 - key 1101 - operator 1102 type: object 1103 type: array 1104 matchLabels: 1105 description: matchLabels is a map of {key,value} pairs. A single {key,value} 1106 in the matchLabels map is equivalent to an element of matchExpressions, 1107 whose key field is "key", the operator is "In", and the values array 1108 contains only "value". The requirements are ANDed. 1109 type: object 1110 type: object 1111 LabelSelectorRequirement: 1112 description: A label selector requirement is a selector that contains values, 1113 a key, and an operator that relates the key and values. 1114 properties: 1115 key: 1116 description: key is the label key that the selector applies to. 1117 type: string 1118 operator: 1119 description: operator represents a key's relationship to a set of values. 1120 Valid operators are In, NotIn, Exists and DoesNotExist. 1121 enum: 1122 - In 1123 - NotIn 1124 - Exists 1125 - DoesNotExist 1126 type: string 1127 values: 1128 description: values is an array of string values. If the operator is 1129 In or NotIn, the values array must be non-empty. If the operator is 1130 Exists or DoesNotExist, the values array must be empty. This array 1131 is replaced during a strategic merge patch. 
1132 items: 1133 type: string 1134 type: array 1135 required: 1136 - key 1137 - operator 1138 type: object 1139 PortProtocol: 1140 description: PortProtocol specifies an L4 port with an optional transport 1141 protocol 1142 properties: 1143 port: 1144 description: Port is an L4 port number. For now the string will be strictly 1145 parsed as a single uint16. In the future, this field may support ranges 1146 in the form "1024-2048 1147 pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})$ 1148 type: string 1149 protocol: 1150 description: 'Protocol is the L4 protocol. If omitted or empty, any 1151 protocol matches. Accepted values: "TCP", "UDP", ""/"ANY"\n\nMatching 1152 on ICMP is not supported.' 1153 enum: 1154 - TCP 1155 - UDP 1156 - ANY 1157 type: string 1158 required: 1159 - port 1160 type: object 1161 PortRule: 1162 description: PortRule is a list of ports/protocol combinations with optional 1163 Layer 7 rules which must be met. 1164 properties: 1165 ports: 1166 description: |- 1167 Ports is a list of L4 port/protocol 1168 1169 If omitted or empty but RedirectPort is set, then all ports of the endpoint subject to either the ingress or egress rule are being redirected. 1170 items: 1171 description: PortProtocol specifies an L4 port with an optional transport 1172 protocol 1173 properties: 1174 port: 1175 description: Port is an L4 port number. For now the string will 1176 be strictly parsed as a single uint16. In the future, this field 1177 may support ranges in the form "1024-2048 1178 pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})$ 1179 type: string 1180 protocol: 1181 description: 'Protocol is the L4 protocol. If omitted or empty, 1182 any protocol matches. Accepted values: "TCP", "UDP", ""/"ANY"\n\nMatching 1183 on ICMP is not supported.' 
1184 enum: 1185 - TCP 1186 - UDP 1187 - ANY 1188 type: string 1189 required: 1190 - port 1191 type: object 1192 type: array 1193 redirectPort: 1194 description: RedirectPort is the L4 port which, if set, all traffic 1195 matching the Ports is being redirected to. Whatever listener behind 1196 that port becomes responsible to enforce the port rules and is also 1197 responsible to reinject all traffic back and ensure it reaches its 1198 original destination. 1199 format: uint16 1200 type: integer 1201 rules: 1202 description: Rules is a list of additional port level rules which must 1203 be met in order for the PortRule to allow the traffic. If omitted 1204 or empty, no layer 7 rules are enforced. 1205 properties: 1206 dns: 1207 description: DNS specific rules 1208 items: 1209 description: FQDNRule is a rule that specifies an fully qualified 1210 domain name to which outside communication is allowed 1211 properties: 1212 matchName: 1213 description: MatchName matches fqdn name 1214 pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])\.?$ 1215 type: string 1216 matchPattern: 1217 description: MatchPattern matches fqdn by pattern 1218 pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9\*][a-zA-Z0-9\-\*]*[a-zA-Z0-9\*])\.)*([A-Za-z0-9\*]|[A-Za-z0-9\*][A-Za-z0-9\-\*]*[A-Za-z0-9\*])\.?$ 1219 type: string 1220 type: object 1221 type: array 1222 http: 1223 description: HTTP specific rules. 1224 items: 1225 description: |- 1226 PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect. 1227 1228 All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. 
1229 properties: 1230 headers: 1231 description: Headers is a list of HTTP headers which must 1232 be present in the request. If omitted or empty, requests 1233 are allowed regardless of headers present. 1234 items: 1235 type: string 1236 type: array 1237 host: 1238 description: |- 1239 Host is an extended POSIX regex matched against the host header of a request, e.g. "foo.com" 1240 1241 If omitted or empty, the value of the host header is ignored. 1242 format: idn-hostname 1243 type: string 1244 method: 1245 description: |- 1246 Method is an extended POSIX regex matched against the method of a request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ... 1247 1248 If omitted or empty, all methods are allowed. 1249 type: string 1250 path: 1251 description: |- 1252 Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. 1253 1254 If omitted or empty, all paths are all allowed. 1255 type: string 1256 type: object 1257 type: array 1258 kafka: 1259 description: Kafka-specific rules. 1260 items: 1261 description: PortRuleKafka is a list of Kafka protocol constraints. 1262 All fields are optional, if all fields are empty or missing, 1263 the rule will match all Kafka messages. 1264 properties: 1265 apiKey: 1266 description: |- 1267 APIKey is a case-insensitive string matched against the key of a request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys 1268 1269 If omitted or empty, all keys are allowed. 1270 type: string 1271 apiVersion: 1272 description: |- 1273 APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer. 1274 1275 If omitted or empty, all versions are allowed. 
1276 type: string 1277 clientID: 1278 description: |- 1279 ClientID is the client identifier as provided in the request. 1280 1281 From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client. 1282 1283 If omitted or empty, all client identifiers are allowed. 1284 type: string 1285 role: 1286 description: 'Role is a case-insensitive string and describes 1287 a group of API keysnecessary to perform certain higher level 1288 Kafka operations such as"produce" or "consume". An APIGroup 1289 automatically expands into all APIKeysrequired to perform 1290 the specified higher level operation.The following values 1291 are supported:- "produce": Allow producing to the topics 1292 specified in the rule- "consume": Allow consuming from the 1293 topics specified in the ruleThis field is incompatible with 1294 the APIKey field, either APIKey or Rolemay be specified. 1295 If omitted or empty, the field has no effect and the logic 1296 of the APIKey field applies.' 1297 enum: 1298 - produce 1299 - consume 1300 type: string 1301 topic: 1302 description: |- 1303 Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected. 1304 1305 This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _ Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. 
For compatibility reasons we are using 255 1306 1307 If omitted or empty, all topics are allowed. 1308 maxLength: 255 1309 type: string 1310 type: object 1311 type: array 1312 l7: 1313 description: Generic Key-Value pair rules. 1314 items: 1315 description: PortRuleL7 is a map of {key,value} pairs which is 1316 passed to the parser referenced in l7proto. It is up to the 1317 parser to define what to do with the map data. If omitted or 1318 empty, all requests are allowed. Both keys and values must be 1319 strings. 1320 type: object 1321 type: array 1322 l7proto: 1323 description: Parser type name that uses Key-Value pair rules. 1324 type: string 1325 type: object 1326 type: object 1327 PortRuleHTTP: 1328 description: |- 1329 PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect. 1330 1331 All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. 1332 properties: 1333 headers: 1334 description: Headers is a list of HTTP headers which must be present 1335 in the request. If omitted or empty, requests are allowed regardless 1336 of headers present. 1337 items: 1338 type: string 1339 type: array 1340 host: 1341 description: |- 1342 Host is an extended POSIX regex matched against the host header of a request, e.g. "foo.com" 1343 1344 If omitted or empty, the value of the host header is ignored. 1345 format: idn-hostname 1346 type: string 1347 method: 1348 description: |- 1349 Method is an extended POSIX regex matched against the method of a request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ... 1350 1351 If omitted or empty, all methods are allowed. 
              type: string
            path:
              description: |-
                Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986.

                If omitted or empty, all paths are allowed.
              type: string
          type: object
        PortRuleKafka:
          description: PortRuleKafka is a list of Kafka protocol constraints. All
            fields are optional; if all fields are empty or missing, the rule will
            match all Kafka messages.
          properties:
            apiKey:
              description: |-
                APIKey is a case-insensitive string matched against the key of a request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al. Reference: https://kafka.apache.org/protocol#protocol_api_keys

                If omitted or empty, all keys are allowed.
              type: string
            apiVersion:
              description: |-
                APIVersion is the version matched against the API version of the Kafka message. If set, it has to be a string representing a positive integer.

                If omitted or empty, all versions are allowed.
              type: string
            clientID:
              description: |-
                ClientID is the client identifier as provided in the request.

                From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client.

                If omitted or empty, all client identifiers are allowed.
              type: string
            role:
              description: |-
                Role is a case-insensitive string and describes a group of API keys necessary to perform certain higher level Kafka operations such as "produce" or "consume". An APIGroup automatically expands into all APIKeys required to perform the specified higher level operation. The following values are supported:
                - "produce": Allow producing to the topics specified in the rule
                - "consume": Allow consuming from the topics specified in the rule
                This field is incompatible with the APIKey field; either APIKey or Role may be specified. If omitted or empty, the field has no effect and the logic of the APIKey field applies.
              enum:
              - produce
              - consume
              type: string
            topic:
              description: |-
                Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected.

                This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _. Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 the length was changed from 255 to 249. For compatibility reasons we are using 255.

                If omitted or empty, all topics are allowed.
              maxLength: 255
              type: string
          type: object
        PortRuleL7:
          description: PortRuleL7 is a map of {key,value} pairs which is passed to
            the parser referenced in l7proto. It is up to the parser to define what
            to do with the map data. If omitted or empty, all requests are allowed.
            Both keys and values must be strings.
          type: object
        Rule:
          description: |-
            Rule is a policy rule which must be applied to all endpoints which match the labels contained in the endpointSelector.

            Each rule is split into an ingress section which contains all rules applicable at ingress, and an egress section applicable at egress. For rule types such as `L4Rule` and `CIDR` which can be applied at both ingress and egress, both the ingress and the egress side have to either specifically allow the connection or one side has to be omitted.

            Either ingress, egress, or both can be provided. If both ingress and egress are omitted, the rule has no effect.
          properties:
            Description:
              description: Description is a free form string; it can be used by the
                creator of the rule to store a human readable explanation of the purpose
                of this rule. Rules cannot be identified by comment.
              type: string
            egress:
              description: Egress is a list of EgressRule which are enforced at egress.
                If omitted or empty, this rule does not apply at egress.
              items:
                description: |-
                  EgressRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector.

                  - All members of this structure are optional. If omitted or empty, the
                    member will have no effect on the rule.

                  - For now, combining ToPorts and ToCIDR in the same rule is not supported
                    and such rules will be rejected. In the future, this will be supported and
                    if multiple members of the structure are specified, then all members
                    must match in order for the rule to take effect.
                properties:
                  toCIDR:
                    description: |-
                      ToCIDR is a list of IP blocks to which the endpoint subject to the rule is allowed to initiate connections. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet.

                      Example: Any endpoint with the label "app=database-proxy" is allowed to initiate connections to 10.2.3.0/24
                    items:
                      description: CIDR is a CIDR prefix / IP Block.
                      oneOf:
                      - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
                      - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                      type: string
                    type: array
                  toCIDRSet:
                    description: |-
                      ToCIDRSet is a list of IP blocks to which the endpoint subject to the rule is allowed to initiate connections, in addition to connections which are allowed via FromEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet.

                      Example: Any endpoint with the label "app=database-proxy" is allowed to initiate connections to 10.2.3.0/24 except to IPs in subnet 10.2.3.0/28.
                    items:
                      description: CIDRRule is a rule that specifies a CIDR prefix
                        to/from which outside communication is allowed, along with
                        an optional list of subnets within that CIDR prefix to/from
                        which outside communication is not allowed.
                      properties:
                        cidr:
                          description: CIDR is a CIDR prefix / IP Block.
                          oneOf:
                          - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
                          - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                          type: string
                        except:
                          description: ExceptCIDRs is a list of IP blocks which the
                            endpoint subject to the rule is not allowed to initiate
                            connections to. These CIDR prefixes should be contained
                            within Cidr. These exceptions are only applied to the
                            Cidr in this CIDRRule, and do not apply to any other CIDR
                            prefixes in any other CIDRRules.
                          items:
                            description: CIDR is a CIDR prefix / IP Block.
                            oneOf:
                            - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
                            - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                            type: string
                          type: array
                      required:
                      - cidr
                      type: object
                    type: array
                  toEndpoints:
                    description: |-
                      ToEndpoints is a list of endpoints identified by an EndpointSelector with which the endpoint subject to the rule is allowed to communicate.

                      Example: Any endpoint with the label "role=frontend" can be consumed by any endpoint carrying the label "role=backend".
                    items:
                      description: EndpointSelector is a wrapper for k8s LabelSelector.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: A label selector requirement is a selector
                              that contains values, a key, and an operator that relates
                              the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: operator represents a key's relationship
                                  to a set of values. Valid operators are In, NotIn,
                                  Exists and DoesNotExist.
                                enum:
                                - In
                                - NotIn
                                - Exists
                                - DoesNotExist
                                type: string
                              values:
                                description: values is an array of string values.
                                  If the operator is In or NotIn, the values array
                                  must be non-empty. If the operator is Exists or
                                  DoesNotExist, the values array must be empty. This
                                  array is replaced during a strategic merge patch.
                                items:
                                  type: string
                                type: array
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                        matchLabels:
                          description: matchLabels is a map of {key,value} pairs.
                            A single {key,value} in the matchLabels map is equivalent
                            to an element of matchExpressions, whose key field is
                            "key", the operator is "In", and the values array contains
                            only "value". The requirements are ANDed.
                          type: object
                      type: object
                    type: array
                  toEntities:
                    description: ToEntities is a list of special entities to which
                      the endpoint subject to the rule is allowed to initiate connections.
                      Supported entities are `world`, `cluster` and `host`.
                    items:
                      type: string
                    type: array
                  toFQDNs:
                    description: ToFQDNs is a list of rules matching FQDNs with which
                      the endpoint is allowed to communicate.
                    items:
                      description: FQDNRule is a rule that specifies a fully qualified
                        domain name to which outside communication is allowed.
                      properties:
                        matchName:
                          description: MatchName matches an FQDN by exact name.
                          pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])\.?$
                          type: string
                        matchPattern:
                          description: MatchPattern matches an FQDN by pattern.
                          pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9\*][a-zA-Z0-9\-\*]*[a-zA-Z0-9\*])\.)*([A-Za-z0-9\*]|[A-Za-z0-9\*][A-Za-z0-9\-\*]*[A-Za-z0-9\*])\.?$
                          type: string
                      type: object
                    type: array
                  toGroups:
                    description: ToGroups is a list of constraints that will gather
                      data from third-party providers and create a new derived policy.
                    properties:
                      aws:
                        properties:
                          region:
                            description: Region is the key that will filter the AWS EC2
                              instances in the given region.
                            type: string
                          securityGroupsIds:
                            description: SecurityGroupsIds is the list of AWS security
                              group IDs that will filter the instances' IPs from the AWS
                              API.
                            items:
                              type: string
                            type: array
                          securityGroupsNames:
                            description: SecurityGroupsNames is the list of AWS
                              security group names that will filter the instances'
                              IPs from the AWS API.
                            items:
                              type: string
                            type: array
                        type: object
                    type: object
                  toPorts:
                    description: |-
                      ToPorts is a list of destination ports identified by port number and protocol to which the endpoint subject to the rule is allowed to connect.

                      Example: Any endpoint with the label "role=frontend" is allowed to initiate connections to destination port 8080/tcp
                    items:
                      description: PortRule is a list of ports/protocol combinations
                        with optional Layer 7 rules which must be met.
                      properties:
                        ports:
                          description: |-
                            Ports is a list of L4 port/protocol pairs.

                            If omitted or empty but RedirectPort is set, then all ports of the endpoint subject to either the ingress or egress rule are being redirected.
                          items:
                            description: PortProtocol specifies an L4 port with an
                              optional transport protocol
                            properties:
                              port:
                                description: Port is an L4 port number. For now the
                                  string will be strictly parsed as a single uint16.
                                  In the future, this field may support ranges in
                                  the form "1024-2048".
                                pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})$
                                type: string
                              protocol:
                                description: |-
                                  Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: "TCP", "UDP", ""/"ANY"

                                  Matching on ICMP is not supported.
                                enum:
                                - TCP
                                - UDP
                                - ANY
                                type: string
                            required:
                            - port
                            type: object
                          type: array
                        redirectPort:
                          description: RedirectPort is the L4 port to which, if set,
                            all traffic matching the Ports is redirected. Whatever
                            listener is behind that port becomes responsible for
                            enforcing the port rules and for reinjecting all traffic
                            and ensuring it reaches its original destination.
                          format: uint16
                          type: integer
                        rules:
                          description: Rules is a list of additional port level rules
                            which must be met in order for the PortRule to allow the
                            traffic. If omitted or empty, no layer 7 rules are enforced.
                          properties:
                            dns:
                              description: DNS specific rules
                              items:
                                description: FQDNRule is a rule that specifies a
                                  fully qualified domain name to which outside communication
                                  is allowed.
                                properties:
                                  matchName:
                                    description: MatchName matches an FQDN by exact name.
                                    pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])\.?$
                                    type: string
                                  matchPattern:
                                    description: MatchPattern matches an FQDN by pattern.
                                    pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9\*][a-zA-Z0-9\-\*]*[a-zA-Z0-9\*])\.)*([A-Za-z0-9\*]|[A-Za-z0-9\*][A-Za-z0-9\-\*]*[A-Za-z0-9\*])\.?$
                                    type: string
                                type: object
                              type: array
                            http:
                              description: HTTP specific rules.
                              items:
                                description: |-
                                  PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional; if all fields are empty or missing, the rule does not have any effect.

                                  All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1 (i.e. this follows the egrep/unix syntax, not the perl syntax) matched against the corresponding part (host, method, path) of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986.
                                properties:
                                  headers:
                                    description: Headers is a list of HTTP headers
                                      which must be present in the request. If omitted
                                      or empty, requests are allowed regardless of
                                      headers present.
                                    items:
                                      type: string
                                    type: array
                                  host:
                                    description: |-
                                      Host is an extended POSIX regex matched against the host header of a request, e.g. "foo.com"

                                      If omitted or empty, the value of the host header is ignored.
                                    format: idn-hostname
                                    type: string
                                  method:
                                    description: |-
                                      Method is an extended POSIX regex matched against the method of a request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ...

                                      If omitted or empty, all methods are allowed.
                                    type: string
                                  path:
                                    description: |-
                                      Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986.

                                      If omitted or empty, all paths are allowed.
                                    type: string
                                type: object
                              type: array
                            kafka:
                              description: Kafka-specific rules.
                              items:
                                description: PortRuleKafka is a list of Kafka protocol
                                  constraints. All fields are optional; if all fields
                                  are empty or missing, the rule will match all Kafka
                                  messages.
                                properties:
                                  apiKey:
                                    description: |-
                                      APIKey is a case-insensitive string matched against the key of a request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al. Reference: https://kafka.apache.org/protocol#protocol_api_keys

                                      If omitted or empty, all keys are allowed.
                                    type: string
                                  apiVersion:
                                    description: |-
                                      APIVersion is the version matched against the API version of the Kafka message. If set, it has to be a string representing a positive integer.

                                      If omitted or empty, all versions are allowed.
                                    type: string
                                  clientID:
                                    description: |-
                                      ClientID is the client identifier as provided in the request.

                                      From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client.

                                      If omitted or empty, all client identifiers are allowed.
                                    type: string
                                  role:
                                    description: |-
                                      Role is a case-insensitive string and describes a group of API keys necessary to perform certain higher level Kafka operations such as "produce" or "consume". An APIGroup automatically expands into all APIKeys required to perform the specified higher level operation. The following values are supported:
                                      - "produce": Allow producing to the topics specified in the rule
                                      - "consume": Allow consuming from the topics specified in the rule
                                      This field is incompatible with the APIKey field; either APIKey or Role may be specified. If omitted or empty, the field has no effect and the logic of the APIKey field applies.
                                    enum:
                                    - produce
                                    - consume
                                    type: string
                                  topic:
                                    description: |-
                                      Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected.

                                      This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _. Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 the length was changed from 255 to 249. For compatibility reasons we are using 255.

                                      If omitted or empty, all topics are allowed.
                                    maxLength: 255
                                    type: string
                                type: object
                              type: array
                            l7:
                              description: Generic Key-Value pair rules.
                              items:
                                description: PortRuleL7 is a map of {key,value} pairs
                                  which is passed to the parser referenced in l7proto.
                                  It is up to the parser to define what to do with
                                  the map data. If omitted or empty, all requests
                                  are allowed. Both keys and values must be strings.
                                type: object
                              type: array
                            l7proto:
                              description: Parser type name that uses Key-Value pair
                                rules.
                              type: string
                          type: object
                      type: object
                    type: array
                  toRequires:
                    description: |-
                      ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to reach other endpoints. These additional constraints do not by themselves grant access privileges and must always be accompanied by at least one matching FromEndpoints.

                      Example: Any Endpoint with the label "team=A" requires any endpoint to which it communicates to also carry the label "team=A".
                    items:
                      description: EndpointSelector is a wrapper for k8s LabelSelector.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: A label selector requirement is a selector
                              that contains values, a key, and an operator that relates
                              the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: operator represents a key's relationship
                                  to a set of values. Valid operators are In, NotIn,
                                  Exists and DoesNotExist.
                                enum:
                                - In
                                - NotIn
                                - Exists
                                - DoesNotExist
                                type: string
                              values:
                                description: values is an array of string values.
                                  If the operator is In or NotIn, the values array
                                  must be non-empty. If the operator is Exists or
                                  DoesNotExist, the values array must be empty. This
                                  array is replaced during a strategic merge patch.
                                items:
                                  type: string
                                type: array
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                        matchLabels:
                          description: matchLabels is a map of {key,value} pairs.
                            A single {key,value} in the matchLabels map is equivalent
                            to an element of matchExpressions, whose key field is
                            "key", the operator is "In", and the values array contains
                            only "value". The requirements are ANDed.
                          type: object
                      type: object
                    type: array
                  toServices:
                    description: |-
                      ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections.

                      Example: Any endpoint with the label "app=backend-app" is allowed to initiate connections to all cidrs backing the "external-service" service
                    items:
                      description: Service wraps around selectors for services
                      properties:
                        k8sService:
                          description: K8sServiceNamespace is an abstraction for the
                            k8s service + namespace types.
                          properties:
                            namespace:
                              type: string
                            serviceName:
                              type: string
                          type: object
                        k8sServiceSelector:
                          description: K8sServiceSelector selects services by k8s
                            labels. Not supported yet
                          properties:
                            namespace:
                              type: string
                            selector:
                              description: A label selector is a label query over
                                a set of resources. The result of matchLabels and
                                matchExpressions are ANDed. An empty label selector
                                matches all objects. A null label selector matches
                                no objects.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        enum:
                                        - In
                                        - NotIn
                                        - Exists
                                        - DoesNotExist
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                          required:
                          - selector
                          type: object
                      type: object
                    type: array
                type: object
              type: array
            endpointSelector:
              description: EndpointSelector selects all endpoints which should be
                subject to this rule. Cannot be empty.
              properties:
                matchExpressions:
                  description: matchExpressions is a list of label selector requirements.
                    The requirements are ANDed.
                  items:
                    description: A label selector requirement is a selector that contains
                      values, a key, and an operator that relates the key and values.
                    properties:
                      key:
                        description: key is the label key that the selector applies
                          to.
                        type: string
                      operator:
                        description: operator represents a key's relationship to a
                          set of values. Valid operators are In, NotIn, Exists and
                          DoesNotExist.
                        enum:
                        - In
                        - NotIn
                        - Exists
                        - DoesNotExist
                        type: string
                      values:
                        description: values is an array of string values. If the operator
                          is In or NotIn, the values array must be non-empty. If the
                          operator is Exists or DoesNotExist, the values array must
                          be empty. This array is replaced during a strategic merge
                          patch.
                        items:
                          type: string
                        type: array
                    required:
                    - key
                    - operator
                    type: object
                  type: array
                matchLabels:
                  description: matchLabels is a map of {key,value} pairs. A single
                    {key,value} in the matchLabels map is equivalent to an element
                    of matchExpressions, whose key field is "key", the operator is
                    "In", and the values array contains only "value". The requirements
                    are ANDed.
                  type: object
              type: object
            ingress:
              description: Ingress is a list of IngressRule which are enforced at
                ingress. If omitted or empty, this rule does not apply at ingress.
              items:
                description: |-
                  IngressRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the endpointSelector.

                  - All members of this structure are optional. If omitted or empty, the
                    member will have no effect on the rule.

                  - If multiple members are set, all of them need to match in order for
                    the rule to take effect. The exception to this rule is the FromRequires field;
                    the effects of any Requires field in any rule will apply to all other
                    rules as well.

                  - For now, combining ToPorts, FromCIDR, and FromEndpoints in the same rule
                    is not supported and any such rules will be rejected. In the future, this
                    will be supported and if multiple members of this structure are specified,
                    then all members must match in order for the rule to take effect. The
                    exception to this rule is the Requires field; the effects of any Requires
                    field in any rule will apply to all other rules as well.
                properties:
                  fromCIDR:
                    description: |-
                      FromCIDR is a list of IP blocks from which the endpoint subject to the rule is allowed to receive connections. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.

                      Example: Any endpoint with the label "app=my-legacy-pet" is allowed to receive connections from 10.3.9.1/32
                    items:
                      description: CIDR is a CIDR prefix / IP Block.
                      oneOf:
                      - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
                      - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                      type: string
                    type: array
                  fromCIDRSet:
                    description: |-
                      FromCIDRSet is a list of IP blocks from which the endpoint subject to the rule is allowed to receive connections, in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.

                      Example: Any endpoint with the label "app=my-legacy-pet" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.
                    items:
                      description: CIDRRule is a rule that specifies a CIDR prefix
                        to/from which outside communication is allowed, along with
                        an optional list of subnets within that CIDR prefix to/from
                        which outside communication is not allowed.
                      properties:
                        cidr:
                          description: CIDR is a CIDR prefix / IP Block.
                          oneOf:
                          - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
                          - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                          type: string
                        except:
                          description: ExceptCIDRs is a list of IP blocks which the
                            endpoint subject to the rule is not allowed to initiate
                            connections to. These CIDR prefixes should be contained
                            within Cidr. These exceptions are only applied to the
                            Cidr in this CIDRRule, and do not apply to any other CIDR
                            prefixes in any other CIDRRules.
                          items:
                            description: CIDR is a CIDR prefix / IP Block.
                            oneOf:
                            - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
                            - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                            type: string
                          type: array
                      required:
                      - cidr
                      type: object
                    type: array
                  fromEndpoints:
                    description: |-
                      FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule.

                      Example: Any endpoint with the label "role=backend" can be consumed by any endpoint carrying the label "role=frontend".
                    items:
                      description: EndpointSelector is a wrapper for k8s LabelSelector.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: A label selector requirement is a selector
                              that contains values, a key, and an operator that relates
                              the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: operator represents a key's relationship
                                  to a set of values. Valid operators are In, NotIn,
                                  Exists and DoesNotExist.
                                enum:
                                - In
                                - NotIn
                                - Exists
                                - DoesNotExist
                                type: string
                              values:
                                description: values is an array of string values.
                                  If the operator is In or NotIn, the values array
                                  must be non-empty. If the operator is Exists or
                                  DoesNotExist, the values array must be empty. This
                                  array is replaced during a strategic merge patch.
                                items:
                                  type: string
                                type: array
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                        matchLabels:
                          description: matchLabels is a map of {key,value} pairs.
                            A single {key,value} in the matchLabels map is equivalent
                            to an element of matchExpressions, whose key field is
                            "key", the operator is "In", and the values array contains
                            only "value". The requirements are ANDed.
                          type: object
                      type: object
                    type: array
                  fromEntities:
                    description: FromEntities is a list of special entities from which
                      the endpoint subject to the rule is allowed to receive connections.
                      Supported entities are `world`, `cluster`, `host`, and `init`.
                    items:
                      type: string
                    type: array
                  fromRequires:
                    description: |-
                      FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do not by themselves grant access privileges and must always be accompanied by at least one matching FromEndpoints.

                      Example: Any Endpoint with the label "team=A" requires the consuming endpoint to also carry the label "team=A".
                    items:
                      description: EndpointSelector is a wrapper for k8s LabelSelector.
                      properties:
                        matchExpressions:
                          description: matchExpressions is a list of label selector
                            requirements. The requirements are ANDed.
                          items:
                            description: A label selector requirement is a selector
                              that contains values, a key, and an operator that relates
                              the key and values.
                            properties:
                              key:
                                description: key is the label key that the selector
                                  applies to.
                                type: string
                              operator:
                                description: operator represents a key's relationship
                                  to a set of values. Valid operators are In, NotIn,
                                  Exists and DoesNotExist.
                                enum:
                                - In
                                - NotIn
                                - Exists
                                - DoesNotExist
                                type: string
                              values:
                                description: values is an array of string values.
                                  If the operator is In or NotIn, the values array
                                  must be non-empty. If the operator is Exists or
                                  DoesNotExist, the values array must be empty. This
                                  array is replaced during a strategic merge patch.
                                items:
                                  type: string
                                type: array
                            required:
                            - key
                            - operator
                            type: object
                          type: array
                        matchLabels:
                          description: matchLabels is a map of {key,value} pairs.
                            A single {key,value} in the matchLabels map is equivalent
                            to an element of matchExpressions, whose key field is
                            "key", the operator is "In", and the values array contains
                            only "value". The requirements are ANDed.
                          type: object
                      type: object
                    type: array
                  toPorts:
                    description: |-
                      ToPorts is a list of destination ports identified by port number and protocol on which the endpoint subject to the rule is allowed to receive connections.

                      Example: Any endpoint with the label "app=httpd" can only accept incoming connections on port 80/tcp.
                    items:
                      description: PortRule is a list of ports/protocol combinations
                        with optional Layer 7 rules which must be met.
                      properties:
                        ports:
                          description: |-
                            Ports is a list of L4 port/protocol pairs.

                            If omitted or empty but RedirectPort is set, then all ports of the endpoint subject to either the ingress or egress rule are being redirected.
                          items:
                            description: PortProtocol specifies an L4 port with an
                              optional transport protocol
                            properties:
                              port:
                                description: Port is an L4 port number. For now the
                                  string will be strictly parsed as a single uint16.
                                  In the future, this field may support ranges in
                                  the form "1024-2048".
                                pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})$
                                type: string
                              protocol:
                                description: |-
                                  Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: "TCP", "UDP", ""/"ANY"

                                  Matching on ICMP is not supported.
                                enum:
                                - TCP
                                - UDP
                                - ANY
                                type: string
                            required:
                            - port
                            type: object
                          type: array
                        redirectPort:
                          description: RedirectPort is the L4 port to which, if set,
                            all traffic matching the Ports is redirected. Whatever
                            listener is behind that port becomes responsible for
                            enforcing the port rules and for reinjecting all traffic
                            and ensuring it reaches its original destination.
                          format: uint16
                          type: integer
                        rules:
                          description: Rules is a list of additional port level rules
                            which must be met in order for the PortRule to allow the
                            traffic. If omitted or empty, no layer 7 rules are enforced.
                          properties:
                            dns:
                              description: DNS specific rules
                              items:
                                description: FQDNRule is a rule that specifies a
                                  fully qualified domain name to which outside communication
                                  is allowed.
                                properties:
                                  matchName:
                                    description: MatchName matches an FQDN by exact name.
                                    pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])\.?$
                                    type: string
                                  matchPattern:
                                    description: MatchPattern matches an FQDN by pattern.
                                    pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9\*][a-zA-Z0-9\-\*]*[a-zA-Z0-9\*])\.)*([A-Za-z0-9\*]|[A-Za-z0-9\*][A-Za-z0-9\-\*]*[A-Za-z0-9\*])\.?$
                                    type: string
                                type: object
                              type: array
                            http:
                              description: HTTP specific rules.
                              items:
                                description: |-
                                  PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional; if all fields are empty or missing, the rule does not have any effect.

                                  All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1 (i.e. this follows the egrep/unix syntax, not the perl syntax) matched against the corresponding part (host, method, path) of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986.
                                properties:
                                  headers:
                                    description: Headers is a list of HTTP headers
                                      which must be present in the request. If omitted
                                      or empty, requests are allowed regardless of
                                      headers present.
                                    items:
                                      type: string
                                    type: array
                                  host:
                                    description: |-
                                      Host is an extended POSIX regex matched against the host header of a request, e.g. "foo.com"

                                      If omitted or empty, the value of the host header is ignored.
                                    format: idn-hostname
                                    type: string
                                  method:
                                    description: |-
                                      Method is an extended POSIX regex matched against the method of a request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ...

                                      If omitted or empty, all methods are allowed.
                                    type: string
                                  path:
                                    description: |-
                                      Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986.

                                      If omitted or empty, all paths are allowed.
                                    type: string
                                type: object
                              type: array
                            kafka:
                              description: Kafka-specific rules.
                              items:
                                description: PortRuleKafka is a list of Kafka protocol
                                  constraints. All fields are optional; if all fields
                                  are empty or missing, the rule will match all Kafka
                                  messages.
                                properties:
                                  apiKey:
                                    description: |-
                                      APIKey is a case-insensitive string matched against the key of a request, e.g.
"produce", "fetch", "createtopic", "deletetopic", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys 2257 2258 If omitted or empty, all keys are allowed. 2259 type: string 2260 apiVersion: 2261 description: |- 2262 APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer. 2263 2264 If omitted or empty, all versions are allowed. 2265 type: string 2266 clientID: 2267 description: |- 2268 ClientID is the client identifier as provided in the request. 2269 2270 From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client. 2271 2272 If omitted or empty, all client identifiers are allowed. 2273 type: string 2274 role: 2275 description: 'Role is a case-insensitive string 2276 and describes a group of API keysnecessary to 2277 perform certain higher level Kafka operations 2278 such as"produce" or "consume". An APIGroup automatically 2279 expands into all APIKeysrequired to perform 2280 the specified higher level operation.The following 2281 values are supported:- "produce": Allow producing 2282 to the topics specified in the rule- "consume": 2283 Allow consuming from the topics specified in 2284 the ruleThis field is incompatible with the 2285 APIKey field, either APIKey or Rolemay be specified. 2286 If omitted or empty, the field has no effect 2287 and the logic of the APIKey field applies.' 2288 enum: 2289 - produce 2290 - consume 2291 type: string 2292 topic: 2293 description: |- 2294 Topic is the topic name contained in the message. 
If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected. 2295 2296 This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _ Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. For compatibility reasons we are using 255 2297 2298 If omitted or empty, all topics are allowed. 2299 maxLength: 255 2300 type: string 2301 type: object 2302 type: array 2303 l7: 2304 description: Generic Key-Value pair rules. 2305 items: 2306 description: PortRuleL7 is a map of {key,value} pairs 2307 which is passed to the parser referenced in l7proto. 2308 It is up to the parser to define what to do with 2309 the map data. If omitted or empty, all requests 2310 are allowed. Both keys and values must be strings. 2311 type: object 2312 type: array 2313 l7proto: 2314 description: Parser type name that uses Key-Value pair 2315 rules. 2316 type: string 2317 type: object 2318 type: object 2319 type: array 2320 type: object 2321 type: array 2322 labels: 2323 description: Labels is a list of optional strings which can be used 2324 to re-identify the rule or to store metadata. It is possible to lookup 2325 or delete strings based on labels. Labels are not required to be unique, 2326 multiple rules can have overlapping or identical labels. 2327 items: 2328 description: Label is the cilium's representation of a container label. 
                properties:
                  key:
                    type: string
                  source:
                    description: 'Source can be one of the values present in const.go (e.g.: LabelSourceContainer)'
                    type: string
                  value:
                    type: string
                required:
                - key
                type: object
              type: array
          required:
          - endpointSelector
          type: object
        Service:
          description: Service wraps around selectors for services
          properties:
            k8sService:
              description: K8sServiceNamespace is an abstraction for the k8s service + namespace types.
              properties:
                namespace:
                  type: string
                serviceName:
                  type: string
              type: object
            k8sServiceSelector:
              description: K8sServiceSelector selects services by k8s labels. Not supported yet
              properties:
                namespace:
                  type: string
                selector:
                  description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
                  properties:
                    matchExpressions:
                      description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                      items:
                        description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                        properties:
                          key:
                            description: key is the label key that the selector applies to.
                            type: string
                          operator:
                            description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                            enum:
                            - In
                            - NotIn
                            - Exists
                            - DoesNotExist
                            type: string
                          values:
                            description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                            items:
                              type: string
                            type: array
                        required:
                        - key
                        - operator
                        type: object
                      type: array
                    matchLabels:
                      description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                      type: object
                  type: object
              required:
              - selector
              type: object
          type: object
        ServiceSelector:
          description: ServiceSelector is a label selector for k8s services
          properties:
            namespace:
              type: string
            selector:
              description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
              properties:
                matchExpressions:
                  description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                  items:
                    description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                    properties:
                      key:
                        description: key is the label key that the selector applies to.
                        type: string
                      operator:
                        description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                        enum:
                        - In
                        - NotIn
                        - Exists
                        - DoesNotExist
                        type: string
                      values:
                        description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                        items:
                          type: string
                        type: array
                    required:
                    - key
                    - operator
                    type: object
                  type: array
                matchLabels:
                  description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                  type: object
              type: object
          required:
          - selector
          type: object
        spec:
          description: |-
            Rule is a policy rule which must be applied to all endpoints which match the labels contained in the endpointSelector

            Each rule is split into an ingress section which contains all rules applicable at ingress, and an egress section applicable at egress. For rule types such as `L4Rule` and `CIDR` which can be applied at both ingress and egress, both ingress and egress side have to either specifically allow the connection or one side has to be omitted.

            Either ingress, egress, or both can be provided. If both ingress and egress are omitted, the rule has no effect.
          properties:
            Description:
              description: Description is a free form string, it can be used by the creator of the rule to store human readable explanation of the purpose of this rule. Rules cannot be identified by comment.
              type: string
            egress:
              description: Egress is a list of EgressRule which are enforced at egress. If omitted or empty, this rule does not apply at egress.
              items:
                description: |-
                  EgressRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector.

                  - All members of this structure are optional. If omitted or empty, the member will have no effect on the rule.
2496 2497 - For now, combining ToPorts and ToCIDR in the same rule is not supported 2498 and such rules will be rejected. In the future, this will be supported and 2499 if if multiple members of the structure are specified, then all members 2500 must match in order for the rule to take effect. 2501 properties: 2502 toCIDR: 2503 description: |- 2504 ToCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. 2505 2506 Example: Any endpoint with the label "app=database-proxy" is allowed to initiate connections to 10.2.3.0/24 2507 items: 2508 description: CIDR is a CIDR prefix / IP Block. 2509 oneOf: 2510 - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$ 2511 - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ 2512 type: string 2513 type: array 2514 toCIDRSet: 2515 description: |- 2516 ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via FromEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. 
Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. 2517 2518 Example: Any endpoint with the label "app=database-proxy" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28. 2519 items: 2520 description: CIDRRule is a rule that specifies a CIDR prefix 2521 to/from which outside communication is allowed, along with 2522 an optional list of subnets within that CIDR prefix to/from 2523 which outside communication is not allowed. 2524 properties: 2525 cidr: 2526 description: CIDR is a CIDR prefix / IP Block. 2527 oneOf: 2528 - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$ 2529 - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ 2530 type: string 2531 except: 2532 description: ExceptCIDRs is a list of IP blocks which the 2533 endpoint subject to the rule is not allowed to initiate 2534 connections to. These CIDR prefixes should be contained 2535 within Cidr. These exceptions are only applied to the 2536 Cidr in this CIDRRule, and do not apply to any other CIDR 2537 prefixes in any other CIDRRules. 2538 items: 2539 description: CIDR is a CIDR prefix / IP Block. 
2540 oneOf: 2541 - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$ 2542 - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ 2543 type: string 2544 type: array 2545 required: 2546 - cidr 2547 type: object 2548 type: array 2549 toEndpoints: 2550 description: |- 2551 ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoint subject to the ruleis allowed to communicate. 2552 2553 Example: Any endpoint with the label "role=frontend" can be consumed by any endpoint carrying the label "role=backend". 2554 items: 2555 description: A label selector is a label query over a set of 2556 resources. The result of matchLabels and matchExpressions 2557 are ANDed. An empty label selector matches all objects. A 2558 null label selector matches no objects. 2559 properties: 2560 matchExpressions: 2561 description: matchExpressions is a list of label selector 2562 requirements. The requirements are ANDed. 2563 items: 2564 description: A label selector requirement is a selector 2565 that contains values, a key, and an operator that relates 2566 the key and values. 2567 properties: 2568 key: 2569 description: key is the label key that the selector 2570 applies to. 2571 type: string 2572 operator: 2573 description: operator represents a key's relationship 2574 to a set of values. Valid operators are In, NotIn, 2575 Exists and DoesNotExist. 
2576 enum: 2577 - In 2578 - NotIn 2579 - Exists 2580 - DoesNotExist 2581 type: string 2582 values: 2583 description: values is an array of string values. 2584 If the operator is In or NotIn, the values array 2585 must be non-empty. If the operator is Exists or 2586 DoesNotExist, the values array must be empty. This 2587 array is replaced during a strategic merge patch. 2588 items: 2589 type: string 2590 type: array 2591 required: 2592 - key 2593 - operator 2594 type: object 2595 type: array 2596 matchLabels: 2597 description: matchLabels is a map of {key,value} pairs. 2598 A single {key,value} in the matchLabels map is equivalent 2599 to an element of matchExpressions, whose key field is 2600 "key", the operator is "In", and the values array contains 2601 only "value". The requirements are ANDed. 2602 type: object 2603 type: object 2604 type: array 2605 toEntities: 2606 description: ToEntities is a list of special entities to which 2607 the endpoint subject to the rule is allowed to initiate connections. 
2608 Supported entities are `world`, `cluster` and `host` 2609 items: 2610 type: string 2611 type: array 2612 toFQDNs: 2613 description: "ToFQDNs is a list of rules matching fqdns that endpoint\n\t\t\t\tis 2614 allowed to communicate with" 2615 items: 2616 description: FQDNRule is a rule that specifies an fully qualified 2617 domain name to which outside communication is allowed 2618 properties: 2619 matchName: 2620 description: MatchName matches fqdn name 2621 pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])\.?$ 2622 type: string 2623 matchPattern: 2624 description: MatchPattern matches fqdn by pattern 2625 pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9\*][a-zA-Z0-9\-\*]*[a-zA-Z0-9\*])\.)*([A-Za-z0-9\*]|[A-Za-z0-9\*][A-Za-z0-9\-\*]*[A-Za-z0-9\*])\.?$ 2626 type: string 2627 type: object 2628 type: array 2629 toGroups: 2630 description: "ToGroups is a list of constraints that will\n\t\t\t\tgather 2631 data from third-party providers and create a new\n\t\t\t\tderived 2632 policy." 2633 properties: 2634 aws: 2635 properties: 2636 region: 2637 description: "Region is the key that will filter the AWS 2638 EC2\n\t\t\t\tinstances in the given region" 2639 type: string 2640 securityGroupsIds: 2641 description: "SecurityGroupsIds is the list of AWS security\n\t\t\t\tgroup 2642 IDs that will filter the instances IPs from the AWS 2643 API" 2644 items: 2645 type: string 2646 type: array 2647 securityGroupsNames: 2648 description: "SecurityGroupsNames is the list of AWS 2649 security\n\t\t\t\tgroup names that will filter the instances 2650 IPs from the AWS API" 2651 items: 2652 type: string 2653 type: array 2654 type: object 2655 type: object 2656 toPorts: 2657 description: |- 2658 ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to connect to. 
2659 2660 Example: Any endpoint with the label "role=frontend" is allowed to initiate connections to destination port 8080/tcp 2661 items: 2662 description: PortRule is a list of ports/protocol combinations 2663 with optional Layer 7 rules which must be met. 2664 properties: 2665 ports: 2666 description: |- 2667 Ports is a list of L4 port/protocol 2668 2669 If omitted or empty but RedirectPort is set, then all ports of the endpoint subject to either the ingress or egress rule are being redirected. 2670 items: 2671 description: PortProtocol specifies an L4 port with an 2672 optional transport protocol 2673 properties: 2674 port: 2675 description: Port is an L4 port number. For now the 2676 string will be strictly parsed as a single uint16. 2677 In the future, this field may support ranges in 2678 the form "1024-2048 2679 pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})$ 2680 type: string 2681 protocol: 2682 description: 'Protocol is the L4 protocol. If omitted 2683 or empty, any protocol matches. Accepted values: 2684 "TCP", "UDP", ""/"ANY"\n\nMatching on ICMP is not 2685 supported.' 2686 enum: 2687 - TCP 2688 - UDP 2689 - ANY 2690 type: string 2691 required: 2692 - port 2693 type: object 2694 type: array 2695 redirectPort: 2696 description: RedirectPort is the L4 port which, if set, 2697 all traffic matching the Ports is being redirected to. 2698 Whatever listener behind that port becomes responsible 2699 to enforce the port rules and is also responsible to reinject 2700 all traffic back and ensure it reaches its original destination. 2701 format: uint16 2702 type: integer 2703 rules: 2704 description: L7Rules is a union of port level rule types. 2705 Mixing of different port level rule types is disallowed, 2706 so exactly one of the following must be set. If none are 2707 specified, then no additional port level rules are applied. 
2708 properties: 2709 dns: 2710 description: DNS specific rules 2711 items: 2712 description: FQDNRule is a rule that specifies an 2713 fully qualified domain name to which outside communication 2714 is allowed 2715 properties: 2716 matchName: 2717 description: MatchName matches fqdn name 2718 pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])\.?$ 2719 type: string 2720 matchPattern: 2721 description: MatchPattern matches fqdn by pattern 2722 pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9\*][a-zA-Z0-9\-\*]*[a-zA-Z0-9\*])\.)*([A-Za-z0-9\*]|[A-Za-z0-9\*][A-Za-z0-9\-\*]*[A-Za-z0-9\*])\.?$ 2723 type: string 2724 type: object 2725 type: array 2726 http: 2727 description: HTTP specific rules. 2728 items: 2729 description: |- 2730 PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect. 2731 2732 All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. 2733 properties: 2734 headers: 2735 description: Headers is a list of HTTP headers 2736 which must be present in the request. If omitted 2737 or empty, requests are allowed regardless of 2738 headers present. 2739 items: 2740 type: string 2741 type: array 2742 host: 2743 description: |- 2744 Host is an extended POSIX regex matched against the host header of a request, e.g. "foo.com" 2745 2746 If omitted or empty, the value of the host header is ignored. 2747 format: idn-hostname 2748 type: string 2749 method: 2750 description: |- 2751 Method is an extended POSIX regex matched against the method of a request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ... 2752 2753 If omitted or empty, all methods are allowed. 
2754 type: string 2755 path: 2756 description: |- 2757 Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. 2758 2759 If omitted or empty, all paths are all allowed. 2760 type: string 2761 type: object 2762 type: array 2763 kafka: 2764 description: Kafka-specific rules. 2765 items: 2766 description: PortRuleKafka is a list of Kafka protocol 2767 constraints. All fields are optional, if all fields 2768 are empty or missing, the rule will match all Kafka 2769 messages. 2770 properties: 2771 apiKey: 2772 description: |- 2773 APIKey is a case-insensitive string matched against the key of a request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys 2774 2775 If omitted or empty, all keys are allowed. 2776 type: string 2777 apiVersion: 2778 description: |- 2779 APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer. 2780 2781 If omitted or empty, all versions are allowed. 2782 type: string 2783 clientID: 2784 description: |- 2785 ClientID is the client identifier as provided in the request. 2786 2787 From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client. 2788 2789 If omitted or empty, all client identifiers are allowed. 
2790 type: string 2791 role: 2792 description: 'Role is a case-insensitive string 2793 and describes a group of API keysnecessary to 2794 perform certain higher level Kafka operations 2795 such as"produce" or "consume". An APIGroup automatically 2796 expands into all APIKeysrequired to perform 2797 the specified higher level operation.The following 2798 values are supported:- "produce": Allow producing 2799 to the topics specified in the rule- "consume": 2800 Allow consuming from the topics specified in 2801 the ruleThis field is incompatible with the 2802 APIKey field, either APIKey or Rolemay be specified. 2803 If omitted or empty, the field has no effect 2804 and the logic of the APIKey field applies.' 2805 enum: 2806 - produce 2807 - consume 2808 type: string 2809 topic: 2810 description: |- 2811 Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected. 2812 2813 This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _ Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. For compatibility reasons we are using 255 2814 2815 If omitted or empty, all topics are allowed. 2816 maxLength: 255 2817 type: string 2818 type: object 2819 type: array 2820 l7: 2821 description: Generic Key-Value pair rules. 2822 items: 2823 description: PortRuleL7 is a map of {key,value} pairs 2824 which is passed to the parser referenced in l7proto. 2825 It is up to the parser to define what to do with 2826 the map data. If omitted or empty, all requests 2827 are allowed. Both keys and values must be strings. 2828 type: object 2829 type: array 2830 l7proto: 2831 description: Parser type name that uses Key-Value pair 2832 rules. 
2833 type: string 2834 type: object 2835 type: object 2836 type: array 2837 toRequires: 2838 description: |- 2839 ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to reach other endpoints. These additional constraints do not by themselves grant access privileges and must always be accompanied with at least one matching FromEndpoints. 2840 2841 Example: Any Endpoint with the label "team=A" requires any endpoint to which it communicates to also carry the label "team=A". 2842 items: 2843 description: A label selector is a label query over a set of 2844 resources. The result of matchLabels and matchExpressions 2845 are ANDed. An empty label selector matches all objects. A 2846 null label selector matches no objects. 2847 properties: 2848 matchExpressions: 2849 description: matchExpressions is a list of label selector 2850 requirements. The requirements are ANDed. 2851 items: 2852 description: A label selector requirement is a selector 2853 that contains values, a key, and an operator that relates 2854 the key and values. 2855 properties: 2856 key: 2857 description: key is the label key that the selector 2858 applies to. 2859 type: string 2860 operator: 2861 description: operator represents a key's relationship 2862 to a set of values. Valid operators are In, NotIn, 2863 Exists and DoesNotExist. 2864 enum: 2865 - In 2866 - NotIn 2867 - Exists 2868 - DoesNotExist 2869 type: string 2870 values: 2871 description: values is an array of string values. 2872 If the operator is In or NotIn, the values array 2873 must be non-empty. If the operator is Exists or 2874 DoesNotExist, the values array must be empty. This 2875 array is replaced during a strategic merge patch. 2876 items: 2877 type: string 2878 type: array 2879 required: 2880 - key 2881 - operator 2882 type: object 2883 type: array 2884 matchLabels: 2885 description: matchLabels is a map of {key,value} pairs. 
2886 A single {key,value} in the matchLabels map is equivalent 2887 to an element of matchExpressions, whose key field is 2888 "key", the operator is "In", and the values array contains 2889 only "value". The requirements are ANDed. 2890 type: object 2891 type: object 2892 type: array 2893 toServices: 2894 description: |- 2895 ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. 2896 2897 Example: Any endpoint with the label "app=backend-app" is allowed to initiate connections to all cidrs backing the "external-service" service 2898 items: 2899 description: Service wraps around selectors for services 2900 properties: 2901 k8sService: 2902 description: K8sServiceNamespace is an abstraction for the 2903 k8s service + namespace types. 2904 properties: 2905 namespace: 2906 type: string 2907 serviceName: 2908 type: string 2909 type: object 2910 k8sServiceSelector: 2911 description: ServiceSelector is a label selector for k8s 2912 services 2913 properties: 2914 namespace: 2915 type: string 2916 selector: 2917 description: A label selector is a label query over 2918 a set of resources. The result of matchLabels and 2919 matchExpressions are ANDed. An empty label selector 2920 matches all objects. A null label selector matches 2921 no objects. 2922 properties: 2923 matchExpressions: 2924 description: matchExpressions is a list of label 2925 selector requirements. The requirements are ANDed. 2926 items: 2927 description: A label selector requirement is a 2928 selector that contains values, a key, and an 2929 operator that relates the key and values. 2930 properties: 2931 key: 2932 description: key is the label key that the 2933 selector applies to. 2934 type: string 2935 operator: 2936 description: operator represents a key's relationship 2937 to a set of values. Valid operators are 2938 In, NotIn, Exists and DoesNotExist. 
                                          enum:
                                          - In
                                          - NotIn
                                          - Exists
                                          - DoesNotExist
                                          type: string
                                        values:
                                          description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                          items:
                                            type: string
                                          type: array
                                      required:
                                      - key
                                      - operator
                                      type: object
                                    type: array
                                  matchLabels:
                                    description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                                    type: object
                                type: object
                            required:
                            - selector
                            type: object
                        type: object
                      type: array
                  type: object
                type: array
              endpointSelector:
                description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
                properties:
                  matchExpressions:
                    description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                    items:
                      description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                      properties:
                        key:
                          description: key is the label key that the selector applies to.
                          type: string
                        operator:
                          description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                          enum:
                          - In
                          - NotIn
                          - Exists
                          - DoesNotExist
                          type: string
                        values:
                          description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                          items:
                            type: string
                          type: array
                      required:
                      - key
                      - operator
                      type: object
                    type: array
                  matchLabels:
                    description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                    type: object
                type: object
              ingress:
                description: Ingress is a list of IngressRule which are enforced at ingress. If omitted or empty, this rule does not apply at ingress.
                items:
                  description: |-
                    IngressRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the endpointSelector.

                    - All members of this structure are optional. If omitted or empty, the
                      member will have no effect on the rule.

                    - If multiple members are set, all of them need to match in order for
                      the rule to take effect. The exception to this rule is the FromRequires field;
                      the effects of any Requires field in any rule will apply to all other
                      rules as well.

                    - For now, combining ToPorts, FromCIDR, and FromEndpoints in the same rule
                      is not supported and any such rules will be rejected. In the future, this
                      will be supported and if multiple members of this structure are specified,
                      then all members must match in order for the rule to take effect. The
                      exception to this rule is the Requires field; the effects of any Requires
                      field in any rule will apply to all other rules as well.
                  properties:
                    fromCIDR:
                      description: |-
                        FromCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExceptCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.

                        Example: Any endpoint with the label "app=my-legacy-pet" is allowed to receive connections from 10.3.9.1
                      items:
                        description: CIDR is a CIDR prefix / IP Block.
                        oneOf:
                        - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
                        - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                        type: string
                      type: array
                    fromCIDRSet:
                      description: |-
                        FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExceptCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.

                        Example: Any endpoint with the label "app=my-legacy-pet" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.
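The fromCIDR/fromCIDRSet semantics spelled out above are easy to misread when auditing a policy: a prefix in either list admits the source, an `except` list carves holes only out of its own CIDRRule, and the two lists may overlap, so an address excluded by one CIDRRule can still be admitted by a fromCIDR entry or another CIDRRule. The Python below is an added illustration written for this page, not Cilium's datapath or validation code. It evaluates a source address against a constructed ingress rule the way the descriptions say the rule should behave, and separately reports `except` prefixes that are not contained in their `cidr`, a constraint the schema states but OpenAPI cannot enforce. The rule shape, the helper names and the sample addresses are assumptions made here.

```python
import ipaddress
from typing import Iterable, List, Mapping, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample, not from the page: the fromCIDRSet example above
# (10.0.0.0/8 except 10.96.0.0/12) plus a fromCIDR entry that overlaps the
# excluded subnet and an IPv6 CIDRRule without exceptions.
SAMPLE_INGRESS_RULE = {
    "fromCIDR": ["10.96.1.0/24"],
    "fromCIDRSet": [
        {"cidr": "10.0.0.0/8", "except": ["10.96.0.0/12"]},
        {"cidr": "2001:db8::/32"},
    ],
}


def _net(prefix: str) -> Network:
    # strict=False: the schema only checks the string shape, so a prefix with
    # host bits set (10.3.9.1/8) must still be accepted and masked here.
    return ipaddress.ip_network(prefix, strict=False)


def validate_cidr_set(cidr_set: Iterable[Mapping]) -> List[str]:
    """Report `except` prefixes that are not contained in their own cidr.

    The schema text says they "should be contained within Cidr" but cannot
    express that, so the check has to happen in review or at admission.
    """
    problems: List[str] = []
    for rule in cidr_set:
        outer = _net(rule["cidr"])
        for ex in rule.get("except", []):
            inner = _net(ex)
            if inner.version != outer.version or not inner.subnet_of(outer):
                problems.append(f"except {ex} is not within cidr {rule['cidr']}")
    return problems


def source_allowed(rule: Mapping, src: str) -> Tuple[bool, str]:
    """Decide whether source address `src` is admitted by the L3 CIDR members
    of one ingress rule, returning (decision, reason)."""
    ip = ipaddress.ip_address(src)

    # fromCIDR entries behave like CIDRRules with an empty except list.
    # (`ip in net` is False, not an error, when the IP versions differ.)
    for prefix in rule.get("fromCIDR", []):
        if ip in _net(prefix):
            return True, f"matched fromCIDR {prefix}"

    # Each CIDRRule is evaluated on its own: its except list carves holes out
    # of that cidr only, never out of other CIDRRules or fromCIDR entries.
    for cr in rule.get("fromCIDRSet", []):
        if ip not in _net(cr["cidr"]):
            continue
        if any(ip in _net(ex) for ex in cr.get("except", [])):
            continue  # excluded here, but another entry may still admit it
        return True, f"matched fromCIDRSet {cr['cidr']}"

    return False, "no matching fromCIDR/fromCIDRSet entry"


if __name__ == "__main__":
    for addr in ("10.3.9.1", "10.100.0.7", "10.96.1.5", "2001:db8::1", "192.0.2.1"):
        print(addr, source_allowed(SAMPLE_INGRESS_RULE, addr))
    print(validate_cidr_set([{"cidr": "10.0.0.0/8", "except": ["192.168.0.0/16"]}]))
```

The interesting case is 10.96.1.5: it sits inside the excluded 10.96.0.0/12, yet the policy still admits it through the overlapping fromCIDR entry, which is exactly what "overlaps are allowed" and "exceptions are only applied to the Cidr in this CIDRRule" add up to. A reviewer who wants the exclusion to hold has to make sure no other L3 member re-admits the range.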
                      items:
                        description: CIDRRule is a rule that specifies a CIDR prefix to/from which outside communication is allowed, along with an optional list of subnets within that CIDR prefix to/from which outside communication is not allowed.
                        properties:
                          cidr:
                            description: CIDR is a CIDR prefix / IP Block.
                            oneOf:
                            - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
                            - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                            type: string
                          except:
                            description: ExceptCIDRs is a list of IP blocks from which the endpoint subject to the rule is not allowed to receive connections. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.
                            items:
                              description: CIDR is a CIDR prefix / IP Block.
                              oneOf:
                              - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
                              - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                              type: string
                            type: array
                        required:
                        - cidr
                        type: object
                      type: array
                    fromEndpoints:
                      description: |-
                        FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule.

                        Example: Any endpoint with the label "role=backend" can be consumed by any endpoint carrying the label "role=frontend".
                      items:
                        description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                  items:
                                    type: string
                                  type: array
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                          matchLabels:
                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    fromEntities:
                      description: FromEntities is a list of special entities which the endpoint subject to the rule is allowed to receive connections from. Supported entities are `world`, `cluster`, `host`, and `init`.
                      items:
                        type: string
                      type: array
                    fromRequires:
                      description: |-
                        FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do not by themselves grant access privileges and must always be accompanied with at least one matching FromEndpoints.

                        Example: Any endpoint with the label "team=A" requires the consuming endpoint to also carry the label "team=A".
                      items:
                        description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
                        properties:
                          matchExpressions:
                            description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                            items:
                              description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                              properties:
                                key:
                                  description: key is the label key that the selector applies to.
                                  type: string
                                operator:
                                  description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                  enum:
                                  - In
                                  - NotIn
                                  - Exists
                                  - DoesNotExist
                                  type: string
                                values:
                                  description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                  items:
                                    type: string
                                  type: array
                              required:
                              - key
                              - operator
                              type: object
                            type: array
                          matchLabels:
                            description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                            type: object
                        type: object
                      type: array
                    toPorts:
                      description: |-
                        ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to receive connections on.

                        Example: Any endpoint with the label "app=httpd" can only accept incoming connections on port 80/tcp.
                      items:
                        description: PortRule is a list of ports/protocol combinations with optional Layer 7 rules which must be met.
                        properties:
                          ports:
                            description: |-
                              Ports is a list of L4 port/protocol pairs.

                              If omitted or empty but RedirectPort is set, then all ports of the endpoint subject to either the ingress or egress rule are being redirected.
                            items:
                              description: PortProtocol specifies an L4 port with an optional transport protocol.
                              properties:
                                port:
                                  description: Port is an L4 port number. For now the string will be strictly parsed as a single uint16. In the future, this field may support ranges in the form "1024-2048".
                                  pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})$
                                  type: string
                                protocol:
                                  description: |-
                                    Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: "TCP", "UDP", ""/"ANY"

                                    Matching on ICMP is not supported.
                                  enum:
                                  - TCP
                                  - UDP
                                  - ANY
                                  type: string
                              required:
                              - port
                              type: object
                            type: array
                          redirectPort:
                            description: RedirectPort is the L4 port which, if set, all traffic matching the Ports is being redirected to. Whatever listener is behind that port becomes responsible for enforcing the port rules and is also responsible for reinjecting all traffic back and ensuring it reaches its original destination.
                            format: uint16
                            type: integer
                          rules:
                            description: L7Rules is a union of port level rule types. Mixing of different port level rule types is disallowed, so at most one of the following may be set. If none are specified, then no additional port level rules are applied.
                            properties:
                              dns:
                                description: DNS specific rules.
                                items:
                                  description: FQDNRule is a rule that specifies a fully qualified domain name to which outside communication is allowed.
                                  properties:
                                    matchName:
                                      description: MatchName matches an FQDN by name.
                                      pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])\.?$
                                      type: string
                                    matchPattern:
                                      description: MatchPattern matches an FQDN by pattern.
                                      pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9\*][a-zA-Z0-9\-\*]*[a-zA-Z0-9\*])\.)*([A-Za-z0-9\*]|[A-Za-z0-9\*][A-Za-z0-9\-\*]*[A-Za-z0-9\*])\.?$
                                      type: string
                                  type: object
                                type: array
                              http:
                                description: HTTP specific rules.
                                items:
                                  description: |-
                                    PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional; if all fields are empty or missing, the rule does not have any effect.

                                    All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1 (i.e. this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986.
                                  properties:
                                    headers:
                                      description: Headers is a list of HTTP headers which must be present in the request. If omitted or empty, requests are allowed regardless of headers present.
                                      items:
                                        type: string
                                      type: array
                                    host:
                                      description: |-
                                        Host is an extended POSIX regex matched against the host header of a request, e.g. "foo.com"

                                        If omitted or empty, the value of the host header is ignored.
                                      format: idn-hostname
                                      type: string
                                    method:
                                      description: |-
                                        Method is an extended POSIX regex matched against the method of a request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ...

                                        If omitted or empty, all methods are allowed.
                                      type: string
                                    path:
                                      description: |-
                                        Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986.

                                        If omitted or empty, all paths are allowed.
                                      type: string
                                  type: object
                                type: array
                              kafka:
                                description: Kafka-specific rules.
                                items:
                                  description: PortRuleKafka is a list of Kafka protocol constraints. All fields are optional; if all fields are empty or missing, the rule will match all Kafka messages.
                                  properties:
                                    apiKey:
                                      description: |-
                                        APIKey is a case-insensitive string matched against the key of a request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al. Reference: https://kafka.apache.org/protocol#protocol_api_keys

                                        If omitted or empty, all keys are allowed.
                                      type: string
                                    apiVersion:
                                      description: |-
                                        APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer.

                                        If omitted or empty, all versions are allowed.
                                      type: string
                                    clientID:
                                      description: |-
                                        ClientID is the client identifier as provided in the request.

                                        From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client.

                                        If omitted or empty, all client identifiers are allowed.
                                      type: string
                                    role:
                                      description: |-
                                        Role is a case-insensitive string and describes a group of API keys necessary to perform certain higher level Kafka operations such as "produce" or "consume". An APIGroup automatically expands into all APIKeys required to perform the specified higher level operation.

                                        The following values are supported:
                                        - "produce": Allow producing to the topics specified in the rule
                                        - "consume": Allow consuming from the topics specified in the rule

                                        This field is incompatible with the APIKey field; either APIKey or Role may be specified. If omitted or empty, the field has no effect and the logic of the APIKey field applies.
                                      enum:
                                      - produce
                                      - consume
                                      type: string
                                    topic:
                                      description: |-
                                        Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected.

                                        This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _. Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 the length was changed from 255 to 249. For compatibility reasons we are using 255.

                                        If omitted or empty, all topics are allowed.
                                      maxLength: 255
                                      type: string
                                  type: object
                                type: array
                              l7:
                                description: Generic Key-Value pair rules.
                                items:
                                  description: PortRuleL7 is a map of {key,value} pairs which is passed to the parser referenced in l7proto. It is up to the parser to define what to do with the map data. If omitted or empty, all requests are allowed. Both keys and values must be strings.
                                  type: object
                                type: array
                              l7proto:
                                description: Parser type name that uses Key-Value pair rules.
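The PortRule constraints laid out above are the ones most often violated in hand-written policies: `port` is a string that must parse as a single uint16 (a bare YAML integer or a range fails the pattern), `protocol` is restricted to the enum, the L7 `rules` member is a union so only one of dns/http/kafka/l7 may be set, and a Kafka rule may carry `role` or `apiKey` but not both. The Python below is an added example written for this page, not Cilium's own sanitize or admission code; it checks constructed PortRule objects against those constraints using the port regex from the schema. Field names follow the CRD; the sample rules, the function name and the error wording are assumptions made here.

```python
import re
from typing import List, Mapping

# The `port` pattern exactly as the schema above states it: one uint16.
PORT_PATTERN = re.compile(
    r"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})$"
)
# The schema's enum. It does not contain the "" that the description mentions,
# so an explicit empty string would fail server-side validation.
PROTOCOLS = {"TCP", "UDP", "ANY"}
L7_RULE_TYPES = ("dns", "http", "kafka", "l7")

# Constructed samples, not from the page: the "app=httpd" rule from the
# ToPorts description, and a rule that breaks several constraints at once.
GOOD_HTTP_RULE = {
    "ports": [{"port": "80", "protocol": "TCP"}],
    "rules": {"http": [{"method": "GET", "path": "/public/.*"}]},
}
BAD_MIXED_RULE = {
    "ports": [{"port": 80}, {"port": "99999", "protocol": "SCTP"}],
    "rules": {"http": [{}], "kafka": [{"role": "consume", "apiKey": "fetch"}]},
}


def validate_port_rule(rule: Mapping) -> List[str]:
    """Return the PortRule constraint violations described in the schema above
    (an empty list means the rule is acceptable)."""
    errors: List[str] = []

    for i, pp in enumerate(rule.get("ports") or []):
        port = pp.get("port")
        if port is None:
            errors.append(f"ports[{i}]: port is required")
        elif not isinstance(port, str) or not PORT_PATTERN.match(port):
            # A YAML integer (port: 80) or a range ("1024-2048") is rejected:
            # the field is a string strictly parsed as one uint16.
            errors.append(f"ports[{i}]: port {port!r} is not a single uint16 string")
        proto = pp.get("protocol")
        if proto is not None and proto not in PROTOCOLS:
            errors.append(f"ports[{i}]: protocol {proto!r} not in {sorted(PROTOCOLS)}")

    if "redirectPort" in rule:
        rp = rule["redirectPort"]
        # bool is a subclass of int in Python, so exclude it explicitly.
        if isinstance(rp, bool) or not isinstance(rp, int) or not 0 <= rp <= 65535:
            errors.append(f"redirectPort {rp!r} is not a uint16")

    l7 = rule.get("rules")
    if l7:
        present = [k for k in L7_RULE_TYPES if l7.get(k)]
        if len(present) > 1:  # the rule types form a union; mixing is disallowed
            errors.append(f"rules mixes L7 rule types: {present}")
        if "l7" in present and not l7.get("l7proto"):
            errors.append("rules.l7 is set without an l7proto parser name")
        for j, kr in enumerate(l7.get("kafka") or []):
            # Role expands into a set of API keys, so it cannot be combined
            # with an explicit apiKey on the same Kafka rule.
            if kr.get("role") and kr.get("apiKey"):
                errors.append(f"rules.kafka[{j}]: role and apiKey are mutually exclusive")
    return errors


if __name__ == "__main__":
    for name, r in (("good", GOOD_HTTP_RULE), ("bad", BAD_MIXED_RULE)):
        print(name, validate_port_rule(r))
```

Running this over a policy before `kubectl apply` catches the mistakes the CRD's OpenAPI schema only partly covers: the pattern and enum checks are enforced by the apiserver, but the single-L7-type and role/apiKey exclusivity rules live in the description text and are only rejected later by the agent.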
                                type: string
                            type: object
                        type: object
                      type: array
                  type: object
                type: array
              labels:
                description: Labels is a list of optional strings which can be used to re-identify the rule or to store metadata. It is possible to look up or delete rules based on labels. Labels are not required to be unique; multiple rules can have overlapping or identical labels.
                items:
                  description: Label is Cilium's representation of a container label.
                  properties:
                    key:
                      type: string
                    source:
                      description: 'Source can be one of the values present in const.go (e.g.: LabelSourceContainer)'
                      type: string
                    value:
                      type: string
                  required:
                  - key
                  type: object
                type: array
            required:
            - endpointSelector
            type: object
          specs:
            description: Specs is a list of desired Cilium specific rule specifications.
            items:
              description: Spec is the desired Cilium specific rule specification.
              properties:
                Description:
                  description: Description is a free form string; it can be used by the creator of the rule to store a human readable explanation of the purpose of this rule. Rules cannot be identified by comment.
                  type: string
                egress:
                  description: Egress is a list of EgressRule which are enforced at egress. If omitted or empty, this rule does not apply at egress.
                  items:
                    description: |-
                      EgressRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector.

                      - All members of this structure are optional. If omitted or empty, the
                        member will have no effect on the rule.

                      - For now, combining ToPorts and ToCIDR in the same rule is not supported
                        and such rules will be rejected. In the future, this will be supported and
                        if multiple members of the structure are specified, then all members
                        must match in order for the rule to take effect.
                    properties:
                      toCIDR:
                        description: |-
                          ToCIDR is a list of IP blocks to which the endpoint subject to the rule is allowed to initiate connections. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExceptCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet.

                          Example: Any endpoint with the label "app=database-proxy" is allowed to initiate connections to 10.2.3.0/24
                        items:
                          description: CIDR is a CIDR prefix / IP Block.
                          oneOf:
                          - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
                          - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                          type: string
                        type: array
                      toCIDRSet:
                        description: |-
                          ToCIDRSet is a list of IP blocks to which the endpoint subject to the rule is allowed to initiate connections, in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExceptCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet.

                          Example: Any endpoint with the label "app=database-proxy" is allowed to initiate connections to 10.2.3.0/24 except to IPs in subnet 10.2.3.0/28.
                        items:
                          description: CIDRRule is a rule that specifies a CIDR prefix to/from which outside communication is allowed, along with an optional list of subnets within that CIDR prefix to/from which outside communication is not allowed.
                          properties:
                            cidr:
                              description: CIDR is a CIDR prefix / IP Block.
                              oneOf:
                              - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
                              - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                              type: string
                            except:
                              description: ExceptCIDRs is a list of IP blocks to which the endpoint subject to the rule is not allowed to initiate connections. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.
                              items:
                                description: CIDR is a CIDR prefix / IP Block.
                                oneOf:
                                - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$
                                - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$
                                type: string
                              type: array
                          required:
                          - cidr
                          type: object
                        type: array
                      toEndpoints:
                        description: |-
                          ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoint subject to the rule is allowed to communicate.

                          Example: Any endpoint with the label "role=frontend" is allowed to initiate connections to any endpoint carrying the label "role=backend".
                        items:
                          description: A label selector is a label query over a set of resources. The result of matchLabels and matchExpressions are ANDed. An empty label selector matches all objects. A null label selector matches no objects.
                          properties:
                            matchExpressions:
                              description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
                              items:
                                description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
                                properties:
                                  key:
                                    description: key is the label key that the selector applies to.
                                    type: string
                                  operator:
                                    description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
                                    enum:
                                    - In
                                    - NotIn
                                    - Exists
                                    - DoesNotExist
                                    type: string
                                  values:
                                    description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
                                    items:
                                      type: string
                                    type: array
                                required:
                                - key
                                - operator
                                type: object
                              type: array
                            matchLabels:
                              description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
                              type: object
                          type: object
                        type: array
                      toEntities:
                        description: ToEntities is a list of special entities to which the endpoint subject to the rule is allowed to initiate connections. Supported entities are `world`, `cluster` and `host`.
                        items:
                          type: string
                        type: array
                      toFQDNs:
                        description: ToFQDNs is a list of rules matching FQDNs that the endpoint is allowed to communicate with.
                        items:
                          description: FQDNRule is a rule that specifies a fully qualified domain name to which outside communication is allowed.
                          properties:
                            matchName:
                              description: MatchName matches an FQDN by name.
                              pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])\.?$
                              type: string
                            matchPattern:
                              description: MatchPattern matches an FQDN by pattern.
                              pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9\*][a-zA-Z0-9\-\*]*[a-zA-Z0-9\*])\.)*([A-Za-z0-9\*]|[A-Za-z0-9\*][A-Za-z0-9\-\*]*[A-Za-z0-9\*])\.?$
                              type: string
                          type: object
                        type: array
                      toGroups:
                        description: ToGroups is a list of constraints that will gather data from third-party providers and create a new derived policy.
                        properties:
                          aws:
                            properties:
                              region:
                                description: Region is the key that will filter the AWS EC2 instances in the given region.
                                type: string
                              securityGroupsIds:
                                description: SecurityGroupsIds is the list of AWS security group IDs that will filter the instance IPs from the AWS API.
                                items:
                                  type: string
                                type: array
                              securityGroupsNames:
                                description: SecurityGroupsNames is the list of AWS security group names that will filter the instance IPs from the AWS API.
                                items:
                                  type: string
                                type: array
                            type: object
                        type: object
                      toPorts:
                        description: |-
                          ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to connect to.

                          Example: Any endpoint with the label "role=frontend" is allowed to initiate connections to destination port 8080/tcp
                        items:
                          description: PortRule is a list of ports/protocol combinations with optional Layer 7 rules which must be met.
                          properties:
                            ports:
                              description: |-
                                Ports is a list of L4 port/protocol pairs.

                                If omitted or empty but RedirectPort is set, then all ports of the endpoint subject to either the ingress or egress rule are being redirected.
                              items:
                                description: PortProtocol specifies an L4 port with an optional transport protocol.
                                properties:
                                  port:
                                    description: Port is an L4 port number. For now the string will be strictly parsed as a single uint16. In the future, this field may support ranges in the form "1024-2048".
                                    pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})$
                                    type: string
                                  protocol:
                                    description: |-
                                      Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: "TCP", "UDP", ""/"ANY"

                                      Matching on ICMP is not supported.
                                    enum:
                                    - TCP
                                    - UDP
                                    - ANY
                                    type: string
                                required:
                                - port
                                type: object
                              type: array
                            redirectPort:
                              description: RedirectPort is the L4 port which, if set, all traffic matching the Ports is being redirected to. Whatever listener is behind that port becomes responsible for enforcing the port rules and is also responsible for reinjecting all traffic back and ensuring it reaches its original destination.
                              format: uint16
                              type: integer
                            rules:
                              description: L7Rules is a union of port level rule types. Mixing of different port level rule types is disallowed, so at most one of the following may be set. If none are specified, then no additional port level rules are applied.
3654 properties: 3655 dns: 3656 description: DNS specific rules 3657 items: 3658 description: FQDNRule is a rule that specifies an 3659 fully qualified domain name to which outside communication 3660 is allowed 3661 properties: 3662 matchName: 3663 description: MatchName matches fqdn name 3664 pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])\.?$ 3665 type: string 3666 matchPattern: 3667 description: MatchPattern matches fqdn by pattern 3668 pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9\*][a-zA-Z0-9\-\*]*[a-zA-Z0-9\*])\.)*([A-Za-z0-9\*]|[A-Za-z0-9\*][A-Za-z0-9\-\*]*[A-Za-z0-9\*])\.?$ 3669 type: string 3670 type: object 3671 type: array 3672 http: 3673 description: HTTP specific rules. 3674 items: 3675 description: |- 3676 PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect. 3677 3678 All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. 3679 properties: 3680 headers: 3681 description: Headers is a list of HTTP headers 3682 which must be present in the request. If omitted 3683 or empty, requests are allowed regardless 3684 of headers present. 3685 items: 3686 type: string 3687 type: array 3688 host: 3689 description: |- 3690 Host is an extended POSIX regex matched against the host header of a request, e.g. "foo.com" 3691 3692 If omitted or empty, the value of the host header is ignored. 3693 format: idn-hostname 3694 type: string 3695 method: 3696 description: |- 3697 Method is an extended POSIX regex matched against the method of a request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ... 3698 3699 If omitted or empty, all methods are allowed. 
3700 type: string 3701 path: 3702 description: |- 3703 Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. 3704 3705 If omitted or empty, all paths are all allowed. 3706 type: string 3707 type: object 3708 type: array 3709 kafka: 3710 description: Kafka-specific rules. 3711 items: 3712 description: PortRuleKafka is a list of Kafka protocol 3713 constraints. All fields are optional, if all fields 3714 are empty or missing, the rule will match all 3715 Kafka messages. 3716 properties: 3717 apiKey: 3718 description: |- 3719 APIKey is a case-insensitive string matched against the key of a request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys 3720 3721 If omitted or empty, all keys are allowed. 3722 type: string 3723 apiVersion: 3724 description: |- 3725 APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer. 3726 3727 If omitted or empty, all versions are allowed. 3728 type: string 3729 clientID: 3730 description: |- 3731 ClientID is the client identifier as provided in the request. 3732 3733 From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client. 3734 3735 If omitted or empty, all client identifiers are allowed. 
3736 type: string 3737 role: 3738 description: 'Role is a case-insensitive string 3739 and describes a group of API keysnecessary 3740 to perform certain higher level Kafka operations 3741 such as"produce" or "consume". An APIGroup 3742 automatically expands into all APIKeysrequired 3743 to perform the specified higher level operation.The 3744 following values are supported:- "produce": 3745 Allow producing to the topics specified in 3746 the rule- "consume": Allow consuming from 3747 the topics specified in the ruleThis field 3748 is incompatible with the APIKey field, either 3749 APIKey or Rolemay be specified. If omitted 3750 or empty, the field has no effect and the 3751 logic of the APIKey field applies.' 3752 enum: 3753 - produce 3754 - consume 3755 type: string 3756 topic: 3757 description: |- 3758 Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected. 3759 3760 This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _ Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. For compatibility reasons we are using 255 3761 3762 If omitted or empty, all topics are allowed. 3763 maxLength: 255 3764 type: string 3765 type: object 3766 type: array 3767 l7: 3768 description: Generic Key-Value pair rules. 3769 items: 3770 description: PortRuleL7 is a map of {key,value} 3771 pairs which is passed to the parser referenced 3772 in l7proto. It is up to the parser to define what 3773 to do with the map data. If omitted or empty, 3774 all requests are allowed. Both keys and values 3775 must be strings. 3776 type: object 3777 type: array 3778 l7proto: 3779 description: Parser type name that uses Key-Value 3780 pair rules. 
3781 type: string 3782 type: object 3783 type: object 3784 type: array 3785 toRequires: 3786 description: |- 3787 ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to reach other endpoints. These additional constraints do not by themselves grant access privileges and must always be accompanied with at least one matching FromEndpoints. 3788 3789 Example: Any Endpoint with the label "team=A" requires any endpoint to which it communicates to also carry the label "team=A". 3790 items: 3791 description: A label selector is a label query over a set 3792 of resources. The result of matchLabels and matchExpressions 3793 are ANDed. An empty label selector matches all objects. 3794 A null label selector matches no objects. 3795 properties: 3796 matchExpressions: 3797 description: matchExpressions is a list of label selector 3798 requirements. The requirements are ANDed. 3799 items: 3800 description: A label selector requirement is a selector 3801 that contains values, a key, and an operator that 3802 relates the key and values. 3803 properties: 3804 key: 3805 description: key is the label key that the selector 3806 applies to. 3807 type: string 3808 operator: 3809 description: operator represents a key's relationship 3810 to a set of values. Valid operators are In, NotIn, 3811 Exists and DoesNotExist. 3812 enum: 3813 - In 3814 - NotIn 3815 - Exists 3816 - DoesNotExist 3817 type: string 3818 values: 3819 description: values is an array of string values. 3820 If the operator is In or NotIn, the values array 3821 must be non-empty. If the operator is Exists or 3822 DoesNotExist, the values array must be empty. 3823 This array is replaced during a strategic merge 3824 patch. 3825 items: 3826 type: string 3827 type: array 3828 required: 3829 - key 3830 - operator 3831 type: object 3832 type: array 3833 matchLabels: 3834 description: matchLabels is a map of {key,value} pairs. 
3835 A single {key,value} in the matchLabels map is equivalent 3836 to an element of matchExpressions, whose key field is 3837 "key", the operator is "In", and the values array contains 3838 only "value". The requirements are ANDed. 3839 type: object 3840 type: object 3841 type: array 3842 toServices: 3843 description: |- 3844 ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. 3845 3846 Example: Any endpoint with the label "app=backend-app" is allowed to initiate connections to all cidrs backing the "external-service" service 3847 items: 3848 description: Service wraps around selectors for services 3849 properties: 3850 k8sService: 3851 description: K8sServiceNamespace is an abstraction for 3852 the k8s service + namespace types. 3853 properties: 3854 namespace: 3855 type: string 3856 serviceName: 3857 type: string 3858 type: object 3859 k8sServiceSelector: 3860 description: ServiceSelector is a label selector for k8s 3861 services 3862 properties: 3863 namespace: 3864 type: string 3865 selector: 3866 description: A label selector is a label query over 3867 a set of resources. The result of matchLabels and 3868 matchExpressions are ANDed. An empty label selector 3869 matches all objects. A null label selector matches 3870 no objects. 3871 properties: 3872 matchExpressions: 3873 description: matchExpressions is a list of label 3874 selector requirements. The requirements are 3875 ANDed. 3876 items: 3877 description: A label selector requirement is 3878 a selector that contains values, a key, and 3879 an operator that relates the key and values. 3880 properties: 3881 key: 3882 description: key is the label key that the 3883 selector applies to. 3884 type: string 3885 operator: 3886 description: operator represents a key's 3887 relationship to a set of values. Valid 3888 operators are In, NotIn, Exists and DoesNotExist. 
3889 enum: 3890 - In 3891 - NotIn 3892 - Exists 3893 - DoesNotExist 3894 type: string 3895 values: 3896 description: values is an array of string 3897 values. If the operator is In or NotIn, 3898 the values array must be non-empty. If 3899 the operator is Exists or DoesNotExist, 3900 the values array must be empty. This array 3901 is replaced during a strategic merge patch. 3902 items: 3903 type: string 3904 type: array 3905 required: 3906 - key 3907 - operator 3908 type: object 3909 type: array 3910 matchLabels: 3911 description: matchLabels is a map of {key,value} 3912 pairs. A single {key,value} in the matchLabels 3913 map is equivalent to an element of matchExpressions, 3914 whose key field is "key", the operator is "In", 3915 and the values array contains only "value". 3916 The requirements are ANDed. 3917 type: object 3918 type: object 3919 required: 3920 - selector 3921 type: object 3922 type: object 3923 type: array 3924 type: object 3925 type: array 3926 endpointSelector: 3927 description: A label selector is a label query over a set of resources. 3928 The result of matchLabels and matchExpressions are ANDed. An empty 3929 label selector matches all objects. A null label selector matches 3930 no objects. 3931 properties: 3932 matchExpressions: 3933 description: matchExpressions is a list of label selector requirements. 3934 The requirements are ANDed. 3935 items: 3936 description: A label selector requirement is a selector that 3937 contains values, a key, and an operator that relates the key 3938 and values. 3939 properties: 3940 key: 3941 description: key is the label key that the selector applies 3942 to. 3943 type: string 3944 operator: 3945 description: operator represents a key's relationship to 3946 a set of values. Valid operators are In, NotIn, Exists 3947 and DoesNotExist. 3948 enum: 3949 - In 3950 - NotIn 3951 - Exists 3952 - DoesNotExist 3953 type: string 3954 values: 3955 description: values is an array of string values. 
If the 3956 operator is In or NotIn, the values array must be non-empty. 3957 If the operator is Exists or DoesNotExist, the values 3958 array must be empty. This array is replaced during a strategic 3959 merge patch. 3960 items: 3961 type: string 3962 type: array 3963 required: 3964 - key 3965 - operator 3966 type: object 3967 type: array 3968 matchLabels: 3969 description: matchLabels is a map of {key,value} pairs. A single 3970 {key,value} in the matchLabels map is equivalent to an element 3971 of matchExpressions, whose key field is "key", the operator 3972 is "In", and the values array contains only "value". The requirements 3973 are ANDed. 3974 type: object 3975 type: object 3976 ingress: 3977 description: Ingress is a list of IngressRule which are enforced at 3978 ingress. If omitted or empty, this rule does not apply at ingress. 3979 items: 3980 description: |- 3981 IngressRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the endpointSelector. 3982 3983 - All members of this structure are optional. If omitted or empty, the 3984 member will have no effect on the rule. 3985 3986 - If multiple members are set, all of them need to match in order for 3987 the rule to take effect. The exception to this rule is FromRequires field; 3988 the effects of any Requires field in any rule will apply to all other 3989 rules as well. 3990 3991 - For now, combining ToPorts, FromCIDR, and FromEndpoints in the same rule 3992 is not supported and any such rules will be rejected. In the future, this 3993 will be supported and if multiple members of this structure are specified, 3994 then all members must match in order for the rule to take effect. The 3995 exception to this rule is the Requires field, the effects of any Requires 3996 field in any rule will apply to all other rules as well. 
3997 properties: 3998 fromCIDR: 3999 description: |- 4000 FromCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. 4001 4002 Example: Any endpoint with the label "app=my-legacy-pet" is allowed to receive connections from 10.3.9.1 4003 items: 4004 description: CIDR is a CIDR prefix / IP Block. 4005 oneOf: 4006 - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$ 4007 - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ 4008 type: string 4009 type: array 4010 fromCIDRSet: 4011 description: |- 4012 FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. 4013 4014 Example: Any endpoint with the label "app=my-legacy-pet" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12. 
4015 items: 4016 description: CIDRRule is a rule that specifies a CIDR prefix 4017 to/from which outside communication is allowed, along with 4018 an optional list of subnets within that CIDR prefix to/from 4019 which outside communication is not allowed. 4020 properties: 4021 cidr: 4022 description: CIDR is a CIDR prefix / IP Block. 4023 oneOf: 4024 - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$ 4025 - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ 4026 type: string 4027 except: 4028 description: ExceptCIDRs is a list of IP blocks which 4029 the endpoint subject to the rule is not allowed to initiate 4030 connections to. These CIDR prefixes should be contained 4031 within Cidr. These exceptions are only applied to the 4032 Cidr in this CIDRRule, and do not apply to any other 4033 CIDR prefixes in any other CIDRRules. 4034 items: 4035 description: CIDR is a CIDR prefix / IP Block. 
4036 oneOf: 4037 - pattern: ^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$ 4038 - pattern: ^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$ 4039 type: string 4040 type: array 4041 required: 4042 - cidr 4043 type: object 4044 type: array 4045 fromEndpoints: 4046 description: |- 4047 FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule. 4048 4049 Example: Any endpoint with the label "role=backend" can be consumed by any endpoint carrying the label "role=frontend". 4050 items: 4051 description: A label selector is a label query over a set 4052 of resources. The result of matchLabels and matchExpressions 4053 are ANDed. An empty label selector matches all objects. 4054 A null label selector matches no objects. 4055 properties: 4056 matchExpressions: 4057 description: matchExpressions is a list of label selector 4058 requirements. The requirements are ANDed. 4059 items: 4060 description: A label selector requirement is a selector 4061 that contains values, a key, and an operator that 4062 relates the key and values. 4063 properties: 4064 key: 4065 description: key is the label key that the selector 4066 applies to. 4067 type: string 4068 operator: 4069 description: operator represents a key's relationship 4070 to a set of values. Valid operators are In, NotIn, 4071 Exists and DoesNotExist. 
4072 enum: 4073 - In 4074 - NotIn 4075 - Exists 4076 - DoesNotExist 4077 type: string 4078 values: 4079 description: values is an array of string values. 4080 If the operator is In or NotIn, the values array 4081 must be non-empty. If the operator is Exists or 4082 DoesNotExist, the values array must be empty. 4083 This array is replaced during a strategic merge 4084 patch. 4085 items: 4086 type: string 4087 type: array 4088 required: 4089 - key 4090 - operator 4091 type: object 4092 type: array 4093 matchLabels: 4094 description: matchLabels is a map of {key,value} pairs. 4095 A single {key,value} in the matchLabels map is equivalent 4096 to an element of matchExpressions, whose key field is 4097 "key", the operator is "In", and the values array contains 4098 only "value". The requirements are ANDed. 4099 type: object 4100 type: object 4101 type: array 4102 fromEntities: 4103 description: FromEntities is a list of special entities which 4104 the endpoint subject to the rule is allowed to receive connections 4105 from. Supported entities are `world`, `cluster`, `host`, and 4106 `init` 4107 items: 4108 type: string 4109 type: array 4110 fromRequires: 4111 description: |- 4112 FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching FromEndpoints. 4113 4114 Example: Any Endpoint with the label "team=A" requires consuming endpoint to also carry the label "team=A". 4115 items: 4116 description: A label selector is a label query over a set 4117 of resources. The result of matchLabels and matchExpressions 4118 are ANDed. An empty label selector matches all objects. 4119 A null label selector matches no objects. 4120 properties: 4121 matchExpressions: 4122 description: matchExpressions is a list of label selector 4123 requirements. The requirements are ANDed. 
4124 items: 4125 description: A label selector requirement is a selector 4126 that contains values, a key, and an operator that 4127 relates the key and values. 4128 properties: 4129 key: 4130 description: key is the label key that the selector 4131 applies to. 4132 type: string 4133 operator: 4134 description: operator represents a key's relationship 4135 to a set of values. Valid operators are In, NotIn, 4136 Exists and DoesNotExist. 4137 enum: 4138 - In 4139 - NotIn 4140 - Exists 4141 - DoesNotExist 4142 type: string 4143 values: 4144 description: values is an array of string values. 4145 If the operator is In or NotIn, the values array 4146 must be non-empty. If the operator is Exists or 4147 DoesNotExist, the values array must be empty. 4148 This array is replaced during a strategic merge 4149 patch. 4150 items: 4151 type: string 4152 type: array 4153 required: 4154 - key 4155 - operator 4156 type: object 4157 type: array 4158 matchLabels: 4159 description: matchLabels is a map of {key,value} pairs. 4160 A single {key,value} in the matchLabels map is equivalent 4161 to an element of matchExpressions, whose key field is 4162 "key", the operator is "In", and the values array contains 4163 only "value". The requirements are ANDed. 4164 type: object 4165 type: object 4166 type: array 4167 toPorts: 4168 description: |- 4169 ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to receive connections on. 4170 4171 Example: Any endpoint with the label "app=httpd" can only accept incoming connections on port 80/tcp. 4172 items: 4173 description: PortRule is a list of ports/protocol combinations 4174 with optional Layer 7 rules which must be met. 4175 properties: 4176 ports: 4177 description: |- 4178 Ports is a list of L4 port/protocol 4179 4180 If omitted or empty but RedirectPort is set, then all ports of the endpoint subject to either the ingress or egress rule are being redirected. 
4181 items: 4182 description: PortProtocol specifies an L4 port with 4183 an optional transport protocol 4184 properties: 4185 port: 4186 description: Port is an L4 port number. For now 4187 the string will be strictly parsed as a single 4188 uint16. In the future, this field may support 4189 ranges in the form "1024-2048 4190 pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})$ 4191 type: string 4192 protocol: 4193 description: 'Protocol is the L4 protocol. If omitted 4194 or empty, any protocol matches. Accepted values: 4195 "TCP", "UDP", ""/"ANY"\n\nMatching on ICMP is 4196 not supported.' 4197 enum: 4198 - TCP 4199 - UDP 4200 - ANY 4201 type: string 4202 required: 4203 - port 4204 type: object 4205 type: array 4206 redirectPort: 4207 description: RedirectPort is the L4 port which, if set, 4208 all traffic matching the Ports is being redirected to. 4209 Whatever listener behind that port becomes responsible 4210 to enforce the port rules and is also responsible to 4211 reinject all traffic back and ensure it reaches its 4212 original destination. 4213 format: uint16 4214 type: integer 4215 rules: 4216 description: L7Rules is a union of port level rule types. 4217 Mixing of different port level rule types is disallowed, 4218 so exactly one of the following must be set. If none 4219 are specified, then no additional port level rules are 4220 applied. 
4221 properties: 4222 dns: 4223 description: DNS specific rules 4224 items: 4225 description: FQDNRule is a rule that specifies an 4226 fully qualified domain name to which outside communication 4227 is allowed 4228 properties: 4229 matchName: 4230 description: MatchName matches fqdn name 4231 pattern: ^(([a-zA-Z0-9]|[a-zA-Z0-9][a-zA-Z0-9\-]*[a-zA-Z0-9])\.)*([A-Za-z0-9]|[A-Za-z0-9][A-Za-z0-9\-]*[A-Za-z0-9])\.?$ 4232 type: string 4233 matchPattern: 4234 description: MatchPattern matches fqdn by pattern 4235 pattern: ^(([a-zA-Z0-9\*]|[a-zA-Z0-9\*][a-zA-Z0-9\-\*]*[a-zA-Z0-9\*])\.)*([A-Za-z0-9\*]|[A-Za-z0-9\*][A-Za-z0-9\-\*]*[A-Za-z0-9\*])\.?$ 4236 type: string 4237 type: object 4238 type: array 4239 http: 4240 description: HTTP specific rules. 4241 items: 4242 description: |- 4243 PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect. 4244 4245 All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. 4246 properties: 4247 headers: 4248 description: Headers is a list of HTTP headers 4249 which must be present in the request. If omitted 4250 or empty, requests are allowed regardless 4251 of headers present. 4252 items: 4253 type: string 4254 type: array 4255 host: 4256 description: |- 4257 Host is an extended POSIX regex matched against the host header of a request, e.g. "foo.com" 4258 4259 If omitted or empty, the value of the host header is ignored. 4260 format: idn-hostname 4261 type: string 4262 method: 4263 description: |- 4264 Method is an extended POSIX regex matched against the method of a request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ... 4265 4266 If omitted or empty, all methods are allowed. 
4267 type: string 4268 path: 4269 description: |- 4270 Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986. 4271 4272 If omitted or empty, all paths are all allowed. 4273 type: string 4274 type: object 4275 type: array 4276 kafka: 4277 description: Kafka-specific rules. 4278 items: 4279 description: PortRuleKafka is a list of Kafka protocol 4280 constraints. All fields are optional, if all fields 4281 are empty or missing, the rule will match all 4282 Kafka messages. 4283 properties: 4284 apiKey: 4285 description: |- 4286 APIKey is a case-insensitive string matched against the key of a request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys 4287 4288 If omitted or empty, all keys are allowed. 4289 type: string 4290 apiVersion: 4291 description: |- 4292 APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer. 4293 4294 If omitted or empty, all versions are allowed. 4295 type: string 4296 clientID: 4297 description: |- 4298 ClientID is the client identifier as provided in the request. 4299 4300 From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client. 4301 4302 If omitted or empty, all client identifiers are allowed. 
4303 type: string 4304 role: 4305 description: 'Role is a case-insensitive string 4306 and describes a group of API keysnecessary 4307 to perform certain higher level Kafka operations 4308 such as"produce" or "consume". An APIGroup 4309 automatically expands into all APIKeysrequired 4310 to perform the specified higher level operation.The 4311 following values are supported:- "produce": 4312 Allow producing to the topics specified in 4313 the rule- "consume": Allow consuming from 4314 the topics specified in the ruleThis field 4315 is incompatible with the APIKey field, either 4316 APIKey or Rolemay be specified. If omitted 4317 or empty, the field has no effect and the 4318 logic of the APIKey field applies.' 4319 enum: 4320 - produce 4321 - consume 4322 type: string 4323 topic: 4324 description: |- 4325 Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected. 4326 4327 This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _ Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. For compatibility reasons we are using 255 4328 4329 If omitted or empty, all topics are allowed. 4330 maxLength: 255 4331 type: string 4332 type: object 4333 type: array 4334 l7: 4335 description: Generic Key-Value pair rules. 4336 items: 4337 description: PortRuleL7 is a map of {key,value} 4338 pairs which is passed to the parser referenced 4339 in l7proto. It is up to the parser to define what 4340 to do with the map data. If omitted or empty, 4341 all requests are allowed. Both keys and values 4342 must be strings. 4343 type: object 4344 type: array 4345 l7proto: 4346 description: Parser type name that uses Key-Value 4347 pair rules. 
4348 type: string 4349 type: object 4350 type: object 4351 type: array 4352 type: object 4353 type: array 4354 labels: 4355 description: Labels is a list of optional strings which can be used 4356 to re-identify the rule or to store metadata. It is possible to 4357 lookup or delete strings based on labels. Labels are not required 4358 to be unique, multiple rules can have overlapping or identical labels. 4359 items: 4360 description: Label is the cilium's representation of a container 4361 label. 4362 properties: 4363 key: 4364 type: string 4365 source: 4366 description: 'Source can be one of the values present in const.go 4367 (e.g.: LabelSourceContainer)' 4368 type: string 4369 value: 4370 type: string 4371 required: 4372 - key 4373 type: object 4374 type: array 4375 required: 4376 - endpointSelector 4377 type: object 4378 type: array 4379 version: v2 4380 versions: 4381 - name: v2 4382 served: true 4383 storage: true