// Copyright (c) 2017,2019-2021 Tigera, Inc. All rights reserved.

// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package v3

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

// Kind strings for the two resources declared in this file. They are the
// values carried in TypeMeta.Kind (see NewGlobalNetworkPolicy below).
const (
	KindGlobalNetworkPolicy     = "GlobalNetworkPolicy"
	KindGlobalNetworkPolicyList = "GlobalNetworkPolicyList"
)

// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// GlobalNetworkPolicyList is a list of Policy objects.
type GlobalNetworkPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Items holds the GlobalNetworkPolicy objects in this list. Serialised as
	// "items" with no omitempty, so an empty list encodes as an empty array.
	Items []GlobalNetworkPolicy `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// GlobalNetworkPolicy is a non-namespaced (see the +genclient:nonNamespaced
// marker above) policy resource. The policy's match criteria, rules and
// enforcement options live entirely in Spec; the embedded metav1 types carry
// the standard Kubernetes type and object metadata.
type GlobalNetworkPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`

	// Spec describes what the policy selects and what it does to matched traffic.
	Spec GlobalNetworkPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}

// GlobalNetworkPolicySpec is the body of a GlobalNetworkPolicy: which
// endpoints it applies to (Selector, NamespaceSelector,
// ServiceAccountSelector), the ordered Ingress/Egress rules, and the data
// plane options (DoNotTrack, PreDNAT, ApplyOnForward, PerformanceHints).
//
// NOTE(review): the `validate:"..."` struct tags are presumably consumed by the
// API's validation layer rather than by this package — confirm which package
// reads them before relying on them as the only input check.
type GlobalNetworkPolicySpec struct {
	// The name of the tier that this policy belongs to. If this is omitted, the default
	// tier (name is "default") is assumed. The specified tier must exist in order to create
	// security policies within the tier, the "default" tier is created automatically if it
	// does not exist, this means for deployments requiring only a single Tier, the tier name
	// may be omitted on all policy management requests.
	Tier string `json:"tier,omitempty" validate:"omitempty,name"`
	// Order is an optional field that specifies the order in which the policy is applied.
	// Policies with higher "order" are applied after those with lower
	// order within the same tier. If the order is omitted, it may be considered to be "infinite" - i.e. the
	// policy will be applied last. Policies with identical order will be applied in
	// alphanumerical order based on the Policy "Name" within the tier.
	//
	// A pointer is used so that "omitted" (nil) can be told apart from an
	// explicit order of 0.
	Order *float64 `json:"order,omitempty"`
	// The ordered set of ingress rules. Each rule contains a set of packet match criteria and
	// a corresponding action to apply.
	Ingress []Rule `json:"ingress,omitempty" validate:"omitempty,dive"`
	// The ordered set of egress rules. Each rule contains a set of packet match criteria and
	// a corresponding action to apply.
	Egress []Rule `json:"egress,omitempty" validate:"omitempty,dive"`
	// The selector is an expression used to pick out the endpoints that the policy should
	// be applied to.
	//
	// Selector expressions follow this syntax:
	//
	//	label == "string_literal"  ->  comparison, e.g. my_label == "foo bar"
	//	label != "string_literal"   ->  not equal; also matches if label is not present
	//	label in { "a", "b", "c", ... }  ->  true if the value of label X is one of "a", "b", "c"
	//	label not in { "a", "b", "c", ... }  ->  true if the value of label X is not one of "a", "b", "c"
	//	has(label_name)  -> True if that label is present
	//	! expr -> negation of expr
	//	expr && expr  -> Short-circuit and
	//	expr || expr  -> Short-circuit or
	//	( expr ) -> parens for grouping
	//	all() or the empty selector -> matches all endpoints.
	//
	// Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive
	// but they do not support escape characters.
	//
	// Examples (with made-up labels):
	//
	//	type == "webserver" && deployment == "prod"
	//	type in {"frontend", "backend"}
	//	deployment != "dev"
	//	! has(label_name)
	//
	// Note that, per the syntax above, an empty Selector does not mean "no
	// endpoints": it is equivalent to all() and selects every endpoint. Since
	// this resource is non-namespaced, a policy that omits Selector (and the
	// other selectors below) is therefore scoped to the whole cluster.
	Selector string `json:"selector,omitempty" validate:"selector"`
	// Types indicates whether this policy applies to ingress, or to egress, or to both. When
	// not explicitly specified (and so the value on creation is empty or nil), Calico defaults
	// Types according to what Ingress and Egress rules are present in the policy. The
	// default is:
	//
	// - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are
	//   also no Ingress rules)
	//
	// - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules
	//
	// - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules.
	//
	// When the policy is read back again, Types will always be one of these values, never empty
	// or nil.
	Types []PolicyType `json:"types,omitempty" validate:"omitempty,dive,policyType"`

	// DoNotTrack indicates whether packets matched by the rules in this policy should go through
	// the data plane's connection tracking, such as Linux conntrack. If True, the rules in
	// this policy are applied before any data plane connection tracking, and packets allowed by
	// this policy are marked as not to be tracked.
	//
	// NOTE(review): because matched packets are marked untracked, reply
	// traffic for those flows presumably gets no conntrack state and must be
	// allowed explicitly by rules in the other direction — confirm against the
	// data plane documentation before enabling this on a policy.
	DoNotTrack bool `json:"doNotTrack,omitempty"`
	// PreDNAT indicates to apply the rules in this policy before any DNAT.
	//
	// NOTE(review): "before any DNAT" suggests the rules see the original,
	// pre-translation destination address — confirm before writing matches
	// that rely on it.
	PreDNAT bool `json:"preDNAT,omitempty"`
	// ApplyOnForward indicates to apply the rules in this policy on forward traffic.
	ApplyOnForward bool `json:"applyOnForward,omitempty"`

	// ServiceAccountSelector is an optional field for an expression used to select a pod based on service accounts.
	ServiceAccountSelector string `json:"serviceAccountSelector,omitempty" validate:"selector"`

	// NamespaceSelector is an optional field for an expression used to select a pod based on namespaces.
	NamespaceSelector string `json:"namespaceSelector,omitempty" validate:"selector"`

	// PerformanceHints contains a list of hints to Calico's policy engine to
	// help process the policy more efficiently. Hints never change the
	// enforcement behaviour of the policy.
	//
	// Currently, the only available hint is "AssumeNeededOnEveryNode". When
	// that hint is set on a policy, Felix will act as if the policy matches
	// a local endpoint even if it does not. This is useful for "preloading"
	// any large static policies that are known to be used on every node.
	// If the policy is _not_ used on a particular node then the work
	// done to preload the policy (and to maintain it) is wasted.
	//
	// The validate tag restricts entries to that single value and rejects
	// duplicates.
	PerformanceHints []PolicyPerformanceHint `json:"performanceHints,omitempty" validate:"omitempty,unique,dive,oneof=AssumeNeededOnEveryNode"`
}

// NewGlobalNetworkPolicy creates a new (zeroed) GlobalNetworkPolicy struct with the TypeMetadata initialised to the current
// version.
//
// Only TypeMeta is populated (Kind from KindGlobalNetworkPolicy, APIVersion
// from GroupVersionCurrent, which is defined elsewhere in package v3);
// ObjectMeta and Spec are left at their zero values for the caller to fill in.
func NewGlobalNetworkPolicy() *GlobalNetworkPolicy {
	return &GlobalNetworkPolicy{
		TypeMeta: metav1.TypeMeta{
			Kind:       KindGlobalNetworkPolicy,
			APIVersion: GroupVersionCurrent,
		},
	}
}