// Copyright (c) 2017-2018,2020-2021 Tigera, Inc. All rights reserved.

// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package v3

import (
	"github.com/tigera/api/pkg/lib/numorstring"
)

// PolicyType enumerates the possible values of the PolicySpec Types field.
type PolicyType string

const (
	// PolicyTypeIngress is the Types entry for ingress (inbound) rules.
	PolicyTypeIngress PolicyType = "Ingress"
	// PolicyTypeEgress is the Types entry for egress (outbound) rules.
	PolicyTypeEgress PolicyType = "Egress"
)

// A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy
// and security Profiles reference rules - separated out as a list of rules for both
// ingress and egress packet matching.
//
// Each positive match criteria has a negated version, prefixed with "Not". All the match
// criteria within a rule must be satisfied for a packet to match. A single rule can contain
// the positive and negative version of a match and both must be satisfied for the rule to match.
//
// Most fields are pointers or slices tagged `omitempty`; an unset field places no
// constraint on the packet. Field-level constraints are expressed through the
// `validate` struct tags and are checked by the API validator, not by this package.
type Rule struct {
	// Action is the verdict applied to traffic that satisfies every match criterion in
	// this rule. It is a required field (no omitempty) and is checked by the "action"
	// validator tag; see the Action constants further down in this file.
	Action Action `json:"action" validate:"action"`
	// IPVersion is an optional field that restricts the rule to only match a specific IP
	// version.
	IPVersion *int `json:"ipVersion,omitempty" validate:"omitempty,ipVersion"`
	// Protocol is an optional field that restricts the rule to only apply to traffic of
	// a specific IP protocol. Required if any of the EntityRules contain Ports
	// (because ports only apply to certain protocols).
	//
	// Must be one of these string values: "TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite"
	// or an integer in the range 1-255.
	Protocol *numorstring.Protocol `json:"protocol,omitempty" validate:"omitempty"`
	// ICMP is an optional field that restricts the rule to apply to a specific type and
	// code of ICMP traffic. This should only be specified if the Protocol field is set to
	// "ICMP" or "ICMPv6".
	ICMP *ICMPFields `json:"icmp,omitempty" validate:"omitempty"`
	// NotProtocol is the negated version of the Protocol field.
	NotProtocol *numorstring.Protocol `json:"notProtocol,omitempty" validate:"omitempty"`
	// NotICMP is the negated version of the ICMP field.
	NotICMP *ICMPFields `json:"notICMP,omitempty" validate:"omitempty"`
	// Source contains the match criteria that apply to source entity.
	Source EntityRule `json:"source,omitempty" validate:"omitempty"`
	// Destination contains the match criteria that apply to destination entity.
	Destination EntityRule `json:"destination,omitempty" validate:"omitempty"`

	// HTTP contains match criteria that apply to HTTP requests.
	HTTP *HTTPMatch `json:"http,omitempty" validate:"omitempty"`

	// Metadata contains additional information for this rule.
	Metadata *RuleMetadata `json:"metadata,omitempty" validate:"omitempty"`
}

// HTTPPath specifies an HTTP path to match. It may be either of the form:
//
//	exact: <path>: which matches the path exactly or
//	prefix: <path-prefix>: which matches the path prefix
//
// Only one of Exact or Prefix may be set on a single entry (see HTTPMatch.Paths).
type HTTPPath struct {
	// Exact matches the request path exactly.
	Exact string `json:"exact,omitempty" validate:"omitempty"`
	// Prefix matches any request path that begins with this value.
	Prefix string `json:"prefix,omitempty" validate:"omitempty"`
}

// HTTPMatch is an optional field that applies only to HTTP requests.
// The Methods and Path fields are joined with AND.
type HTTPMatch struct {
	// Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed
	// HTTP Methods (e.g. GET, PUT, etc.)
	// Multiple methods are OR'd together.
	Methods []string `json:"methods,omitempty" validate:"omitempty"`
	// Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed
	// HTTP Paths.
	// Multiple paths are OR'd together.
	// e.g:
	// - exact: /foo
	// - prefix: /bar
	// NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.
	Paths []HTTPPath `json:"paths,omitempty" validate:"omitempty"`
}

// ICMPFields defines structure for ICMP and NotICMP sub-struct for ICMP code and type.
//
// Note the asymmetric ranges in the validator tags: Type is limited to 0-254 while
// Code is limited to 0-255.
type ICMPFields struct {
	// Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
	// (i.e. pings).
	Type *int `json:"type,omitempty" validate:"omitempty,gte=0,lte=254"`
	// Match on a specific ICMP code. If specified, the Type value must also be specified.
	// This is a technical limitation imposed by the kernel's iptables firewall, which
	// Calico uses to enforce the rule.
	Code *int `json:"code,omitempty" validate:"omitempty,gte=0,lte=255"`
}

// An EntityRule is a sub-component of a Rule comprising the match criteria specific
// to a particular entity (that is either the source or destination).
//
// A source EntityRule matches the source endpoint and originating traffic.
// A destination EntityRule matches the destination endpoint and terminating traffic.
//
// Several fields are mutually exclusive (see Services and Domains); those
// exclusions are enforced by the validator rather than by the type itself.
type EntityRule struct {
	// Nets is an optional field that restricts the rule to only apply to traffic that
	// originates from (or terminates at) IP addresses in any of the given subnets.
	// Each entry is checked by the "net" validator tag.
	Nets []string `json:"nets,omitempty" validate:"omitempty,dive,net"`

	// Selector is an optional field that contains a selector expression (see Policy for
	// sample syntax). Only traffic that originates from (terminates at) endpoints matching
	// the selector will be matched.
	//
	// Note that: in addition to the negated version of the Selector (see NotSelector below), the
	// selector expression syntax itself supports negation. The two types of negation are subtly
	// different. One negates the set of matched endpoints, the other negates the whole match:
	//
	//   Selector = "!has(my_label)" matches packets that are from other Calico-controlled
	//   endpoints that do not have the label "my_label".
	//
	//   NotSelector = "has(my_label)" matches packets that are not from Calico-controlled
	//   endpoints that do have the label "my_label".
	//
	// The effect is that the latter will accept packets from non-Calico sources whereas the
	// former is limited to packets from Calico-controlled endpoints. When writing an Allow
	// rule, prefer the in-expression negation unless admitting non-Calico sources is intended.
	Selector string `json:"selector,omitempty" validate:"omitempty,selector"`

	// NamespaceSelector is an optional field that contains a selector expression. Only traffic
	// that originates from (or terminates at) endpoints within the selected namespaces will be
	// matched. When both NamespaceSelector and another selector are defined on the same rule, then only
	// workload endpoints that are matched by both selectors will be selected by the rule.
	//
	// For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting
	// only workload endpoints in the same namespace as the NetworkPolicy.
	//
	// For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting
	// only GlobalNetworkSet or HostEndpoint.
	//
	// For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload
	// endpoints across all namespaces.
	NamespaceSelector string `json:"namespaceSelector,omitempty" validate:"omitempty,selector"`

	// Services is an optional field that contains options for matching Kubernetes Services.
	// If specified, only traffic that originates from or terminates at endpoints within the selected
	// service(s) will be matched, and only to/from each endpoint's port.
	//
	// Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets,
	// NotNets or ServiceAccounts.
	//
	// Ports and NotPorts can only be specified with Services on ingress rules.
	Services *ServiceMatch `json:"services,omitempty" validate:"omitempty"`

	// Ports is an optional field that restricts the rule to only apply to traffic that has a
	// source (destination) port that matches one of these ranges/values. This value is a
	// list of integers or strings that represent ranges of ports.
	//
	// Since only some protocols have ports, if any ports are specified it requires the
	// Protocol match in the Rule to be set to "TCP" or "UDP".
	// NOTE(review): the Protocol doc on Rule also lists "SCTP" and "UDPLite"; whether ports are
	// accepted alongside those protocols is decided by the validator, not visible here - confirm.
	Ports []numorstring.Port `json:"ports,omitempty" validate:"omitempty,dive"`

	// Domains is an optional field, valid for egress Allow rules only, that restricts the rule
	// to apply only to traffic to one of the specified domains. If this field is specified,
	// Action must be Allow, and Nets and Selector must both be left empty.
	// Each entry is checked by the "wildname" validator tag (presumably a domain name that may
	// contain a wildcard label - confirm against the validator).
	Domains []string `json:"domains,omitempty" validate:"omitempty,dive,wildname"`

	// NotNets is the negated version of the Nets field.
	NotNets []string `json:"notNets,omitempty" validate:"omitempty,dive,net"`

	// NotSelector is the negated version of the Selector field. See Selector field for
	// subtleties with negated selectors.
	NotSelector string `json:"notSelector,omitempty" validate:"omitempty,selector"`

	// NotPorts is the negated version of the Ports field.
	// Since only some protocols have ports, if any ports are specified it requires the
	// Protocol match in the Rule to be set to "TCP" or "UDP".
	NotPorts []numorstring.Port `json:"notPorts,omitempty" validate:"omitempty,dive"`

	// ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or
	// terminates at) a pod running as a matching service account.
	ServiceAccounts *ServiceAccountMatch `json:"serviceAccounts,omitempty" validate:"omitempty"`
}

// ServiceMatch identifies a Kubernetes Service by name and, optionally, namespace.
// It is referenced from EntityRule.Services.
type ServiceMatch struct {
	// Name specifies the name of a Kubernetes Service to match.
	Name string `json:"name,omitempty" validate:"omitempty,name"`

	// Namespace specifies the namespace of the given Service. If left empty, the rule
	// will match within this policy's namespace.
	Namespace string `json:"namespace,omitempty" validate:"omitempty,name"`
}

// ServiceAccountMatch restricts a rule to traffic from (or to) pods running as
// particular service accounts. It is referenced from EntityRule.ServiceAccounts.
type ServiceAccountMatch struct {
	// Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates
	// at) a pod running as a service account whose name is in the list.
	Names []string `json:"names,omitempty" validate:"omitempty"`

	// Selector is an optional field that restricts the rule to only apply to traffic that originates from
	// (or terminates at) a pod running as a service account that matches the given label selector.
	// If both Names and Selector are specified then they are AND'ed.
	Selector string `json:"selector,omitempty" validate:"omitempty,selector"`
}

// Action is the verdict a Rule applies to the traffic it matches. Valid values are the
// constants below; the "action" validator tag on Rule.Action checks this field.
type Action string

const (
	// Allow permits matching traffic.
	Allow Action = "Allow"
	// Deny drops matching traffic.
	Deny Action = "Deny"
	// Log records matching traffic; the exact logging and follow-on behaviour is defined by
	// the enforcing component, not in this file.
	Log Action = "Log"
	// Pass hands matching traffic on to subsequent policy evaluation; the precise semantics
	// are defined by the enforcing component, not in this file.
	Pass Action = "Pass"
)

// StagedAction enumerates the possible staged-policy actions. No field in this file
// carries this type; it is consumed by other types in the package.
type StagedAction string

const (
	StagedActionSet    StagedAction = "Set"
	StagedActionDelete StagedAction = "Delete"
	StagedActionLearn  StagedAction = "Learn"
	StagedActionIgnore StagedAction = "Ignore"
)

// RuleMetadata carries free-form information attached to a Rule via Rule.Metadata.
type RuleMetadata struct {
	// Annotations is a set of key value pairs that give extra information about the rule.
	Annotations map[string]string `json:"annotations,omitempty"`
}