github.com/verrazzano/verrazzano@v1.7.0/platform-operator/helm_config/charts/verrazzano-cluster-agent/crds/clusters.verrazzano.io_verrazzanoprojects.yaml

# Copyright (c) 2021, 2023, Oracle and/or its affiliates.
# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl.
---
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  annotations:
    controller-gen.kubebuilder.io/version: v0.9.2
  creationTimestamp: null
  name: verrazzanoprojects.clusters.verrazzano.io
spec:
  group: clusters.verrazzano.io
  names:
    kind: VerrazzanoProject
    listKind: VerrazzanoProjectList
    plural: verrazzanoprojects
    shortNames:
    - vp
    - vps
    singular: verrazzanoproject
  scope: Namespaced
  versions:
  - name: v1alpha1
    schema:
      openAPIV3Schema:
        description: VerrazzanoProject specifies the Verrazzano Projects API.
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation
              of an object. Servers should convert recognized schemas to the latest
              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this
              object represents. Servers may infer this from the endpoint the client
              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            description: The desired state of a Verrazzano Project resource.
            properties:
              placement:
                description: Clusters on which the namespaces are to be created.
                properties:
                  clusters:
                    description: List of clusters.
                    items:
                      description: Cluster contains the name of a single cluster.
                      properties:
                        name:
                          description: The name of a cluster.
                          type: string
                      required:
                      - name
                      type: object
                    type: array
                required:
                - clusters
                type: object
              template:
                description: The project template.
                properties:
                  namespaces:
                    description: The list of application namespaces to create for
                      this project.
                    items:
                      description: NamespaceTemplate contains the metadata and specification
                        of a Kubernetes namespace.
                      properties:
                        metadata:
                          type: object
                          x-kubernetes-preserve-unknown-fields: true
                        spec:
                          description: The specification of a namespace.
                          properties:
                            finalizers:
                              description: 'Finalizers is an opaque list of values
                                that must be empty to permanently remove object from
                                storage. More info: https://kubernetes.io/docs/tasks/administer-cluster/namespaces/'
                              items:
                                description: FinalizerName is the name identifying
                                  a finalizer during namespace lifecycle.
                                type: string
                              type: array
                          type: object
                      type: object
                    type: array
                  networkPolicies:
                    description: Network policies applied to namespaces in the project.
                    items:
                      description: NetworkPolicyTemplate contains the metadata and
                        specification of a Kubernetes NetworkPolicy. <div class="alert
                        alert-warning" role="alert"> <h4 class="alert-heading">NOTE</h4>
                        To add an application NetworkPolicy, see <a href="../../../docs/networking/security/#networkpolicies-for-applications">NetworkPolicies
                        for applications</a>. </div>
                      properties:
                        metadata:
                          type: object
                          x-kubernetes-preserve-unknown-fields: true
                        spec:
                          description: The specification of a network policy.
                          properties:
                            egress:
                              description: List of egress rules to be applied to the
                                selected pods. Outgoing traffic is allowed if there
                                are no NetworkPolicies selecting the pod (and cluster
                                policy otherwise allows the traffic), OR if the traffic
                                matches at least one egress rule across all of the
                                NetworkPolicy objects whose podSelector matches the
                                pod. If this field is empty then this NetworkPolicy
                                limits all outgoing traffic (and serves solely to
                                ensure that the pods it selects are isolated by default).
                                This field is beta-level in 1.8
                              items:
                                description: NetworkPolicyEgressRule describes a particular
                                  set of traffic that is allowed out of pods matched
                                  by a NetworkPolicySpec's podSelector. The traffic
                                  must match both ports and to. This type is beta-level
                                  in 1.8
                                properties:
                                  ports:
                                    description: List of destination ports for outgoing
                                      traffic. Each item in this list is combined
                                      using a logical OR. If this field is empty or
                                      missing, this rule matches all ports (traffic
                                      not restricted by port). If this field is present
                                      and contains at least one item, then this rule
                                      allows traffic only if the traffic matches at
                                      least one port in the list.
                                    items:
                                      description: NetworkPolicyPort describes a port
                                        to allow traffic on
                                      properties:
                                        endPort:
                                          description: If set, indicates that the
                                            range of ports from port to endPort, inclusive,
                                            should be allowed by the policy. This
                                            field cannot be defined if the port field
                                            is not defined or if the port field is
                                            defined as a named (string) port. The
                                            endPort must be equal or greater than
                                            port.
                                          format: int32
                                          type: integer
                                        port:
                                          anyOf:
                                          - type: integer
                                          - type: string
                                          description: The port on the given protocol.
                                            This can either be a numerical or named
                                            port on a pod. If this field is not provided,
                                            this matches all port names and numbers.
                                            If present, only traffic on the specified
                                            protocol AND port will be matched.
                                          x-kubernetes-int-or-string: true
                                        protocol:
                                          default: TCP
                                          description: The protocol (TCP, UDP, or
                                            SCTP) which traffic must match. If not
                                            specified, this field defaults to TCP.
                                          type: string
                                      type: object
                                    type: array
                                  to:
                                    description: List of destinations for outgoing
                                      traffic of pods selected for this rule. Items
                                      in this list are combined using a logical OR
                                      operation. If this field is empty or missing,
                                      this rule matches all destinations (traffic
                                      not restricted by destination). If this field
                                      is present and contains at least one item, this
                                      rule allows traffic only if the traffic matches
                                      at least one item in the to list.
                                    items:
                                      description: NetworkPolicyPeer describes a peer
                                        to allow traffic to/from. Only certain combinations
                                        of fields are allowed
                                      properties:
                                        ipBlock:
                                          description: IPBlock defines policy on a
                                            particular IPBlock. If this field is set
                                            then neither of the other fields can be.
                                          properties:
                                            cidr:
                                              description: CIDR is a string representing
                                                the IP Block Valid examples are "192.168.1.1/24"
                                                or "2001:db9::/64"
                                              type: string
                                            except:
                                              description: Except is a slice of CIDRs
                                                that should not be included within
                                                an IP Block Valid examples are "192.168.1.1/24"
                                                or "2001:db9::/64" Except values will
                                                be rejected if they are outside the
                                                CIDR range
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - cidr
                                          type: object
                                        namespaceSelector:
                                          description: "Selects Namespaces using cluster-scoped
                                            labels. This field follows standard label
                                            selector semantics; if present but empty,
                                            it selects all namespaces. \n If PodSelector
                                            is also set, then the NetworkPolicyPeer
                                            as a whole selects the Pods matching PodSelector
                                            in the Namespaces selected by NamespaceSelector.
                                            Otherwise it selects all Pods in the Namespaces
                                            selected by NamespaceSelector."
                                          properties:
                                            matchExpressions:
                                              description: matchExpressions is a list
                                                of label selector requirements. The
                                                requirements are ANDed.
                                              items:
                                                description: A label selector requirement
                                                  is a selector that contains values,
                                                  a key, and an operator that relates
                                                  the key and values.
                                                properties:
                                                  key:
                                                    description: key is the label
                                                      key that the selector applies
                                                      to.
                                                    type: string
                                                  operator:
                                                    description: operator represents
                                                      a key's relationship to a set
                                                      of values. Valid operators are
                                                      In, NotIn, Exists and DoesNotExist.
                                                    type: string
                                                  values:
                                                    description: values is an array
                                                      of string values. If the operator
                                                      is In or NotIn, the values array
                                                      must be non-empty. If the operator
                                                      is Exists or DoesNotExist, the
                                                      values array must be empty.
                                                      This array is replaced during
                                                      a strategic merge patch.
                                                    items:
                                                      type: string
                                                    type: array
                                                required:
                                                - key
                                                - operator
                                                type: object
                                              type: array
                                            matchLabels:
                                              additionalProperties:
                                                type: string
                                              description: matchLabels is a map of
                                                {key,value} pairs. A single {key,value}
                                                in the matchLabels map is equivalent
                                                to an element of matchExpressions,
                                                whose key field is "key", the operator
                                                is "In", and the values array contains
                                                only "value". The requirements are
                                                ANDed.
                                              type: object
                                          type: object
                                          x-kubernetes-map-type: atomic
                                        podSelector:
                                          description: "This is a label selector which
                                            selects Pods. This field follows standard
                                            label selector semantics; if present but
                                            empty, it selects all pods. \n If NamespaceSelector
                                            is also set, then the NetworkPolicyPeer
                                            as a whole selects the Pods matching PodSelector
                                            in the Namespaces selected by NamespaceSelector.
                                            Otherwise it selects the Pods matching
                                            PodSelector in the policy's own Namespace."
                                          properties:
                                            matchExpressions:
                                              description: matchExpressions is a list
                                                of label selector requirements. The
                                                requirements are ANDed.
                                              items:
                                                description: A label selector requirement
                                                  is a selector that contains values,
                                                  a key, and an operator that relates
                                                  the key and values.
                                                properties:
                                                  key:
                                                    description: key is the label
                                                      key that the selector applies
                                                      to.
                                                    type: string
                                                  operator:
                                                    description: operator represents
                                                      a key's relationship to a set
                                                      of values. Valid operators are
                                                      In, NotIn, Exists and DoesNotExist.
                                                    type: string
                                                  values:
                                                    description: values is an array
                                                      of string values. If the operator
                                                      is In or NotIn, the values array
                                                      must be non-empty. If the operator
                                                      is Exists or DoesNotExist, the
                                                      values array must be empty.
                                                      This array is replaced during
                                                      a strategic merge patch.
                                                    items:
                                                      type: string
                                                    type: array
                                                required:
                                                - key
                                                - operator
                                                type: object
                                              type: array
                                            matchLabels:
                                              additionalProperties:
                                                type: string
                                              description: matchLabels is a map of
                                                {key,value} pairs. A single {key,value}
                                                in the matchLabels map is equivalent
                                                to an element of matchExpressions,
                                                whose key field is "key", the operator
                                                is "In", and the values array contains
                                                only "value". The requirements are
                                                ANDed.
                                              type: object
                                          type: object
                                          x-kubernetes-map-type: atomic
                                      type: object
                                    type: array
                                type: object
                              type: array
                            ingress:
                              description: List of ingress rules to be applied to
                                the selected pods. Traffic is allowed to a pod if
                                there are no NetworkPolicies selecting the pod (and
                                cluster policy otherwise allows the traffic), OR if
                                the traffic source is the pod's local node, OR if
                                the traffic matches at least one ingress rule across
                                all of the NetworkPolicy objects whose podSelector
                                matches the pod. If this field is empty then this
                                NetworkPolicy does not allow any traffic (and serves
                                solely to ensure that the pods it selects are isolated
                                by default)
                              items:
                                description: NetworkPolicyIngressRule describes a
                                  particular set of traffic that is allowed to the
                                  pods matched by a NetworkPolicySpec's podSelector.
                                  The traffic must match both ports and from.
                                properties:
                                  from:
                                    description: List of sources which should be able
                                      to access the pods selected for this rule. Items
                                      in this list are combined using a logical OR
                                      operation. If this field is empty or missing,
                                      this rule matches all sources (traffic not restricted
                                      by source). If this field is present and contains
                                      at least one item, this rule allows traffic
                                      only if the traffic matches at least one item
                                      in the from list.
                                    items:
                                      description: NetworkPolicyPeer describes a peer
                                        to allow traffic to/from. Only certain combinations
                                        of fields are allowed
                                      properties:
                                        ipBlock:
                                          description: IPBlock defines policy on a
                                            particular IPBlock. If this field is set
                                            then neither of the other fields can be.
                                          properties:
                                            cidr:
                                              description: CIDR is a string representing
                                                the IP Block Valid examples are "192.168.1.1/24"
                                                or "2001:db9::/64"
                                              type: string
                                            except:
                                              description: Except is a slice of CIDRs
                                                that should not be included within
                                                an IP Block Valid examples are "192.168.1.1/24"
                                                or "2001:db9::/64" Except values will
                                                be rejected if they are outside the
                                                CIDR range
                                              items:
                                                type: string
                                              type: array
                                          required:
                                          - cidr
                                          type: object
                                        namespaceSelector:
                                          description: "Selects Namespaces using cluster-scoped
                                            labels. This field follows standard label
                                            selector semantics; if present but empty,
                                            it selects all namespaces. \n If PodSelector
                                            is also set, then the NetworkPolicyPeer
                                            as a whole selects the Pods matching PodSelector
                                            in the Namespaces selected by NamespaceSelector.
                                            Otherwise it selects all Pods in the Namespaces
                                            selected by NamespaceSelector."
                                          properties:
                                            matchExpressions:
                                              description: matchExpressions is a list
                                                of label selector requirements. The
                                                requirements are ANDed.
                                              items:
                                                description: A label selector requirement
                                                  is a selector that contains values,
                                                  a key, and an operator that relates
                                                  the key and values.
                                                properties:
                                                  key:
                                                    description: key is the label
                                                      key that the selector applies
                                                      to.
                                                    type: string
                                                  operator:
                                                    description: operator represents
                                                      a key's relationship to a set
                                                      of values. Valid operators are
                                                      In, NotIn, Exists and DoesNotExist.
                                                    type: string
                                                  values:
                                                    description: values is an array
                                                      of string values. If the operator
                                                      is In or NotIn, the values array
                                                      must be non-empty. If the operator
                                                      is Exists or DoesNotExist, the
                                                      values array must be empty.
                                                      This array is replaced during
                                                      a strategic merge patch.
                                                    items:
                                                      type: string
                                                    type: array
                                                required:
                                                - key
                                                - operator
                                                type: object
                                              type: array
                                            matchLabels:
                                              additionalProperties:
                                                type: string
                                              description: matchLabels is a map of
                                                {key,value} pairs. A single {key,value}
                                                in the matchLabels map is equivalent
                                                to an element of matchExpressions,
                                                whose key field is "key", the operator
                                                is "In", and the values array contains
                                                only "value". The requirements are
                                                ANDed.
                                              type: object
                                          type: object
                                          x-kubernetes-map-type: atomic
                                        podSelector:
                                          description: "This is a label selector which
                                            selects Pods. This field follows standard
                                            label selector semantics; if present but
                                            empty, it selects all pods. \n If NamespaceSelector
                                            is also set, then the NetworkPolicyPeer
                                            as a whole selects the Pods matching PodSelector
                                            in the Namespaces selected by NamespaceSelector.
                                            Otherwise it selects the Pods matching
                                            PodSelector in the policy's own Namespace."
                                          properties:
                                            matchExpressions:
                                              description: matchExpressions is a list
                                                of label selector requirements. The
                                                requirements are ANDed.
                                              items:
                                                description: A label selector requirement
                                                  is a selector that contains values,
                                                  a key, and an operator that relates
                                                  the key and values.
                                                properties:
                                                  key:
                                                    description: key is the label
                                                      key that the selector applies
                                                      to.
                                                    type: string
                                                  operator:
                                                    description: operator represents
                                                      a key's relationship to a set
                                                      of values. Valid operators are
                                                      In, NotIn, Exists and DoesNotExist.
                                                    type: string
                                                  values:
                                                    description: values is an array
                                                      of string values. If the operator
                                                      is In or NotIn, the values array
                                                      must be non-empty. If the operator
                                                      is Exists or DoesNotExist, the
                                                      values array must be empty.
                                                      This array is replaced during
                                                      a strategic merge patch.
                                                    items:
                                                      type: string
                                                    type: array
                                                required:
                                                - key
                                                - operator
                                                type: object
                                              type: array
                                            matchLabels:
                                              additionalProperties:
                                                type: string
                                              description: matchLabels is a map of
                                                {key,value} pairs. A single {key,value}
                                                in the matchLabels map is equivalent
                                                to an element of matchExpressions,
                                                whose key field is "key", the operator
                                                is "In", and the values array contains
                                                only "value". The requirements are
                                                ANDed.
                                              type: object
                                          type: object
                                          x-kubernetes-map-type: atomic
                                      type: object
                                    type: array
                                  ports:
                                    description: List of ports which should be made
                                      accessible on the pods selected for this rule.
                                      Each item in this list is combined using a logical
                                      OR. If this field is empty or missing, this
                                      rule matches all ports (traffic not restricted
                                      by port). If this field is present and contains
                                      at least one item, then this rule allows traffic
                                      only if the traffic matches at least one port
                                      in the list.
                                    items:
                                      description: NetworkPolicyPort describes a port
                                        to allow traffic on
                                      properties:
                                        endPort:
                                          description: If set, indicates that the
                                            range of ports from port to endPort, inclusive,
                                            should be allowed by the policy. This
                                            field cannot be defined if the port field
                                            is not defined or if the port field is
                                            defined as a named (string) port. The
                                            endPort must be equal or greater than
                                            port.
                                          format: int32
                                          type: integer
                                        port:
                                          anyOf:
                                          - type: integer
                                          - type: string
                                          description: The port on the given protocol.
                                            This can either be a numerical or named
                                            port on a pod. If this field is not provided,
                                            this matches all port names and numbers.
                                            If present, only traffic on the specified
                                            protocol AND port will be matched.
                                          x-kubernetes-int-or-string: true
                                        protocol:
                                          default: TCP
                                          description: The protocol (TCP, UDP, or
                                            SCTP) which traffic must match. If not
                                            specified, this field defaults to TCP.
                                          type: string
                                      type: object
                                    type: array
                                type: object
                              type: array
                            podSelector:
                              description: Selects the pods to which this NetworkPolicy
                                object applies. The array of ingress rules is applied
                                to any pods selected by this field. Multiple network
                                policies can select the same set of pods. In this
                                case, the ingress rules for each are combined additively.
                                This field is NOT optional and follows standard label
                                selector semantics. An empty podSelector matches all
                                pods in this namespace.
                              properties:
                                matchExpressions:
                                  description: matchExpressions is a list of label
                                    selector requirements. The requirements are ANDed.
                                  items:
                                    description: A label selector requirement is a
                                      selector that contains values, a key, and an
                                      operator that relates the key and values.
                                    properties:
                                      key:
                                        description: key is the label key that the
                                          selector applies to.
                                        type: string
                                      operator:
                                        description: operator represents a key's relationship
                                          to a set of values. Valid operators are
                                          In, NotIn, Exists and DoesNotExist.
                                        type: string
                                      values:
                                        description: values is an array of string
                                          values. If the operator is In or NotIn,
                                          the values array must be non-empty. If the
                                          operator is Exists or DoesNotExist, the
                                          values array must be empty. This array is
                                          replaced during a strategic merge patch.
                                        items:
                                          type: string
                                        type: array
                                    required:
                                    - key
                                    - operator
                                    type: object
                                  type: array
                                matchLabels:
                                  additionalProperties:
                                    type: string
                                  description: matchLabels is a map of {key,value}
                                    pairs. A single {key,value} in the matchLabels
                                    map is equivalent to an element of matchExpressions,
                                    whose key field is "key", the operator is "In",
                                    and the values array contains only "value". The
                                    requirements are ANDed.
                                  type: object
                              type: object
                              x-kubernetes-map-type: atomic
                            policyTypes:
                              description: List of rule types that the NetworkPolicy
                                relates to. Valid options are ["Ingress"], ["Egress"],
                                or ["Ingress", "Egress"]. If this field is not specified,
                                it will default based on the existence of Ingress
                                or Egress rules; policies that contain an Egress section
                                are assumed to affect Egress, and all policies (whether
                                or not they contain an Ingress section) are assumed
                                to affect Ingress. If you want to write an egress-only
                                policy, you must explicitly specify policyTypes [
                                "Egress" ]. Likewise, if you want to write a policy
                                that specifies that no egress is allowed, you must
                                specify a policyTypes value that include "Egress"
                                (since such a policy would not include an Egress section
                                and would otherwise default to just [ "Ingress" ]).
                                This field is beta-level in 1.8
                              items:
                                description: PolicyType string describes the NetworkPolicy
                                  type This type is beta-level in 1.8
                                type: string
                              type: array
                          required:
                          - podSelector
                          type: object
                      type: object
                    type: array
                  security:
                    description: The project security configuration.
                    properties:
                      projectAdminSubjects:
                        description: The subjects to bind to the `verrazzano-project-admin`
                          role.
                        items:
                          description: Subject contains a reference to the object
                            or user identities a role binding applies to. This can
                            either hold a direct API object reference, or a value
                            for non-objects such as user and group names.
                          properties:
                            apiGroup:
                              description: APIGroup holds the API group of the referenced
                                subject. Defaults to "" for ServiceAccount subjects.
                                Defaults to "rbac.authorization.k8s.io" for User and
                                Group subjects.
                              type: string
                            kind:
                              description: Kind of object being referenced. Values
                                defined by this API group are "User", "Group", and
                                "ServiceAccount". If the Authorizer does not recognized
                                the kind value, the Authorizer should report an error.
                              type: string
                            name:
                              description: Name of the object being referenced.
                              type: string
                            namespace:
                              description: Namespace of the referenced object. If
                                the object kind is non-namespace, such as "User" or
                                "Group", and this value is not empty the Authorizer
                                should report an error.
                              type: string
                          required:
                          - kind
                          - name
                          type: object
                          x-kubernetes-map-type: atomic
                        type: array
                      projectMonitorSubjects:
                        description: The subjects to bind to the `verrazzano-project-monitoring`
                          role.
                        items:
                          description: Subject contains a reference to the object
                            or user identities a role binding applies to. This can
                            either hold a direct API object reference, or a value
                            for non-objects such as user and group names.
                          properties:
                            apiGroup:
                              description: APIGroup holds the API group of the referenced
                                subject. Defaults to "" for ServiceAccount subjects.
                                Defaults to "rbac.authorization.k8s.io" for User and
                                Group subjects.
                              type: string
                            kind:
                              description: Kind of object being referenced. Values
                                defined by this API group are "User", "Group", and
                                "ServiceAccount". If the Authorizer does not recognized
                                the kind value, the Authorizer should report an error.
                              type: string
                            name:
                              description: Name of the object being referenced.
                              type: string
                            namespace:
                              description: Namespace of the referenced object. If
                                the object kind is non-namespace, such as "User" or
                                "Group", and this value is not empty the Authorizer
                                should report an error.
                              type: string
                          required:
                          - kind
                          - name
                          type: object
                          x-kubernetes-map-type: atomic
                        type: array
                    type: object
                required:
                - namespaces
                type: object
            required:
            - placement
            - template
            type: object
          status:
            description: The observed state of a Verrazzano Project resource.
            properties:
              clusters:
                description: Status information for each cluster.
                items:
                  description: ClusterLevelStatus describes the status of the multicluster
                    resource in a specific cluster.
                  properties:
                    lastUpdateTime:
                      description: Last update time of the resource state in this
                        cluster.
                      type: string
                    message:
                      description: Message details about the status in this cluster.
                      type: string
                    name:
                      description: Name of the cluster.
                      type: string
                    state:
                      description: State of the resource in this cluster.
                      type: string
                  required:
                  - lastUpdateTime
                  - name
                  - state
                  type: object
                type: array
              conditions:
                description: The current state of a multicluster resource.
                items:
                  description: Condition describes current state of a multicluster
                    resource.
                  properties:
                    lastTransitionTime:
                      description: Last time the condition transitioned from one status
                        to another.
                      type: string
                    message:
                      description: A message with details about the last transition.
                      type: string
                    status:
                      description: 'Status of the condition: one of `True`, `False`,
                        or `Unknown`.'
                      type: string
                    type:
                      description: Type of condition.
                      type: string
                  required:
                  - status
                  - type
                  type: object
                type: array
              state:
                description: 'The state of the multicluster resource. State values
                  are case-sensitive and formatted as follows: <ul><li>`Failed`: deployment
                  to cluster failed</li><li>`Pending`: deployment to cluster is in
                  progress</li><li>`Succeeded`: deployment to cluster successfully
                  completed</li></ul>'
                type: string
            type: object
        required:
        - spec
        type: object
    served: true
    storage: true
    subresources:
      status: {}