k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/cluster/addons/calico-policy-controller/globalnetworkpolicy-crd.yaml

apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
  name: globalnetworkpolicies.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: GlobalNetworkPolicy
    listKind: GlobalNetworkPolicyList
    plural: globalnetworkpolicies
    singular: globalnetworkpolicy
  scope: Cluster
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              applyOnForward:
                description: ApplyOnForward indicates to apply the rules in this policy on forward traffic.
                type: boolean
              doNotTrack:
                description: DoNotTrack indicates whether packets matched by the rules in this policy should go through the data plane's connection tracking, such as Linux conntrack. If True, the rules in this policy are applied before any data plane connection tracking, and packets allowed by this policy are marked as not to be tracked.
                type: boolean
              egress:
                description: The ordered set of egress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.
                items:
                  description: "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criterion has a negated version, prefixed with ”Not”. All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match."
                  properties:
                    action:
                      type: string
                    destination:
                      description: Destination contains the match criteria that apply to destination entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and Selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains a selector expression (see Policy for sample syntax).  Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label “my_label”. \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label “my_label”. \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.
                          properties:
                            names:
                              description: Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.
                              type: string
                          type: object
                      type: object
                    http:
                      description: HTTP contains match criteria that apply to HTTP requests.
                      properties:
                        methods:
                          description: Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.
                          items:
                            type: string
                          type: array
                        paths:
                          description: 'Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR''d together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either an `exact` or a `prefix` match. The validator will check for it.'
                          items:
                            description: 'HTTPPath specifies an HTTP path to match. It may be either of the form: exact: <path>: which matches the path exactly or prefix: <path-prefix>: which matches the path prefix'
                            properties:
                              exact:
                                type: string
                              prefix:
                                type: string
                            type: object
                          type: array
                      type: object
                    icmp:
                      description: ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to "ICMP" or "ICMPv6".
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel’s iptables firewall, which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    ipVersion:
                      description: IPVersion is an optional field that restricts the rule to only match a specific IP version.
                      type: integer
                    metadata:
                      description: Metadata contains additional information for this rule
                      properties:
                        annotations:
                          additionalProperties:
                            type: string
                          description: Annotations is a set of key value pairs that give extra information about the rule
                          type: object
                      type: object
                    notICMP:
                      description: NotICMP is the negated version of the ICMP field.
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel’s iptables firewall, which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    notProtocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: NotProtocol is the negated version of the Protocol field.
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    protocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255."
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    source:
                      description: Source contains the match criteria that apply to source entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and Selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains a selector expression (see Policy for sample syntax).  Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label “my_label”. \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label “my_label”. \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.
                          properties:
                            names:
                              description: Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.
                              type: string
                          type: object
                      type: object
                  required:
                  - action
                  type: object
                type: array
              ingress:
                description: The ordered set of ingress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.
                items:
                  description: "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criterion has a negated version, prefixed with ”Not”. All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match."
                  properties:
                    action:
                      type: string
                    destination:
                      description: Destination contains the match criteria that apply to destination entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and Selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains a selector expression (see Policy for sample syntax).  Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label “my_label”. \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label “my_label”. \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.
                          properties:
                            names:
                              description: Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.
                              type: string
                          type: object
                      type: object
                    http:
                      description: HTTP contains match criteria that apply to HTTP requests.
                      properties:
                        methods:
                          description: Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.
                          items:
                            type: string
                          type: array
                        paths:
                          description: 'Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR''d together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either an `exact` or a `prefix` match. The validator will check for it.'
                          items:
                            description: 'HTTPPath specifies an HTTP path to match. It may be either of the form: exact: <path>: which matches the path exactly or prefix: <path-prefix>: which matches the path prefix'
                            properties:
                              exact:
                                type: string
                              prefix:
                                type: string
                            type: object
                          type: array
                      type: object
                    icmp:
                      description: ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to "ICMP" or "ICMPv6".
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel’s iptables firewall, which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    ipVersion:
                      description: IPVersion is an optional field that restricts the rule to only match a specific IP version.
                      type: integer
                    metadata:
                      description: Metadata contains additional information for this rule
                      properties:
                        annotations:
                          additionalProperties:
                            type: string
                          description: Annotations is a set of key value pairs that give extra information about the rule
                          type: object
                      type: object
                    notICMP:
                      description: NotICMP is the negated version of the ICMP field.
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel’s iptables firewall, which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    notProtocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: NotProtocol is the negated version of the Protocol field.
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    protocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255."
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    source:
                      description: Source contains the match criteria that apply to source entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and Selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains a selector expression (see Policy for sample syntax).  Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label “my_label”. \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label “my_label”. \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.
                          properties:
                            names:
                              description: Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.
                              type: string
                          type: object
                      type: object
                  required:
                  - action
                  type: object
                type: array
              namespaceSelector:
                description: NamespaceSelector is an optional field for an expression used to select a pod based on namespaces.
                type: string
              order:
                description: Order is an optional field that specifies the order in which the policy is applied. Policies with higher "order" are applied after those with lower order. If the order is omitted, it may be considered to be "infinite" - i.e. the policy will be applied last. Policies with identical order will be applied in alphanumerical order based on the Policy "Name".
                type: number
              preDNAT:
                description: PreDNAT indicates to apply the rules in this policy before any DNAT.
                type: boolean
              selector:
                description: "The selector is an expression used to pick out the endpoints that the policy should be applied to. \n Selector expressions follow this syntax: \n \tlabel == \"string_literal\"  -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"  -> not equal; also matches if label is not present \tlabel in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is not one of \"a\", \"b\", \"c\" \thas(label_name) -> True if that label is present \t! expr -> negation of expr \texpr && expr -> Short-circuit and \texpr || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() or the empty selector -> matches all endpoints. \n Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive but they do not support escape characters. \n Examples (with made-up labels): \n \ttype == \"webserver\" && deployment == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != \"dev\" \t! has(label_name)"
                type: string
              serviceAccountSelector:
                description: ServiceAccountSelector is an optional field for an expression used to select a pod based on service accounts.
                type: string
              types:
                description: "Types indicates whether this policy applies to ingress, or to egress, or to both. When not explicitly specified (and so the value on creation is empty or nil), Calico defaults Types according to what Ingress and Egress rules are present in the policy. The default is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are also no Ingress rules) \n - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. \n When the policy is read back again, Types will always be one of these values, never empty or nil."
                items:
                  description: PolicyType enumerates the possible values of the PolicySpec Types field.
                  type: string
                type: array
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
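The schema above only types the fields; the cross-field rules live in the description text (Ports require Protocol TCP or UDP, an ICMP code requires an ICMP type, an HTTP path entry sets exactly one of `exact`/`prefix`, Types defaults from which rule lists are present, and an omitted `order` sorts last with ties broken by name). The following is an added example, not code from the Kubernetes or Calico projects, that lints GlobalNetworkPolicy manifests against those stated constraints before they are applied and shows how Calico would order and type them. The three sample policies are constructed for the example; the `"Ingress"`/`"Egress"` strings are the values of the PolicyTypeIngress/PolicyTypeEgress constants the description names.

```python
import math
from typing import Any

# Values taken from the CRD descriptions. "Ingress"/"Egress" are the string
# forms of PolicyTypeIngress/PolicyTypeEgress.
POLICY_TYPE_INGRESS = "Ingress"
POLICY_TYPE_EGRESS = "Egress"
PORT_PROTOCOLS = {"TCP", "UDP"}
ICMP_PROTOCOLS = {"ICMP", "ICMPv6"}
PROTOCOL_NAMES = {"TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite"}


def check_protocol_value(value: Any) -> bool:
    """Protocol must be one of the named strings or an integer in 1-255."""
    if isinstance(value, bool):          # bool is an int subclass; reject it
        return False
    if isinstance(value, int):
        return 1 <= value <= 255
    return value in PROTOCOL_NAMES


def lint_rule(rule: dict, where: str) -> list:
    """Findings for one Rule, derived from the description text of the CRD."""
    findings = []
    proto = rule.get("protocol")
    if proto is not None and not check_protocol_value(proto):
        findings.append(f"{where}: protocol {proto!r} is not a known name or an integer 1-255")
    # Ports/NotPorts on either entity require the Protocol match to be TCP or UDP.
    for entity in ("source", "destination"):
        ent = rule.get(entity) or {}
        if ("ports" in ent or "notPorts" in ent) and proto not in PORT_PROTOCOLS:
            findings.append(f"{where}: {entity} ports given but protocol is {proto!r}, not TCP/UDP")
    # ICMP/NotICMP are only meaningful for ICMP protocols, and code needs type.
    for key in ("icmp", "notICMP"):
        match = rule.get(key)
        if match is None:
            continue
        if proto not in ICMP_PROTOCOLS:
            findings.append(f"{where}: {key} set but protocol is {proto!r}, not ICMP/ICMPv6")
        if "code" in match and "type" not in match:
            findings.append(f"{where}: {key}.code requires {key}.type")
    # Each HTTP path entry may specify either exact or prefix, never both or neither.
    for i, path in enumerate((rule.get("http") or {}).get("paths") or []):
        if ("exact" in path) == ("prefix" in path):
            findings.append(f"{where}: http.paths[{i}] must set exactly one of exact/prefix")
    if "action" not in rule:                 # action is the only required field
        findings.append(f"{where}: action is required")
    return findings


def lint_policy(policy: dict) -> list:
    """Lint every ingress and egress rule of one GlobalNetworkPolicy."""
    findings = []
    spec = policy.get("spec") or {}
    for direction in ("ingress", "egress"):
        for i, rule in enumerate(spec.get(direction) or []):
            findings.extend(lint_rule(rule, f"{policy['metadata']['name']}.{direction}[{i}]"))
    return findings


def effective_types(spec: dict) -> list:
    """Types as the description says Calico defaults it when empty or nil."""
    if spec.get("types"):
        return list(spec["types"])
    has_ingress, has_egress = bool(spec.get("ingress")), bool(spec.get("egress"))
    if has_egress and has_ingress:
        return [POLICY_TYPE_INGRESS, POLICY_TYPE_EGRESS]
    if has_egress:
        return [POLICY_TYPE_EGRESS]
    return [POLICY_TYPE_INGRESS]


def apply_order(policies: list) -> list:
    """Policy names in application order: ascending order, omitted order is
    treated as infinite (applied last), identical order falls back to name."""
    ranked = sorted(policies, key=lambda p: (p["spec"].get("order", math.inf), p["metadata"]["name"]))
    return [p["metadata"]["name"] for p in ranked]


def _gnp(name: str, spec: dict) -> dict:
    return {"apiVersion": "crd.projectcalico.org/v1", "kind": "GlobalNetworkPolicy",
            "metadata": {"name": name}, "spec": spec}


# Constructed sample manifests (not from the page).
ALLOW_FRONTEND_HTTPS = _gnp("allow-frontend-https", {
    "order": 100,
    "selector": 'type == "webserver" && deployment == "prod"',
    "ingress": [{"action": "Allow", "protocol": "TCP",
                 "source": {"selector": 'type == "frontend"'},
                 "destination": {"ports": [443, "8443:8444"]}}],
})
ALLOW_DNS_EGRESS = _gnp("allow-dns", {
    "order": 100, "selector": "all()",
    "egress": [{"action": "Allow", "protocol": "UDP", "destination": {"ports": [53]}}],
})
BROKEN_POLICY = _gnp("broken-example", {   # no order: applied last
    "selector": "all()",
    "egress": [
        {"action": "Deny", "destination": {"nets": ["169.254.169.254/32"], "ports": [80]}},  # no protocol
        {"action": "Allow", "protocol": "ICMP", "icmp": {"code": 0}},                          # code without type
        {"action": "Allow", "protocol": "TCP", "http": {"paths": [{"exact": "/h", "prefix": "/"}]}},  # both
    ],
})

if __name__ == "__main__":
    for pol in (ALLOW_FRONTEND_HTTPS, ALLOW_DNS_EGRESS, BROKEN_POLICY):
        print(pol["metadata"]["name"], effective_types(pol["spec"]), lint_policy(pol))
    print(apply_order([BROKEN_POLICY, ALLOW_FRONTEND_HTTPS, ALLOW_DNS_EGRESS]))
```

Running the module reports the three constructed defects in `broken-example` and none in the other two, derives `["Egress"]` for the egress-only policies and `["Ingress"]` for the ingress-only one, and orders them `allow-dns`, `allow-frontend-https`, `broken-example` (the first two tie at order 100 and fall back to name; the last has no order and goes last). Policies with an omitted `order` are a common source of surprise when a later-added deny is expected to win, so surfacing the computed order in review is worthwhile.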