# k8s.io/kubernetes@v1.31.0-alpha.0.0.20240520171757-56147500dadc/cluster/addons/calico-policy-controller/networkpolicies-crd.yaml
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
  labels:
    addonmanager.kubernetes.io/mode: Reconcile
  name: networkpolicies.crd.projectcalico.org
spec:
  group: crd.projectcalico.org
  names:
    kind: NetworkPolicy
    listKind: NetworkPolicyList
    plural: networkpolicies
    singular: networkpolicy
  scope: Namespaced
  versions:
  - name: v1
    schema:
      openAPIV3Schema:
        properties:
          apiVersion:
            description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
            type: string
          kind:
            description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
            type: string
          metadata:
            type: object
          spec:
            properties:
              egress:
                description: The ordered set of egress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.
                items:
                  description: "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criterion has a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match."
                  properties:
                    action:
                      type: string
                    destination:
                      description: Destination contains the match criteria that apply to destination entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and Selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains a selector expression (see Policy for sample syntax). \ Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label “my_label”. \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label “my_label”. \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.
                          properties:
                            names:
                              description: Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.
                              type: string
                          type: object
                      type: object
                    http:
                      description: HTTP contains match criteria that apply to HTTP requests.
                      properties:
                        methods:
                          description: Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.
                          items:
                            type: string
                          type: array
                        paths:
                          description: 'Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR''d together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either an `exact` or a `prefix` match. The validator will check for it.'
                          items:
                            description: 'HTTPPath specifies an HTTP path to match. It may be either of the form: exact: <path>: which matches the path exactly or prefix: <path-prefix>: which matches the path prefix'
                            properties:
                              exact:
                                type: string
                              prefix:
                                type: string
                            type: object
                          type: array
                      type: object
                    icmp:
                      description: ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to "ICMP" or "ICMPv6".
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel’s iptables firewall, which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    ipVersion:
                      description: IPVersion is an optional field that restricts the rule to only match a specific IP version.
                      type: integer
                    metadata:
                      description: Metadata contains additional information for this rule
                      properties:
                        annotations:
                          additionalProperties:
                            type: string
                          description: Annotations is a set of key value pairs that give extra information about the rule
                          type: object
                      type: object
                    notICMP:
                      description: NotICMP is the negated version of the ICMP field.
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel’s iptables firewall, which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    notProtocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: NotProtocol is the negated version of the Protocol field.
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    protocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255."
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    source:
                      description: Source contains the match criteria that apply to source entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and Selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains a selector expression (see Policy for sample syntax). \ Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label “my_label”. \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label “my_label”. \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.
                          properties:
                            names:
                              description: Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.
                              type: string
                          type: object
                      type: object
                  required:
                  - action
                  type: object
                type: array
              ingress:
                description: The ordered set of ingress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.
                items:
                  description: "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criterion has a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match."
                  properties:
                    action:
                      type: string
                    destination:
                      description: Destination contains the match criteria that apply to destination entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and Selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains a selector expression (see Policy for sample syntax). \ Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label “my_label”. \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label “my_label”. \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.
                          properties:
                            names:
                              description: Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.
                              type: string
                          type: object
                      type: object
                    http:
                      description: HTTP contains match criteria that apply to HTTP requests.
                      properties:
                        methods:
                          description: Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.
                          items:
                            type: string
                          type: array
                        paths:
                          description: 'Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR''d together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either an `exact` or a `prefix` match. The validator will check for it.'
                          items:
                            description: 'HTTPPath specifies an HTTP path to match. It may be either of the form: exact: <path>: which matches the path exactly or prefix: <path-prefix>: which matches the path prefix'
                            properties:
                              exact:
                                type: string
                              prefix:
                                type: string
                            type: object
                          type: array
                      type: object
                    icmp:
                      description: ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to "ICMP" or "ICMPv6".
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel’s iptables firewall, which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    ipVersion:
                      description: IPVersion is an optional field that restricts the rule to only match a specific IP version.
                      type: integer
                    metadata:
                      description: Metadata contains additional information for this rule
                      properties:
                        annotations:
                          additionalProperties:
                            type: string
                          description: Annotations is a set of key value pairs that give extra information about the rule
                          type: object
                      type: object
                    notICMP:
                      description: NotICMP is the negated version of the ICMP field.
                      properties:
                        code:
                          description: Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel’s iptables firewall, which Calico uses to enforce the rule.
                          type: integer
                        type:
                          description: Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).
                          type: integer
                      type: object
                    notProtocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: NotProtocol is the negated version of the Protocol field.
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    protocol:
                      anyOf:
                      - type: integer
                      - type: string
                      description: "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255."
                      pattern: ^.*
                      x-kubernetes-int-or-string: true
                    source:
                      description: Source contains the match criteria that apply to source entity.
                      properties:
                        namespaceSelector:
                          description: "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and Selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces."
                          type: string
                        nets:
                          description: Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.
                          items:
                            type: string
                          type: array
                        notNets:
                          description: NotNets is the negated version of the Nets field.
                          items:
                            type: string
                          type: array
                        notPorts:
                          description: NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to "TCP" or "UDP".
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        notSelector:
                          description: NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.
                          type: string
                        ports:
                          description: "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\"."
                          items:
                            anyOf:
                            - type: integer
                            - type: string
                            pattern: ^.*
                            x-kubernetes-int-or-string: true
                          type: array
                        selector:
                          description: "Selector is an optional field that contains a selector expression (see Policy for sample syntax). \ Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label “my_label”. \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label “my_label”. \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints."
                          type: string
                        serviceAccounts:
                          description: ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.
                          properties:
                            names:
                              description: Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.
                              items:
                                type: string
                              type: array
                            selector:
                              description: Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.
                              type: string
                          type: object
                      type: object
                  required:
                  - action
                  type: object
                type: array
              order:
                description: Order is an optional field that specifies the order in which the policy is applied. Policies with higher "order" are applied after those with lower order. If the order is omitted, it may be considered to be "infinite" - i.e. the policy will be applied last. Policies with identical order will be applied in alphanumerical order based on the Policy "Name".
                type: number
              selector:
                description: "The selector is an expression used to pick out the endpoints that the policy should be applied to. \n Selector expressions follow this syntax: \n \tlabel == \"string_literal\" \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" \ -> not equal; also matches if label is not present \tlabel in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is not one of \"a\", \"b\", \"c\" \thas(label_name) -> True if that label is present \t! expr -> negation of expr \texpr && expr -> Short-circuit and \texpr || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() or the empty selector -> matches all endpoints. \n Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive but they do not support escape characters. \n Examples (with made-up labels): \n \ttype == \"webserver\" && deployment == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != \"dev\" \t! has(label_name)"
                type: string
              serviceAccountSelector:
                description: ServiceAccountSelector is an optional field for an expression used to select a pod based on service accounts.
                type: string
              types:
                description: "Types indicates whether this policy applies to ingress, or to egress, or to both. When not explicitly specified (and so the value on creation is empty or nil), Calico defaults Types according to what Ingress and Egress are present in the policy. The default is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are also no Ingress rules) \n - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. \n When the policy is read back again, Types will always be one of these values, never empty or nil."
                items:
                  description: PolicyType enumerates the possible values of the PolicySpec Types field.
                  type: string
                type: array
            type: object
        type: object
    served: true
    storage: true
status:
  acceptedNames:
    kind: ""
    plural: ""
  conditions: []
  storedVersions: []
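The spec.selector description in the CRD lists the selector grammar (`==`, `!=`, `in`, `not in`, `has()`, `!`, `&&`, `||`, parentheses, `all()` and the empty selector), and the per-rule Selector description warns that `selector: "!has(my_label)"` and `notSelector: "has(my_label)"` are not equivalent: the first can only ever match a Calico-controlled endpoint, the second also admits traffic from non-Calico sources. The Python below is an added example, not Calico's own code: it implements that grammar as a small recursive-descent evaluator and runs both negations against constructed senders (two labelled pods and one external host, all made up here). The `source_matches` helper and the convention that `None` stands for a non-Calico sender are this example's own modelling, not part of the schema.

```python
"""Evaluate Calico selector expressions and show Selector vs NotSelector semantics.

Added example (not Calico code). Grammar as documented in spec.selector:
  label == "lit" | label != "lit" | label in {..} | label not in {..} |
  has(label) | ! expr | expr && expr | expr || expr | ( expr ) | all()
"""
import re
from typing import Callable, Optional

Labels = Optional[dict]            # None == sender is not a Calico-controlled endpoint
Matcher = Callable[[dict], bool]   # compiled selector: endpoint labels -> bool

# string literal | operator | label name (alphanumerics, '-', '_', '/', '.')
_TOKEN = re.compile(r'\s*(?:("[^"]*"|\'[^\']*\')|(==|!=|&&|\|\||[!(){},])|([A-Za-z0-9_./-]+))')


def tokenize(expr: str) -> list:
    """Split a selector into (kind, value) tokens; literals carry no escapes."""
    toks, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"bad selector near {expr[pos:]!r}")
        pos = m.end()
        if m.group(1) is not None:
            toks.append(("str", m.group(1)[1:-1]))
        elif m.group(2) is not None:
            toks.append(("op", m.group(2)))
        else:
            toks.append(("name", m.group(3)))
    return toks


class _Parser:
    def __init__(self, toks):
        self.toks, self.i = toks, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)

    def take(self, kind=None, val=None):
        t = self.peek()
        if t[0] is None or (kind and t[0] != kind) or (val and t[1] != val):
            raise ValueError(f"unexpected token {t[1]!r}")
        self.i += 1
        return t[1]

    def parse(self) -> Matcher:
        node = self.or_expr()
        if self.peek()[0] is not None:
            raise ValueError(f"trailing input {self.peek()[1]!r}")
        return node

    def or_expr(self) -> Matcher:   # expr || expr  (short-circuit)
        left = self.and_expr()
        while self.peek() == ("op", "||"):
            self.take()
            left = (lambda l, r: lambda lab: l(lab) or r(lab))(left, self.and_expr())
        return left

    def and_expr(self) -> Matcher:  # expr && expr  (short-circuit)
        left = self.unary()
        while self.peek() == ("op", "&&"):
            self.take()
            left = (lambda l, r: lambda lab: l(lab) and r(lab))(left, self.unary())
        return left

    def unary(self) -> Matcher:     # ! expr
        if self.peek() == ("op", "!"):
            self.take()
            inner = self.unary()
            return lambda lab: not inner(lab)
        return self.primary()

    def primary(self) -> Matcher:
        if self.peek() == ("op", "("):
            self.take()
            node = self.or_expr()
            self.take("op", ")")
            return node
        name = self.take("name")
        if name in ("all", "has") and self.peek() == ("op", "("):
            self.take()
            if name == "all":
                self.take("op", ")")
                return lambda lab: True
            label = self.take("name")
            self.take("op", ")")
            return lambda lab: label in lab
        nxt = self.peek()[1]
        if nxt in ("==", "!="):
            self.take()
            lit = self.take("str")
            if nxt == "==":
                return lambda lab: lab.get(name) == lit
            return lambda lab: lab.get(name) != lit   # per the docs: true when label absent
        negated = nxt == "not"
        if negated:
            self.take()
        self.take("name", "in")
        self.take("op", "{")
        values = set()
        while self.peek()[0] == "str":
            values.add(self.take("str"))
            if self.peek() == ("op", ","):
                self.take()
        self.take("op", "}")
        return lambda lab: (lab.get(name) in values) != negated


def compile_selector(expr: str) -> Matcher:
    """Compile a selector; the empty selector, like all(), matches every endpoint."""
    toks = tokenize(expr)
    return _Parser(toks).parse() if toks else (lambda lab: True)


def source_matches(entity_rule: dict, src_labels: Labels) -> bool:
    """selector/notSelector part of a rule's 'source' match (example modelling).

    src_labels: labels of the sending Calico endpoint, or None for a sender that
    is not a Calico-controlled endpoint (e.g. an external host).
    """
    ok = True
    if "selector" in entity_rule:      # positive Selector: Calico endpoints only
        ok = src_labels is not None and compile_selector(entity_rule["selector"])(src_labels)
    if ok and "notSelector" in entity_rule:   # negates the whole match: non-Calico passes
        ok = not (src_labels is not None and compile_selector(entity_rule["notSelector"])(src_labels))
    return ok


def demo() -> dict:
    """Constructed senders (not from the CRD): two pods plus one non-Calico host."""
    senders = {"pod-with-label": {"my_label": "x"}, "pod-without-label": {"app": "db"}, "external-host": None}
    return {
        "selector": {n: source_matches({"selector": "!has(my_label)"}, l) for n, l in senders.items()},
        "notSelector": {n: source_matches({"notSelector": "has(my_label)"}, l) for n, l in senders.items()},
    }
```

Running `demo()` shows the asymmetry the schema text describes: both forms reject the pod carrying `my_label` and accept the pod without it, but only the `notSelector` form also accepts the external host. When a rule is meant to be "everything except these pods", the `notSelector` spelling silently widens it to non-Calico traffic, which is usually not what a Deny or Allow author intends.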
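Several field descriptions above state constraints that the OpenAPI schema itself does not encode: `ports`/`notPorts` require `protocol` to be `TCP` or `UDP`, `icmp`/`notICMP` should only be set with `ICMP`/`ICMPv6` and `code` requires `type`, each HTTP path entry carries exactly one of `exact` or `prefix`, `protocol` is one of six names or an integer 1-255, and `types` is defaulted from which rule lists are present. The API server will accept a policy that breaks these because the schema only types the fields loosely. The Python below is an added example, not part of Calico or the kubernetes repo: it applies those documented rules to a policy spec before submission and reproduces the `types` defaulting. The sample spec is constructed here; the `Allow`/`Deny` action values, and the `Ingress`/`Egress` strings standing in for PolicyTypeIngress/PolicyTypeEgress, are assumptions taken from Calico usage since this schema only types them as strings.

```python
"""Pre-submission lint for a Calico NetworkPolicy spec (added example, not Calico code).

Encodes constraints stated in the CRD field descriptions but not in the schema.
"""
from typing import Any

PORT_PROTOCOLS = {"TCP", "UDP"}                 # ports/notPorts require one of these
ICMP_PROTOCOLS = {"ICMP", "ICMPv6"}             # icmp/notICMP only meaningful with these
PROTOCOL_NAMES = {"TCP", "UDP", "ICMP", "ICMPv6", "SCTP", "UDPLite"}


def default_types(spec: dict) -> list:
    """Documented defaulting of spec.types when absent or empty.

    "Ingress"/"Egress" are assumed to be the string forms of
    PolicyTypeIngress/PolicyTypeEgress named in the description.
    """
    if spec.get("types"):
        return list(spec["types"])
    has_ingress, has_egress = bool(spec.get("ingress")), bool(spec.get("egress"))
    if has_egress and not has_ingress:
        return ["Egress"]
    if has_egress and has_ingress:
        return ["Ingress", "Egress"]
    return ["Ingress"]          # no egress rules, including no rules at all


def _protocol_ok(proto: Any) -> bool:
    if isinstance(proto, bool):
        return False
    if isinstance(proto, int):
        return 1 <= proto <= 255
    return proto in PROTOCOL_NAMES


def lint_rule(rule: dict, where: str) -> list:
    """Return findings for one ingress/egress Rule; empty list means clean."""
    findings = []
    if "action" not in rule:
        findings.append(f"{where}: 'action' is required")
    proto = rule.get("protocol")
    if proto is not None and not _protocol_ok(proto):
        findings.append(f"{where}: protocol {proto!r} is not one of {sorted(PROTOCOL_NAMES)} or 1-255")
    for entity in ("source", "destination"):
        ent = rule.get(entity, {})
        if ("ports" in ent or "notPorts" in ent) and proto not in PORT_PROTOCOLS:
            findings.append(f"{where}.{entity}: ports/notPorts need protocol TCP or UDP, got {proto!r}")
    for key in ("icmp", "notICMP"):
        icmp = rule.get(key)
        if icmp is None:
            continue
        if proto not in ICMP_PROTOCOLS:
            findings.append(f"{where}.{key}: should only be set when protocol is ICMP or ICMPv6")
        if "code" in icmp and "type" not in icmp:
            findings.append(f"{where}.{key}: 'code' requires 'type' (iptables limitation)")
    for i, path in enumerate(rule.get("http", {}).get("paths", [])):
        if ("exact" in path) == ("prefix" in path):
            findings.append(f"{where}.http.paths[{i}]: exactly one of 'exact' or 'prefix' must be set")
    return findings


def lint_policy(spec: dict) -> list:
    """Lint every rule, then flag rule lists that spec.types leaves unapplied."""
    findings = []
    for direction in ("ingress", "egress"):
        for i, rule in enumerate(spec.get(direction, [])):
            findings.extend(lint_rule(rule, f"{direction}[{i}]"))
    types = default_types(spec)
    for direction in ("ingress", "egress"):
        if spec.get(direction) and direction.capitalize() not in types:
            findings.append(f"{direction} rules present but spec.types={types} excludes "
                            f"{direction.capitalize()}, so they are never applied")
    return findings


# Constructed sample spec (not from the CRD) with four deliberate mistakes.
EXAMPLE_SPEC = {
    "order": 100,
    "selector": 'app == "api"',
    "ingress": [
        {"action": "Allow", "protocol": "TCP",
         "source": {"selector": 'app == "frontend"', "namespaceSelector": 'team == "web"'},
         "destination": {"ports": [8443, "9000:9010"]}},
        {"action": "Deny", "source": {"nets": ["10.0.0.0/8"]}, "destination": {"ports": [22]}},
        {"action": "Allow", "protocol": "TCP", "icmp": {"code": 0}},
    ],
    "egress": [
        {"action": "Allow", "protocol": "UDP", "destination": {"ports": [53]}},
        {"action": "Allow", "protocol": "TCP", "http": {"paths": [{"exact": "/healthz", "prefix": "/"}]}},
    ],
    "types": ["Ingress"],
}

if __name__ == "__main__":
    for finding in lint_policy(EXAMPLE_SPEC):
        print(finding)
```

The check is deliberately conservative: it reports only what the field descriptions state, so a clean result means "not contradicting the documented semantics", not "the policy does what you meant". The last check (rules present in a direction that `types` excludes) is the one that bites most often in practice, because the policy is accepted, shows up in `kubectl get`, and enforces nothing for that direction.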