diff --git a/crd.projectcalico.org/alertexception_v1.json b/crd.projectcalico.org/alertexception_v1.json new file mode 100644 index 00000000..72dd1a07 --- /dev/null +++ b/crd.projectcalico.org/alertexception_v1.json @@ -0,0 +1,50 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "AlertExceptionSpec contains the specification for an alert exception resource.", + "properties": { + "description": { + "description": "The description is displayed by the UI.", + "type": "string" + }, + "endTime": { + "description": "EndTime defines the end time at which this alert exception will expire. If omitted the alert exception filtering will continue indefinitely.", + "format": "date-time", + "type": "string" + }, + "selector": { + "description": "Selector defines a query string for alert events to be excluded from UI search results.", + "type": "string" + }, + "startTime": { + "description": "StartTime defines the start time from which this alert exception will take effect. If the value is in the past, matched alerts will be filtered immediately. If the value is changed to a future time, alert exceptions will restart at that time.", + "format": "date-time", + "type": "string" + } + }, + "required": [ + "description", + "selector", + "startTime" + ], + "type": "object", + "additionalProperties": false + }, + "status": { + "description": "AlertExceptionStatus contains the status of an alert exception.", + "type": "object" + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/bgpconfiguration_v1.json b/crd.projectcalico.org/bgpconfiguration_v1.json new file mode 100644 index 00000000..920ec885 --- /dev/null +++ b/crd.projectcalico.org/bgpconfiguration_v1.json @@ -0,0 +1,171 @@ +{ + "description": "BGPConfiguration contains the configuration for any BGP routing.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "BGPConfigurationSpec contains the values of the BGP configuration.", + "properties": { + "asNumber": { + "description": "ASNumber is the default AS number used by a node. [Default: 64512]", + "format": "int32", + "type": "integer" + }, + "bindMode": { + "description": "BindMode indicates whether to listen for BGP connections on all addresses (None) or only on the node's canonical IP address Node.Spec.BGP.IPvXAddress (NodeIP). Default behaviour is to listen for BGP connections on all addresses.", + "type": "string" + }, + "communities": { + "description": "Communities is a list of BGP community values and their arbitrary names for tagging routes.", + "items": { + "description": "Community contains standard or large community value and its name.", + "properties": { + "name": { + "description": "Name given to community value.", + "type": "string" + }, + "value": { + "description": "Value must be of format `aa:nn` or `aa:nn:mm`. For standard community use `aa:nn` format, where `aa` and `nn` are 16 bit number. For large community use `aa:nn:mm` format, where `aa`, `nn` and `mm` are 32 bit number. Where, `aa` is an AS Number, `nn` and `mm` are per-AS identifier.", + "pattern": "^(\\d+):(\\d+)$|^(\\d+):(\\d+):(\\d+)$", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "extensions": { + "additionalProperties": { + "type": "string" + }, + "description": "Extensions is a mapping of keys to values that can be used in custom BGP templates", + "type": "object" + }, + "listenPort": { + "description": "ListenPort is the port where BGP protocol should listen. Defaults to 179", + "maximum": 65535, + "minimum": 1, + "type": "integer" + }, + "logSeverityScreen": { + "description": "LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: INFO]", + "type": "string" + }, + "nodeMeshMaxRestartTime": { + "description": "Time to allow for software restart for node-to-mesh peerings. When specified, this is configured as the graceful restart timeout. When not specified, the BIRD default of 120s is used. This field can only be set on the default BGPConfiguration instance and requires that NodeMesh is enabled", + "type": "string" + }, + "nodeMeshPassword": { + "description": "Optional BGP password for full node-to-mesh peerings. This field can only be set on the default BGPConfiguration instance and requires that NodeMesh is enabled", + "properties": { + "secretKeyRef": { + "description": "Selects a key of a secret in the node pod's namespace.", + "properties": { + "key": { + "description": "The key of the secret to select from. Must be a valid secret key.", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?", + "type": "string" + }, + "optional": { + "description": "Specify whether the Secret or its key must be defined", + "type": "boolean" + } + }, + "required": [ + "key" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "nodeToNodeMeshEnabled": { + "description": "NodeToNodeMeshEnabled sets whether full node to node BGP mesh is enabled. [Default: true]", + "type": "boolean" + }, + "prefixAdvertisements": { + "description": "PrefixAdvertisements contains per-prefix advertisement configuration.", + "items": { + "description": "PrefixAdvertisement configures advertisement properties for the specified CIDR.", + "properties": { + "cidr": { + "description": "CIDR for which properties should be advertised.", + "type": "string" + }, + "communities": { + "description": "Communities can be list of either community names already defined in `Specs.Communities` or community value of format `aa:nn` or `aa:nn:mm`. For standard community use `aa:nn` format, where `aa` and `nn` are 16 bit number. For large community use `aa:nn:mm` format, where `aa`, `nn` and `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and `mm` are per-AS identifier.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "serviceClusterIPs": { + "description": "ServiceClusterIPs are the CIDR blocks from which service cluster IPs are allocated. If specified, Calico will advertise these blocks, as well as any cluster IPs within them.", + "items": { + "description": "ServiceClusterIPBlock represents a single allowed ClusterIP CIDR block.", + "properties": { + "cidr": { + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "serviceExternalIPs": { + "description": "ServiceExternalIPs are the CIDR blocks for Kubernetes Service External IPs. Kubernetes Service ExternalIPs will only be advertised if they are within one of these blocks.", + "items": { + "description": "ServiceExternalIPBlock represents a single allowed External IP CIDR block.", + "properties": { + "cidr": { + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "serviceLoadBalancerIPs": { + "description": "ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress IPs will only be advertised if they are within one of these blocks.", + "items": { + "description": "ServiceLoadBalancerIPBlock represents a single allowed LoadBalancer IP CIDR block.", + "properties": { + "cidr": { + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/bgpfilter_v1.json b/crd.projectcalico.org/bgpfilter_v1.json new file mode 100644 index 00000000..e8cbddce --- /dev/null +++ b/crd.projectcalico.org/bgpfilter_v1.json @@ -0,0 +1,123 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "BGPFilterSpec contains the IPv4 and IPv6 filter rules of the BGP Filter.", + "properties": { + "exportV4": { + "description": "The ordered set of IPv4 BGPFilter rules acting on exporting routes to a peer.", + "items": { + "description": "BGPFilterRuleV4 defines a BGP filter rule consisting a single IPv4 CIDR block and a filter action for this CIDR.", + "properties": { + "action": { + "type": "string" + }, + "cidr": { + "type": "string" + }, + "matchOperator": { + "type": "string" + } + }, + "required": [ + "action", + "cidr", + "matchOperator" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "exportV6": { + "description": "The ordered set of IPv6 BGPFilter rules acting on exporting routes to a peer.", + "items": { + "description": "BGPFilterRuleV6 defines a BGP filter rule consisting a single IPv6 CIDR block and a filter action for this CIDR.", + "properties": { + "action": { + "type": "string" + }, + "cidr": { + "type": "string" + }, + "matchOperator": { + "type": "string" + } + }, + "required": [ + "action", + "cidr", + "matchOperator" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "importV4": { + "description": "The ordered set of IPv4 BGPFilter rules acting on importing routes from a peer.", + "items": { + "description": "BGPFilterRuleV4 defines a BGP filter rule consisting a single IPv4 CIDR block and a filter action for this CIDR.", + "properties": { + "action": { + "type": "string" + }, + "cidr": { + "type": "string" + }, + "matchOperator": { + "type": "string" + } + }, + "required": [ + "action", + "cidr", + "matchOperator" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "importV6": { + "description": "The ordered set of IPv6 BGPFilter rules acting on importing routes from a peer.", + "items": { + "description": "BGPFilterRuleV6 defines a BGP filter rule consisting a single IPv6 CIDR block and a filter action for this CIDR.", + "properties": { + "action": { + "type": "string" + }, + "cidr": { + "type": "string" + }, + "matchOperator": { + "type": "string" + } + }, + "required": [ + "action", + "cidr", + "matchOperator" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/bgppeer_v1.json b/crd.projectcalico.org/bgppeer_v1.json new file mode 100644 index 00000000..c2565b5f --- /dev/null +++ b/crd.projectcalico.org/bgppeer_v1.json @@ -0,0 +1,128 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "BGPPeerSpec contains the specification for a BGPPeer resource.", + "properties": { + "asNumber": { + "description": "The AS Number of the peer.", + "format": "int32", + "type": "integer" + }, + "birdGatewayMode": { + "description": "Specifies the BIRD \"gateway\" mode, i.e. method for computing the immediate next hop for each received route, for peerings generated by this BGPPeer resource. Default value \"Recursive\" means \"gateway recursive\". \"DirectIfDirectlyConnected\" means to configure \"gateway direct\" when the peer is directly connected.", + "type": "string" + }, + "extensions": { + "additionalProperties": { + "type": "string" + }, + "description": "Extensions is a mapping of keys to values that can be used in custom BGP templates", + "type": "object" + }, + "externalNetwork": { + "description": "Name of the external network to which this peer belongs.", + "type": "string" + }, + "failureDetectionMode": { + "description": "Specifies whether and how to detect loss of connectivity on the peerings generated by this BGPPeer resource. Default value \"None\" means nothing beyond BGP's own (slow) hold timer. \"BFDIfDirectlyConnected\" means to use BFD when the peer is directly connected.", + "type": "string" + }, + "filters": { + "description": "The ordered set of BGPFilters applied on this BGP peer.", + "items": { + "type": "string" + }, + "type": "array" + }, + "keepOriginalNextHop": { + "description": "Option to keep the original nexthop field when routes are sent to a BGP Peer. Setting \"true\" configures the selected BGP Peers node to use the \"next hop keep;\" instead of \"next hop self;\"(default) in the specific branch of the Node on \"bird.cfg\".", + "type": "boolean" + }, + "maxRestartTime": { + "description": "Time to allow for software restart. When specified, this is configured as the graceful restart timeout when RestartMode is \"GracefulRestart\", and as the LLGR stale time when RestartMode is \"LongLivedGracefulRestart\". When not specified, the BIRD defaults are used, which are 120s for \"GracefulRestart\" and 3600s for \"LongLivedGracefulRestart\".", + "type": "string" + }, + "node": { + "description": "The node name identifying the Calico node instance that is targeted by this peer. If this is not set, and no nodeSelector is specified, then this BGP peer selects all nodes in the cluster.", + "type": "string" + }, + "nodeSelector": { + "description": "Selector for the nodes that should have this peering. When this is set, the Node field must be empty.", + "type": "string" + }, + "numAllowedLocalASNumbers": { + "description": "Maximum number of local AS numbers that are allowed in the AS path for received routes. This removes BGP loop prevention and should only be used if absolutely necesssary.", + "format": "int32", + "type": "integer" + }, + "password": { + "description": "Optional BGP password for the peerings generated by this BGPPeer resource.", + "properties": { + "secretKeyRef": { + "description": "Selects a key of a secret in the node pod's namespace.", + "properties": { + "key": { + "description": "The key of the secret to select from. Must be a valid secret key.", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?", + "type": "string" + }, + "optional": { + "description": "Specify whether the Secret or its key must be defined", + "type": "boolean" + } + }, + "required": [ + "key" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "peerIP": { + "description": "The IP address of the peer followed by an optional port number to peer with. If port number is given, format should be `[]:port` or `:` for IPv4. If optional port number is not set, and this peer IP and ASNumber belongs to a calico/node with ListenPort set in BGPConfiguration, then we use that port to peer.", + "type": "string" + }, + "peerSelector": { + "description": "Selector for the remote nodes to peer with. When this is set, the PeerIP and ASNumber fields must be empty. For each peering between the local node and selected remote nodes, we configure an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The remote AS number comes from the remote node's NodeBGPSpec.ASNumber, or the global default if that is not set.", + "type": "string" + }, + "reachableBy": { + "description": "Add an exact, i.e. /32, static route toward peer IP in order to prevent route flapping. ReachableBy contains the address of the gateway which peer can be reached by.", + "type": "string" + }, + "restartMode": { + "description": "Specifies restart behaviour to configure on the peerings generated by this BGPPeer resource. Default value \"GracefulRestart\" means traditional graceful restart. \"LongLivedGracefulRestart\" means LLGR according to draft-uttaro-idr-bgp-persistence-05.", + "type": "string" + }, + "sourceAddress": { + "description": "Specifies whether and how to configure a source address for the peerings generated by this BGPPeer resource. Default value \"UseNodeIP\" means to configure the node IP as the source address. \"None\" means not to configure a source address.", + "type": "string" + }, + "ttlSecurity": { + "description": "TTLSecurity enables the generalized TTL security mechanism (GTSM) which protects against spoofed packets by ignoring received packets with a smaller than expected TTL value. The provided value is the number of hops (edges) between the peers.", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/blockaffinity_v1.json b/crd.projectcalico.org/blockaffinity_v1.json new file mode 100644 index 00000000..2c8f42ba --- /dev/null +++ b/crd.projectcalico.org/blockaffinity_v1.json @@ -0,0 +1,42 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "BlockAffinitySpec contains the specification for a BlockAffinity resource.", + "properties": { + "cidr": { + "type": "string" + }, + "deleted": { + "description": "Deleted indicates that this block affinity is being deleted. This field is a string for compatibility with older releases that mistakenly treat this field as a string.", + "type": "string" + }, + "node": { + "type": "string" + }, + "state": { + "type": "string" + } + }, + "required": [ + "cidr", + "deleted", + "node", + "state" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/caliconodestatus_v1.json b/crd.projectcalico.org/caliconodestatus_v1.json new file mode 100644 index 00000000..f6b73756 --- /dev/null +++ b/crd.projectcalico.org/caliconodestatus_v1.json @@ -0,0 +1,287 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus resource.", + "properties": { + "classes": { + "description": "Classes declares the types of information to monitor for this calico/node, and allows for selective status reporting about certain subsets of information.", + "items": { + "type": "string" + }, + "type": "array" + }, + "node": { + "description": "The node name identifies the Calico node instance for node status.", + "type": "string" + }, + "updatePeriodSeconds": { + "description": "UpdatePeriodSeconds is the period at which CalicoNodeStatus should be updated. Set to 0 to disable CalicoNodeStatus refresh. Maximum update period is one day.", + "format": "int32", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "status": { + "description": "CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus. No validation needed for status since it is updated by Calico.", + "properties": { + "agent": { + "description": "Agent holds agent status on the node.", + "properties": { + "birdV4": { + "description": "BIRDV4 represents the latest observed status of bird4.", + "properties": { + "lastBootTime": { + "description": "LastBootTime holds the value of lastBootTime from bird.ctl output.", + "type": "string" + }, + "lastReconfigurationTime": { + "description": "LastReconfigurationTime holds the value of lastReconfigTime from bird.ctl output.", + "type": "string" + }, + "routerID": { + "description": "Router ID used by bird.", + "type": "string" + }, + "state": { + "description": "The state of the BGP Daemon.", + "type": "string" + }, + "version": { + "description": "Version of the BGP daemon", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "birdV6": { + "description": "BIRDV6 represents the latest observed status of bird6.", + "properties": { + "lastBootTime": { + "description": "LastBootTime holds the value of lastBootTime from bird.ctl output.", + "type": "string" + }, + "lastReconfigurationTime": { + "description": "LastReconfigurationTime holds the value of lastReconfigTime from bird.ctl output.", + "type": "string" + }, + "routerID": { + "description": "Router ID used by bird.", + "type": "string" + }, + "state": { + "description": "The state of the BGP Daemon.", + "type": "string" + }, + "version": { + "description": "Version of the BGP daemon", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "bgp": { + "description": "BGP holds node BGP status.", + "properties": { + "numberEstablishedV4": { + "description": "The total number of IPv4 established bgp sessions.", + "type": "integer" + }, + "numberEstablishedV6": { + "description": "The total number of IPv6 established bgp sessions.", + "type": "integer" + }, + "numberNotEstablishedV4": { + "description": "The total number of IPv4 non-established bgp sessions.", + "type": "integer" + }, + "numberNotEstablishedV6": { + "description": "The total number of IPv6 non-established bgp sessions.", + "type": "integer" + }, + "peersV4": { + "description": "PeersV4 represents IPv4 BGP peers status on the node.", + "items": { + "description": "CalicoNodePeer contains the status of BGP peers on the node.", + "properties": { + "peerIP": { + "description": "IP address of the peer whose condition we are reporting.", + "type": "string" + }, + "since": { + "description": "Since the state or reason last changed.", + "type": "string" + }, + "state": { + "description": "State is the BGP session state.", + "type": "string" + }, + "type": { + "description": "Type indicates whether this peer is configured via the node-to-node mesh, or via en explicit global or per-node BGPPeer object.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "peersV6": { + "description": "PeersV6 represents IPv6 BGP peers status on the node.", + "items": { + "description": "CalicoNodePeer contains the status of BGP peers on the node.", + "properties": { + "peerIP": { + "description": "IP address of the peer whose condition we are reporting.", + "type": "string" + }, + "since": { + "description": "Since the state or reason last changed.", + "type": "string" + }, + "state": { + "description": "State is the BGP session state.", + "type": "string" + }, + "type": { + "description": "Type indicates whether this peer is configured via the node-to-node mesh, or via en explicit global or per-node BGPPeer object.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "required": [ + "numberEstablishedV4", + "numberEstablishedV6", + "numberNotEstablishedV4", + "numberNotEstablishedV6" + ], + "type": "object", + "additionalProperties": false + }, + "lastUpdated": { + "description": "LastUpdated is a timestamp representing the server time when CalicoNodeStatus object last updated. It is represented in RFC3339 form and is in UTC.", + "format": "date-time", + "nullable": true, + "type": "string" + }, + "routes": { + "description": "Routes reports routes known to the Calico BGP daemon on the node.", + "properties": { + "routesV4": { + "description": "RoutesV4 represents IPv4 routes on the node.", + "items": { + "description": "CalicoNodeRoute contains the status of BGP routes on the node.", + "properties": { + "destination": { + "description": "Destination of the route.", + "type": "string" + }, + "gateway": { + "description": "Gateway for the destination.", + "type": "string" + }, + "interface": { + "description": "Interface for the destination", + "type": "string" + }, + "learnedFrom": { + "description": "LearnedFrom contains information regarding where this route originated.", + "properties": { + "peerIP": { + "description": "If sourceType is NodeMesh or BGPPeer, IP address of the router that sent us this route.", + "type": "string" + }, + "sourceType": { + "description": "Type of the source where a route is learned from.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": { + "description": "Type indicates if the route is being used for forwarding or not.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "routesV6": { + "description": "RoutesV6 represents IPv6 routes on the node.", + "items": { + "description": "CalicoNodeRoute contains the status of BGP routes on the node.", + "properties": { + "destination": { + "description": "Destination of the route.", + "type": "string" + }, + "gateway": { + "description": "Gateway for the destination.", + "type": "string" + }, + "interface": { + "description": "Interface for the destination", + "type": "string" + }, + "learnedFrom": { + "description": "LearnedFrom contains information regarding where this route originated.", + "properties": { + "peerIP": { + "description": "If sourceType is NodeMesh or BGPPeer, IP address of the router that sent us this route.", + "type": "string" + }, + "sourceType": { + "description": "Type of the source where a route is learned from.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": { + "description": "Type indicates if the route is being used for forwarding or not.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/clusterinformation_v1.json b/crd.projectcalico.org/clusterinformation_v1.json new file mode 100644 index 00000000..daae1bd5 --- /dev/null +++ b/crd.projectcalico.org/clusterinformation_v1.json @@ -0,0 +1,48 @@ +{ + "description": "ClusterInformation contains the cluster specific information.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "ClusterInformationSpec contains the values of describing the cluster.", + "properties": { + "calicoVersion": { + "description": "CalicoVersion is the version of Calico that the cluster is running", + "type": "string" + }, + "clusterGUID": { + "description": "ClusterGUID is the GUID of the cluster", + "type": "string" + }, + "clusterType": { + "description": "ClusterType describes the type of the cluster", + "type": "string" + }, + "cnxVersion": { + "description": "CNXVersion is the version of CNX that the cluster is running", + "type": "string" + }, + "datastoreReady": { + "description": "DatastoreReady is used during significant datastore migrations to signal to components such as Felix that it should wait before accessing the datastore.", + "type": "boolean" + }, + "variant": { + "description": "Variant declares which variant of Calico should be active.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/deeppacketinspection_v1.json b/crd.projectcalico.org/deeppacketinspection_v1.json new file mode 100644 index 00000000..eac5ff6d --- /dev/null +++ b/crd.projectcalico.org/deeppacketinspection_v1.json @@ -0,0 +1,81 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "DeepPacketInspectionSpec contains the values of the deep packet inspection.", + "properties": { + "selector": { + "description": "The selector is an expression used to pick out the endpoints for which deep packet inspection should be performed on. The selector will only match endpoints in the same namespace as the DeepPacketInspection resource. \n Selector expressions follow this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" -> not equal; also matches if label is not present \tlabel in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is not one of \"a\", \"b\", \"c\" \thas(label_name) -> True if that label is present \t! expr -> negation of expr \texpr && expr -> Short-circuit and \texpr || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() or the empty selector -> matches all endpoints. \n Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive but they do not support escape characters. \n Examples (with made-up labels): \n \ttype == \"webserver\" && deployment == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != \"dev\" \t! has(label_name)", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "status": { + "description": "DeepPacketInspectionStatus contains status of deep packet inspection in each node.", + "properties": { + "nodes": { + "items": { + "properties": { + "active": { + "properties": { + "lastUpdated": { + "description": "Timestamp of when the active status was last updated.", + "format": "date-time", + "type": "string" + }, + "success": { + "description": "Success indicates if deep packet inspection is running on all workloads matching the selector.", + "type": "boolean" + } + }, + "type": "object", + "additionalProperties": false + }, + "errorConditions": { + "items": { + "properties": { + "lastUpdated": { + "description": "Timestamp of when this error message was added.", + "format": "date-time", + "type": "string" + }, + "message": { + "description": "Message from deep packet inspection error.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "maxItems": 10, + "type": "array" + }, + "node": { + "description": "Node identifies with a physical node from the cluster via its hostname.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/externalnetwork_v1.json b/crd.projectcalico.org/externalnetwork_v1.json new file mode 100644 index 00000000..27acb5f5 --- /dev/null +++ b/crd.projectcalico.org/externalnetwork_v1.json @@ -0,0 +1,31 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "ExternalNetworkSpec contains the specification for a external network resource.", + "properties": { + "routeTableIndex": { + "description": "The index of a linux kernel routing table that should be used for the routes associated with the external network. The value should be unique for each external network. The value should not be in the range of `RouteTableRanges` field in FelixConfiguration. The kernel routing table index should not be used by other processes on the node.", + "format": "int32", + "type": "integer" + } + }, + "required": [ + "routeTableIndex" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/felixconfiguration_v1.json b/crd.projectcalico.org/felixconfiguration_v1.json new file mode 100644 index 00000000..b5dc6211 --- /dev/null +++ b/crd.projectcalico.org/felixconfiguration_v1.json @@ -0,0 +1,1044 @@ +{ + "description": "Felix Configuration contains the configuration for Felix.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "FelixConfigurationSpec contains the values of the Felix configuration.", + "properties": { + "allowIPIPPacketsFromWorkloads": { + "description": "AllowIPIPPacketsFromWorkloads controls whether Felix will add a rule to drop IPIP encapsulated traffic from workloads [Default: false]", + "type": "boolean" + }, + "allowVXLANPacketsFromWorkloads": { + "description": "AllowVXLANPacketsFromWorkloads controls whether Felix will add a rule to drop VXLAN encapsulated traffic from workloads [Default: false]", + "type": "boolean" + }, + "awsRequestTimeout": { + "description": "AWSRequestTimeout is the timeout on AWS API requests. [Default: 30s]", + "type": "string" + }, + "awsSecondaryIPRoutingRulePriority": { + "description": "AWSSecondaryIPRoutingRulePriority controls the priority that Felix will use for routing rules when programming them for AWS Secondary IP support. [Default: 101]", + "type": "integer" + }, + "awsSecondaryIPSupport": { + "description": "AWSSecondaryIPSupport controls whether Felix will try to provision AWS secondary ENIs for workloads that have IPs from IP pools that are configured with an AWS subnet ID. If the field is set to \"EnabledENIPerWorkload\" then each workload with an AWS-backed IP will be assigned its own secondary ENI. If set to \"Enabled\" then each workload with an AWS-backed IP pool will be allocated a secondary IP address on a secondary ENI; this mode requires additional IP pools to be provisioned for the host to claim IPs for the primary IP of the secondary ENIs. Accepted value must be one of \"Enabled\", \"EnabledENIPerWorkload\" or \"Disabled\". [Default: Disabled]", + "type": "string" + }, + "awsSrcDstCheck": { + "description": "Set source-destination-check on AWS EC2 instances. Accepted value must be one of \"DoNothing\", \"Enable\" or \"Disable\". [Default: DoNothing]", + "enum": [ + "DoNothing", + "Enable", + "Disable" + ], + "type": "string" + }, + "bpfConnectTimeLoadBalancingEnabled": { + "description": "BPFConnectTimeLoadBalancingEnabled when in BPF mode, controls whether Felix installs the connection-time load balancer. The connect-time load balancer is required for the host to be able to reach Kubernetes services and it improves the performance of pod-to-service connections. The only reason to disable it is for debugging purposes. [Default: true]", + "type": "boolean" + }, + "bpfDataIfacePattern": { + "description": "BPFDataIfacePattern is a regular expression that controls which interfaces Felix should attach BPF programs to in order to catch traffic to/from the network. This needs to match the interfaces that Calico workload traffic flows over as well as any interfaces that handle incoming traffic to nodeports and services from outside the cluster. It should not match the workload interfaces (usually named cali...).", + "type": "string" + }, + "bpfDisableUnprivileged": { + "description": "BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled sysctl to disable unprivileged use of BPF. This ensures that unprivileged users cannot access Calico's BPF maps and cannot insert their own BPF programs to interfere with Calico's. [Default: true]", + "type": "boolean" + }, + "bpfEnabled": { + "description": "BPFEnabled, if enabled Felix will use the BPF dataplane. [Default: false]", + "type": "boolean" + }, + "bpfEnforceRPF": { + "description": "BPFEnforceRPF enforce strict RPF on all host interfaces with BPF programs regardless of what is the per-interfaces or global setting. Possible values are Disabled, Strict or Loose. [Default: Loose]", + "type": "string" + }, + "bpfExtToServiceConnmark": { + "description": "BPFExtToServiceConnmark in BPF mode, control a 32bit mark that is set on connections from an external client to a local service. This mark allows us to control how packets of that connection are routed within the host and how is routing interpreted by RPF check. [Default: 0]", + "type": "integer" + }, + "bpfExternalServiceMode": { + "description": "BPFExternalServiceMode in BPF mode, controls how connections from outside the cluster to services (node ports and cluster IPs) are forwarded to remote workloads. If set to \"Tunnel\" then both request and response traffic is tunneled to the remote node. If set to \"DSR\", the request traffic is tunneled but the response traffic is sent directly from the remote node. In \"DSR\" mode, the remote node appears to use the IP of the ingress node; this requires a permissive L2 network. [Default: Tunnel]", + "type": "string" + }, + "bpfHostConntrackBypass": { + "description": "BPFHostConntrackBypass Controls whether to bypass Linux conntrack in BPF mode for workloads and services. [Default: true - bypass Linux conntrack]", + "type": "boolean" + }, + "bpfKubeProxyEndpointSlicesEnabled": { + "description": "BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls whether Felix's embedded kube-proxy accepts EndpointSlices or not.", + "type": "boolean" + }, + "bpfKubeProxyIptablesCleanupEnabled": { + "description": "BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF mode, Felix will proactively clean up the upstream Kubernetes kube-proxy's iptables chains. Should only be enabled if kube-proxy is not running. [Default: true]", + "type": "boolean" + }, + "bpfKubeProxyMinSyncPeriod": { + "description": "BPFKubeProxyMinSyncPeriod, in BPF mode, controls the minimum time between updates to the dataplane for Felix's embedded kube-proxy. Lower values give reduced set-up latency. Higher values reduce Felix CPU usage by batching up more work. [Default: 1s]", + "type": "string" + }, + "bpfLogLevel": { + "description": "BPFLogLevel controls the log level of the BPF programs when in BPF dataplane mode. One of \"Off\", \"Info\", or \"Debug\". The logs are emitted to the BPF trace pipe, accessible with the command `tc exec bpf debug`. [Default: Off].", + "type": "string" + }, + "bpfMapSizeConntrack": { + "description": "BPFMapSizeConntrack sets the size for the conntrack map. This map must be large enough to hold an entry for each active connection. Warning: changing the size of the conntrack map can cause disruption.", + "type": "integer" + }, + "bpfMapSizeIPSets": { + "description": "BPFMapSizeIPSets sets the size for ipsets map. The IP sets map must be large enough to hold an entry for each endpoint matched by every selector in the source/destination matches in network policy. Selectors such as \"all()\" can result in large numbers of entries (one entry per endpoint in that case).", + "type": "integer" + }, + "bpfMapSizeIfState": { + "description": "BPFMapSizeIfState sets the size for ifstate map. The ifstate map must be large enough to hold an entry for each device (host + workloads) on a host.", + "type": "integer" + }, + "bpfMapSizeNATAffinity": { + "type": "integer" + }, + "bpfMapSizeNATBackend": { + "description": "BPFMapSizeNATBackend sets the size for nat back end map. This is the total number of endpoints. This is mostly more than the size of the number of services.", + "type": "integer" + }, + "bpfMapSizeNATFrontend": { + "description": "BPFMapSizeNATFrontend sets the size for nat front end map. FrontendMap should be large enough to hold an entry for each nodeport, external IP and each port in each service.", + "type": "integer" + }, + "bpfMapSizeRoute": { + "description": "BPFMapSizeRoute sets the size for the routes map. The routes map should be large enough to hold one entry per workload and a handful of entries per host (enough to cover its own IPs and tunnel IPs).", + "type": "integer" + }, + "bpfPSNATPorts": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "BPFPSNATPorts sets the range from which we randomly pick a port if there is a source port collision. This should be within the ephemeral range as defined by RFC 6056 (1024\u201365535) and preferably outside the ephemeral ranges used by common operating systems. Linux uses 32768\u201360999, while others mostly use the IANA defined range 49152\u201365535. It is not necessarily a problem if this range overlaps with the operating systems. Both ends of the range are inclusive. [Default: 20000:29999]", + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "bpfPolicyDebugEnabled": { + "description": "BPFPolicyDebugEnabled when true, Felix records detailed information about the BPF policy programs, which can be examined with the calico-bpf command-line tool.", + "type": "boolean" + }, + "captureDir": { + "description": "CaptureDir controls directory to store file capture. [Default: /var/log/calico/pcap]", + "minLength": 1, + "type": "string" + }, + "captureMaxFiles": { + "description": "CaptureMaxFiles controls number of rotated capture file to keep. [Default: 2]", + "minimum": 1, + "type": "integer" + }, + "captureMaxSizeBytes": { + "description": "CaptureMaxSizeBytes controls the max size of a file capture. [Default: 10000000]", + "minimum": 1, + "type": "integer" + }, + "captureRotationSeconds": { + "description": "CaptureRotationSeconds controls the time rotation of a packet capture. [Default: 3600]", + "minimum": 1, + "type": "integer" + }, + "chainInsertMode": { + "description": "ChainInsertMode controls whether Felix hooks the kernel's top-level iptables chains by inserting a rule at the top of the chain or by appending a rule at the bottom. insert is the safe default since it prevents Calico's rules from being bypassed. If you switch to append mode, be sure that the other rules in the chains signal acceptance by falling through to the Calico rules, otherwise the Calico policy will be bypassed. [Default: insert]", + "type": "string" + }, + "dataplaneDriver": { + "description": "DataplaneDriver filename of the external dataplane driver to use. Only used if UseInternalDataplaneDriver is set to false.", + "type": "string" + }, + "dataplaneWatchdogTimeout": { + "description": "DataplaneWatchdogTimeout is the readiness/liveness timeout used for Felix's (internal) dataplane driver. Increase this value if you experience spurious non-ready or non-live events when Felix is under heavy load. Decrease the value to get felix to report non-live or non-ready more quickly. [Default: 90s] \n Deprecated: replaced by the generic HealthTimeoutOverrides.", + "type": "string" + }, + "debugDisableLogDropping": { + "type": "boolean" + }, + "debugMemoryProfilePath": { + "type": "string" + }, + "debugSimulateCalcGraphHangAfter": { + "type": "string" + }, + "debugSimulateDataplaneHangAfter": { + "type": "string" + }, + "defaultEndpointToHostAction": { + "description": "DefaultEndpointToHostAction controls what happens to traffic that goes from a workload endpoint to the host itself (after the traffic hits the endpoint egress policy). By default Calico blocks traffic from workload endpoints to the host itself with an iptables \"DROP\" action. If you want to allow some or all traffic from endpoint to host, set this parameter to RETURN or ACCEPT. Use RETURN if you have your own rules in the iptables \"INPUT\" chain; Calico will insert its rules at the top of that chain, then \"RETURN\" packets to the \"INPUT\" chain once it has completed processing workload endpoint egress policy. Use ACCEPT to unconditionally accept packets from workloads after processing workload endpoint egress policy. [Default: Drop]", + "type": "string" + }, + "deletedMetricsRetentionSecs": { + "type": "integer" + }, + "deviceRouteProtocol": { + "description": "This defines the route protocol added to programmed device routes, by default this will be RTPROT_BOOT when left blank.", + "type": "integer" + }, + "deviceRouteSourceAddress": { + "description": "This is the IPv4 source address to use on programmed device routes. By default the source address is left blank, leaving the kernel to choose the source address used.", + "type": "string" + }, + "deviceRouteSourceAddressIPv6": { + "description": "This is the IPv6 source address to use on programmed device routes. By default the source address is left blank, leaving the kernel to choose the source address used.", + "type": "string" + }, + "disableConntrackInvalidCheck": { + "type": "boolean" + }, + "dnsCacheEpoch": { + "description": "An arbitrary number that can be changed, at runtime, to tell Felix to discard all its learnt DNS information. [Default: 0].", + "type": "integer" + }, + "dnsCacheFile": { + "description": "The name of the file that Felix uses to preserve learnt DNS information when restarting. [Default: \"/var/run/calico/felix-dns-cache.txt\"].", + "type": "string" + }, + "dnsCacheSaveInterval": { + "description": "The periodic interval at which Felix saves learnt DNS information to the cache file. [Default: 60s].", + "type": "string" + }, + "dnsExtraTTL": { + "description": "Extra time to keep IPs and alias names that are learnt from DNS, in addition to each name or IP's advertised TTL. [Default: 0s].", + "type": "string" + }, + "dnsLogsFileAggregationKind": { + "description": "DNSLogsFileAggregationKind is used to choose the type of aggregation for DNS log entries. [Default: 1 - client name prefix aggregation]. Accepted values are 0 and 1. 0 - No aggregation. 1 - Aggregate over clients with the same name prefix.", + "type": "integer" + }, + "dnsLogsFileDirectory": { + "description": "DNSLogsFileDirectory sets the directory where DNS log files are stored. [Default: /var/log/calico/dnslogs]", + "type": "string" + }, + "dnsLogsFileEnabled": { + "description": "DNSLogsFileEnabled controls logging DNS logs to a file. If false no DNS logging to file will occur. [Default: false]", + "type": "boolean" + }, + "dnsLogsFileIncludeLabels": { + "description": "DNSLogsFileIncludeLabels is used to configure if endpoint labels are included in a DNS log entry written to file. [Default: true]", + "type": "boolean" + }, + "dnsLogsFileMaxFileSizeMB": { + "description": "DNSLogsFileMaxFileSizeMB sets the max size in MB of DNS log files before rotation. [Default: 100]", + "type": "integer" + }, + "dnsLogsFileMaxFiles": { + "description": "DNSLogsFileMaxFiles sets the number of DNS log files to keep. [Default: 5]", + "type": "integer" + }, + "dnsLogsFilePerNodeLimit": { + "description": "Limit on the number of DNS logs that can be emitted within each flush interval. When this limit has been reached, Felix counts the number of unloggable DNS responses within the flush interval, and emits a WARNING log with that count at the same time as it flushes the buffered DNS logs. [Default: 0, meaning no limit]", + "type": "integer" + }, + "dnsLogsFlushInterval": { + "description": "DNSLogsFlushInterval configures the interval at which Felix exports DNS logs. [Default: 300s]", + "type": "string" + }, + "dnsLogsLatency": { + "description": "DNSLogsLatency indicates to include measurements of DNS request/response latency in each DNS log. [Default: true]", + "type": "boolean" + }, + "dnsPacketsNfqueueID": { + "description": "DNSPacketsNfqueueID is the NFQUEUE ID to use for capturing DNS packets to ensure programming IPSets occurs before the response is released. Used when DNSPolicyMode is DelayDNSResponse. [Default: 101]", + "type": "integer" + }, + "dnsPacketsNfqueueMaxHoldDuration": { + "description": "DNSPacketsNfqueueMaxHoldDuration is the max length of time to hold on to a DNS response while waiting for the the dataplane to be programmed. Used when DNSPolicyMode is DelayDNSResponse. [Default: 3s]", + "type": "string" + }, + "dnsPacketsNfqueueSize": { + "description": "DNSPacketsNfqueueSize is the size of the NFQUEUE for captured DNS packets. This is the maximum number of DNS packets that may be queued awaiting programming in the dataplane. Used when DNSPolicyMode is DelayDNSResponse. [Default: 100]", + "type": "integer" + }, + "dnsPolicyMode": { + "description": "DNSPolicyMode specifies how DNS policy programming will be handled. DelayDeniedPacket - Felix delays any denied packet that traversed a policy that included egress domain matches, but did not match. The packet is released after a fixed time, or after the destination IP address was programmed. DelayDNSResponse - Felix delays any DNS response until related IPSets are programmed. This introduces some latency to all DNS packets (even when no IPSet programming is required), but it ensures policy hit statistics are accurate. This is the recommended setting when you are making use of staged policies or policy rule hit statistics. NoDelay - Felix does not introduce any delay to the packets. DNS rules may not have been programmed by the time the first packet traverses the policy rules. Client applications need to handle reconnection attempts if initial connection attempts fail. This may be problematic for some applications or for very low DNS TTLs. \n On Windows, or when using the eBPF dataplane, this setting is ignored and \"NoDelay\" is always used. \n [Default: DelayDeniedPacket]", + "enum": [ + "NoDelay", + "DelayDeniedPacket", + "DelayDNSResponse" + ], + "type": "string" + }, + "dnsPolicyNfqueueID": { + "description": "DNSPolicyNfqueueID is the NFQUEUE ID to use for DNS Policy re-evaluation when the domains IP hasn't been programmed to ipsets yet. Used when DNSPolicyMode is DelayDeniedPacket. [Default: 100]", + "type": "integer" + }, + "dnsPolicyNfqueueSize": { + "description": "DNSPolicyNfqueueID is the size of the NFQUEUE for DNS policy re-evaluation. This is the maximum number of denied packets that may be queued up pending re-evaluation. Used when DNSPolicyMode is DelayDeniedPacket. [Default: 100]", + "type": "integer" + }, + "dnsTrustedServers": { + "description": "The DNS servers that Felix should trust. Each entry here must be `[:]` - indicating an explicit DNS server IP - or `k8s-service:[/][:port]` - indicating a Kubernetes DNS service. `` defaults to the first service port, or 53 for an IP, and `` to `kube-system`. An IPv6 address with a port must use the square brackets convention, for example `[fd00:83a6::12]:5353`.Note that Felix (calico-node) will need RBAC permission to read the details of each service specified by a `k8s-service:...` form. [Default: \"k8s-service:kube-dns\"].", + "items": { + "type": "string" + }, + "type": "array" + }, + "dropActionOverride": { + "description": "DropActionOverride overrides the Drop action in Felix, optionally changing the behavior to Accept, and optionally adding Log. Possible values are Drop, LogAndDrop, Accept, LogAndAccept. [Default: Drop]", + "type": "string" + }, + "egressGatewayPollFailureCount": { + "description": "EgressGatewayPollFailureCount is the minimum number of poll failures before a remote Egress Gateway is considered to have failed.", + "type": "integer" + }, + "egressGatewayPollInterval": { + "description": "EgressGatewayPollInterval is the interval at which Felix will poll remote egress gateways to check their health. Only Egress Gateways with a named \"health\" port will be polled in this way. Egress Gateways that fail the health check will be taken our of use as if they have been deleted.", + "type": "string" + }, + "egressIPRoutingRulePriority": { + "description": "EgressIPRoutingRulePriority controls the priority value to use for the egress IP routing rule. [Default: 100]", + "type": "integer" + }, + "egressIPSupport": { + "description": "EgressIPSupport defines three different support modes for egress IP function. [Default: Disabled] - Disabled: Egress IP function is disabled. - EnabledPerNamespace: Egress IP function is enabled and can be configured on a per-namespace basis; per-pod egress annotations are ignored. - EnabledPerNamespaceOrPerPod: Egress IP function is enabled and can be configured per-namespace or per-pod, with per-pod egress annotations overriding namespace annotations.", + "type": "string" + }, + "egressIPVXLANPort": { + "description": "EgressIPVXLANPort is the port number of vxlan tunnel device for egress traffic. [Default: 4790]", + "type": "integer" + }, + "egressIPVXLANVNI": { + "description": "EgressIPVXLANVNI is the VNI ID of vxlan tunnel device for egress traffic. [Default: 4097]", + "type": "integer" + }, + "endpointReportingDelay": { + "type": "string" + }, + "endpointReportingEnabled": { + "type": "boolean" + }, + "externalNetworkRoutingRulePriority": { + "description": "ExternalNetworkRoutingRulePriority controls the priority value to use for the external network routing rule. [Default: 102]", + "type": "integer" + }, + "externalNetworkSupport": { + "description": "ExternalNetworkSupport defines two different support modes for external network function. [Default: Disabled] - Disabled: External network function is disabled. - Enabled: External network function is enabled.", + "type": "string" + }, + "externalNodesList": { + "description": "ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes which may source tunnel traffic and have the tunneled traffic be accepted at calico nodes.", + "items": { + "type": "string" + }, + "type": "array" + }, + "failsafeInboundHostPorts": { + "description": "FailsafeInboundHostPorts is a list of UDP/TCP ports and CIDRs that Felix will allow incoming traffic to host endpoints on irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For back-compatibility, if the protocol is not specified, it defaults to \"tcp\". If a CIDR is not specified, it will allow traffic from all addresses. To disable all inbound host ports, use the value none. The default value allows ssh access and DHCP. [Default: tcp:22, udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]", + "items": { + "description": "ProtoPort is combination of protocol, port, and CIDR. Protocol and port must be specified.", + "properties": { + "net": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + } + }, + "required": [ + "port", + "protocol" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "failsafeOutboundHostPorts": { + "description": "FailsafeOutboundHostPorts is a list of UDP/TCP ports and CIDRs that Felix will allow outgoing traffic from host endpoints to irrespective of the security policy. This is useful to avoid accidentally cutting off a host with incorrect configuration. For back-compatibility, if the protocol is not specified, it defaults to \"tcp\". If a CIDR is not specified, it will allow traffic from all addresses. To disable all outbound host ports, use the value none. The default value opens etcd's standard ports to ensure that Felix does not get cut off from etcd as well as allowing DHCP and DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667, udp:53, udp:67]", + "items": { + "description": "ProtoPort is combination of protocol, port, and CIDR. Protocol and port must be specified.", + "properties": { + "net": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "type": "string" + } + }, + "required": [ + "port", + "protocol" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "featureDetectOverride": { + "description": "FeatureDetectOverride is used to override the feature detection. Values are specified in a comma separated list with no spaces, example; \"SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=\". \"true\" or \"false\" will force the feature, empty or omitted values are auto-detected.", + "type": "string" + }, + "floatingIPs": { + "description": "FloatingIPs configures whether or not Felix will program floating IP addresses.", + "enum": [ + "Enabled", + "Disabled" + ], + "type": "string" + }, + "flowLogsAggregationThresholdBytes": { + "description": "FlowLogsAggregationThresholdBytes is used specify how far behind the external pipeline that reads flow logs can be. Default is 8192 bytes. This parameter only takes effect when FlowLogsDynamicAggregationEnabled is set to true.", + "type": "integer" + }, + "flowLogsCollectProcessInfo": { + "description": "FlowLogsCollectProcessInfo, if enabled Felix will load the kprobe BPF programs to collect process info. [Default: false]", + "type": "boolean" + }, + "flowLogsCollectProcessPath": { + "description": "When FlowLogsCollectProcessPath and FlowLogsCollectProcessInfo are both enabled, each flow log will include information about the process that is sending or receiving the packets in that flow: the `process_name` field will contain the full path of the process executable, and the `process_args` field will have the arguments with which the executable was invoked. Process information will not be reported for connections which use raw sockets.", + "type": "boolean" + }, + "flowLogsCollectTcpStats": { + "description": "FlowLogsCollectTcpStats enables flow logs reporting TCP socket stats", + "type": "boolean" + }, + "flowLogsCollectorDebugTrace": { + "description": "When FlowLogsCollectorDebugTrace is set to true, enables the logs in the collector to be printed in their entirety.", + "type": "boolean" + }, + "flowLogsDynamicAggregationEnabled": { + "description": "FlowLogsDynamicAggregationEnabled is used to enable/disable dynamically changing aggregation levels. Default is true.", + "type": "boolean" + }, + "flowLogsEnableHostEndpoint": { + "description": "FlowLogsEnableHostEndpoint enables Flow logs reporting for HostEndpoints.", + "type": "boolean" + }, + "flowLogsEnableNetworkSets": { + "description": "FlowLogsEnableNetworkSets enables Flow logs reporting for GlobalNetworkSets.", + "type": "boolean" + }, + "flowLogsFileAggregationKindForAllowed": { + "description": "FlowLogsFileAggregationKindForAllowed is used to choose the type of aggregation for flow log entries created for allowed connections. [Default: 2 - pod prefix name based aggregation]. Accepted values are 0, 1 and 2. 0 - No aggregation. 1 - Source port based aggregation. 2 - Pod prefix name based aggreagation.", + "type": "integer" + }, + "flowLogsFileAggregationKindForDenied": { + "description": "FlowLogsFileAggregationKindForDenied is used to choose the type of aggregation for flow log entries created for denied connections. [Default: 1 - source port based aggregation]. Accepted values are 0, 1 and 2. 0 - No aggregation. 1 - Source port based aggregation. 2 - Pod prefix name based aggregation. 3 - No destination ports based aggregation.", + "type": "integer" + }, + "flowLogsFileDirectory": { + "description": "FlowLogsFileDirectory sets the directory where flow logs files are stored.", + "type": "string" + }, + "flowLogsFileDomainsLimit": { + "description": "FlowLogsFileDomainsLimit is used to configure the number of (destination) domains to include in the flow log. These are not included for workload or host endpoint destinations. [Default: 5]", + "type": "integer" + }, + "flowLogsFileEnabled": { + "description": "FlowLogsFileEnabled when set to true, enables logging flow logs to a file. If false no flow logging to file will occur.", + "type": "boolean" + }, + "flowLogsFileEnabledForAllowed": { + "description": "FlowLogsFileEnabledForAllowed is used to enable/disable flow logs entries created for allowed connections. Default is true. This parameter only takes effect when FlowLogsFileReporterEnabled is set to true.", + "type": "boolean" + }, + "flowLogsFileEnabledForDenied": { + "description": "FlowLogsFileEnabledForDenied is used to enable/disable flow logs entries created for denied flows. Default is true. This parameter only takes effect when FlowLogsFileReporterEnabled is set to true.", + "type": "boolean" + }, + "flowLogsFileIncludeLabels": { + "description": "FlowLogsFileIncludeLabels is used to configure if endpoint labels are included in a Flow log entry written to file.", + "type": "boolean" + }, + "flowLogsFileIncludePolicies": { + "description": "FlowLogsFileIncludePolicies is used to configure if policy information are included in a Flow log entry written to file.", + "type": "boolean" + }, + "flowLogsFileIncludeService": { + "description": "FlowLogsFileIncludeService is used to configure if the destination service is included in a Flow log entry written to file. The service information can only be included if the flow was explicitly determined to be directed at the service (e.g. when the pre-DNAT destination corresponds to the service ClusterIP and port).", + "type": "boolean" + }, + "flowLogsFileMaxFileSizeMB": { + "description": "FlowLogsFileMaxFileSizeMB sets the max size in MB of flow logs files before rotation.", + "type": "integer" + }, + "flowLogsFileMaxFiles": { + "description": "FlowLogsFileMaxFiles sets the number of log files to keep.", + "type": "integer" + }, + "flowLogsFileNatOutgoingPortLimit": { + "description": "FlowLogsFileNatOutgoingPortLimit is used to specify the maximum number of distinct post SNAT ports that will appear in the flowLogs. Default value is 3", + "type": "integer" + }, + "flowLogsFilePerFlowProcessArgsLimit": { + "description": "FlowLogsFilePerFlowProcessArgsLimit is used to specify the maximum number of distinct process args that will appear in the flowLogs. Default value is 5", + "type": "integer" + }, + "flowLogsFilePerFlowProcessLimit": { + "description": "FlowLogsFilePerFlowProcessLimit, is used to specify the maximum number of flow log entries with distinct process information beyond which process information will be aggregated. [Default: 2]", + "type": "integer" + }, + "flowLogsFlushInterval": { + "description": "FlowLogsFlushInterval configures the interval at which Felix exports flow logs.", + "type": "string" + }, + "flowLogsMaxOriginalIPsIncluded": { + "description": "FlowLogsMaxOriginalIPsIncluded specifies the number of unique IP addresses (if relevant) that should be included in Flow logs.", + "type": "integer" + }, + "flowLogsPositionFilePath": { + "description": "FlowLogsPositionFilePath is used specify the position of the external pipeline that reads flow logs. Default is /var/log/calico/flows.log.pos. This parameter only takes effect when FlowLogsDynamicAggregationEnabled is set to true.", + "type": "string" + }, + "genericXDPEnabled": { + "description": "GenericXDPEnabled enables Generic XDP so network cards that don't support XDP offload or driver modes can use XDP. This is not recommended since it doesn't provide better performance than iptables. [Default: false]", + "type": "boolean" + }, + "healthEnabled": { + "type": "boolean" + }, + "healthHost": { + "type": "string" + }, + "healthPort": { + "type": "integer" + }, + "healthTimeoutOverrides": { + "description": "HealthTimeoutOverrides allows the internal watchdog timeouts of individual subcomponents to be overriden. This is useful for working around \"false positive\" liveness timeouts that can occur in particularly stressful workloads or if CPU is constrained. For a list of active subcomponents, see Felix's logs.", + "items": { + "properties": { + "name": { + "type": "string" + }, + "timeout": { + "type": "string" + } + }, + "required": [ + "name", + "timeout" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "interfaceExclude": { + "description": "InterfaceExclude is a comma-separated list of interfaces that Felix should exclude when monitoring for host endpoints. The default value ensures that Felix ignores Kubernetes' IPVS dummy interface, which is used internally by kube-proxy. If you want to exclude multiple interface names using a single value, the list supports regular expressions. For regular expressions you must wrap the value with '/'. For example having values '/^kube/,veth1' will exclude all interfaces that begin with 'kube' and also the interface 'veth1'. [Default: kube-ipvs0]", + "type": "string" + }, + "interfacePrefix": { + "description": "InterfacePrefix is the interface name prefix that identifies workload endpoints and so distinguishes them from host endpoint interfaces. Note: in environments other than bare metal, the orchestrators configure this appropriately. For example our Kubernetes and Docker integrations set the 'cali' value, and our OpenStack integration sets the 'tap' value. [Default: cali]", + "type": "string" + }, + "interfaceRefreshInterval": { + "description": "InterfaceRefreshInterval is the period at which Felix rescans local interfaces to verify their state. The rescan can be disabled by setting the interval to 0.", + "type": "string" + }, + "ipipEnabled": { + "description": "IPIPEnabled overrides whether Felix should configure an IPIP interface on the host. Optional as Felix determines this based on the existing IP pools. [Default: nil (unset)]", + "type": "boolean" + }, + "ipipMTU": { + "description": "IPIPMTU is the MTU to set on the tunnel device. See Configuring MTU [Default: 1440]", + "type": "integer" + }, + "ipsecAllowUnsecuredTraffic": { + "description": "IPSecAllowUnsecuredTraffic controls whether non-IPsec traffic is allowed in addition to IPsec traffic. Enabling this negates the anti-spoofing protections of IPsec but it is useful when migrating to/from IPsec. [Default: false]", + "type": "boolean" + }, + "ipsecESPAlgorithm": { + "description": "IPSecESAlgorithm sets IPSec ESP algorithm. Default is NIST suite B recommendation. [Default: aes128gcm16-ecp256]", + "type": "string" + }, + "ipsecIKEAlgorithm": { + "description": "IPSecIKEAlgorithm sets IPSec IKE algorithm. Default is NIST suite B recommendation. [Default: aes128gcm16-prfsha256-ecp256]", + "type": "string" + }, + "ipsecLogLevel": { + "description": "IPSecLogLevel controls log level for IPSec components. Set to None for no logging. A generic log level terminology is used [None, Notice, Info, Debug, Verbose]. [Default: Info]", + "type": "string" + }, + "ipsecMode": { + "description": "IPSecMode controls which mode IPSec is operating on. Default value means IPSec is not enabled. [Default: \"\"]", + "type": "string" + }, + "ipsecPolicyRefreshInterval": { + "description": "IPSecPolicyRefreshInterval is the interval at which Felix will check the kernel's IPsec policy tables and repair any inconsistencies. [Default: 600s]", + "type": "string" + }, + "ipsetsRefreshInterval": { + "description": "IpsetsRefreshInterval is the period at which Felix re-checks all iptables state to ensure that no other process has accidentally broken Calico's rules. Set to 0 to disable iptables refresh. [Default: 90s]", + "type": "string" + }, + "iptablesBackend": { + "description": "IptablesBackend specifies which backend of iptables will be used. The default is legacy.", + "type": "string" + }, + "iptablesFilterAllowAction": { + "type": "string" + }, + "iptablesLockFilePath": { + "description": "IptablesLockFilePath is the location of the iptables lock file. You may need to change this if the lock file is not in its standard location (for example if you have mapped it into Felix's container at a different path). [Default: /run/xtables.lock]", + "type": "string" + }, + "iptablesLockProbeInterval": { + "description": "IptablesLockProbeInterval is the time that Felix will wait between attempts to acquire the iptables lock if it is not available. Lower values make Felix more responsive when the lock is contended, but use more CPU. [Default: 50ms]", + "type": "string" + }, + "iptablesLockTimeout": { + "description": "IptablesLockTimeout is the time that Felix will wait for the iptables lock, or 0, to disable. To use this feature, Felix must share the iptables lock file with all other processes that also take the lock. When running Felix inside a container, this requires the /run directory of the host to be mounted into the calico/node or calico/felix container. [Default: 0s disabled]", + "type": "string" + }, + "iptablesMangleAllowAction": { + "type": "string" + }, + "iptablesMarkMask": { + "description": "IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. [Default: 0xff000000]", + "format": "int32", + "type": "integer" + }, + "iptablesNATOutgoingInterfaceFilter": { + "type": "string" + }, + "iptablesPostWriteCheckInterval": { + "description": "IptablesPostWriteCheckInterval is the period after Felix has done a write to the dataplane that it schedules an extra read back in order to check the write was not clobbered by another process. This should only occur if another application on the system doesn't respect the iptables lock. [Default: 1s]", + "type": "string" + }, + "iptablesRefreshInterval": { + "description": "IptablesRefreshInterval is the period at which Felix re-checks the IP sets in the dataplane to ensure that no other process has accidentally broken Calico's rules. Set to 0 to disable IP sets refresh. Note: the default for this value is lower than the other refresh intervals as a workaround for a Linux kernel bug that was fixed in kernel version 4.11. If you are using v4.11 or greater you may want to set this to, a higher value to reduce Felix CPU usage. [Default: 10s]", + "type": "string" + }, + "ipv6Support": { + "description": "IPv6Support controls whether Felix enables support for IPv6 (if supported by the in-use dataplane).", + "type": "boolean" + }, + "kubeMasqueradeBit": { + "description": "KubeMasqueradeBit should be set to the same value as --iptables-masquerade-bit of kube-proxy when TPROXY is used. The default is the same as kube-proxy default thus only needs a change if kube-proxy is using a non-standard setting. Must be within the range of 0-31. [Default: 14]", + "type": "integer" + }, + "kubeNodePortRanges": { + "description": "KubeNodePortRanges holds list of port ranges used for service node ports. Only used if felix detects kube-proxy running in ipvs mode. Felix uses these ranges to separate host and workload traffic. [Default: 30000:32767].", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "l7LogsFileAggregationDestinationInfo": { + "description": "L7LogsFileAggregationDestinationInfo is used to choose the type of aggregation for the destination metadata on L7 log entries. [Default: IncludeL7DestinationInfo - include destination metadata]. Accepted values are IncludeL7DestinationInfo and ExcludeL7DestinationInfo. IncludeL7DestinationInfo - Include destination metadata in the logs. ExcludeL7DestinationInfo - Aggregate over all other fields ignoring the destination aggregated name, namespace, and type.", + "type": "string" + }, + "l7LogsFileAggregationHTTPHeaderInfo": { + "description": "L7LogsFileAggregationHTTPHeaderInfo is used to choose the type of aggregation for HTTP header data on L7 log entries. [Default: ExcludeL7HTTPHeaderInfo - http header info removal]. Accepted values are IncludeL7HTTPHeaderInfo and ExcludeL7HTTPHeaderInfo. IncludeL7HTTPHeaderInfo - Include HTTP header data in the logs. ExcludeL7HTTPHeaderInfo - Aggregate over all other fields ignoring the user agent and log type.", + "type": "string" + }, + "l7LogsFileAggregationHTTPMethod": { + "description": "L7LogsFileAggregationHTTPMethod is used to choose the type of aggregation for the HTTP request method on L7 log entries. [Default: IncludeL7HTTPMethod - include the HTTP method]. Accepted values are IncludeL7HTTPMethod and ExcludeL7HTTPMethod. IncludeL7HTTPMethod - Include HTTP method in the logs. ExcludeL7HTTPMethod - Aggregate over all other fields ignoring the HTTP method.", + "type": "string" + }, + "l7LogsFileAggregationNumURLPath": { + "description": "L7LogsFileAggregationNumURLPath is used to choose the number of components in the url path to display. This allows for the url to be truncated in case parts of the path provide no value. Setting this value to negative will allow all parts of the path to be displayed. [Default: 5].", + "type": "integer" + }, + "l7LogsFileAggregationResponseCode": { + "description": "L7LogsFileAggregationResponseCode is used to choose the type of aggregation for the response code on L7 log entries. [Default: IncludeL7ResponseCode - include the response code]. Accepted values are IncludeL7ResponseCode and ExcludeL7ResponseCode. IncludeL7ResponseCode - Include the response code in the logs. ExcludeL7ResponseCode - Aggregate over all other fields ignoring the response code.", + "type": "string" + }, + "l7LogsFileAggregationServiceInfo": { + "description": "L7LogsFileAggregationServiceInfo is used to choose the type of aggregation for the service data on L7 log entries. [Default: IncludeL7ServiceInfo - include service data]. Accepted values are IncludeL7ServiceInfo and ExcludeL7ServiceInfo. IncludeL7ServiceInfo - Include service data in the logs. ExcludeL7ServiceInfo - Aggregate over all other fields ignoring the service name, namespace, and port.", + "type": "string" + }, + "l7LogsFileAggregationSourceInfo": { + "description": "L7LogsFileAggregationExcludeSourceInfo is used to choose the type of aggregation for the source metadata on L7 log entries. [Default: IncludeL7SourceInfoNoPort - include all source metadata except for the source port]. Accepted values are IncludeL7SourceInfo, IncludeL7SourceInfoNoPort, and ExcludeL7SourceInfo. IncludeL7SourceInfo - Include source metadata in the logs. IncludeL7SourceInfoNoPort - Include source metadata in the logs excluding the source port. ExcludeL7SourceInfo - Aggregate over all other fields ignoring the source aggregated name, namespace, and type.", + "type": "string" + }, + "l7LogsFileAggregationTrimURL": { + "description": "L7LogsFileAggregationTrimURL is used to choose the type of aggregation for the url on L7 log entries. [Default: IncludeL7FullURL - include the full URL up to however many path components are allowed by L7LogsFileAggregationNumURLPath]. Accepted values are 0 and 1. IncludeL7FullURL - Include the full URL up to however many path components are allowed by L7LogsFileAggregationNumURLPath. TrimURLQuery - Aggregate over all other fields ignoring the query parameters on the URL. TrimURLQueryAndPath - Aggregate over all other fields and the base URL only. ExcludeL7URL - Aggregate over all other fields ignoring the URL entirely.", + "type": "string" + }, + "l7LogsFileAggregationURLCharLimit": { + "description": "Limit on the length of the URL collected in L7 logs. When a URL length reaches this limit it is sliced off, and the sliced URL is sent to log storage. [Default: 250]", + "type": "integer" + }, + "l7LogsFileDirectory": { + "description": "L7LogsFileDirectory sets the directory where L7 log files are stored. [Default: /var/log/calico/l7logs]", + "type": "string" + }, + "l7LogsFileEnabled": { + "description": "L7LogsFileEnabled controls logging L7 logs to a file. If false no L7 logging to file will occur. [Default: true]", + "type": "boolean" + }, + "l7LogsFileMaxFileSizeMB": { + "description": "L7LogsFileMaxFileSizeMB sets the max size in MB of L7 log files before rotation. [Default: 100]", + "type": "integer" + }, + "l7LogsFileMaxFiles": { + "description": "L7LogsFileMaxFiles sets the number of L7 log files to keep. [Default: 5]", + "type": "integer" + }, + "l7LogsFilePerNodeLimit": { + "description": "Limit on the number of L7 logs that can be emitted within each flush interval. When this limit has been reached, Felix counts the number of unloggable L7 responses within the flush interval, and emits a WARNING log with that count at the same time as it flushes the buffered L7 logs. A value of 0 means no limit. [Default: 1500]", + "type": "integer" + }, + "l7LogsFlushInterval": { + "description": "L7LogsFlushInterval configures the interval at which Felix exports L7 logs. [Default: 300s]", + "type": "string" + }, + "logDebugFilenameRegex": { + "description": "LogDebugFilenameRegex controls which source code files have their Debug log output included in the logs. Only logs from files with names that match the given regular expression are included. The filter only applies to Debug level logs.", + "type": "string" + }, + "logDropActionOverride": { + "description": "LogDropActionOverride specifies whether or not to include the DropActionOverride in the logs when it is triggered.", + "type": "boolean" + }, + "logFilePath": { + "description": "LogFilePath is the full path to the Felix log. Set to none to disable file logging. [Default: /var/log/calico/felix.log]", + "type": "string" + }, + "logPrefix": { + "description": "LogPrefix is the log prefix that Felix uses when rendering LOG rules. [Default: calico-packet]", + "type": "string" + }, + "logSeverityFile": { + "description": "LogSeverityFile is the log severity above which logs are sent to the log file. [Default: Info]", + "type": "string" + }, + "logSeverityScreen": { + "description": "LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]", + "type": "string" + }, + "logSeveritySys": { + "description": "LogSeveritySys is the log severity above which logs are sent to the syslog. Set to None for no logging to syslog. [Default: Info]", + "type": "string" + }, + "maxIpsetSize": { + "type": "integer" + }, + "metadataAddr": { + "description": "MetadataAddr is the IP address or domain name of the server that can answer VM queries for cloud-init metadata. In OpenStack, this corresponds to the machine running nova-api (or in Ubuntu, nova-api-metadata). A value of none (case insensitive) means that Felix should not set up any NAT rule for the metadata path. [Default: 127.0.0.1]", + "type": "string" + }, + "metadataPort": { + "description": "MetadataPort is the port of the metadata server. This, combined with global.MetadataAddr (if not 'None'), is used to set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. In most cases this should not need to be changed [Default: 8775].", + "type": "integer" + }, + "mtuIfacePattern": { + "description": "MTUIfacePattern is a regular expression that controls which interfaces Felix should scan in order to calculate the host's MTU. This should not match workload interfaces (usually named cali...).", + "type": "string" + }, + "natOutgoingAddress": { + "description": "NATOutgoingAddress specifies an address to use when performing source NAT for traffic in a natOutgoing pool that is leaving the network. By default the address used is an address on the interface the traffic is leaving on (ie it uses the iptables MASQUERADE target)", + "type": "string" + }, + "natPortRange": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "NATPortRange specifies the range of ports that is used for port mapping when doing outgoing NAT. When unset the default behavior of the network stack is used.", + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "netlinkTimeout": { + "type": "string" + }, + "nfNetlinkBufSize": { + "type": "string" + }, + "openstackRegion": { + "description": "OpenstackRegion is the name of the region that a particular Felix belongs to. In a multi-region Calico/OpenStack deployment, this must be configured somehow for each Felix (here in the datamodel, or in felix.cfg or the environment on each compute node), and must match the [calico] openstack_region value configured in neutron.conf on each node. [Default: Empty]", + "type": "string" + }, + "policySyncPathPrefix": { + "description": "PolicySyncPathPrefix is used to by Felix to communicate policy changes to external services, like Application layer policy. [Default: Empty]", + "type": "string" + }, + "prometheusGoMetricsEnabled": { + "description": "PrometheusGoMetricsEnabled disables Go runtime metrics collection, which the Prometheus client does by default, when set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]", + "type": "boolean" + }, + "prometheusMetricsCAFile": { + "type": "string" + }, + "prometheusMetricsCertFile": { + "description": "TLS credentials for this port.", + "type": "string" + }, + "prometheusMetricsEnabled": { + "description": "PrometheusMetricsEnabled enables the Prometheus metrics server in Felix if set to true. [Default: false]", + "type": "boolean" + }, + "prometheusMetricsHost": { + "description": "PrometheusMetricsHost is the host that the Prometheus metrics server should bind to. [Default: empty]", + "type": "string" + }, + "prometheusMetricsKeyFile": { + "type": "string" + }, + "prometheusMetricsPort": { + "description": "PrometheusMetricsPort is the TCP port that the Prometheus metrics server should bind to. [Default: 9091]", + "type": "integer" + }, + "prometheusProcessMetricsEnabled": { + "description": "PrometheusProcessMetricsEnabled disables process metrics collection, which the Prometheus client does by default, when set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]", + "type": "boolean" + }, + "prometheusReporterCAFile": { + "type": "string" + }, + "prometheusReporterCertFile": { + "type": "string" + }, + "prometheusReporterEnabled": { + "description": "Felix Denied Packet Metrics configuration parameters.", + "type": "boolean" + }, + "prometheusReporterKeyFile": { + "type": "string" + }, + "prometheusReporterPort": { + "type": "integer" + }, + "prometheusWireGuardMetricsEnabled": { + "description": "PrometheusWireGuardMetricsEnabled disables wireguard metrics collection, which the Prometheus client does by default, when set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true]", + "type": "boolean" + }, + "removeExternalRoutes": { + "description": "Whether or not to remove device routes that have not been programmed by Felix. Disabling this will allow external applications to also add device routes. This is enabled by default which means we will remove externally added routes.", + "type": "boolean" + }, + "reportingInterval": { + "description": "ReportingInterval is the interval at which Felix reports its status into the datastore or 0 to disable. Must be non-zero in OpenStack deployments. [Default: 30s]", + "type": "string" + }, + "reportingTTL": { + "description": "ReportingTTL is the time-to-live setting for process-wide status reports. [Default: 90s]", + "type": "string" + }, + "routeRefreshInterval": { + "description": "RouteRefreshInterval is the period at which Felix re-checks the routes in the dataplane to ensure that no other process has accidentally broken Calico's rules. Set to 0 to disable route refresh. [Default: 90s]", + "type": "string" + }, + "routeSource": { + "description": "RouteSource configures where Felix gets its routing information. - WorkloadIPs: use workload endpoints to construct routes. - CalicoIPAM: the default - use IPAM data to construct routes.", + "type": "string" + }, + "routeSyncDisabled": { + "description": "RouteSyncDisabled will disable all operations performed on the route table. Set to true to run in network-policy mode only.", + "type": "boolean" + }, + "routeTableRange": { + "description": "Deprecated in favor of RouteTableRanges. Calico programs additional Linux route tables for various purposes. RouteTableRange specifies the indices of the route tables that Calico should use.", + "properties": { + "max": { + "type": "integer" + }, + "min": { + "type": "integer" + } + }, + "required": [ + "max", + "min" + ], + "type": "object", + "additionalProperties": false + }, + "routeTableRanges": { + "description": "Calico programs additional Linux route tables for various purposes. RouteTableRanges specifies a set of table index ranges that Calico should use. Deprecates`RouteTableRange`, overrides `RouteTableRange`.", + "items": { + "properties": { + "max": { + "type": "integer" + }, + "min": { + "type": "integer" + } + }, + "required": [ + "max", + "min" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "serviceLoopPrevention": { + "description": "When service IP advertisement is enabled, prevent routing loops to service IPs that are not in use, by dropping or rejecting packets that do not get DNAT'd by kube-proxy. Unless set to \"Disabled\", in which case such routing loops continue to be allowed. [Default: Drop]", + "type": "string" + }, + "sidecarAccelerationEnabled": { + "description": "SidecarAccelerationEnabled enables experimental sidecar acceleration [Default: false]", + "type": "boolean" + }, + "statsDumpFilePath": { + "type": "string" + }, + "syslogReporterAddress": { + "type": "string" + }, + "syslogReporterNetwork": { + "type": "string" + }, + "tproxyMode": { + "description": "TPROXYMode sets whether traffic is directed through a transparent proxy for further processing or not and how is the proxying done. [Default: Disabled]", + "type": "string" + }, + "tproxyPort": { + "description": "TPROXYPort sets to which port proxied traffic should be redirected. [Default: 16001]", + "type": "integer" + }, + "tproxyUpstreamConnMark": { + "description": "TPROXYUpstreamConnMark tells Felix which mark is used by the proxy for its upstream connections so that Felix can program the dataplane correctly. [Default: 0x17]", + "format": "int32", + "type": "integer" + }, + "usageReportingEnabled": { + "description": "UsageReportingEnabled reports anonymous Calico version number and cluster size to projectcalico.org. Logs warnings returned by the usage server. For example, if a significant security vulnerability has been discovered in the version of Calico being used. [Default: true]", + "type": "boolean" + }, + "usageReportingInitialDelay": { + "description": "UsageReportingInitialDelay controls the minimum delay before Felix makes a report. [Default: 300s]", + "type": "string" + }, + "usageReportingInterval": { + "description": "UsageReportingInterval controls the interval at which Felix makes reports. [Default: 86400s]", + "type": "string" + }, + "useInternalDataplaneDriver": { + "description": "UseInternalDataplaneDriver, if true, Felix will use its internal dataplane programming logic. If false, it will launch an external dataplane driver and communicate with it over protobuf.", + "type": "boolean" + }, + "vxlanEnabled": { + "description": "VXLANEnabled overrides whether Felix should create the VXLAN tunnel device for VXLAN networking. Optional as Felix determines this based on the existing IP pools. [Default: nil (unset)]", + "type": "boolean" + }, + "vxlanMTU": { + "description": "VXLANMTU is the MTU to set on the IPv4 VXLAN tunnel device. See Configuring MTU [Default: 1410]", + "type": "integer" + }, + "vxlanMTUV6": { + "description": "VXLANMTUV6 is the MTU to set on the IPv6 VXLAN tunnel device. See Configuring MTU [Default: 1390]", + "type": "integer" + }, + "vxlanPort": { + "type": "integer" + }, + "vxlanVNI": { + "type": "integer" + }, + "windowsDnsCacheFile": { + "description": "The name of the file that Felix uses to preserve learnt DNS information when restarting. [Default: \"c:\\\\TigeraCalico\\\\felix-dns-cache.txt\"].", + "type": "string" + }, + "windowsDnsExtraTTL": { + "description": "Extra time to keep IPs and alias names that are learnt from DNS, in addition to each name or IP's advertised TTL. The default value is 120s which is same as the default value of ServicePointManager.DnsRefreshTimeout on .net framework. [Default: 120s].", + "type": "string" + }, + "windowsFlowLogsFileDirectory": { + "description": "WindowsFlowLogsFileDirectory sets the directory where flow logs files are stored on Windows nodes. [Default: \"c:\\\\TigeraCalico\\\\flowlogs\"].", + "type": "string" + }, + "windowsFlowLogsPositionFilePath": { + "description": "WindowsFlowLogsPositionFilePath is used to specify the position of the external pipeline that reads flow logs on Windows nodes. [Default: \"c:\\\\TigeraCalico\\\\flowlogs\\\\flows.log.pos\"]. This parameter only takes effect when FlowLogsDynamicAggregationEnabled is set to true.", + "type": "string" + }, + "windowsNetworkName": { + "description": "WindowsNetworkName specifies which Windows HNS networks Felix should operate on. The default is to match networks that start with \"calico\". Supports regular expression syntax.", + "type": "string" + }, + "windowsStatsDumpFilePath": { + "description": "WindowsStatsDumpFilePath is used to specify the path of the stats dump file on Windows nodes. [Default: \"c:\\\\TigeraCalico\\\\stats\\\\dump\"]", + "type": "string" + }, + "wireguardEnabled": { + "description": "WireguardEnabled controls whether Wireguard is enabled for IPv4 (encapsulating IPv4 traffic over an IPv4 underlay network). [Default: false]", + "type": "boolean" + }, + "wireguardEnabledV6": { + "description": "WireguardEnabledV6 controls whether Wireguard is enabled for IPv6 (encapsulating IPv6 traffic over an IPv6 underlay network). [Default: false]", + "type": "boolean" + }, + "wireguardHostEncryptionEnabled": { + "description": "WireguardHostEncryptionEnabled controls whether Wireguard host-to-host encryption is enabled. [Default: false]", + "type": "boolean" + }, + "wireguardInterfaceName": { + "description": "WireguardInterfaceName specifies the name to use for the IPv4 Wireguard interface. [Default: wireguard.cali]", + "type": "string" + }, + "wireguardInterfaceNameV6": { + "description": "WireguardInterfaceNameV6 specifies the name to use for the IPv6 Wireguard interface. [Default: wg-v6.cali]", + "type": "string" + }, + "wireguardKeepAlive": { + "description": "WireguardKeepAlive controls Wireguard PersistentKeepalive option. Set 0 to disable. [Default: 0]", + "type": "string" + }, + "wireguardListeningPort": { + "description": "WireguardListeningPort controls the listening port used by IPv4 Wireguard. [Default: 51820]", + "type": "integer" + }, + "wireguardListeningPortV6": { + "description": "WireguardListeningPortV6 controls the listening port used by IPv6 Wireguard. [Default: 51821]", + "type": "integer" + }, + "wireguardMTU": { + "description": "WireguardMTU controls the MTU on the IPv4 Wireguard interface. See Configuring MTU [Default: 1440]", + "type": "integer" + }, + "wireguardMTUV6": { + "description": "WireguardMTUV6 controls the MTU on the IPv6 Wireguard interface. See Configuring MTU [Default: 1420]", + "type": "integer" + }, + "wireguardRoutingRulePriority": { + "description": "WireguardRoutingRulePriority controls the priority value to use for the Wireguard routing rule. [Default: 99]", + "type": "integer" + }, + "workloadSourceSpoofing": { + "description": "WorkloadSourceSpoofing controls whether pods can use the allowedSourcePrefixes annotation to send traffic with a source IP address that is not theirs. This is disabled by default. When set to \"Any\", pods can request any prefix.", + "type": "string" + }, + "xdpEnabled": { + "description": "XDPEnabled enables XDP acceleration for suitable untracked incoming deny rules. [Default: true]", + "type": "boolean" + }, + "xdpRefreshInterval": { + "description": "XDPRefreshInterval is the period at which Felix re-checks all XDP state to ensure that no other process has accidentally broken Calico's BPF maps or attached programs. Set to 0 to disable XDP refresh. [Default: 90s]", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/globalalert_v1.json b/crd.projectcalico.org/globalalert_v1.json new file mode 100644 index 00000000..b0d6c0a8 --- /dev/null +++ b/crd.projectcalico.org/globalalert_v1.json @@ -0,0 +1,165 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "properties": { + "aggregateBy": { + "description": "An optional list of fields to aggregate results. Only used if Type is RuleBased.", + "items": { + "type": "string" + }, + "type": "array" + }, + "condition": { + "description": "Compare the value of the metric to the threshold using this condition. Only used if Type is RuleBased.", + "type": "string" + }, + "dataSet": { + "description": "DataSet determines which dataset type the Query will use. Required and used only if Type is RuleBased.", + "type": "string" + }, + "description": { + "description": "Human-readable description of the template.", + "type": "string" + }, + "detector": { + "description": "Parameters for configuring an AnomalyDetection run. Only used if Type is AnomalyDetection.", + "properties": { + "name": { + "description": "Name specifies the AnomalyDetection Detector to run.", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "field": { + "description": "Which field to aggregate results by if using a metric other than count. Only used if Type is RuleBased.", + "type": "string" + }, + "lookback": { + "description": "How much data to gather at once. If Type is RuleBased, it must exceed audit log flush interval, dnsLogsFlushInterval, or flowLogsFlushInterval as appropriate.", + "type": "string" + }, + "metric": { + "description": "A metric to apply to aggregated results. count is the number of log entries matching the aggregation pattern. Others are applied only to numeric fields in the logs. Only used if Type is RuleBased.", + "type": "string" + }, + "period": { + "description": "If Type is RuleBased, it is how often the query defined will run. If Type is AnomalyDetection it is how often the detector will be run.", + "type": "string" + }, + "query": { + "description": "Which data to include from the source data set. Written in a domain-specific query language. Only used if Type is RuleBased.", + "type": "string" + }, + "severity": { + "description": "Severity of the alert for display in Manager.", + "type": "integer" + }, + "substitutions": { + "description": "An optional list of values to replace variable names in query. Only used if Type is RuleBased.", + "items": { + "description": "GlobalAlertSubstitution substitutes for the variables in the set operators of a Query.", + "properties": { + "name": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "summary": { + "description": "Template for the description field in generated events, description is used if this is omitted.", + "type": "string" + }, + "threshold": { + "description": "A numeric value to compare the value of the metric against. Only used if Type is RuleBased.", + "type": "number" + }, + "type": { + "description": "Type will dictate how the fields of the GlobalAlert will be utilized. Each Type will have different usages and defaults for the fields. [Default: RuleBased]", + "type": "string" + } + }, + "required": [ + "description", + "severity" + ], + "type": "object", + "additionalProperties": false + }, + "status": { + "properties": { + "active": { + "type": "boolean" + }, + "errorConditions": { + "items": { + "properties": { + "message": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "message", + "type" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "healthy": { + "type": "boolean" + }, + "lastEvent": { + "format": "date-time", + "type": "string" + }, + "lastExecuted": { + "format": "date-time", + "type": "string" + }, + "lastUpdate": { + "format": "date-time", + "type": "string" + } + }, + "required": [ + "active", + "healthy" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/globalalerttemplate_v1.json b/crd.projectcalico.org/globalalerttemplate_v1.json new file mode 100644 index 00000000..02509f7a --- /dev/null +++ b/crd.projectcalico.org/globalalerttemplate_v1.json @@ -0,0 +1,118 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "properties": { + "aggregateBy": { + "description": "An optional list of fields to aggregate results. Only used if Type is RuleBased.", + "items": { + "type": "string" + }, + "type": "array" + }, + "condition": { + "description": "Compare the value of the metric to the threshold using this condition. Only used if Type is RuleBased.", + "type": "string" + }, + "dataSet": { + "description": "DataSet determines which dataset type the Query will use. Required and used only if Type is RuleBased.", + "type": "string" + }, + "description": { + "description": "Human-readable description of the template.", + "type": "string" + }, + "detector": { + "description": "Parameters for configuring an AnomalyDetection run. Only used if Type is AnomalyDetection.", + "properties": { + "name": { + "description": "Name specifies the AnomalyDetection Detector to run.", + "type": "string" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "field": { + "description": "Which field to aggregate results by if using a metric other than count. Only used if Type is RuleBased.", + "type": "string" + }, + "lookback": { + "description": "How much data to gather at once. If Type is RuleBased, it must exceed audit log flush interval, dnsLogsFlushInterval, or flowLogsFlushInterval as appropriate.", + "type": "string" + }, + "metric": { + "description": "A metric to apply to aggregated results. count is the number of log entries matching the aggregation pattern. Others are applied only to numeric fields in the logs. Only used if Type is RuleBased.", + "type": "string" + }, + "period": { + "description": "If Type is RuleBased, it is how often the query defined will run. If Type is AnomalyDetection it is how often the detector will be run.", + "type": "string" + }, + "query": { + "description": "Which data to include from the source data set. Written in a domain-specific query language. Only used if Type is RuleBased.", + "type": "string" + }, + "severity": { + "description": "Severity of the alert for display in Manager.", + "type": "integer" + }, + "substitutions": { + "description": "An optional list of values to replace variable names in query. Only used if Type is RuleBased.", + "items": { + "description": "GlobalAlertSubstitution substitutes for the variables in the set operators of a Query.", + "properties": { + "name": { + "type": "string" + }, + "values": { + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "summary": { + "description": "Template for the description field in generated events, description is used if this is omitted.", + "type": "string" + }, + "threshold": { + "description": "A numeric value to compare the value of the metric against. Only used if Type is RuleBased.", + "type": "number" + }, + "type": { + "description": "Type will dictate how the fields of the GlobalAlert will be utilized. Each Type will have different usages and defaults for the fields. [Default: RuleBased]", + "type": "string" + } + }, + "required": [ + "description", + "severity" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/globalnetworkpolicy_v1.json b/crd.projectcalico.org/globalnetworkpolicy_v1.json new file mode 100644 index 00000000..050a64bc --- /dev/null +++ b/crd.projectcalico.org/globalnetworkpolicy_v1.json @@ -0,0 +1,726 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "properties": { + "applyOnForward": { + "description": "ApplyOnForward indicates to apply the rules in this policy on forward traffic.", + "type": "boolean" + }, + "doNotTrack": { + "description": "DoNotTrack indicates whether packets matched by the rules in this policy should go through the data plane's connection tracking, such as Linux conntrack. If True, the rules in this policy are applied before any data plane connection tracking, and packets allowed by this policy are marked as not to be tracked.", + "type": "boolean" + }, + "egress": { + "description": "The ordered set of egress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.", + "items": { + "description": "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match.", + "properties": { + "action": { + "type": "string" + }, + "destination": { + "description": "Destination contains the match criteria that apply to destination entity.", + "properties": { + "domains": { + "description": "Domains is an optional field, valid for egress Allow rules only, that restricts the rule to apply only to traffic to one of the specified domains. If this field is specified, Action must be Allow, and Nets and Selector must both be left empty.", + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.", + "type": "string" + }, + "nets": { + "description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notNets": { + "description": "NotNets is the negated version of the Nets field.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notPorts": { + "description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "notSelector": { + "description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.", + "type": "string" + }, + "ports": { + "description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.", + "type": "string" + }, + "serviceAccounts": { + "description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.", + "properties": { + "names": { + "description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.", + "items": { + "type": "string" + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "services": { + "description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.", + "properties": { + "name": { + "description": "Name specifies the name of a Kubernetes Service to match.", + "type": "string" + }, + "namespace": { + "description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "http": { + "description": "HTTP contains match criteria that apply to HTTP requests.", + "properties": { + "methods": { + "description": "Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.", + "items": { + "type": "string" + }, + "type": "array" + }, + "paths": { + "description": "Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR'd together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.", + "items": { + "description": "HTTPPath specifies an HTTP path to match. It may be either of the form: exact: : which matches the path exactly or prefix: : which matches the path prefix", + "properties": { + "exact": { + "type": "string" + }, + "prefix": { + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "icmp": { + "description": "ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to \"ICMP\" or \"ICMPv6\".", + "properties": { + "code": { + "description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.", + "type": "integer" + }, + "type": { + "description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "ipVersion": { + "description": "IPVersion is an optional field that restricts the rule to only match a specific IP version.", + "type": "integer" + }, + "metadata": { + "description": "Metadata contains additional information for this rule", + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "description": "Annotations is a set of key value pairs that give extra information about the rule", + "type": "object" + } + }, + "type": "object", + "additionalProperties": false + }, + "notICMP": { + "description": "NotICMP is the negated version of the ICMP field.", + "properties": { + "code": { + "description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.", + "type": "integer" + }, + "type": { + "description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "notProtocol": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "NotProtocol is the negated version of the Protocol field.", + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "protocol": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255.", + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "source": { + "description": "Source contains the match criteria that apply to source entity.", + "properties": { + "domains": { + "description": "Domains is an optional field, valid for egress Allow rules only, that restricts the rule to apply only to traffic to one of the specified domains. If this field is specified, Action must be Allow, and Nets and Selector must both be left empty.", + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.", + "type": "string" + }, + "nets": { + "description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notNets": { + "description": "NotNets is the negated version of the Nets field.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notPorts": { + "description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "notSelector": { + "description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.", + "type": "string" + }, + "ports": { + "description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.", + "type": "string" + }, + "serviceAccounts": { + "description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.", + "properties": { + "names": { + "description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.", + "items": { + "type": "string" + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "services": { + "description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.", + "properties": { + "name": { + "description": "Name specifies the name of a Kubernetes Service to match.", + "type": "string" + }, + "namespace": { + "description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "action" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "ingress": { + "description": "The ordered set of ingress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.", + "items": { + "description": "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match.", + "properties": { + "action": { + "type": "string" + }, + "destination": { + "description": "Destination contains the match criteria that apply to destination entity.", + "properties": { + "domains": { + "description": "Domains is an optional field, valid for egress Allow rules only, that restricts the rule to apply only to traffic to one of the specified domains. If this field is specified, Action must be Allow, and Nets and Selector must both be left empty.", + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.", + "type": "string" + }, + "nets": { + "description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notNets": { + "description": "NotNets is the negated version of the Nets field.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notPorts": { + "description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "notSelector": { + "description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.", + "type": "string" + }, + "ports": { + "description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.", + "type": "string" + }, + "serviceAccounts": { + "description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.", + "properties": { + "names": { + "description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.", + "items": { + "type": "string" + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "services": { + "description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.", + "properties": { + "name": { + "description": "Name specifies the name of a Kubernetes Service to match.", + "type": "string" + }, + "namespace": { + "description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "http": { + "description": "HTTP contains match criteria that apply to HTTP requests.", + "properties": { + "methods": { + "description": "Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.", + "items": { + "type": "string" + }, + "type": "array" + }, + "paths": { + "description": "Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR'd together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.", + "items": { + "description": "HTTPPath specifies an HTTP path to match. It may be either of the form: exact: : which matches the path exactly or prefix: : which matches the path prefix", + "properties": { + "exact": { + "type": "string" + }, + "prefix": { + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "icmp": { + "description": "ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to \"ICMP\" or \"ICMPv6\".", + "properties": { + "code": { + "description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.", + "type": "integer" + }, + "type": { + "description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "ipVersion": { + "description": "IPVersion is an optional field that restricts the rule to only match a specific IP version.", + "type": "integer" + }, + "metadata": { + "description": "Metadata contains additional information for this rule", + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "description": "Annotations is a set of key value pairs that give extra information about the rule", + "type": "object" + } + }, + "type": "object", + "additionalProperties": false + }, + "notICMP": { + "description": "NotICMP is the negated version of the ICMP field.", + "properties": { + "code": { + "description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.", + "type": "integer" + }, + "type": { + "description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "notProtocol": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "NotProtocol is the negated version of the Protocol field.", + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "protocol": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255.", + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "source": { + "description": "Source contains the match criteria that apply to source entity.", + "properties": { + "domains": { + "description": "Domains is an optional field, valid for egress Allow rules only, that restricts the rule to apply only to traffic to one of the specified domains. If this field is specified, Action must be Allow, and Nets and Selector must both be left empty.", + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.", + "type": "string" + }, + "nets": { + "description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notNets": { + "description": "NotNets is the negated version of the Nets field.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notPorts": { + "description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "notSelector": { + "description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.", + "type": "string" + }, + "ports": { + "description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.", + "type": "string" + }, + "serviceAccounts": { + "description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.", + "properties": { + "names": { + "description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.", + "items": { + "type": "string" + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "services": { + "description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.", + "properties": { + "name": { + "description": "Name specifies the name of a Kubernetes Service to match.", + "type": "string" + }, + "namespace": { + "description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "action" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "namespaceSelector": { + "description": "NamespaceSelector is an optional field for an expression used to select a pod based on namespaces.", + "type": "string" + }, + "order": { + "description": "Order is an optional field that specifies the order in which the policy is applied. Policies with higher \"order\" are applied after those with lower order within the same tier. If the order is omitted, it may be considered to be \"infinite\" - i.e. the policy will be applied last. Policies with identical order will be applied in alphanumerical order based on the Policy \"Name\" within the tier.", + "type": "number" + }, + "preDNAT": { + "description": "PreDNAT indicates to apply the rules in this policy before any DNAT.", + "type": "boolean" + }, + "selector": { + "description": "The selector is an expression used to pick pick out the endpoints that the policy should be applied to. \n Selector expressions follow this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" -> not equal; also matches if label is not present \tlabel in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is not one of \"a\", \"b\", \"c\" \thas(label_name) -> True if that label is present \t! expr -> negation of expr \texpr && expr -> Short-circuit and \texpr || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() or the empty selector -> matches all endpoints. \n Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive but they do not support escape characters. \n Examples (with made-up labels): \n \ttype == \"webserver\" && deployment == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != \"dev\" \t! has(label_name)", + "type": "string" + }, + "serviceAccountSelector": { + "description": "ServiceAccountSelector is an optional field for an expression used to select a pod based on service accounts.", + "type": "string" + }, + "tier": { + "description": "The name of the tier that this policy belongs to. If this is omitted, the default tier (name is \"default\") is assumed. The specified tier must exist in order to create security policies within the tier, the \"default\" tier is created automatically if it does not exist, this means for deployments requiring only a single Tier, the tier name may be omitted on all policy management requests.", + "type": "string" + }, + "types": { + "description": "Types indicates whether this policy applies to ingress, or to egress, or to both. When not explicitly specified (and so the value on creation is empty or nil), Calico defaults Types according to what Ingress and Egress rules are present in the policy. The default is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are also no Ingress rules) \n - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. \n When the policy is read back again, Types will always be one of these values, never empty or nil.", + "items": { + "description": "PolicyType enumerates the possible values of the PolicySpec Types field.", + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/globalnetworkset_v1.json b/crd.projectcalico.org/globalnetworkset_v1.json new file mode 100644 index 00000000..8a7c08b6 --- /dev/null +++ b/crd.projectcalico.org/globalnetworkset_v1.json @@ -0,0 +1,38 @@ +{ + "description": "GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs that share labels to allow rules to refer to them via selectors. The labels of GlobalNetworkSet are not namespaced.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "GlobalNetworkSetSpec contains the specification for a NetworkSet resource.", + "properties": { + "allowedEgressDomains": { + "description": "The list of domain names that belong to this set and are honored in egress allow rules only. Domain names specified here only work to allow egress traffic from the cluster to external destinations. They don't work to _deny_ traffic to destinations specified by domain name, or to allow ingress traffic from _sources_ specified by domain name.", + "items": { + "type": "string" + }, + "type": "array" + }, + "nets": { + "description": "The list of IP networks that belong to this set.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/globalreport_v1.json b/crd.projectcalico.org/globalreport_v1.json new file mode 100644 index 00000000..5a34e01e --- /dev/null +++ b/crd.projectcalico.org/globalreport_v1.json @@ -0,0 +1,407 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "ReportSpec contains the values of the GlobalReport.", + "properties": { + "cis": { + "description": "This field contain all the parameters for configuring a CIS benchmark report.", + "properties": { + "highThreshold": { + "description": "Interpretted as a percentage to indicate at what levels of passing tests a node should be considered HIGH, MED, and LOW. - If >= HighThreshold flag as high - Otherwise, if > MedThreshold flag as med - Otherwise flag as low.", + "type": "integer" + }, + "includeUnscoredTests": { + "description": "Specifies if the report should also show results for scored/not-scored tests.", + "type": "boolean" + }, + "medThreshold": { + "type": "integer" + }, + "numFailedTests": { + "description": "Configure the number of top failed tests to show up on the report.", + "type": "integer" + }, + "resultsFilters": { + "description": "Benchmark results filters. The first matching set of filters is applied to each set of benchmark results. If there are no matching filters, the full set of benchmark results will be included in the report.", + "items": { + "description": "CISBenchmarkFilter provides filters for a set of benchmarks that match particular selection criteria.", + "properties": { + "benchmarkSelection": { + "description": "BenchmarkSelection specifies which benchmarks this filter applies to. If not specified, applies to all.", + "properties": { + "kubernetesVersion": { + "description": "KubernetesVersion is used select nodes that are running a specific version of kubelet. The full version need not be fully specified down to the patch level, in which case the significant parts of the version are matched. e.g. \"1.0\" will match versions \"1.0.1\" and \"1.0.2\" If not specified, matches all versions.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "exclude": { + "description": "Exclude is an array of test indices to exclude from the report.", + "items": { + "type": "string" + }, + "type": "array" + }, + "include": { + "description": "Include is an array of test indices to show in the report. Is additive if IncludeUnscoredTests is true. Takes precedence over Exclude.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "endpoints": { + "description": "Endpoints is used to specify which endpoints are in-scope and stored in the generated report data. Only used if endpoints data and/or audit logs are gathered in the report. If omitted, treated as everything in-scope.", + "properties": { + "namespaces": { + "description": "Namespace match restricts endpoint selection to those in the selected namespaces.", + "properties": { + "names": { + "description": "Names is an optional field that specifies a set of resources by name.", + "items": { + "type": "string" + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that selects a set of resources by label. If both Names and Selector are specified then they are AND'ed.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "selector": { + "description": "Selector, selects endpoints by endpoint labels. If omitted, all endpoints are included in the report data.", + "type": "string" + }, + "serviceAccounts": { + "description": "ServiceAccount match restricts endpoint selection to those in the selected service accounts.", + "properties": { + "names": { + "description": "Names is an optional field that specifies a set of resources by name.", + "items": { + "type": "string" + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that selects a set of resources by label. If both Names and Selector are specified then they are AND'ed.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "jobNodeSelector": { + "additionalProperties": { + "type": "string" + }, + "description": "The node selector used to specify which nodes the report job may be scheduled on.", + "type": "object" + }, + "reportType": { + "description": "The name of the report type.", + "type": "string" + }, + "schedule": { + "description": "The report schedule specified in cron format. This specifies both the start and end times of each report, where the end time of one report becomes the start time of the next report. Separate jobs are created to generate a report, and the job generates the report data from archived audit and traffic data. To ensure this data is actually archived, the jobs to generate each report starts at a configurable time *after* the end time of the report that is being generated. The default job start delay is 30m, but is configurable through the compliance-controller environments. The cron format has minute accuracy, but only up to two values may be configured for the minute column which means you may only have at most two reports for each hour period.", + "type": "string" + }, + "suspend": { + "description": "This flag tells the controller to suspend subsequent jobs for generating reports, it does not apply to already started jobs. If jobs are resumed then the controller will start creating jobs for any reports that were missed while the job was suspended.", + "type": "boolean" + } + }, + "required": [ + "reportType" + ], + "type": "object", + "additionalProperties": false + }, + "status": { + "description": "ReportStatus contains the status of the automated report generation.", + "properties": { + "activeReportJobs": { + "description": "The set of active report jobs.", + "items": { + "description": "ReportJob contains", + "properties": { + "end": { + "description": "The end time of the report.", + "format": "date-time", + "type": "string" + }, + "job": { + "description": "A reference to the report creation job if known.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "fieldPath": { + "description": "If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: \"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered the event) or if no container name is specified \"spec.containers[2]\" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.", + "type": "string" + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", + "type": "string" + }, + "namespace": { + "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/", + "type": "string" + }, + "resourceVersion": { + "description": "Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": "string" + }, + "uid": { + "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "start": { + "description": "The start time of the report.", + "format": "date-time", + "type": "string" + } + }, + "required": [ + "end", + "job", + "start" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "lastFailedReportJobs": { + "description": "The configured report jobs that have failed.", + "items": { + "description": "CompletedReportJob augments the ReportJob with completion details.", + "properties": { + "end": { + "description": "The end time of the report.", + "format": "date-time", + "type": "string" + }, + "job": { + "description": "A reference to the report creation job if known.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "fieldPath": { + "description": "If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: \"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered the event) or if no container name is specified \"spec.containers[2]\" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.", + "type": "string" + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", + "type": "string" + }, + "namespace": { + "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/", + "type": "string" + }, + "resourceVersion": { + "description": "Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": "string" + }, + "uid": { + "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "jobCompletionTime": { + "description": "The time the report job completed.", + "format": "date-time", + "type": "string" + }, + "start": { + "description": "The start time of the report.", + "format": "date-time", + "type": "string" + } + }, + "required": [ + "end", + "job", + "start" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "lastScheduledReportJob": { + "description": "The last scheduled report job.", + "properties": { + "end": { + "description": "The end time of the report.", + "format": "date-time", + "type": "string" + }, + "job": { + "description": "A reference to the report creation job if known.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "fieldPath": { + "description": "If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: \"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered the event) or if no container name is specified \"spec.containers[2]\" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.", + "type": "string" + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", + "type": "string" + }, + "namespace": { + "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/", + "type": "string" + }, + "resourceVersion": { + "description": "Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": "string" + }, + "uid": { + "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "start": { + "description": "The start time of the report.", + "format": "date-time", + "type": "string" + } + }, + "required": [ + "end", + "job", + "start" + ], + "type": "object", + "additionalProperties": false + }, + "lastSuccessfulReportJobs": { + "description": "The configured report jobs that have completed successfully.", + "items": { + "description": "CompletedReportJob augments the ReportJob with completion details.", + "properties": { + "end": { + "description": "The end time of the report.", + "format": "date-time", + "type": "string" + }, + "job": { + "description": "A reference to the report creation job if known.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "fieldPath": { + "description": "If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: \"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered the event) or if no container name is specified \"spec.containers[2]\" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.", + "type": "string" + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", + "type": "string" + }, + "namespace": { + "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/", + "type": "string" + }, + "resourceVersion": { + "description": "Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": "string" + }, + "uid": { + "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "jobCompletionTime": { + "description": "The time the report job completed.", + "format": "date-time", + "type": "string" + }, + "start": { + "description": "The start time of the report.", + "format": "date-time", + "type": "string" + } + }, + "required": [ + "end", + "job", + "start" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/globalreporttype_v1.json b/crd.projectcalico.org/globalreporttype_v1.json new file mode 100644 index 00000000..44636ec9 --- /dev/null +++ b/crd.projectcalico.org/globalreporttype_v1.json @@ -0,0 +1,115 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "ReportTypeSpec contains the various templates, and configuration used to render a specific type of report.", + "properties": { + "auditEventsSelection": { + "description": "What audit log data should be included in the report. If not specified, the report will contain no audit log data. The selection may be further filtered by the Report.", + "properties": { + "resources": { + "description": "Resources lists the resources that will be included in the audit logs in the ReportData. Blank fields in the listed ResourceID structs are treated as wildcards.", + "items": { + "description": "AuditResource is used to filter Audit events in the Report configuration. \n An empty field value indicates a wildcard. For example, if Resource is set to \"networkpolicies\" and all other fields are blank then this filter would include all NetworkPolicy resources across all namespaces, and would include both Calico and Kubernetes resource types.", + "properties": { + "apiGroup": { + "description": "APIGroup is the name of the API group that contains the referred object (e.g. projectcalico.org).", + "type": "string" + }, + "apiVersion": { + "description": "APIVersion is the version of the API group that contains the referred object (e.g. v3).", + "type": "string" + }, + "name": { + "description": "The resource name.", + "type": "string" + }, + "namespace": { + "description": "The resource namespace.", + "type": "string" + }, + "resource": { + "description": "The resource type. The format is the lowercase plural as used in audit event selection and RBAC configuration.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "downloadTemplates": { + "description": "The set of templates used to render the report for downloads.", + "items": { + "description": "ReportTemplate defines a template used to render a report into downloadable or UI compatible format.", + "properties": { + "description": { + "description": "A user-facing description of the template.", + "type": "string" + }, + "name": { + "description": "The name of this template. This should be unique across all template names within a ReportType. This will be used by the UI as the suffix of the downloadable file name.", + "type": "string" + }, + "template": { + "description": "The base-64 encoded go template used to render the report data.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "includeCISBenchmarkData": { + "description": "Whether to include the full cis benchmark test results in the report.", + "type": "boolean" + }, + "includeEndpointData": { + "description": "Whether to include endpoint data in the report. The actual endpoints included may be filtered by the Report, but will otherwise contain the full set of endpoints.", + "type": "boolean" + }, + "includeEndpointFlowLogData": { + "description": "Whether to include endpoint-to-endpoint flow log data in the report.", + "type": "boolean" + }, + "uiSummaryTemplate": { + "description": "The summary template, explicitly used by the UI to render a summary version of the report. This should render to json containing a sets of widgets that the UI can use to render the summary. The rendered data is returned on the list query of the reports.", + "properties": { + "description": { + "description": "A user-facing description of the template.", + "type": "string" + }, + "name": { + "description": "The name of this template. This should be unique across all template names within a ReportType. This will be used by the UI as the suffix of the downloadable file name.", + "type": "string" + }, + "template": { + "description": "The base-64 encoded go template used to render the report data.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/globalthreatfeed_v1.json b/crd.projectcalico.org/globalthreatfeed_v1.json new file mode 100644 index 00000000..e2dd2018 --- /dev/null +++ b/crd.projectcalico.org/globalthreatfeed_v1.json @@ -0,0 +1,237 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "GlobalThreatFeedSpec contains the specification of a GlobalThreatFeed resource.", + "properties": { + "content": { + "default": "IPSet", + "description": "Content describes the kind of data the data feed provides.", + "enum": [ + "IPSet", + "DomainNameSet" + ], + "type": "string" + }, + "description": { + "description": "Human-readable description of the template.", + "maxLength": 256, + "type": "string" + }, + "feedType": { + "default": "Custom", + "description": "Distinguishes between Builtin Global Threat Feeds and Custom feed types.", + "enum": [ + "Builtin", + "Custom" + ], + "type": "string" + }, + "globalNetworkSet": { + "properties": { + "labels": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object", + "additionalProperties": false + }, + "mode": { + "default": "Enabled", + "description": "Determines whether the Global Threat Feed is Enabled or Disabled.", + "enum": [ + "Enabled", + "Disabled" + ], + "type": "string" + }, + "pull": { + "properties": { + "http": { + "properties": { + "format": { + "properties": { + "csv": { + "properties": { + "columnDelimiter": { + "type": "string" + }, + "commentDelimiter": { + "type": "string" + }, + "disableRecordSizeValidation": { + "type": "boolean" + }, + "fieldName": { + "type": "string" + }, + "fieldNum": { + "type": "integer" + }, + "header": { + "type": "boolean" + }, + "recordSize": { + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "json": { + "properties": { + "path": { + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "newlineDelimited": { + "type": "object" + } + }, + "type": "object", + "additionalProperties": false + }, + "headers": { + "items": { + "properties": { + "name": { + "type": "string" + }, + "value": { + "type": "string" + }, + "valueFrom": { + "properties": { + "configMapKeyRef": { + "description": "Selects a key of a ConfigMap.", + "properties": { + "key": { + "description": "The key to select.", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?", + "type": "string" + }, + "optional": { + "description": "Specify whether the ConfigMap or its key must be defined", + "type": "boolean" + } + }, + "required": [ + "key" + ], + "type": "object", + "additionalProperties": false + }, + "secretKeyRef": { + "description": "Selects a key of a secret in the pod's namespace", + "properties": { + "key": { + "description": "The key of the secret to select from. Must be a valid secret key.", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names TODO: Add other useful fields. apiVersion, kind, uid?", + "type": "string" + }, + "optional": { + "description": "Specify whether the Secret or its key must be defined", + "type": "boolean" + } + }, + "required": [ + "key" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "name" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "url": { + "type": "string" + } + }, + "required": [ + "url" + ], + "type": "object", + "additionalProperties": false + }, + "period": { + "type": "string" + } + }, + "required": [ + "http" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "status": { + "properties": { + "errorConditions": { + "items": { + "properties": { + "message": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "message", + "type" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "lastSuccessfulSearch": { + "format": "date-time", + "type": "string" + }, + "lastSuccessfulSync": { + "format": "date-time", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/hostendpoint_v1.json b/crd.projectcalico.org/hostendpoint_v1.json new file mode 100644 index 00000000..849f904a --- /dev/null +++ b/crd.projectcalico.org/hostendpoint_v1.json @@ -0,0 +1,78 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "HostEndpointSpec contains the specification for a HostEndpoint resource.", + "properties": { + "expectedIPs": { + "description": "The expected IP addresses (IPv4 and IPv6) of the endpoint. If \"InterfaceName\" is not present, Calico will look for an interface matching any of the IPs in the list and apply policy to that. Note: \tWhen using the selector match criteria in an ingress or egress security Policy \tor Profile, Calico converts the selector into a set of IP addresses. For host \tendpoints, the ExpectedIPs field is used for that purpose. (If only the interface \tname is specified, Calico does not learn the IPs of the interface for use in match \tcriteria.)", + "items": { + "type": "string" + }, + "type": "array" + }, + "interfaceName": { + "description": "Either \"*\", or the name of a specific Linux interface to apply policy to; or empty. \"*\" indicates that this HostEndpoint governs all traffic to, from or through the default network namespace of the host named by the \"Node\" field; entering and leaving that namespace via any interface, including those from/to non-host-networked local workloads. \n If InterfaceName is not \"*\", this HostEndpoint only governs traffic that enters or leaves the host through the specific interface named by InterfaceName, or - when InterfaceName is empty - through the specific interface that has one of the IPs in ExpectedIPs. Therefore, when InterfaceName is empty, at least one expected IP must be specified. Only external interfaces (such as \"eth0\") are supported here; it isn't possible for a HostEndpoint to protect traffic through a specific local workload interface. \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; initially just pre-DNAT policy. Please check Calico documentation for the latest position.", + "type": "string" + }, + "node": { + "description": "The node name identifying the Calico node instance.", + "type": "string" + }, + "ports": { + "description": "Ports contains the endpoint's named ports, which may be referenced in security policy rules.", + "items": { + "properties": { + "name": { + "type": "string" + }, + "port": { + "type": "integer" + }, + "protocol": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + } + }, + "required": [ + "name", + "port", + "protocol" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "profiles": { + "description": "A list of identifiers of security Profile objects that apply to this endpoint. Each profile is applied in the order that they appear in this list. Profile rules are applied after the selector-based security policy.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/ipamblock_v1.json b/crd.projectcalico.org/ipamblock_v1.json new file mode 100644 index 00000000..fecde87c --- /dev/null +++ b/crd.projectcalico.org/ipamblock_v1.json @@ -0,0 +1,94 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "IPAMBlockSpec contains the specification for an IPAMBlock resource.", + "properties": { + "affinity": { + "description": "Affinity of the block, if this block has one. If set, it will be of the form \"host:\". If not set, this block is not affine to a host.", + "type": "string" + }, + "allocations": { + "description": "Array of allocations in-use within this block. nil entries mean the allocation is free. For non-nil entries at index i, the index is the ordinal of the allocation within this block and the value is the index of the associated attributes in the Attributes array.", + "items": { + "nullable": true, + "type": "integer" + }, + "type": "array" + }, + "attributes": { + "description": "Attributes is an array of arbitrary metadata associated with allocations in the block. To find attributes for a given allocation, use the value of the allocation's entry in the Allocations array as the index of the element in this array.", + "items": { + "properties": { + "handle_id": { + "type": "string" + }, + "secondary": { + "additionalProperties": { + "type": "string" + }, + "type": "object" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "cidr": { + "description": "The block's CIDR.", + "type": "string" + }, + "deleted": { + "description": "Deleted is an internal boolean used to workaround a limitation in the Kubernetes API whereby deletion will not return a conflict error if the block has been updated. It should not be set manually.", + "type": "boolean" + }, + "sequenceNumber": { + "default": 0, + "description": "We store a sequence number that is updated each time the block is written. Each allocation will also store the sequence number of the block at the time of its creation. When releasing an IP, passing the sequence number associated with the allocation allows us to protect against a race condition and ensure the IP hasn't been released and re-allocated since the release request.", + "format": "int64", + "type": "integer" + }, + "sequenceNumberForAllocation": { + "additionalProperties": { + "format": "int64", + "type": "integer" + }, + "description": "Map of allocated ordinal within the block to sequence number of the block at the time of allocation. Kubernetes does not allow numerical keys for maps, so the key is cast to a string.", + "type": "object" + }, + "strictAffinity": { + "description": "StrictAffinity on the IPAMBlock is deprecated and no longer used by the code. Use IPAMConfig StrictAffinity instead.", + "type": "boolean" + }, + "unallocated": { + "description": "Unallocated is an ordered list of allocations which are free in the block.", + "items": { + "type": "integer" + }, + "type": "array" + } + }, + "required": [ + "allocations", + "attributes", + "cidr", + "strictAffinity", + "unallocated" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/ipamconfig_v1.json b/crd.projectcalico.org/ipamconfig_v1.json new file mode 100644 index 00000000..00a97c1c --- /dev/null +++ b/crd.projectcalico.org/ipamconfig_v1.json @@ -0,0 +1,39 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "IPAMConfigSpec contains the specification for an IPAMConfig resource.", + "properties": { + "autoAllocateBlocks": { + "type": "boolean" + }, + "maxBlocksPerHost": { + "description": "MaxBlocksPerHost, if non-zero, is the max number of blocks that can be affine to each host.", + "maximum": 2147483647, + "minimum": 0, + "type": "integer" + }, + "strictAffinity": { + "type": "boolean" + } + }, + "required": [ + "autoAllocateBlocks", + "strictAffinity" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/ipamhandle_v1.json b/crd.projectcalico.org/ipamhandle_v1.json new file mode 100644 index 00000000..025e4986 --- /dev/null +++ b/crd.projectcalico.org/ipamhandle_v1.json @@ -0,0 +1,39 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "IPAMHandleSpec contains the specification for an IPAMHandle resource.", + "properties": { + "block": { + "additionalProperties": { + "type": "integer" + }, + "type": "object" + }, + "deleted": { + "type": "boolean" + }, + "handleID": { + "type": "string" + } + }, + "required": [ + "block", + "handleID" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/ippool_v1.json b/crd.projectcalico.org/ippool_v1.json new file mode 100644 index 00000000..1f4cb839 --- /dev/null +++ b/crd.projectcalico.org/ippool_v1.json @@ -0,0 +1,88 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "IPPoolSpec contains the specification for an IPPool resource.", + "properties": { + "allowedUses": { + "description": "AllowedUse controls what the IP pool will be used for. If not specified or empty, defaults to [\"Tunnel\", \"Workload\"] for back-compatibility", + "items": { + "type": "string" + }, + "type": "array" + }, + "awsSubnetID": { + "description": "AWSSubnetID if specified Calico will attempt to ensure that IPs chosen from this IP pool are routed to the corresponding node by adding one or more secondary ENIs to the node and explicitly assigning the IP to one of the secondary ENIs. Important: since subnets cannot cross availability zones, it's important to use Kubernetes node selectors to avoid scheduling pods to one availability zone using an IP pool that is backed by a subnet that belongs to another availability zone. If AWSSubnetID is specified, then the CIDR of the IP pool must be contained within the specified AWS subnet.", + "type": "string" + }, + "blockSize": { + "description": "The block size to use for IP address assignments from this pool. Defaults to 26 for IPv4 and 122 for IPv6.", + "type": "integer" + }, + "cidr": { + "description": "The pool CIDR.", + "type": "string" + }, + "disableBGPExport": { + "description": "Disable exporting routes from this IP Pool's CIDR over BGP. [Default: false]", + "type": "boolean" + }, + "disabled": { + "description": "When disabled is true, Calico IPAM will not assign addresses from this pool.", + "type": "boolean" + }, + "ipip": { + "description": "Deprecated: this field is only used for APIv1 backwards compatibility. Setting this field is not allowed, this field is for internal use only.", + "properties": { + "enabled": { + "description": "When enabled is true, ipip tunneling will be used to deliver packets to destinations within this pool.", + "type": "boolean" + }, + "mode": { + "description": "The IPIP mode. This can be one of \"always\" or \"cross-subnet\". A mode of \"always\" will also use IPIP tunneling for routing to destination IP addresses within this pool. A mode of \"cross-subnet\" will only use IPIP tunneling when the destination node is on a different subnet to the originating node. The default value (if not specified) is \"always\".", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "ipipMode": { + "description": "Contains configuration for IPIP tunneling for this pool. If not specified, then this is defaulted to \"Never\" (i.e. IPIP tunneling is disabled).", + "type": "string" + }, + "nat-outgoing": { + "description": "Deprecated: this field is only used for APIv1 backwards compatibility. Setting this field is not allowed, this field is for internal use only.", + "type": "boolean" + }, + "natOutgoing": { + "description": "When nat-outgoing is true, packets sent from Calico networked containers in this pool to destinations outside of this pool will be masqueraded.", + "type": "boolean" + }, + "nodeSelector": { + "description": "Allows IPPool to allocate for a specific node by label selector.", + "type": "string" + }, + "vxlanMode": { + "description": "Contains configuration for VXLAN tunneling for this pool. If not specified, then this is defaulted to \"Never\" (i.e. VXLAN tunneling is disabled).", + "type": "string" + } + }, + "required": [ + "cidr" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/ipreservation_v1.json b/crd.projectcalico.org/ipreservation_v1.json new file mode 100644 index 00000000..8aaea0e5 --- /dev/null +++ b/crd.projectcalico.org/ipreservation_v1.json @@ -0,0 +1,30 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "IPReservationSpec contains the specification for an IPReservation resource.", + "properties": { + "reservedCIDRs": { + "description": "ReservedCIDRs is a list of CIDRs and/or IP addresses that Calico IPAM will exclude from new allocations.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/kubecontrollersconfiguration_v1.json b/crd.projectcalico.org/kubecontrollersconfiguration_v1.json new file mode 100644 index 00000000..5621618f --- /dev/null +++ b/crd.projectcalico.org/kubecontrollersconfiguration_v1.json @@ -0,0 +1,276 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "KubeControllersConfigurationSpec contains the values of the Kubernetes controllers configuration.", + "properties": { + "controllers": { + "description": "Controllers enables and configures individual Kubernetes controllers", + "properties": { + "federatedServices": { + "description": "FederatedServices enables and configures the federatedservices controller. Disabled by default.", + "properties": { + "reconcilerPeriod": { + "description": "ReconcilerPeriod is the period to perform reconciliation. [Default: 5m]", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "namespace": { + "description": "Namespace enables and configures the namespace controller. Enabled by default, set to nil to disable.", + "properties": { + "reconcilerPeriod": { + "description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "node": { + "description": "Node enables and configures the node controller. Enabled by default, set to nil to disable.", + "properties": { + "hostEndpoint": { + "description": "HostEndpoint controls syncing nodes to host endpoints. Disabled by default, set to nil to disable.", + "properties": { + "autoCreate": { + "description": "AutoCreate enables automatic creation of host endpoints for every node. [Default: Disabled]", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "leakGracePeriod": { + "description": "LeakGracePeriod is the period used by the controller to determine if an IP address has been leaked. Set to 0 to disable IP garbage collection. [Default: 15m]", + "type": "string" + }, + "reconcilerPeriod": { + "description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]", + "type": "string" + }, + "syncLabels": { + "description": "SyncLabels controls whether to copy Kubernetes node labels to Calico nodes. [Default: Enabled]", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "policy": { + "description": "Policy enables and configures the policy controller. Enabled by default, set to nil to disable.", + "properties": { + "reconcilerPeriod": { + "description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "serviceAccount": { + "description": "ServiceAccount enables and configures the service account controller. Enabled by default, set to nil to disable.", + "properties": { + "reconcilerPeriod": { + "description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "workloadEndpoint": { + "description": "WorkloadEndpoint enables and configures the workload endpoint controller. Enabled by default, set to nil to disable.", + "properties": { + "reconcilerPeriod": { + "description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "debugProfilePort": { + "description": "DebugProfilePort configures the port to serve memory and cpu profiles on. If not specified, profiling is disabled.", + "format": "int32", + "type": "integer" + }, + "etcdV3CompactionPeriod": { + "description": "EtcdV3CompactionPeriod is the period between etcdv3 compaction requests. Set to 0 to disable. [Default: 10m]", + "type": "string" + }, + "healthChecks": { + "description": "HealthChecks enables or disables support for health checks [Default: Enabled]", + "type": "string" + }, + "logSeverityScreen": { + "description": "LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]", + "type": "string" + }, + "prometheusMetricsPort": { + "description": "PrometheusMetricsPort is the TCP port that the Prometheus metrics server should bind to. Set to 0 to disable. [Default: 9094]", + "type": "integer" + } + }, + "required": [ + "controllers" + ], + "type": "object", + "additionalProperties": false + }, + "status": { + "description": "KubeControllersConfigurationStatus represents the status of the configuration. It's useful for admins to be able to see the actual config that was applied, which can be modified by environment variables on the kube-controllers process.", + "properties": { + "environmentVars": { + "additionalProperties": { + "type": "string" + }, + "description": "EnvironmentVars contains the environment variables on the kube-controllers that influenced the RunningConfig.", + "type": "object" + }, + "runningConfig": { + "description": "RunningConfig contains the effective config that is running in the kube-controllers pod, after merging the API resource with any environment variables.", + "properties": { + "controllers": { + "description": "Controllers enables and configures individual Kubernetes controllers", + "properties": { + "federatedServices": { + "description": "FederatedServices enables and configures the federatedservices controller. Disabled by default.", + "properties": { + "reconcilerPeriod": { + "description": "ReconcilerPeriod is the period to perform reconciliation. [Default: 5m]", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "namespace": { + "description": "Namespace enables and configures the namespace controller. Enabled by default, set to nil to disable.", + "properties": { + "reconcilerPeriod": { + "description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "node": { + "description": "Node enables and configures the node controller. Enabled by default, set to nil to disable.", + "properties": { + "hostEndpoint": { + "description": "HostEndpoint controls syncing nodes to host endpoints. Disabled by default, set to nil to disable.", + "properties": { + "autoCreate": { + "description": "AutoCreate enables automatic creation of host endpoints for every node. [Default: Disabled]", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "leakGracePeriod": { + "description": "LeakGracePeriod is the period used by the controller to determine if an IP address has been leaked. Set to 0 to disable IP garbage collection. [Default: 15m]", + "type": "string" + }, + "reconcilerPeriod": { + "description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]", + "type": "string" + }, + "syncLabels": { + "description": "SyncLabels controls whether to copy Kubernetes node labels to Calico nodes. [Default: Enabled]", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "policy": { + "description": "Policy enables and configures the policy controller. Enabled by default, set to nil to disable.", + "properties": { + "reconcilerPeriod": { + "description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "serviceAccount": { + "description": "ServiceAccount enables and configures the service account controller. Enabled by default, set to nil to disable.", + "properties": { + "reconcilerPeriod": { + "description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "workloadEndpoint": { + "description": "WorkloadEndpoint enables and configures the workload endpoint controller. Enabled by default, set to nil to disable.", + "properties": { + "reconcilerPeriod": { + "description": "ReconcilerPeriod is the period to perform reconciliation with the Calico datastore. [Default: 5m]", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "debugProfilePort": { + "description": "DebugProfilePort configures the port to serve memory and cpu profiles on. If not specified, profiling is disabled.", + "format": "int32", + "type": "integer" + }, + "etcdV3CompactionPeriod": { + "description": "EtcdV3CompactionPeriod is the period between etcdv3 compaction requests. Set to 0 to disable. [Default: 10m]", + "type": "string" + }, + "healthChecks": { + "description": "HealthChecks enables or disables support for health checks [Default: Enabled]", + "type": "string" + }, + "logSeverityScreen": { + "description": "LogSeverityScreen is the log severity above which logs are sent to the stdout. [Default: Info]", + "type": "string" + }, + "prometheusMetricsPort": { + "description": "PrometheusMetricsPort is the TCP port that the Prometheus metrics server should bind to. Set to 0 to disable. [Default: 9094]", + "type": "integer" + } + }, + "required": [ + "controllers" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/licensekey_v1.json b/crd.projectcalico.org/licensekey_v1.json new file mode 100644 index 00000000..afffdf04 --- /dev/null +++ b/crd.projectcalico.org/licensekey_v1.json @@ -0,0 +1,68 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "LicenseKeySpec contains the license key itself.", + "properties": { + "certificate": { + "description": "Certificate is used to validate the token.", + "type": "string" + }, + "token": { + "description": "Token is the JWT containing the license claims", + "type": "string" + } + }, + "required": [ + "token" + ], + "type": "object", + "additionalProperties": false + }, + "status": { + "description": "LicenseKeyStatus contains the license key information.", + "properties": { + "expiry": { + "description": "Expiry is the expiry date of License", + "format": "date-time", + "nullable": true, + "type": "string" + }, + "features": { + "description": "List of features that are available via the applied license", + "items": { + "type": "string" + }, + "type": "array" + }, + "maxnodes": { + "description": "Maximum Number of Allowed Nodes", + "type": "integer" + }, + "package": { + "description": "License package defines type of Calico license that is being enforced", + "enum": [ + "CloudCommunity", + "CloudStarter", + "CloudPro", + "Enterprise" + ], + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/managedcluster_v1.json b/crd.projectcalico.org/managedcluster_v1.json new file mode 100644 index 00000000..ec7cb217 --- /dev/null +++ b/crd.projectcalico.org/managedcluster_v1.json @@ -0,0 +1,63 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "ManagedClusterSpec contains the specification of a ManagedCluster resource.", + "properties": { + "installationManifest": { + "description": "Field to store dynamically generated manifest for installing component into the actual application cluster corresponding to this Managed Cluster", + "type": "string" + }, + "operatorNamespace": { + "description": "The namespace of the managed cluster's operator. This value is used in the generation of the InstallationManifest.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "status": { + "properties": { + "conditions": { + "items": { + "description": "Condition contains various status information", + "properties": { + "message": { + "type": "string" + }, + "reason": { + "type": "string" + }, + "status": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "status", + "type" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/networkpolicy_v1.json b/crd.projectcalico.org/networkpolicy_v1.json new file mode 100644 index 00000000..45ce2430 --- /dev/null +++ b/crd.projectcalico.org/networkpolicy_v1.json @@ -0,0 +1,710 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "properties": { + "egress": { + "description": "The ordered set of egress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.", + "items": { + "description": "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match.", + "properties": { + "action": { + "type": "string" + }, + "destination": { + "description": "Destination contains the match criteria that apply to destination entity.", + "properties": { + "domains": { + "description": "Domains is an optional field, valid for egress Allow rules only, that restricts the rule to apply only to traffic to one of the specified domains. If this field is specified, Action must be Allow, and Nets and Selector must both be left empty.", + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.", + "type": "string" + }, + "nets": { + "description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notNets": { + "description": "NotNets is the negated version of the Nets field.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notPorts": { + "description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "notSelector": { + "description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.", + "type": "string" + }, + "ports": { + "description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.", + "type": "string" + }, + "serviceAccounts": { + "description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.", + "properties": { + "names": { + "description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.", + "items": { + "type": "string" + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "services": { + "description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.", + "properties": { + "name": { + "description": "Name specifies the name of a Kubernetes Service to match.", + "type": "string" + }, + "namespace": { + "description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "http": { + "description": "HTTP contains match criteria that apply to HTTP requests.", + "properties": { + "methods": { + "description": "Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.", + "items": { + "type": "string" + }, + "type": "array" + }, + "paths": { + "description": "Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR'd together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.", + "items": { + "description": "HTTPPath specifies an HTTP path to match. It may be either of the form: exact: : which matches the path exactly or prefix: : which matches the path prefix", + "properties": { + "exact": { + "type": "string" + }, + "prefix": { + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "icmp": { + "description": "ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to \"ICMP\" or \"ICMPv6\".", + "properties": { + "code": { + "description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.", + "type": "integer" + }, + "type": { + "description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "ipVersion": { + "description": "IPVersion is an optional field that restricts the rule to only match a specific IP version.", + "type": "integer" + }, + "metadata": { + "description": "Metadata contains additional information for this rule", + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "description": "Annotations is a set of key value pairs that give extra information about the rule", + "type": "object" + } + }, + "type": "object", + "additionalProperties": false + }, + "notICMP": { + "description": "NotICMP is the negated version of the ICMP field.", + "properties": { + "code": { + "description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.", + "type": "integer" + }, + "type": { + "description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "notProtocol": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "NotProtocol is the negated version of the Protocol field.", + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "protocol": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255.", + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "source": { + "description": "Source contains the match criteria that apply to source entity.", + "properties": { + "domains": { + "description": "Domains is an optional field, valid for egress Allow rules only, that restricts the rule to apply only to traffic to one of the specified domains. If this field is specified, Action must be Allow, and Nets and Selector must both be left empty.", + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.", + "type": "string" + }, + "nets": { + "description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notNets": { + "description": "NotNets is the negated version of the Nets field.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notPorts": { + "description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "notSelector": { + "description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.", + "type": "string" + }, + "ports": { + "description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.", + "type": "string" + }, + "serviceAccounts": { + "description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.", + "properties": { + "names": { + "description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.", + "items": { + "type": "string" + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "services": { + "description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.", + "properties": { + "name": { + "description": "Name specifies the name of a Kubernetes Service to match.", + "type": "string" + }, + "namespace": { + "description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "action" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "ingress": { + "description": "The ordered set of ingress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.", + "items": { + "description": "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match.", + "properties": { + "action": { + "type": "string" + }, + "destination": { + "description": "Destination contains the match criteria that apply to destination entity.", + "properties": { + "domains": { + "description": "Domains is an optional field, valid for egress Allow rules only, that restricts the rule to apply only to traffic to one of the specified domains. If this field is specified, Action must be Allow, and Nets and Selector must both be left empty.", + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.", + "type": "string" + }, + "nets": { + "description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notNets": { + "description": "NotNets is the negated version of the Nets field.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notPorts": { + "description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "notSelector": { + "description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.", + "type": "string" + }, + "ports": { + "description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.", + "type": "string" + }, + "serviceAccounts": { + "description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.", + "properties": { + "names": { + "description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.", + "items": { + "type": "string" + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "services": { + "description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.", + "properties": { + "name": { + "description": "Name specifies the name of a Kubernetes Service to match.", + "type": "string" + }, + "namespace": { + "description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "http": { + "description": "HTTP contains match criteria that apply to HTTP requests.", + "properties": { + "methods": { + "description": "Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.", + "items": { + "type": "string" + }, + "type": "array" + }, + "paths": { + "description": "Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR'd together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.", + "items": { + "description": "HTTPPath specifies an HTTP path to match. It may be either of the form: exact: : which matches the path exactly or prefix: : which matches the path prefix", + "properties": { + "exact": { + "type": "string" + }, + "prefix": { + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "icmp": { + "description": "ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to \"ICMP\" or \"ICMPv6\".", + "properties": { + "code": { + "description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.", + "type": "integer" + }, + "type": { + "description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "ipVersion": { + "description": "IPVersion is an optional field that restricts the rule to only match a specific IP version.", + "type": "integer" + }, + "metadata": { + "description": "Metadata contains additional information for this rule", + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "description": "Annotations is a set of key value pairs that give extra information about the rule", + "type": "object" + } + }, + "type": "object", + "additionalProperties": false + }, + "notICMP": { + "description": "NotICMP is the negated version of the ICMP field.", + "properties": { + "code": { + "description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.", + "type": "integer" + }, + "type": { + "description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "notProtocol": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "NotProtocol is the negated version of the Protocol field.", + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "protocol": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255.", + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "source": { + "description": "Source contains the match criteria that apply to source entity.", + "properties": { + "domains": { + "description": "Domains is an optional field, valid for egress Allow rules only, that restricts the rule to apply only to traffic to one of the specified domains. If this field is specified, Action must be Allow, and Nets and Selector must both be left empty.", + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.", + "type": "string" + }, + "nets": { + "description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notNets": { + "description": "NotNets is the negated version of the Nets field.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notPorts": { + "description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "notSelector": { + "description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.", + "type": "string" + }, + "ports": { + "description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.", + "type": "string" + }, + "serviceAccounts": { + "description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.", + "properties": { + "names": { + "description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.", + "items": { + "type": "string" + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "services": { + "description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.", + "properties": { + "name": { + "description": "Name specifies the name of a Kubernetes Service to match.", + "type": "string" + }, + "namespace": { + "description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "action" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "order": { + "description": "Order is an optional field that specifies the order in which the policy is applied. Policies with higher \"order\" are applied after those with lower order within the same tier. If the order is omitted, it may be considered to be \"infinite\" - i.e. the policy will be applied last. Policies with identical order will be applied in alphanumerical order based on the Policy \"Name\" within the tier.", + "type": "number" + }, + "selector": { + "description": "The selector is an expression used to pick pick out the endpoints that the policy should be applied to. \n Selector expressions follow this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" -> not equal; also matches if label is not present \tlabel in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is not one of \"a\", \"b\", \"c\" \thas(label_name) -> True if that label is present \t! expr -> negation of expr \texpr && expr -> Short-circuit and \texpr || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() or the empty selector -> matches all endpoints. \n Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive but they do not support escape characters. \n Examples (with made-up labels): \n \ttype == \"webserver\" && deployment == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != \"dev\" \t! has(label_name)", + "type": "string" + }, + "serviceAccountSelector": { + "description": "ServiceAccountSelector is an optional field for an expression used to select a pod based on service accounts.", + "type": "string" + }, + "tier": { + "description": "The name of the tier that this policy belongs to. If this is omitted, the default tier (name is \"default\") is assumed. The specified tier must exist in order to create security policies within the tier, the \"default\" tier is created automatically if it does not exist, this means for deployments requiring only a single Tier, the tier name may be omitted on all policy management requests.", + "type": "string" + }, + "types": { + "description": "Types indicates whether this policy applies to ingress, or to egress, or to both. When not explicitly specified (and so the value on creation is empty or nil), Calico defaults Types according to what Ingress and Egress are present in the policy. The default is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are also no Ingress rules) \n - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. \n When the policy is read back again, Types will always be one of these values, never empty or nil.", + "items": { + "description": "PolicyType enumerates the possible values of the PolicySpec Types field.", + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/networkset_v1.json b/crd.projectcalico.org/networkset_v1.json new file mode 100644 index 00000000..09a878a2 --- /dev/null +++ b/crd.projectcalico.org/networkset_v1.json @@ -0,0 +1,38 @@ +{ + "description": "NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet.", + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "NetworkSetSpec contains the specification for a NetworkSet resource.", + "properties": { + "allowedEgressDomains": { + "description": "The list of domain names that belong to this set and are honored in egress allow rules only. Domain names specified here only work to allow egress traffic from the cluster to external destinations. They don't work to _deny_ traffic to destinations specified by domain name, or to allow ingress traffic from _sources_ specified by domain name.", + "items": { + "type": "string" + }, + "type": "array" + }, + "nets": { + "description": "The list of IP networks that belong to this set.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/packetcapture_v1.json b/crd.projectcalico.org/packetcapture_v1.json new file mode 100644 index 00000000..b9bbe121 --- /dev/null +++ b/crd.projectcalico.org/packetcapture_v1.json @@ -0,0 +1,121 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "PacketCaptureSpec contains the values of the packet capture.", + "properties": { + "endTime": { + "description": "Defines the end time at which this PacketCapture will stop capturing packets. If omitted the capture will continue indefinitely. If the value is changed to the past, capture will stop immediately.", + "format": "date-time", + "type": "string" + }, + "filters": { + "description": "The ordered set of filters applied to traffic captured from an interface. Each rule contains a set of packet match criteria.", + "items": { + "description": "A PacketCaptureRule encapsulates a set of match criteria for traffic captured from an interface.", + "properties": { + "ports": { + "description": "Ports is an optional field that defines a filter for all traffic that has a source or destination port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports.", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "protocol": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "Protocol is an optional field that defines a filter for all traffic for a specific IP protocol. \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255.", + "pattern": "^.*", + "x-kubernetes-int-or-string": true + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "selector": { + "default": "all()", + "description": "The selector is an expression used to pick out the endpoints that the policy should be applied to. The selector will only match endpoints in the same namespace as the PacketCapture resource. \n Selector expressions follow this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" -> not equal; also matches if label is not present \tlabel in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is not one of \"a\", \"b\", \"c\" \thas(label_name) -> True if that label is present \t! expr -> negation of expr \texpr && expr -> Short-circuit and \texpr || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() -> matches all endpoints. \tan empty selector will default to all \n Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive but they do not support escape characters. \n Examples (with made-up labels): \n \ttype == \"webserver\" && deployment == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != \"dev\" \t! has(label_name)", + "type": "string" + }, + "startTime": { + "description": "Defines the start time from which this PacketCapture will capture packets. If omitted or the value is in the past, the capture will start immediately. If the value is changed to a future time, capture will stop immediately and restart at that time", + "format": "date-time", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "status": { + "description": "PacketCaptureStatus describes the files that have been captured, for a given PacketCapture, on each node that generates packet capture files", + "properties": { + "files": { + "items": { + "description": "PacketCaptureFile describes files generated by a PacketCapture. It describes the location of the packet capture files that is identified via a node, its directory and the file names generated.", + "properties": { + "directory": { + "description": "Directory represents the path inside the calico-node container for the the generated files", + "type": "string" + }, + "fileNames": { + "description": "FileNames represents the name of the generated file for a PacketCapture ordered alphanumerically. The active packet capture file will be identified using the following schema: \"{workload endpoint name}_{host network interface}.pcap\" . Rotated capture files name will contain an index matching the rotation timestamp.", + "items": { + "type": "string" + }, + "type": "array" + }, + "node": { + "description": "Node identifies with a physical node from the cluster via its hostname", + "type": "string" + }, + "state": { + "description": "PacketCaptureState represents the state of the PacketCapture", + "enum": [ + "Capturing", + "Finished", + "Scheduled", + "Error", + "WaitingForTraffic" + ], + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/remoteclusterconfiguration_v1.json b/crd.projectcalico.org/remoteclusterconfiguration_v1.json new file mode 100644 index 00000000..ba25544a --- /dev/null +++ b/crd.projectcalico.org/remoteclusterconfiguration_v1.json @@ -0,0 +1,127 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "RemoteClusterConfigurationSpec contains the values of describing the cluster.", + "properties": { + "clusterAccessSecret": { + "description": "Specifies a Secret to read for the RemoteClusterconfiguration. If defined all datastore configuration in this struct will be cleared and overwritten with the appropriate fields in the Secret.", + "properties": { + "apiVersion": { + "description": "API version of the referent.", + "type": "string" + }, + "fieldPath": { + "description": "If referring to a piece of an object instead of an entire object, this string should contain a valid JSON/Go field access statement, such as desiredState.manifest.containers[2]. For example, if the object reference is to a container within a pod, this would take on a value like: \"spec.containers{name}\" (where \"name\" refers to the name of the container that triggered the event) or if no container name is specified \"spec.containers[2]\" (container with index 2 in this pod). This syntax is chosen only to have some well-defined way of referencing a part of an object. TODO: this design is not final and this field is subject to change in the future.", + "type": "string" + }, + "kind": { + "description": "Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "name": { + "description": "Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names", + "type": "string" + }, + "namespace": { + "description": "Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/", + "type": "string" + }, + "resourceVersion": { + "description": "Specific resourceVersion to which this reference is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency", + "type": "string" + }, + "uid": { + "description": "UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "datastoreType": { + "description": "Indicates the datastore to use. If unspecified, defaults to etcdv3", + "type": "string" + }, + "etcdCACert": { + "type": "string" + }, + "etcdCACertFile": { + "description": "Path to the etcd Certificate Authority file. Valid if DatastoreType is etcdv3.", + "type": "string" + }, + "etcdCert": { + "type": "string" + }, + "etcdCertFile": { + "description": "Path to the etcd client certificate. Valid if DatastoreType is etcdv3.", + "type": "string" + }, + "etcdEndpoints": { + "description": "A comma separated list of etcd endpoints. Valid if DatastoreType is etcdv3. [Default: ]", + "type": "string" + }, + "etcdKey": { + "description": "These config file parameters are to support inline certificates, keys and CA / Trusted certificate.", + "type": "string" + }, + "etcdKeyFile": { + "description": "Path to the etcd key file. Valid if DatastoreType is etcdv3.", + "type": "string" + }, + "etcdPassword": { + "description": "Password for the given user name. Valid if DatastoreType is etcdv3.", + "type": "string" + }, + "etcdUsername": { + "description": "User name for RBAC. Valid if DatastoreType is etcdv3.", + "type": "string" + }, + "k8sAPIEndpoint": { + "description": "Location of the Kubernetes API. Not required if using kubeconfig. Valid if DatastoreType is kubernetes.", + "type": "string" + }, + "k8sAPIToken": { + "description": "Token to be used for accessing the Kubernetes API. Valid if DatastoreType is kubernetes.", + "type": "string" + }, + "k8sCAFile": { + "description": "Location of a CA for accessing the Kubernetes API. Valid if DatastoreType is kubernetes.", + "type": "string" + }, + "k8sCertFile": { + "description": "Location of a client certificate for accessing the Kubernetes API. Valid if DatastoreType is kubernetes.", + "type": "string" + }, + "k8sInsecureSkipTLSVerify": { + "type": "boolean" + }, + "k8sKeyFile": { + "description": "Location of a client key for accessing the Kubernetes API. Valid if DatastoreType is kubernetes.", + "type": "string" + }, + "kubeconfig": { + "description": "When using the Kubernetes datastore, the location of a kubeconfig file. Valid if DatastoreType is kubernetes.", + "type": "string" + }, + "kubeconfigInline": { + "description": "This is an alternative to Kubeconfig and if specified overrides Kubeconfig. This contains the contents that would normally be in the file pointed at by Kubeconfig.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/stagedglobalnetworkpolicy_v1.json b/crd.projectcalico.org/stagedglobalnetworkpolicy_v1.json new file mode 100644 index 00000000..7e69145c --- /dev/null +++ b/crd.projectcalico.org/stagedglobalnetworkpolicy_v1.json @@ -0,0 +1,730 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "properties": { + "applyOnForward": { + "description": "ApplyOnForward indicates to apply the rules in this policy on forward traffic.", + "type": "boolean" + }, + "doNotTrack": { + "description": "DoNotTrack indicates whether packets matched by the rules in this policy should go through the data plane's connection tracking, such as Linux conntrack. If True, the rules in this policy are applied before any data plane connection tracking, and packets allowed by this policy are marked as not to be tracked.", + "type": "boolean" + }, + "egress": { + "description": "The ordered set of egress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.", + "items": { + "description": "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match.", + "properties": { + "action": { + "type": "string" + }, + "destination": { + "description": "Destination contains the match criteria that apply to destination entity.", + "properties": { + "domains": { + "description": "Domains is an optional field, valid for egress Allow rules only, that restricts the rule to apply only to traffic to one of the specified domains. If this field is specified, Action must be Allow, and Nets and Selector must both be left empty.", + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.", + "type": "string" + }, + "nets": { + "description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notNets": { + "description": "NotNets is the negated version of the Nets field.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notPorts": { + "description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "notSelector": { + "description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.", + "type": "string" + }, + "ports": { + "description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.", + "type": "string" + }, + "serviceAccounts": { + "description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.", + "properties": { + "names": { + "description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.", + "items": { + "type": "string" + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "services": { + "description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.", + "properties": { + "name": { + "description": "Name specifies the name of a Kubernetes Service to match.", + "type": "string" + }, + "namespace": { + "description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "http": { + "description": "HTTP contains match criteria that apply to HTTP requests.", + "properties": { + "methods": { + "description": "Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.", + "items": { + "type": "string" + }, + "type": "array" + }, + "paths": { + "description": "Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR'd together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.", + "items": { + "description": "HTTPPath specifies an HTTP path to match. It may be either of the form: exact: : which matches the path exactly or prefix: : which matches the path prefix", + "properties": { + "exact": { + "type": "string" + }, + "prefix": { + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "icmp": { + "description": "ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to \"ICMP\" or \"ICMPv6\".", + "properties": { + "code": { + "description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.", + "type": "integer" + }, + "type": { + "description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "ipVersion": { + "description": "IPVersion is an optional field that restricts the rule to only match a specific IP version.", + "type": "integer" + }, + "metadata": { + "description": "Metadata contains additional information for this rule", + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "description": "Annotations is a set of key value pairs that give extra information about the rule", + "type": "object" + } + }, + "type": "object", + "additionalProperties": false + }, + "notICMP": { + "description": "NotICMP is the negated version of the ICMP field.", + "properties": { + "code": { + "description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.", + "type": "integer" + }, + "type": { + "description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "notProtocol": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "NotProtocol is the negated version of the Protocol field.", + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "protocol": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255.", + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "source": { + "description": "Source contains the match criteria that apply to source entity.", + "properties": { + "domains": { + "description": "Domains is an optional field, valid for egress Allow rules only, that restricts the rule to apply only to traffic to one of the specified domains. If this field is specified, Action must be Allow, and Nets and Selector must both be left empty.", + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.", + "type": "string" + }, + "nets": { + "description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notNets": { + "description": "NotNets is the negated version of the Nets field.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notPorts": { + "description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "notSelector": { + "description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.", + "type": "string" + }, + "ports": { + "description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.", + "type": "string" + }, + "serviceAccounts": { + "description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.", + "properties": { + "names": { + "description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.", + "items": { + "type": "string" + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "services": { + "description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.", + "properties": { + "name": { + "description": "Name specifies the name of a Kubernetes Service to match.", + "type": "string" + }, + "namespace": { + "description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "action" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "ingress": { + "description": "The ordered set of ingress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.", + "items": { + "description": "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match.", + "properties": { + "action": { + "type": "string" + }, + "destination": { + "description": "Destination contains the match criteria that apply to destination entity.", + "properties": { + "domains": { + "description": "Domains is an optional field, valid for egress Allow rules only, that restricts the rule to apply only to traffic to one of the specified domains. If this field is specified, Action must be Allow, and Nets and Selector must both be left empty.", + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.", + "type": "string" + }, + "nets": { + "description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notNets": { + "description": "NotNets is the negated version of the Nets field.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notPorts": { + "description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "notSelector": { + "description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.", + "type": "string" + }, + "ports": { + "description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.", + "type": "string" + }, + "serviceAccounts": { + "description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.", + "properties": { + "names": { + "description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.", + "items": { + "type": "string" + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "services": { + "description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.", + "properties": { + "name": { + "description": "Name specifies the name of a Kubernetes Service to match.", + "type": "string" + }, + "namespace": { + "description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "http": { + "description": "HTTP contains match criteria that apply to HTTP requests.", + "properties": { + "methods": { + "description": "Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.", + "items": { + "type": "string" + }, + "type": "array" + }, + "paths": { + "description": "Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR'd together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.", + "items": { + "description": "HTTPPath specifies an HTTP path to match. It may be either of the form: exact: : which matches the path exactly or prefix: : which matches the path prefix", + "properties": { + "exact": { + "type": "string" + }, + "prefix": { + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "icmp": { + "description": "ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to \"ICMP\" or \"ICMPv6\".", + "properties": { + "code": { + "description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.", + "type": "integer" + }, + "type": { + "description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "ipVersion": { + "description": "IPVersion is an optional field that restricts the rule to only match a specific IP version.", + "type": "integer" + }, + "metadata": { + "description": "Metadata contains additional information for this rule", + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "description": "Annotations is a set of key value pairs that give extra information about the rule", + "type": "object" + } + }, + "type": "object", + "additionalProperties": false + }, + "notICMP": { + "description": "NotICMP is the negated version of the ICMP field.", + "properties": { + "code": { + "description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.", + "type": "integer" + }, + "type": { + "description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "notProtocol": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "NotProtocol is the negated version of the Protocol field.", + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "protocol": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255.", + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "source": { + "description": "Source contains the match criteria that apply to source entity.", + "properties": { + "domains": { + "description": "Domains is an optional field, valid for egress Allow rules only, that restricts the rule to apply only to traffic to one of the specified domains. If this field is specified, Action must be Allow, and Nets and Selector must both be left empty.", + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.", + "type": "string" + }, + "nets": { + "description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notNets": { + "description": "NotNets is the negated version of the Nets field.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notPorts": { + "description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "notSelector": { + "description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.", + "type": "string" + }, + "ports": { + "description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.", + "type": "string" + }, + "serviceAccounts": { + "description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.", + "properties": { + "names": { + "description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.", + "items": { + "type": "string" + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "services": { + "description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.", + "properties": { + "name": { + "description": "Name specifies the name of a Kubernetes Service to match.", + "type": "string" + }, + "namespace": { + "description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "action" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "namespaceSelector": { + "description": "NamespaceSelector is an optional field for an expression used to select a pod based on namespaces.", + "type": "string" + }, + "order": { + "description": "Order is an optional field that specifies the order in which the policy is applied. Policies with higher \"order\" are applied after those with lower order within the same tier. If the order is omitted, it may be considered to be \"infinite\" - i.e. the policy will be applied last. Policies with identical order will be applied in alphanumerical order based on the Policy \"Name\" within the tier.", + "type": "number" + }, + "preDNAT": { + "description": "PreDNAT indicates to apply the rules in this policy before any DNAT.", + "type": "boolean" + }, + "selector": { + "description": "The selector is an expression used to pick pick out the endpoints that the policy should be applied to. \n Selector expressions follow this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" -> not equal; also matches if label is not present \tlabel in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is not one of \"a\", \"b\", \"c\" \thas(label_name) -> True if that label is present \t! expr -> negation of expr \texpr && expr -> Short-circuit and \texpr || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() or the empty selector -> matches all endpoints. \n Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive but they do not support escape characters. \n Examples (with made-up labels): \n \ttype == \"webserver\" && deployment == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != \"dev\" \t! has(label_name)", + "type": "string" + }, + "serviceAccountSelector": { + "description": "ServiceAccountSelector is an optional field for an expression used to select a pod based on service accounts.", + "type": "string" + }, + "stagedAction": { + "description": "The staged action. If this is omitted, the default is Set.", + "type": "string" + }, + "tier": { + "description": "The name of the tier that this policy belongs to. If this is omitted, the default tier (name is \"default\") is assumed. The specified tier must exist in order to create security policies within the tier, the \"default\" tier is created automatically if it does not exist, this means for deployments requiring only a single Tier, the tier name may be omitted on all policy management requests.", + "type": "string" + }, + "types": { + "description": "Types indicates whether this policy applies to ingress, or to egress, or to both. When not explicitly specified (and so the value on creation is empty or nil), Calico defaults Types according to what Ingress and Egress rules are present in the policy. The default is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are also no Ingress rules) \n - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. \n When the policy is read back again, Types will always be one of these values, never empty or nil.", + "items": { + "description": "PolicyType enumerates the possible values of the PolicySpec Types field.", + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/stagedkubernetesnetworkpolicy_v1.json b/crd.projectcalico.org/stagedkubernetesnetworkpolicy_v1.json new file mode 100644 index 00000000..21f0fb2c --- /dev/null +++ b/crd.projectcalico.org/stagedkubernetesnetworkpolicy_v1.json @@ -0,0 +1,404 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "properties": { + "egress": { + "description": "List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8", + "items": { + "description": "NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8", + "properties": { + "ports": { + "description": "List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.", + "items": { + "description": "NetworkPolicyPort describes a port to allow traffic on", + "properties": { + "endPort": { + "description": "If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.", + "format": "int32", + "type": "integer" + }, + "port": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.", + "x-kubernetes-int-or-string": true + }, + "protocol": { + "description": "The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "to": { + "description": "List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.", + "items": { + "description": "NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed", + "properties": { + "ipBlock": { + "description": "IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.", + "properties": { + "cidr": { + "description": "CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"", + "type": "string" + }, + "except": { + "description": "Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "cidr" + ], + "type": "object", + "additionalProperties": false + }, + "namespaceSelector": { + "description": "Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. \n If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "key", + "operator" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": "object" + } + }, + "type": "object", + "additionalProperties": false + }, + "podSelector": { + "description": "This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods. \n If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "key", + "operator" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": "object" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "ingress": { + "description": "List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)", + "items": { + "description": "NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.", + "properties": { + "from": { + "description": "List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.", + "items": { + "description": "NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed", + "properties": { + "ipBlock": { + "description": "IPBlock defines policy on a particular IPBlock. If this field is set then neither of the other fields can be.", + "properties": { + "cidr": { + "description": "CIDR is a string representing the IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\"", + "type": "string" + }, + "except": { + "description": "Except is a slice of CIDRs that should not be included within an IP Block Valid examples are \"192.168.1.1/24\" or \"2001:db9::/64\" Except values will be rejected if they are outside the CIDR range", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "cidr" + ], + "type": "object", + "additionalProperties": false + }, + "namespaceSelector": { + "description": "Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces. \n If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "key", + "operator" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": "object" + } + }, + "type": "object", + "additionalProperties": false + }, + "podSelector": { + "description": "This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods. \n If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy's own Namespace.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "key", + "operator" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": "object" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "ports": { + "description": "List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.", + "items": { + "description": "NetworkPolicyPort describes a port to allow traffic on", + "properties": { + "endPort": { + "description": "If set, indicates that the range of ports from port to endPort, inclusive, should be allowed by the policy. This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port.", + "format": "int32", + "type": "integer" + }, + "port": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.", + "x-kubernetes-int-or-string": true + }, + "protocol": { + "description": "The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "podSelector": { + "description": "Selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.", + "properties": { + "matchExpressions": { + "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", + "items": { + "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.", + "properties": { + "key": { + "description": "key is the label key that the selector applies to.", + "type": "string" + }, + "operator": { + "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.", + "type": "string" + }, + "values": { + "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "required": [ + "key", + "operator" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "matchLabels": { + "additionalProperties": { + "type": "string" + }, + "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", + "type": "object" + } + }, + "type": "object", + "additionalProperties": false + }, + "policyTypes": { + "description": "List of rule types that the NetworkPolicy relates to. Valid options are Ingress, Egress, or Ingress,Egress. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an Egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8", + "items": { + "description": "PolicyType string describes the NetworkPolicy type This type is beta-level in 1.8", + "type": "string" + }, + "type": "array" + }, + "stagedAction": { + "description": "The staged action. If this is omitted, the default is Set.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/stagednetworkpolicy_v1.json b/crd.projectcalico.org/stagednetworkpolicy_v1.json new file mode 100644 index 00000000..f285eabc --- /dev/null +++ b/crd.projectcalico.org/stagednetworkpolicy_v1.json @@ -0,0 +1,714 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "properties": { + "egress": { + "description": "The ordered set of egress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.", + "items": { + "description": "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match.", + "properties": { + "action": { + "type": "string" + }, + "destination": { + "description": "Destination contains the match criteria that apply to destination entity.", + "properties": { + "domains": { + "description": "Domains is an optional field, valid for egress Allow rules only, that restricts the rule to apply only to traffic to one of the specified domains. If this field is specified, Action must be Allow, and Nets and Selector must both be left empty.", + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.", + "type": "string" + }, + "nets": { + "description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notNets": { + "description": "NotNets is the negated version of the Nets field.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notPorts": { + "description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "notSelector": { + "description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.", + "type": "string" + }, + "ports": { + "description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.", + "type": "string" + }, + "serviceAccounts": { + "description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.", + "properties": { + "names": { + "description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.", + "items": { + "type": "string" + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "services": { + "description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.", + "properties": { + "name": { + "description": "Name specifies the name of a Kubernetes Service to match.", + "type": "string" + }, + "namespace": { + "description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "http": { + "description": "HTTP contains match criteria that apply to HTTP requests.", + "properties": { + "methods": { + "description": "Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.", + "items": { + "type": "string" + }, + "type": "array" + }, + "paths": { + "description": "Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR'd together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.", + "items": { + "description": "HTTPPath specifies an HTTP path to match. It may be either of the form: exact: : which matches the path exactly or prefix: : which matches the path prefix", + "properties": { + "exact": { + "type": "string" + }, + "prefix": { + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "icmp": { + "description": "ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to \"ICMP\" or \"ICMPv6\".", + "properties": { + "code": { + "description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.", + "type": "integer" + }, + "type": { + "description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "ipVersion": { + "description": "IPVersion is an optional field that restricts the rule to only match a specific IP version.", + "type": "integer" + }, + "metadata": { + "description": "Metadata contains additional information for this rule", + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "description": "Annotations is a set of key value pairs that give extra information about the rule", + "type": "object" + } + }, + "type": "object", + "additionalProperties": false + }, + "notICMP": { + "description": "NotICMP is the negated version of the ICMP field.", + "properties": { + "code": { + "description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.", + "type": "integer" + }, + "type": { + "description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "notProtocol": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "NotProtocol is the negated version of the Protocol field.", + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "protocol": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255.", + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "source": { + "description": "Source contains the match criteria that apply to source entity.", + "properties": { + "domains": { + "description": "Domains is an optional field, valid for egress Allow rules only, that restricts the rule to apply only to traffic to one of the specified domains. If this field is specified, Action must be Allow, and Nets and Selector must both be left empty.", + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.", + "type": "string" + }, + "nets": { + "description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notNets": { + "description": "NotNets is the negated version of the Nets field.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notPorts": { + "description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "notSelector": { + "description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.", + "type": "string" + }, + "ports": { + "description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.", + "type": "string" + }, + "serviceAccounts": { + "description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.", + "properties": { + "names": { + "description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.", + "items": { + "type": "string" + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "services": { + "description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.", + "properties": { + "name": { + "description": "Name specifies the name of a Kubernetes Service to match.", + "type": "string" + }, + "namespace": { + "description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "action" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "ingress": { + "description": "The ordered set of ingress rules. Each rule contains a set of packet match criteria and a corresponding action to apply.", + "items": { + "description": "A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching. \n Each positive match criteria has a negated version, prefixed with \"Not\". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match.", + "properties": { + "action": { + "type": "string" + }, + "destination": { + "description": "Destination contains the match criteria that apply to destination entity.", + "properties": { + "domains": { + "description": "Domains is an optional field, valid for egress Allow rules only, that restricts the rule to apply only to traffic to one of the specified domains. If this field is specified, Action must be Allow, and Nets and Selector must both be left empty.", + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.", + "type": "string" + }, + "nets": { + "description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notNets": { + "description": "NotNets is the negated version of the Nets field.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notPorts": { + "description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "notSelector": { + "description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.", + "type": "string" + }, + "ports": { + "description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.", + "type": "string" + }, + "serviceAccounts": { + "description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.", + "properties": { + "names": { + "description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.", + "items": { + "type": "string" + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "services": { + "description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.", + "properties": { + "name": { + "description": "Name specifies the name of a Kubernetes Service to match.", + "type": "string" + }, + "namespace": { + "description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + }, + "http": { + "description": "HTTP contains match criteria that apply to HTTP requests.", + "properties": { + "methods": { + "description": "Methods is an optional field that restricts the rule to apply only to HTTP requests that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods are OR'd together.", + "items": { + "type": "string" + }, + "type": "array" + }, + "paths": { + "description": "Paths is an optional field that restricts the rule to apply to HTTP requests that use one of the listed HTTP Paths. Multiple paths are OR'd together. e.g: - exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either a `exact` or a `prefix` match. The validator will check for it.", + "items": { + "description": "HTTPPath specifies an HTTP path to match. It may be either of the form: exact: : which matches the path exactly or prefix: : which matches the path prefix", + "properties": { + "exact": { + "type": "string" + }, + "prefix": { + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + }, + "icmp": { + "description": "ICMP is an optional field that restricts the rule to apply to a specific type and code of ICMP traffic. This should only be specified if the Protocol field is set to \"ICMP\" or \"ICMPv6\".", + "properties": { + "code": { + "description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.", + "type": "integer" + }, + "type": { + "description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "ipVersion": { + "description": "IPVersion is an optional field that restricts the rule to only match a specific IP version.", + "type": "integer" + }, + "metadata": { + "description": "Metadata contains additional information for this rule", + "properties": { + "annotations": { + "additionalProperties": { + "type": "string" + }, + "description": "Annotations is a set of key value pairs that give extra information about the rule", + "type": "object" + } + }, + "type": "object", + "additionalProperties": false + }, + "notICMP": { + "description": "NotICMP is the negated version of the ICMP field.", + "properties": { + "code": { + "description": "Match on a specific ICMP code. If specified, the Type value must also be specified. This is a technical limitation imposed by the kernel's iptables firewall, which Calico uses to enforce the rule.", + "type": "integer" + }, + "type": { + "description": "Match on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request (i.e. pings).", + "type": "integer" + } + }, + "type": "object", + "additionalProperties": false + }, + "notProtocol": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "NotProtocol is the negated version of the Protocol field.", + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "protocol": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "description": "Protocol is an optional field that restricts the rule to only apply to traffic of a specific IP protocol. Required if any of the EntityRules contain Ports (because ports only apply to certain protocols). \n Must be one of these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range 1-255.", + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "source": { + "description": "Source contains the match criteria that apply to source entity.", + "properties": { + "domains": { + "description": "Domains is an optional field, valid for egress Allow rules only, that restricts the rule to apply only to traffic to one of the specified domains. If this field is specified, Action must be Allow, and Nets and Selector must both be left empty.", + "items": { + "type": "string" + }, + "type": "array" + }, + "namespaceSelector": { + "description": "NamespaceSelector is an optional field that contains a selector expression. Only traffic that originates from (or terminates at) endpoints within the selected namespaces will be matched. When both NamespaceSelector and another selector are defined on the same rule, then only workload endpoints that are matched by both selectors will be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies that the Selector is limited to selecting only workload endpoints in the same namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint. \n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector applies to workload endpoints across all namespaces.", + "type": "string" + }, + "nets": { + "description": "Nets is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) IP addresses in any of the given subnets.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notNets": { + "description": "NotNets is the negated version of the Nets field.", + "items": { + "type": "string" + }, + "type": "array" + }, + "notPorts": { + "description": "NotPorts is the negated version of the Ports field. Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "notSelector": { + "description": "NotSelector is the negated version of the Selector field. See Selector field for subtleties with negated selectors.", + "type": "string" + }, + "ports": { + "description": "Ports is an optional field that restricts the rule to only apply to traffic that has a source (destination) port that matches one of these ranges/values. This value is a list of integers or strings that represent ranges of ports. \n Since only some protocols have ports, if any ports are specified it requires the Protocol match in the Rule to be set to \"TCP\" or \"UDP\".", + "items": { + "anyOf": [ + { + "type": "integer" + }, + { + "type": "string" + } + ], + "pattern": "^.*", + "x-kubernetes-int-or-string": true + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that contains a selector expression (see Policy for sample syntax). Only traffic that originates from (terminates at) endpoints matching the selector will be matched. \n Note that: in addition to the negated version of the Selector (see NotSelector below), the selector expression syntax itself supports negation. The two types of negation are subtly different. One negates the set of matched endpoints, the other negates the whole match: \n \tSelector = \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\" matches packets that are not from Calico-controlled \tendpoints that do have the label \"my_label\". \n The effect is that the latter will accept packets from non-Calico sources whereas the former is limited to packets from Calico-controlled endpoints.", + "type": "string" + }, + "serviceAccounts": { + "description": "ServiceAccounts is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a matching service account.", + "properties": { + "names": { + "description": "Names is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account whose name is in the list.", + "items": { + "type": "string" + }, + "type": "array" + }, + "selector": { + "description": "Selector is an optional field that restricts the rule to only apply to traffic that originates from (or terminates at) a pod running as a service account that matches the given label selector. If both Names and Selector are specified then they are AND'ed.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + }, + "services": { + "description": "Services is an optional field that contains options for matching Kubernetes Services. If specified, only traffic that originates from or terminates at endpoints within the selected service(s) will be matched, and only to/from each endpoint's port. \n Services cannot be specified on the same rule as Selector, NotSelector, NamespaceSelector, Nets, NotNets or ServiceAccounts. \n Ports and NotPorts can only be specified with Services on ingress rules.", + "properties": { + "name": { + "description": "Name specifies the name of a Kubernetes Service to match.", + "type": "string" + }, + "namespace": { + "description": "Namespace specifies the namespace of the given Service. If left empty, the rule will match within this policy's namespace.", + "type": "string" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "action" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "order": { + "description": "Order is an optional field that specifies the order in which the policy is applied. Policies with higher \"order\" are applied after those with lower order within the same tier. If the order is omitted, it may be considered to be \"infinite\" - i.e. the policy will be applied last. Policies with identical order will be applied in alphanumerical order based on the Policy \"Name\" within the tier.", + "type": "number" + }, + "selector": { + "description": "The selector is an expression used to pick pick out the endpoints that the policy should be applied to. \n Selector expressions follow this syntax: \n \tlabel == \"string_literal\" -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" -> not equal; also matches if label is not present \tlabel in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } -> true if the value of label X is not one of \"a\", \"b\", \"c\" \thas(label_name) -> True if that label is present \t! expr -> negation of expr \texpr && expr -> Short-circuit and \texpr || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() or the empty selector -> matches all endpoints. \n Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive but they do not support escape characters. \n Examples (with made-up labels): \n \ttype == \"webserver\" && deployment == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != \"dev\" \t! has(label_name)", + "type": "string" + }, + "serviceAccountSelector": { + "description": "ServiceAccountSelector is an optional field for an expression used to select a pod based on service accounts.", + "type": "string" + }, + "stagedAction": { + "description": "The staged action. If this is omitted, the default is Set.", + "type": "string" + }, + "tier": { + "description": "The name of the tier that this policy belongs to. If this is omitted, the default tier (name is \"default\") is assumed. The specified tier must exist in order to create security policies within the tier, the \"default\" tier is created automatically if it does not exist, this means for deployments requiring only a single Tier, the tier name may be omitted on all policy management requests.", + "type": "string" + }, + "types": { + "description": "Types indicates whether this policy applies to ingress, or to egress, or to both. When not explicitly specified (and so the value on creation is empty or nil), Calico defaults Types according to what Ingress and Egress are present in the policy. The default is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including the case where there are also no Ingress rules) \n - [ PolicyTypeEgress ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both Ingress and Egress rules. \n When the policy is read back again, Types will always be one of these values, never empty or nil.", + "items": { + "description": "PolicyType enumerates the possible values of the PolicySpec Types field.", + "type": "string" + }, + "type": "array" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/tier_v1.json b/crd.projectcalico.org/tier_v1.json new file mode 100644 index 00000000..533bdd68 --- /dev/null +++ b/crd.projectcalico.org/tier_v1.json @@ -0,0 +1,27 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "TierSpec contains the specification for a security policy tier resource.", + "properties": { + "order": { + "description": "Order is an optional field that specifies the order in which the tier is applied. Tiers with higher \"order\" are applied after those with lower order. If the order is omitted, it may be considered to be \"infinite\" - i.e. the tier will be applied last. Tiers with identical order will be applied in alphanumerical order based on the Tier \"Name\".", + "type": "number" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/uisettings_v1.json b/crd.projectcalico.org/uisettings_v1.json new file mode 100644 index 00000000..9e4828c9 --- /dev/null +++ b/crd.projectcalico.org/uisettings_v1.json @@ -0,0 +1,232 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "UISettingsSpec contains the specification for a UISettings resource.", + "properties": { + "dashboard": { + "description": "Dashboard data. One of View, Layer or Dashboard should be specified.", + "type": "object" + }, + "description": { + "description": "This description is displayed by the UI.", + "type": "string" + }, + "group": { + "description": "The settings group. Once configured this cannot be modified. The group must exist.", + "type": "string" + }, + "layer": { + "description": "Layer data. One of View, Layer or Dashboard should be specified.", + "properties": { + "color": { + "description": "The color used to represent the layer when an Icon has not been specified.", + "type": "string" + }, + "icon": { + "description": "A user-configurable icon. If not specified, the default layer icon is used for this layer node.", + "type": "string" + }, + "nodes": { + "description": "The nodes that are aggregated into a single layer.", + "items": { + "description": "UIGraphNode contains details about a graph node so that the UI can render it correctly.", + "properties": { + "id": { + "description": "The node ID.", + "type": "string" + }, + "name": { + "description": "The node name.", + "type": "string" + }, + "namespace": { + "description": "The node namespace.", + "type": "string" + }, + "type": { + "description": "The node type.", + "type": "string" + } + }, + "required": [ + "id", + "name", + "type" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + } + }, + "required": [ + "nodes" + ], + "type": "object", + "additionalProperties": false + }, + "user": { + "description": "The user associated with these settings. This is filled in by the APIServer on a create request if the owning group is filtered by user. Cannot be modified.", + "type": "string" + }, + "view": { + "description": "View data. One of View, Layer or Dashboard should be specified.", + "properties": { + "expandPorts": { + "description": "Whether ports are expanded. If false, port information is aggregated.", + "type": "boolean" + }, + "followConnectionDirection": { + "description": "Whether or not to automatically follow directly connected nodes.", + "type": "boolean" + }, + "hostAggregationSelectors": { + "description": "The set of selectors used to aggregate hosts (Kubernetes nodes). Nodes are aggregated based on the supplied set of selectors. In the case of overlapping selectors, the order specified in the slice is the order checked and so the first selector to match is used. The nodes will be aggregated into a graph node with the name specified in the NamedSelector.", + "items": { + "description": "A Calico format label selector with an associated name.", + "properties": { + "name": { + "type": "string" + }, + "selector": { + "type": "string" + } + }, + "required": [ + "name", + "selector" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "layers": { + "description": "The set of layer names that are active in this view. Note that layers may be defined, but it is not necessary to have each layer \"active\". Corresponds directly to the name of the UISettings resource that contains a layer definition.", + "items": { + "type": "string" + }, + "type": "array" + }, + "layoutType": { + "description": "Layout type. Semi-arbitrary value used to specify the layout-type/algorithm. For example could specify different layout algorithms, or click-to-grid. Mostly here for future use.", + "type": "string" + }, + "nodes": { + "description": "Graph node specific view data. This provides information about what is in focus, expanded, hidden, deemphasized etc. at a per-node level.", + "items": { + "description": "UIGraphNodeView contains the view configuration for a specific graph node.", + "properties": { + "deemphasize": { + "description": "Whether the UI should de-emphasize the node when visible. This is just a UI directive and does not correspond to a backend parameter.", + "type": "boolean" + }, + "expanded": { + "description": "This node is expanded to the next level. This node can, for example, be a layer that is expanded into its constituent parts.", + "type": "boolean" + }, + "followEgress": { + "type": "boolean" + }, + "followIngress": { + "description": "Whether the ingress/egress connections to/from this node are included in the graph. This effectively brings more nodes into focus.", + "type": "boolean" + }, + "hide": { + "description": "Whether the UI should hide the node. This is just a UI directive and does not correspond to a backend parameter.", + "type": "boolean" + }, + "hideUnrelated": { + "description": "Whether the UI should hide unrelated nodes. This is just a UI directive and does not correspond to a backend parameter.", + "type": "boolean" + }, + "id": { + "description": "The node ID.", + "type": "string" + }, + "inFocus": { + "description": "This node is a primary focus of the graph (i.e. the graph contains this node and connected nodes).", + "type": "boolean" + }, + "name": { + "description": "The node name.", + "type": "string" + }, + "namespace": { + "description": "The node namespace.", + "type": "string" + }, + "type": { + "description": "The node type.", + "type": "string" + } + }, + "required": [ + "id", + "name", + "type" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "positions": { + "description": "Positions of graph nodes.", + "items": { + "description": "UI screen position.", + "properties": { + "id": { + "type": "string" + }, + "xPos": { + "type": "integer" + }, + "yPos": { + "type": "integer" + }, + "zPos": { + "type": "integer" + } + }, + "required": [ + "id", + "xPos", + "yPos", + "zPos" + ], + "type": "object", + "additionalProperties": false + }, + "type": "array" + }, + "splitIngressEgress": { + "description": "Whether to split HostEndpoints, NetworkSets and Networks into separate ingress and egress nodes or to combine them. In a service-centric view, splitting these makes the graph clearer. This never splits pods which represent a true microservice which has ingress and egress connections.", + "type": "boolean" + } + }, + "type": "object", + "additionalProperties": false + } + }, + "required": [ + "description", + "group" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +} diff --git a/crd.projectcalico.org/uisettingsgroup_v1.json b/crd.projectcalico.org/uisettingsgroup_v1.json new file mode 100644 index 00000000..eca88cf9 --- /dev/null +++ b/crd.projectcalico.org/uisettingsgroup_v1.json @@ -0,0 +1,38 @@ +{ + "properties": { + "apiVersion": { + "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", + "type": "string" + }, + "kind": { + "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", + "type": "string" + }, + "metadata": { + "type": "object" + }, + "spec": { + "description": "UISettingsGroupSpec contains the specification for a UISettingsGroup resource.", + "properties": { + "description": { + "description": "This description is displayed by the UI when asking where to store any UI-specific settings such as views, layers, dashboards etc. This name should be a short description that relates the settings to the set of clusters defined below, the set of users or groups that are able to access to these settings (defined via RBAC) or the set of applications common to the set of users or groups that can access these settings. Examples might be: - \"cluster\" when these settings apply to the whole cluster - \"global\" when these settings apply to all clusters (in an Multi-Cluster environment) - \"security team\" if these settings are accessible only to the security group and therefore applicable to the applications accessible by that team - \"storefront\" if these settings are accessible to all users and groups that can access the storefront set of applications - \"user\" if these settings are accessible to only a single user", + "type": "string" + }, + "filterType": { + "description": "The type of filter to use when listing and watching the UISettings associated with this group. If set to None a List/watch of UISettings in this group will return all UISettings. If set to User a list/watch of UISettings in this group will return only UISettings created by the user making the request. For settings groups that are specific to users and where multiple users may access the settings in this group we recommend setting this to \"User\" to avoid cluttering up the UI with settings for other users. Note this is only a filter. Full lockdown of UISettings for specific users should be handled using appropriate RBAC.", + "enum": [ + "None", + "User" + ], + "type": "string" + } + }, + "required": [ + "description" + ], + "type": "object", + "additionalProperties": false + } + }, + "type": "object" +}