From 570f9c086c47a1c0c4100dff6c01a3e311641339 Mon Sep 17 00:00:00 2001 From: Yang Ding Date: Fri, 4 Mar 2022 13:25:09 -0800 Subject: [PATCH] Use events for acnp import status report 
Signed-off-by: Yang Ding --- docs/multicluster/architecture.md | 44 +- .../apis/multicluster/v1alpha1/acnpimport.go | 80 - .../v1alpha1/zz_generated.deepcopy.go | 109 - .../antrea-multicluster-leader-global.yml | 2459 ++++++++++++---- .../antrea-multicluster-leader-namespaced.yml | 46 +- .../yamls/antrea-multicluster-member.yml | 2485 +++++++++++++---- ...ulticluster.crd.antrea.io_acnpimports.yaml | 77 - ...cluster.crd.antrea.io_resourceexports.yaml | 86 +- ...cluster.crd.antrea.io_resourceimports.yaml | 86 +- multicluster/config/crd/kustomization.yaml | 1 - .../leader-ns/member_cluster_role.yaml | 10 + multicluster/config/rbac/role.yaml | 26 +- ...r.go => acnp_resourceimport_controller.go} | 155 +- ...=> acnp_resourceimport_controller_test.go} | 69 +- .../commonarea/resourceimport_controller.go | 3 +- .../typed/multicluster/v1alpha1/acnpimport.go | 183 -- .../v1alpha1/fake/fake_acnpimport.go | 132 - .../v1alpha1/fake/fake_multicluster_client.go | 4 - .../v1alpha1/generated_expansion.go | 2 - .../v1alpha1/multicluster_client.go | 5 - .../informers/externalversions/generic.go | 2 - .../multicluster/v1alpha1/acnpimport.go | 88 - .../multicluster/v1alpha1/interface.go | 7 - .../multicluster/v1alpha1/acnpimport.go | 67 - .../v1alpha1/expansion_generated.go | 4 - 25 files changed, 4132 insertions(+), 2098 deletions(-) delete mode 100644 multicluster/apis/multicluster/v1alpha1/acnpimport.go delete mode 100644 multicluster/config/crd/bases/multicluster.crd.antrea.io_acnpimports.yaml rename multicluster/controllers/multicluster/commonarea/{acnpimport_controller.go => acnp_resourceimport_controller.go} (57%) rename multicluster/controllers/multicluster/commonarea/{acnpimport_controller_test.go => acnp_resourceimport_controller_test.go} (83%) delete mode 100644 multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/acnpimport.go delete mode 100644 multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_acnpimport.go delete mode 
100644 multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/acnpimport.go delete mode 100644 multicluster/pkg/client/listers/multicluster/v1alpha1/acnpimport.go diff --git a/docs/multicluster/architecture.md b/docs/multicluster/architecture.md index 66d09007b95..ed4726ebe75 100644 --- a/docs/multicluster/architecture.md +++ b/docs/multicluster/architecture.md @@ -98,7 +98,7 @@ ClusterSet to be applied with a consistent security posture (for example, all na clusters can only communicate with Pods in their own namespaces). For more information regarding Antrea ClusterNetworkPolicy(ACNP), refer to [this document](../antrea-network-policy.md). -To achieve such ACNP copy-span, admins can, in the acting leader cluster of a Multi-cluster deployment, +To achieve such ACNP copy-span, admins can, in the acting leader cluster of a Multi-cluster deployment, create a ResourceExport of kind `AntreaClusterNetworkPolicy` which contains the ClusterNetworkPolicy spec they wish to be replicated. The ResourceExport should be created in the Namespace which implements the Common Area of the ClusterSet. In future releases, some additional tooling may become available to 
@@ -132,8 +132,46 @@ spec: ``` The above sample spec will create an ACNP in each member cluster which implements strict namespace -isolation for that cluster. +isolation for that cluster. Note that because the Tier that an ACNP refers to must exist before the ACNP is applied, an importing cluster may fail to create the ACNP to be replicated, if the tier in the ResourceExport spec cannot be -found in that particular cluster. +found in that particular cluster. The ACNP creation status of each member cluster will be reported back +to the Common Area as K8s Events, and can be checked by describing the ResourceImport of the original +ResourceExport: + +```text +kubectl describe resourceimport -A +--- +Name: strict-namespace-isolation-antreaclusternetworkpolicy +Namespace: antrea-mcs-ns +API Version: multicluster.crd.antrea.io/v1alpha1 +Kind: ResourceImport +Spec: + Clusternetworkpolicy: + Applied To: + Namespace Selector: + Ingress: + Action: Pass + Enable Logging: false + From: + Namespaces: + Match: Self + Pod Selector: + Match Labels: + k8s-app: kube-dns + Action: Drop + Enable Logging: false + From: + Namespace Selector: + Priority: 1 + Tier: random + Kind: AntreaClusterNetworkPolicy + Name: strict-namespace-isolation + ... +Events: + Type Reason Age From Message + ---- ------ ---- ---- ------- + Normal ACNPImportSucceeded 2m11s resourceimport-controller ACNP successfully created in the importing cluster test-cluster-east + Warning ACNPImportFailed 2m11s resourceimport-controller ACNP Tier does not exist in the importing cluster test-cluster-west +``` diff --git a/multicluster/apis/multicluster/v1alpha1/acnpimport.go b/multicluster/apis/multicluster/v1alpha1/acnpimport.go deleted file mode 100644 index 479455326b2..00000000000 --- a/multicluster/apis/multicluster/v1alpha1/acnpimport.go +++ /dev/null 
@@ -1,80 +0,0 @@
-/*
-Copyright 2022 Antrea Authors.
-
-Licensed under the Apache License, Version 2.0 (the "License");
-you may not use this file except in compliance with the License.
-You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
-Unless required by applicable law or agreed to in writing, software
-distributed under the License is distributed on an "AS IS" BASIS,
-WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-See the License for the specific language governing permissions and
-limitations under the License.
-*/
-
-package v1alpha1
-
-import (
- v1 "k8s.io/api/core/v1"
- metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
-)
-
-// +genclient
-// +genclient:nonNamespaced
-// +kubebuilder:object:root=true
-// +kubebuilder:resource:path=acnpimports,scope=Cluster
-// +kubebuilder:subresource:status
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-
-// ACNPImport describes an ACNP imported from the leader cluster in a ClusterSet.
-type ACNPImport struct {
- metav1.TypeMeta `json:",inline"`
- // +optional
- metav1.ObjectMeta `json:"metadata,omitempty"`
- // +optional
- Status ACNPImportStatus `json:"status,omitempty"`
-}
-
-// +kubebuilder:object:root=true
-// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
-
-// ACNPImportList contains a list of ACNPImport.
-type ACNPImportList struct {
- metav1.TypeMeta `json:",inline"`
- metav1.ListMeta `json:"metadata,omitempty"`
- Items []ACNPImport `json:"items"`
-}
-
-type ACNPImportStatus struct {
- // +optional
- // +patchStrategy=merge
- // +patchMergeKey=type
- // +listType=map
- // +listMapKey=type
- Conditions []ACNPImportCondition `json:"conditions,omitempty" patchStrategy:"merge" patchMergeKey:"type"`
-}
-
-type ACNPImportConditionType string
-
-const (
- ACNPImportRealizable ACNPImportConditionType = "Realizable"
-)
-
-type ACNPImportCondition struct {
- Type ACNPImportConditionType `json:"type"`
- // Status is one of {"True", "False", "Unknown"}
- // +kubebuilder:validation:Enum=True;False;Unknown
- Status v1.ConditionStatus `json:"status"`
- // +optional
- LastTransitionTime *metav1.Time `json:"lastTransitionTime,omitempty"`
- // +optional
- Reason *string `json:"reason,omitempty"`
- // +optional
- Message *string `json:"message,omitempty"`
-}
-
-func init() {
- SchemeBuilder.Register(&ACNPImport{}, &ACNPImportList{})
-}
diff --git a/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go b/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go
index f6b81169c62..1811af33287 100644
--- a/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go
+++ b/multicluster/apis/multicluster/v1alpha1/zz_generated.deepcopy.go
@@ -28,115 +28,6 @@ import ( apisv1alpha1 "sigs.k8s.io/mcs-api/pkg/apis/v1alpha1" ) -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ACNPImport) DeepCopyInto(out *ACNPImport) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ObjectMeta.DeepCopyInto(&out.ObjectMeta) - in.Status.DeepCopyInto(&out.Status) -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACNPImport. -func (in *ACNPImport) DeepCopy() *ACNPImport { - if in == nil { - return nil - } - out := new(ACNPImport) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *ACNPImport) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ACNPImportCondition) DeepCopyInto(out *ACNPImportCondition) { - *out = *in - if in.LastTransitionTime != nil { - in, out := &in.LastTransitionTime, &out.LastTransitionTime - *out = (*in).DeepCopy() - } - if in.Reason != nil { - in, out := &in.Reason, &out.Reason - *out = new(string) - **out = **in - } - if in.Message != nil { - in, out := &in.Message, &out.Message - *out = new(string) - **out = **in - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACNPImportCondition. -func (in *ACNPImportCondition) DeepCopy() *ACNPImportCondition { - if in == nil { - return nil - } - out := new(ACNPImportCondition) - in.DeepCopyInto(out) - return out -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. 
-func (in *ACNPImportList) DeepCopyInto(out *ACNPImportList) { - *out = *in - out.TypeMeta = in.TypeMeta - in.ListMeta.DeepCopyInto(&out.ListMeta) - if in.Items != nil { - in, out := &in.Items, &out.Items - *out = make([]ACNPImport, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACNPImportList. -func (in *ACNPImportList) DeepCopy() *ACNPImportList { - if in == nil { - return nil - } - out := new(ACNPImportList) - in.DeepCopyInto(out) - return out -} - -// DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object. -func (in *ACNPImportList) DeepCopyObject() runtime.Object { - if c := in.DeepCopy(); c != nil { - return c - } - return nil -} - -// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *ACNPImportStatus) DeepCopyInto(out *ACNPImportStatus) { - *out = *in - if in.Conditions != nil { - in, out := &in.Conditions, &out.Conditions - *out = make([]ACNPImportCondition, len(*in)) - for i := range *in { - (*in)[i].DeepCopyInto(&(*out)[i]) - } - } -} - -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ACNPImportStatus. -func (in *ACNPImportStatus) DeepCopy() *ACNPImportStatus { - if in == nil { - return nil - } - out := new(ACNPImportStatus) - in.DeepCopyInto(out) - return out -} - // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. func (in *ClusterClaim) DeepCopyInto(out *ClusterClaim) { *out = *in diff --git a/multicluster/build/yamls/antrea-multicluster-leader-global.yml b/multicluster/build/yamls/antrea-multicluster-leader-global.yml index 7d5e726c0ba..fc35c73efc8 100644 --- a/multicluster/build/yamls/antrea-multicluster-leader-global.yml +++ b/multicluster/build/yamls/antrea-multicluster-leader-global.yml 
@@ -1,78 +1,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null - labels: - app: antrea - name: acnpimports.multicluster.crd.antrea.io -spec: - group: multicluster.crd.antrea.io - names: - kind: ACNPImport - listKind: ACNPImportList - plural: acnpimports - singular: acnpimport - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ACNPImport describes an ACNP imported from the leader cluster in a ClusterSet. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: Status is one of {"True", "False", "Unknown"} - enum: - - "True" - - "False" - - Unknown - type: string - type: - type: string - required: - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 
@@ -453,26 +380,43 @@ spec: description: If exported resource is AntreaClusterNetworkPolicy. properties: appliedTo: - description: Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule. + description: Select workloads on which the rules will be applied + to. Cannot be set in conjunction with AppliedTo in each rule. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping selector + of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. If + set with NamespaceSelector, ExternalEntities are matched + from Namespaces matched by the NamespaceSelector. Cannot + be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -484,40 +428,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully Qualified + Domain Names prescribed by name or by wildcard match patterns. + This field can only be set for NetworkPolicyPeer of egress + rules. Supported formats are: Exact FQDNs, i.e. "google.com", + "db-svc.default.svc.cluster.local" Wildcard expressions, + i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup which + can be set as an AppliedTo or within an Ingress or Egress + rule in place of a stand-alone selector. A Group cannot + be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set as part + of the AppliedTo field. Cannot be set with any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the IP Block + Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched by + this selector, as workloads in To/From fields. If set + with PodSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. 
Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -529,32 +504,59 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer is created + for ClusterNetworkPolicy ingress/egress rules. Cannot + be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set with + NamespaceSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -566,40 +568,78 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount matched + by this field, as workloads in AppliedTo/To/From fields. + Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array egress: - description: Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the `To` field but not the `From` field within a Rule. + description: Set of egress rules evaluated based on the order + in which they are set. Currently Egress rule supports setting + the `To` field but not the `From` field within a Rule. items: - description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. properties: action: - description: Action specifies the action to be applied on the rule. + description: Action specifies the action to be applied on + the rule. 
type: string appliedTo: - description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -611,40 +651,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -656,32 +730,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -693,35 +796,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: - description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. type: boolean from: - description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -733,40 +872,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -778,32 +951,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -815,56 +1017,102 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: - description: Name describes the intention of this rule. Name should be unique within the policy. + description: Name describes the intention of this rule. + Name should be unique within the policy. type: string ports: - description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. items: - description: NetworkPolicyPort describes the port and protocol to match in a rule. + description: NetworkPolicyPort describes the port and + protocol to match in a rule. properties: endPort: - description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. 
format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. type: string type: object type: array to: - description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. 
+ Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -876,40 +1124,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -921,32 +1203,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -958,24 +1269,41 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: - description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. 
properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: 
@@ -983,34 +1311,58 @@ spec: type: object type: array ingress: - description: Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the `From` field but not the `To` field within a Rule. + description: Set of ingress rules evaluated based on the order + in which they are set. Currently Ingress rule supports setting + the `From` field but not the `To` field within a Rule. items: - description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. properties: action: - description: Action specifies the action to be applied on the rule. + description: Action specifies the action to be applied on + the rule. type: string appliedTo: - description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1022,40 +1374,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1067,32 +1453,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1104,35 +1519,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: - description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. type: boolean from: - description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1144,40 +1595,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1189,32 +1674,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1226,56 +1740,102 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: - description: Name describes the intention of this rule. Name should be unique within the policy. + description: Name describes the intention of this rule. + Name should be unique within the policy. type: string ports: - description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. items: - description: NetworkPolicyPort describes the port and protocol to match in a rule. + description: NetworkPolicyPort describes the port and + protocol to match in a rule. properties: endPort: - description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. 
format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. type: string type: object type: array to: - description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. 
+ Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1287,40 +1847,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1332,32 +1926,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1369,24 +1992,41 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: - description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. 
properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: @@ -1394,10 +2034,16 @@ spec: type: object type: array priority: - description: Priority specfies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies. + description: Priority specfies the order of the ClusterNetworkPolicy + relative to other AntreaClusterNetworkPolicies. type: number tier: - description: Tier specifies the tier to which this ClusterNetworkPolicy belongs to. The ClusterNetworkPolicy order will be determined based on the combination of the Tier's Priority and the ClusterNetworkPolicy's own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom. + description: Tier specifies the tier to which this ClusterNetworkPolicy + belongs to. The ClusterNetworkPolicy order will be determined + based on the combination of the Tier's Priority and the ClusterNetworkPolicy's + own Priority. If not specified, this policy will be created + in the Application Tier right above the K8s NetworkPolicy which + resides at the bottom. type: string required: - priority 
@@ -2159,26 +2805,43 @@ spec: description: If imported resource is AntreaClusterNetworkPolicy. properties: appliedTo: - description: Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule. + description: Select workloads on which the rules will be applied + to. Cannot be set in conjunction with AppliedTo in each rule. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping selector + of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. If + set with NamespaceSelector, ExternalEntities are matched + from Namespaces matched by the NamespaceSelector. Cannot + be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -2190,40 +2853,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully Qualified + Domain Names prescribed by name or by wildcard match patterns. + This field can only be set for NetworkPolicyPeer of egress + rules. Supported formats are: Exact FQDNs, i.e. "google.com", + "db-svc.default.svc.cluster.local" Wildcard expressions, + i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup which + can be set as an AppliedTo or within an Ingress or Egress + rule in place of a stand-alone selector. A Group cannot + be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set as part + of the AppliedTo field. Cannot be set with any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the IP Block + Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched by + this selector, as workloads in To/From fields. If set + with PodSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. 
Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -2235,32 +2929,59 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer is created + for ClusterNetworkPolicy ingress/egress rules. Cannot + be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set with + NamespaceSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -2272,40 +2993,78 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount matched + by this field, as workloads in AppliedTo/To/From fields. + Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array egress: - description: Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the `To` field but not the `From` field within a Rule. + description: Set of egress rules evaluated based on the order + in which they are set. Currently Egress rule supports setting + the `To` field but not the `From` field within a Rule. items: - description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. properties: action: - description: Action specifies the action to be applied on the rule. + description: Action specifies the action to be applied on + the rule. 
type: string appliedTo: - description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2317,40 +3076,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2362,32 +3155,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2399,35 +3221,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: - description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. type: boolean from: - description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2439,40 +3297,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2484,32 +3376,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2521,56 +3442,102 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: - description: Name describes the intention of this rule. Name should be unique within the policy. + description: Name describes the intention of this rule. + Name should be unique within the policy. type: string ports: - description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. items: - description: NetworkPolicyPort describes the port and protocol to match in a rule. + description: NetworkPolicyPort describes the port and + protocol to match in a rule. properties: endPort: - description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. 
format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. type: string type: object type: array to: - description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. 
+ Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2582,40 +3549,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2627,32 +3628,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2664,24 +3694,41 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: - description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. 
properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: 
@@ -2689,34 +3736,58 @@ spec: type: object type: array ingress: - description: Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the `From` field but not the `To` field within a Rule. + description: Set of ingress rules evaluated based on the order + in which they are set. Currently Ingress rule supports setting + the `From` field but not the `To` field within a Rule. items: - description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. properties: action: - description: Action specifies the action to be applied on the rule. + description: Action specifies the action to be applied on + the rule. type: string appliedTo: - description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2728,40 +3799,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2773,32 +3878,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2810,35 +3944,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: - description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. type: boolean from: - description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2850,40 +4020,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2895,32 +4099,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2932,56 +4165,102 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: - description: Name describes the intention of this rule. Name should be unique within the policy. + description: Name describes the intention of this rule. + Name should be unique within the policy. type: string ports: - description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. items: - description: NetworkPolicyPort describes the port and protocol to match in a rule. + description: NetworkPolicyPort describes the port and + protocol to match in a rule. properties: endPort: - description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. 
format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. type: string type: object type: array to: - description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. 
+ Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2993,40 +4272,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -3038,32 +4351,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -3075,24 +4417,41 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: - description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. 
properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: @@ -3100,10 +4459,16 @@ spec: type: object type: array priority: - description: Priority specfies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies. + description: Priority specfies the order of the ClusterNetworkPolicy + relative to other AntreaClusterNetworkPolicies. type: number tier: - description: Tier specifies the tier to which this ClusterNetworkPolicy belongs to. The ClusterNetworkPolicy order will be determined based on the combination of the Tier's Priority and the ClusterNetworkPolicy's own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom. + description: Tier specifies the tier to which this ClusterNetworkPolicy + belongs to. The ClusterNetworkPolicy order will be determined + based on the combination of the Tier's Priority and the ClusterNetworkPolicy's + own Priority. If not specified, this policy will be created + in the Application Tier right above the K8s NetworkPolicy which + resides at the bottom. type: string required: - priority diff --git a/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml b/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml index 3d74e21880f..b1d232b3c62 100644 --- a/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml +++ b/multicluster/build/yamls/antrea-multicluster-leader-namespaced.yml @@ -36,19 +36,17 @@ rules: - apiGroups: - "" resources: - - services + - events verbs: - create - - delete - get - list - patch - update - - watch - apiGroups: - - crd.antrea.io + - "" resources: - - clusternetworkpolicies + - services verbs: - create - delete 
@@ -60,15 +58,7 @@ rules: - apiGroups: - crd.antrea.io resources: - - tiers - verbs: - - get - - list - - watch -- apiGroups: - - multicluster.crd.antrea.io - resources: - - acnpimports + - clusternetworkpolicies verbs: - create - delete @@ -78,13 +68,13 @@ rules: - update - watch - apiGroups: - - multicluster.crd.antrea.io + - crd.antrea.io resources: - - acnpimports/status + - tiers verbs: - get - - patch - - update + - list + - watch - apiGroups: - multicluster.crd.antrea.io resources: @@ -356,6 +346,26 @@ metadata: name: antrea-mc-member-cluster-role namespace: changeme rules: +- apiGroups: + - "" + resources: + - events + verbs: + - create + - get + - list + - patch + - update +- apiGroups: + - "" + resources: + - events + verbs: + - create + - get + - list + - patch + - update - apiGroups: - multicluster.crd.antrea.io resources: diff --git a/multicluster/build/yamls/antrea-multicluster-member.yml b/multicluster/build/yamls/antrea-multicluster-member.yml index 80864adaeff..e73e304b7ad 100644 --- a/multicluster/build/yamls/antrea-multicluster-member.yml +++ b/multicluster/build/yamls/antrea-multicluster-member.yml 
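Review bot: The `antrea-mc-member-cluster-role` hunk (`@@ -356,6 +346,26 @@`) adds the identical `events` rule twice, back to back — the same `apiGroups: [""]`, `resources: [events]`, `verbs: [create, get, list, patch, update]` entry repeated — so one copy should go. This file looks like a generated build manifest, so the duplicate presumably originates in the source manifests it is assembled from and should be removed there rather than here, otherwise it will come back on the next regeneration. On least privilege: emitting status events through a client-go recorder needs `create` and `patch` (some recorder paths also use `update`); `get` and `list` on events are not needed unless a controller actually reads Events, so consider dropping them, here and in the leader role's `@@ -36,19 +36,17 @@` hunk that grants the same verb set. Narrowing the verbs matters because this Role is what a member cluster's credentials can do inside the leader namespace.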
@@ -1,78 +1,5 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null - labels: - app: antrea - name: acnpimports.multicluster.crd.antrea.io -spec: - group: multicluster.crd.antrea.io - names: - kind: ACNPImport - listKind: ACNPImportList - plural: acnpimports - singular: acnpimport - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ACNPImport describes an ACNP imported from the leader cluster in a ClusterSet. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. 
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: Status is one of {"True", "False", "Unknown"} - enum: - - "True" - - "False" - - Unknown - type: string - type: - type: string - required: - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition metadata: annotations: controller-gen.kubebuilder.io/version: v0.4.1 
@@ -453,26 +380,43 @@ spec: description: If exported resource is AntreaClusterNetworkPolicy. properties: appliedTo: - description: Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule. + description: Select workloads on which the rules will be applied + to. Cannot be set in conjunction with AppliedTo in each rule. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping selector + of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. If + set with NamespaceSelector, ExternalEntities are matched + from Namespaces matched by the NamespaceSelector. Cannot + be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -484,40 +428,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully Qualified + Domain Names prescribed by name or by wildcard match patterns. + This field can only be set for NetworkPolicyPeer of egress + rules. Supported formats are: Exact FQDNs, i.e. "google.com", + "db-svc.default.svc.cluster.local" Wildcard expressions, + i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup which + can be set as an AppliedTo or within an Ingress or Egress + rule in place of a stand-alone selector. A Group cannot + be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set as part + of the AppliedTo field. Cannot be set with any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the IP Block + Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched by + this selector, as workloads in To/From fields. If set + with PodSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. 
Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -529,32 +504,59 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer is created + for ClusterNetworkPolicy ingress/egress rules. Cannot + be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set with + NamespaceSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -566,40 +568,78 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount matched + by this field, as workloads in AppliedTo/To/From fields. + Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array egress: - description: Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the `To` field but not the `From` field within a Rule. + description: Set of egress rules evaluated based on the order + in which they are set. Currently Egress rule supports setting + the `To` field but not the `From` field within a Rule. items: - description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. properties: action: - description: Action specifies the action to be applied on the rule. + description: Action specifies the action to be applied on + the rule. 
type: string appliedTo: - description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -611,40 +651,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -656,32 +730,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -693,35 +796,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: - description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. type: boolean from: - description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -733,40 +872,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -778,32 +951,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -815,56 +1017,102 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: - description: Name describes the intention of this rule. Name should be unique within the policy. + description: Name describes the intention of this rule. + Name should be unique within the policy. type: string ports: - description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. items: - description: NetworkPolicyPort describes the port and protocol to match in a rule. + description: NetworkPolicyPort describes the port and + protocol to match in a rule. properties: endPort: - description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. 
format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. type: string type: object type: array to: - description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. 
+ Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -876,40 +1124,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -921,32 +1203,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -958,24 +1269,41 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: - description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. 
properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: 
@@ -983,34 +1311,58 @@ spec: type: object type: array ingress: - description: Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the `From` field but not the `To` field within a Rule. + description: Set of ingress rules evaluated based on the order + in which they are set. Currently Ingress rule supports setting + the `From` field but not the `To` field within a Rule. items: - description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. properties: action: - description: Action specifies the action to be applied on the rule. + description: Action specifies the action to be applied on + the rule. type: string appliedTo: - description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1022,40 +1374,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1067,32 +1453,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1104,35 +1519,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: - description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. type: boolean from: - description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1144,40 +1595,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1189,32 +1674,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1226,56 +1740,102 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: - description: Name describes the intention of this rule. Name should be unique within the policy. + description: Name describes the intention of this rule. + Name should be unique within the policy. type: string ports: - description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. items: - description: NetworkPolicyPort describes the port and protocol to match in a rule. + description: NetworkPolicyPort describes the port and + protocol to match in a rule. properties: endPort: - description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. 
format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. type: string type: object type: array to: - description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. 
+ Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1287,40 +1847,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1332,32 +1926,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -1369,24 +1992,41 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: - description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. 
properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: @@ -1394,10 +2034,16 @@ spec: type: object type: array priority: - description: Priority specfies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies. + description: Priority specfies the order of the ClusterNetworkPolicy + relative to other AntreaClusterNetworkPolicies. type: number tier: - description: Tier specifies the tier to which this ClusterNetworkPolicy belongs to. The ClusterNetworkPolicy order will be determined based on the combination of the Tier's Priority and the ClusterNetworkPolicy's own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom. + description: Tier specifies the tier to which this ClusterNetworkPolicy + belongs to. The ClusterNetworkPolicy order will be determined + based on the combination of the Tier's Priority and the ClusterNetworkPolicy's + own Priority. If not specified, this policy will be created + in the Application Tier right above the K8s NetworkPolicy which + resides at the bottom. type: string required: - priority 
@@ -2159,26 +2805,43 @@ spec: description: If imported resource is AntreaClusterNetworkPolicy. properties: appliedTo: - description: Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule. + description: Select workloads on which the rules will be applied + to. Cannot be set in conjunction with AppliedTo in each rule. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping selector + of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. If + set with NamespaceSelector, ExternalEntities are matched + from Namespaces matched by the NamespaceSelector. Cannot + be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -2190,40 +2853,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully Qualified + Domain Names prescribed by name or by wildcard match patterns. + This field can only be set for NetworkPolicyPeer of egress + rules. Supported formats are: Exact FQDNs, i.e. "google.com", + "db-svc.default.svc.cluster.local" Wildcard expressions, + i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup which + can be set as an AppliedTo or within an Ingress or Egress + rule in place of a stand-alone selector. A Group cannot + be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set as part + of the AppliedTo field. Cannot be set with any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the IP Block + Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched by + this selector, as workloads in To/From fields. If set + with PodSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. 
Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -2235,32 +2929,59 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any other + selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer is created + for ClusterNetworkPolicy ingress/egress rules. Cannot + be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set with + NamespaceSelector, Pods are matched from Namespaces matched + by the NamespaceSelector. Cannot be set with any other + selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the selector + applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. items: type: string type: array 
@@ -2272,40 +2993,78 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount matched + by this field, as workloads in AppliedTo/To/From fields. + Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array egress: - description: Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the `To` field but not the `From` field within a Rule. + description: Set of egress rules evaluated based on the order + in which they are set. Currently Egress rule supports setting + the `To` field but not the `From` field within a Rule. items: - description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. properties: action: - description: Action specifies the action to be applied on the rule. + description: Action specifies the action to be applied on + the rule. 
type: string appliedTo: - description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. 
+ description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2317,40 +3076,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2362,32 +3155,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2399,35 +3221,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: - description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. type: boolean from: - description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2439,40 +3297,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2484,32 +3376,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2521,56 +3442,102 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: - description: Name describes the intention of this rule. Name should be unique within the policy. + description: Name describes the intention of this rule. + Name should be unique within the policy. type: string ports: - description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. items: - description: NetworkPolicyPort describes the port and protocol to match in a rule. + description: NetworkPolicyPort describes the port and + protocol to match in a rule. properties: endPort: - description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. 
format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. type: string type: object type: array to: - description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. 
+ Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2582,40 +3549,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2627,32 +3628,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2664,24 +3694,41 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: - description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. 
properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: 
@@ -2689,34 +3736,58 @@ spec: type: object type: array ingress: - description: Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the `From` field but not the `To` field within a Rule. + description: Set of ingress rules evaluated based on the order + in which they are set. Currently Ingress rule supports setting + the `From` field but not the `To` field within a Rule. items: - description: Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic is either allowed or denied which exactly match the specified ports and protocol. + description: Rule describes the traffic allowed to/from the + workloads selected by Spec.AppliedTo. Based on the action + specified in the rule, traffic is either allowed or denied + which exactly match the specified ports and protocol. properties: action: - description: Action specifies the action to be applied on the rule. + description: Action specifies the action to be applied on + the rule. type: string appliedTo: - description: Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. + description: Select workloads on which this rule will be + applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. 
+ description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2728,40 +3799,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2773,32 +3878,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2810,35 +3944,71 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: - description: EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false. + description: EnableLogging is used to indicate if agent + should generate logs when rules are matched. Should be + default to false. type: boolean from: - description: Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources. + description: Rule is matched if traffic originates from + workloads selected by this field. If this field is empty, + this rule matches all sources. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. + Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2850,40 +4020,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2895,32 +4099,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2932,56 +4165,102 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: - description: Name describes the intention of this rule. Name should be unique within the policy. + description: Name describes the intention of this rule. + Name should be unique within the policy. type: string ports: - description: Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports. + description: Set of port and protocol allowed/denied by + the rule. If this field is unset or empty, this rule matches + all ports. items: - description: NetworkPolicyPort describes the port and protocol to match in a rule. + description: NetworkPolicyPort describes the port and + protocol to match in a rule. properties: endPort: - description: EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical `port` is specified. + description: EndPort defines the end of the port range, + being the end included within the range. It can + only be specified when a numerical `port` is specified. 
format: int32 type: integer port: anyOf: - type: integer - type: string - description: The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers. + description: The port on the given protocol. This + can be either a numerical or named port on a Pod. + If this field is not provided, this matches all + port names and numbers. x-kubernetes-int-or-string: true protocol: default: TCP - description: The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP. + description: The protocol (TCP, UDP, or SCTP) which + traffic must match. If not specified, this field + defaults to TCP. type: string type: object type: array to: - description: Rule is matched if traffic is intended for workloads selected by this field. This field can't be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations. + description: Rule is matched if traffic is intended for + workloads selected by this field. This field can't be + used with ToServices. If this field and ToServices are + both empty or missing this rule matches all destinations. items: - description: NetworkPolicyPeer describes the grouping selector of workloads. + description: NetworkPolicyPeer describes the grouping + selector of workloads. properties: externalEntitySelector: - description: Select ExternalEntities from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector. + description: Select ExternalEntities from NetworkPolicy's + Namespace as workloads in AppliedTo/To/From fields. + If set with NamespaceSelector, ExternalEntities + are matched from Namespaces matched by the NamespaceSelector. 
+ Cannot be set with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -2993,40 +4272,74 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object fqdn: - description: 'Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard expressions, i.e. "*wayfair.com".' + description: 'Restrict egress access to the Fully + Qualified Domain Names prescribed by name or by + wildcard match patterns. This field can only be + set for NetworkPolicyPeer of egress rules. Supported + formats are: Exact FQDNs, i.e. "google.com", "db-svc.default.svc.cluster.local" Wildcard + expressions, i.e. "*wayfair.com".' type: string group: - description: Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector. + description: Group is the name of the ClusterGroup + which can be set as an AppliedTo or within an Ingress + or Egress rule in place of a stand-alone selector. + A Group cannot be set with any other selector. type: string ipBlock: - description: IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector. 
+ description: IPBlock describes the IPAddresses/IPBlocks + that is matched in to/from. IPBlock cannot be set + as part of the AppliedTo field. Cannot be set with + any other selector. properties: cidr: - description: CIDR is a string representing the IP Block Valid examples are "192.168.1.1/24". + description: CIDR is a string representing the + IP Block Valid examples are "192.168.1.1/24". type: string required: - cidr type: object namespaceSelector: - description: Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces. + description: Select all Pods from Namespaces matched + by this selector, as workloads in To/From fields. + If set with PodSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except PodSelector or ExternalEntitySelector. + Cannot be set with Namespaces. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. 
Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -3038,32 +4351,61 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object namespaces: - description: 'Select Pod/ExternalEntity from Namespaces matched by specifc criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.' + description: 'Select Pod/ExternalEntity from Namespaces + matched by specifc criteria. Current supported criteria + is match: Self, which selects from the same Namespace + of the appliedTo workloads. Cannot be set with any + other selector except PodSelector or ExternalEntitySelector. + This field can only be set when NetworkPolicyPeer + is created for ClusterNetworkPolicy ingress/egress + rules. Cannot be set with NamespaceSelector.' properties: match: - description: NamespaceMatchType describes Namespace matching strategy. + description: NamespaceMatchType describes Namespace + matching strategy. type: string type: object podSelector: - description: Select Pods from NetworkPolicy's Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. 
Cannot be set with any other selector except NamespaceSelector. + description: Select Pods from NetworkPolicy's Namespace + as workloads in AppliedTo/To/From fields. If set + with NamespaceSelector, Pods are matched from Namespaces + matched by the NamespaceSelector. Cannot be set + with any other selector except NamespaceSelector. properties: matchExpressions: - description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. items: - description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + description: A label selector requirement is + a selector that contains values, a key, and + an operator that relates the key and values. properties: key: - description: key is the label key that the selector applies to. + description: key is the label key that the + selector applies to. type: string operator: - description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + description: operator represents a key's + relationship to a set of values. Valid + operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + description: values is an array of string + values. If the operator is In or NotIn, + the values array must be non-empty. If + the operator is Exists or DoesNotExist, + the values array must be empty. This array + is replaced during a strategic merge patch. items: type: string type: array 
@@ -3075,24 +4417,41 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + description: matchLabels is a map of {key,value} + pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, + whose key field is "key", the operator is "In", + and the values array contains only "value". + The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: - description: Rule is matched if traffic is intended for a Service listed in this field. Currently only ClusterIP types Services are supported in this field. This field can only be used when AntreaProxy is enabled. This field can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. + description: Rule is matched if traffic is intended for + a Service listed in this field. Currently only ClusterIP + types Services are supported in this field. This field + can only be used when AntreaProxy is enabled. This field + can't be used with To or Ports. If this field and To are + both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. 
properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: @@ -3100,10 +4459,16 @@ spec: type: object type: array priority: - description: Priority specfies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies. + description: Priority specfies the order of the ClusterNetworkPolicy + relative to other AntreaClusterNetworkPolicies. type: number tier: - description: Tier specifies the tier to which this ClusterNetworkPolicy belongs to. The ClusterNetworkPolicy order will be determined based on the combination of the Tier's Priority and the ClusterNetworkPolicy's own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom. + description: Tier specifies the tier to which this ClusterNetworkPolicy + belongs to. The ClusterNetworkPolicy order will be determined + based on the combination of the Tier's Priority and the ClusterNetworkPolicy's + own Priority. If not specified, this policy will be created + in the Application Tier right above the K8s NetworkPolicy which + resides at the bottom. type: string required: - priority @@ -3914,19 +5279,17 @@ rules: - apiGroups: - "" resources: - - services + - events verbs: - create - - delete - get - list - patch - update - - watch - apiGroups: - - crd.antrea.io + - "" resources: - - clusternetworkpolicies + - services verbs: - create - delete @@ -3938,15 +5301,7 @@ rules: - apiGroups: - crd.antrea.io resources: - - tiers - verbs: - - get - - list - - watch -- apiGroups: - - multicluster.crd.antrea.io - resources: - - acnpimports + - clusternetworkpolicies verbs: - create - delete 
@@ -3956,13 +5311,13 @@ rules: - update - watch - apiGroups: - - multicluster.crd.antrea.io + - crd.antrea.io resources: - - acnpimports/status + - tiers verbs: - get - - patch - - update + - list + - watch - apiGroups: - multicluster.crd.antrea.io resources: diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_acnpimports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_acnpimports.yaml deleted file mode 100644 index 7821d2e745a..00000000000 --- a/multicluster/config/crd/bases/multicluster.crd.antrea.io_acnpimports.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ - ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.4.1 - creationTimestamp: null - name: acnpimports.multicluster.crd.antrea.io -spec: - group: multicluster.crd.antrea.io - names: - kind: ACNPImport - listKind: ACNPImportList - plural: acnpimports - singular: acnpimport - scope: Cluster - versions: - - name: v1alpha1 - schema: - openAPIV3Schema: - description: ACNPImport describes an ACNP imported from the leader cluster - in a ClusterSet. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - status: - properties: - conditions: - items: - properties: - lastTransitionTime: - format: date-time - type: string - message: - type: string - reason: - type: string - status: - description: Status is one of {"True", "False", "Unknown"} - enum: - - "True" - - "False" - - Unknown - type: string - type: - type: string - required: - - status - - type - type: object - type: array - x-kubernetes-list-map-keys: - - type - x-kubernetes-list-type: map - type: object - type: object - served: true - storage: true - subresources: - status: {} -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] 
diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml index 7539481a70a..32993f38ba1 100644 --- a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml +++ b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceexports.yaml @@ -239,6 +239,16 @@ spec: contains only "value". The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount matched + by this field, as workloads in AppliedTo/To/From fields. + Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array egress: @@ -458,6 +468,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: @@ -669,6 +689,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: @@ -911,6 +941,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: 
@@ -921,17 +961,13 @@ spec: can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to - a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: @@ -1155,6 +1191,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: @@ -1366,6 +1412,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: @@ -1608,6 +1664,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: 
@@ -1618,17 +1684,13 @@ spec: can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to - a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: diff --git a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml index ef9b9827319..8790288ea66 100644 --- a/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml +++ b/multicluster/config/crd/bases/multicluster.crd.antrea.io_resourceimports.yaml @@ -241,6 +241,16 @@ spec: contains only "value". The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount matched + by this field, as workloads in AppliedTo/To/From fields. + Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array egress: @@ -460,6 +470,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: 
@@ -671,6 +691,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: @@ -913,6 +943,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: @@ -923,17 +963,13 @@ spec: can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to - a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: @@ -1157,6 +1193,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array enableLogging: 
@@ -1368,6 +1414,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array name: @@ -1610,6 +1666,16 @@ spec: The requirements are ANDed. type: object type: object + serviceAccount: + description: Select all Pods with the ServiceAccount + matched by this field, as workloads in AppliedTo/To/From + fields. Cannot be set with any other selector. + properties: + name: + type: string + namespace: + type: string + type: object type: object type: array toServices: @@ -1620,17 +1686,13 @@ spec: can't be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations. items: - description: ServiceReference represents a reference to - a v1.Service. + description: NamespacedName refers to a Namespace scoped + resource. All fields must be used together. properties: name: - description: Name of the Service type: string namespace: - description: Namespace of the Service type: string - required: - - name type: object type: array required: diff --git a/multicluster/config/crd/kustomization.yaml b/multicluster/config/crd/kustomization.yaml index 87c307449eb..7f77de35ec8 100644 --- a/multicluster/config/crd/kustomization.yaml +++ b/multicluster/config/crd/kustomization.yaml @@ -9,7 +9,6 @@ resources: - bases/multicluster.crd.antrea.io_resourceimportfilters.yaml - bases/multicluster.crd.antrea.io_resourceexports.yaml - bases/multicluster.crd.antrea.io_resourceimports.yaml -- bases/multicluster.crd.antrea.io_acnpimports.yaml - k8smcs/multicluster.x-k8s.io_serviceexports.yaml - k8smcs/multicluster.x-k8s.io_serviceimports.yaml #+kubebuilder:scaffold:crdkustomizeresource 
diff --git a/multicluster/config/overlays/leader-ns/member_cluster_role.yaml b/multicluster/config/overlays/leader-ns/member_cluster_role.yaml index 66201435698..0357f3f2131 100644 --- a/multicluster/config/overlays/leader-ns/member_cluster_role.yaml +++ b/multicluster/config/overlays/leader-ns/member_cluster_role.yaml @@ -6,6 +6,16 @@ metadata: name: member-cluster-role namespace: changeme rules: + - apiGroups: + - "" + resources: + - events + verbs: + - create + - get + - list + - patch + - update - apiGroups: - multicluster.crd.antrea.io resources: diff --git a/multicluster/config/rbac/role.yaml b/multicluster/config/rbac/role.yaml index 2f69305e473..d471b756f65 100644 --- a/multicluster/config/rbac/role.yaml +++ b/multicluster/config/rbac/role.yaml @@ -21,19 +21,17 @@ rules: - apiGroups: - "" resources: - - services + - events verbs: - create - - delete - get - list - patch - update - - watch - apiGroups: - - crd.antrea.io + - "" resources: - - clusternetworkpolicies + - services verbs: - create - delete @@ -45,15 +43,7 @@ rules: - apiGroups: - crd.antrea.io resources: - - tiers - verbs: - - get - - list - - watch -- apiGroups: - - multicluster.crd.antrea.io - resources: - - acnpimports + - clusternetworkpolicies verbs: - create - delete @@ -63,13 +53,13 @@ rules: - update - watch - apiGroups: - - multicluster.crd.antrea.io + - crd.antrea.io resources: - - acnpimports/status + - tiers verbs: - get - - patch - - update + - list + - watch - apiGroups: - multicluster.crd.antrea.io resources: diff --git a/multicluster/controllers/multicluster/commonarea/acnpimport_controller.go b/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller.go similarity index 57% rename from multicluster/controllers/multicluster/commonarea/acnpimport_controller.go rename to multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller.go index 8134cead088..d8d09c7693a 100644 
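Review bot: The new `events` rule in member_cluster_role.yaml grants `get`, `list`, `patch` and `update` on top of `create`, but the controller code in this commit only ever calls `Create` for the status Event on the remote common area, so each member cluster's identity ends up able to read and rewrite every Event in the leader namespace, including the import-status Events written by other members. Since this role is the credential handed out to each member, narrowing it to `- create` (adding `patch` only if Event aggregation is introduced later) keeps a compromised member from forging or altering another member's reported status. The same verb list comes from the `//+kubebuilder:rbac:groups="",resources=events,verbs=get;list;update;create;patch` marker on resourceimport_controller.go later in this diff, and from there into config/rbac/role.yaml and the generated leader/member manifests, so the marker is the place to trim it.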
--- a/multicluster/controllers/multicluster/commonarea/acnpimport_controller.go +++ b/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller.go @@ -1,12 +1,9 @@ /* Copyright 2022 Antrea Authors. - Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at - http://www.apache.org/licenses/LICENSE-2.0 - Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -19,6 +16,7 @@ package commonarea import ( "context" "errors" + "math/rand" corev1 "k8s.io/api/core/v1" apiequality "k8s.io/apimachinery/pkg/api/equality" 
@@ -34,16 +32,28 @@ import ( "antrea.io/antrea/pkg/apis/crd/v1alpha1" ) +const ( + nameSuffixLength int = 5 + acnpImportStatusPrefix string = "acnp-import-status-" + acnpImportSucceeded string = "ACNPImportSucceeded" + acnpImportFailed string = "ACNPImportFailed" +) + +var ( + resourceImportAPIVersion = "multicluster.crd.antrea.io/v1alpha1" + resourceImportKind = "ResourceImport" + acnpEventReportingController = "resourceimport-controller" + // TODO(yang): add run-time pod suffix + acnpEventReportingInstance = "antrea-mc-controller" + lettersAndDigits = []rune("abcdefghijklmnopqrstuvwxyz0123456789") +) + func (r *ResourceImportReconciler) handleResImpUpdateForClusterNetworkPolicy(ctx context.Context, resImp *multiclusterv1alpha1.ResourceImport) (ctrl.Result, error) { - acnpImpName := types.NamespacedName{ - Namespace: "", - Name: resImp.Spec.Name, - } acnpName := types.NamespacedName{ Namespace: "", Name: common.AntreaMCSPrefix + resImp.Spec.Name, } - klog.InfoS("Updating ACNP and ACNPImport corresponding to ResourceImport", + klog.InfoS("Updating ACNP corresponding to ResourceImport", "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp)) acnp := &v1alpha1.ClusterNetworkPolicy{} 
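Review bot: `resourceImportAPIVersion`, `resourceImportKind`, `acnpEventReportingController` and `acnpEventReportingInstance` are string literals that are never reassigned, yet they sit in the `var` block beside the genuinely mutable `lettersAndDigits`; moving them into the `const` block above makes them unmodifiable at runtime and reads as the fixed identifiers they are. With `acnpEventReportingInstance = "antrea-mc-controller"` every replica reports the same instance, which the TODO acknowledges; the usual value is the pod name (e.g. from a downward-API env var), which also lets an Event be attributed to a specific replica when debugging. handleResImpUpdateForClusterNetworkPolicy continues past the end of this hunk.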
@@ -86,85 +96,63 @@ func (r *ResourceImportReconciler) handleResImpUpdateForClusterNetworkPolicy(ctx return ctrl.Result{}, err } } - acnpImp := &multiclusterv1alpha1.ACNPImport{} - err = r.localClusterClient.Get(ctx, acnpImpName, acnpImp) - acnpImpNotFound := apierrors.IsNotFound(err) - if err != nil && !acnpImpNotFound { - klog.ErrorS(err, "failed to get existing ACNPImports") - return ctrl.Result{}, err - } - // acnpImport status will be realizable=False if Tier is not found on this member cluster, and realizable=True otherwise. - acnpImpObj, isRealizable := getACNPImport(resImp, tierNotFound) - if acnpImpNotFound { - err := r.localClusterClient.Create(ctx, acnpImpObj, &client.CreateOptions{}) - if err != nil { - klog.ErrorS(err, "failed to create ACNPImport", "acnpimport", klog.KObj(acnpImpObj)) - return ctrl.Result{}, err - } - r.installedResImports.Add(*resImp) + + statusEvent := &corev1.Event{ + ObjectMeta: metav1.ObjectMeta{ + Name: randName(acnpImportStatusPrefix + r.localClusterID + "-"), + Namespace: resImp.Namespace, + }, + InvolvedObject: corev1.ObjectReference{ + APIVersion: resourceImportAPIVersion, + Kind: resourceImportKind, + Name: resImp.Name, + Namespace: resImp.Namespace, + UID: resImp.GetUID(), + }, + FirstTimestamp: metav1.Now(), + LastTimestamp: metav1.Now(), + ReportingController: acnpEventReportingController, + ReportingInstance: acnpEventReportingInstance, + Action: "reconciled", } - patchACNPImportStatus := false - if len(acnpImp.Status.Conditions) == 0 { - acnpImp.Status = acnpImpObj.Status - patchACNPImportStatus = true + if tierNotFound { + statusEvent.Type = corev1.EventTypeWarning + statusEvent.Reason = acnpImportFailed + statusEvent.Message = "ACNP Tier does not exist in the importing cluster " + r.localClusterID } else { - for _, c := range acnpImp.Status.Conditions { - if c.Type == multiclusterv1alpha1.ACNPImportRealizable && c.Status != isRealizable { - acnpImp.Status = acnpImpObj.Status - patchACNPImportStatus = true - } - } + 
statusEvent.Type = corev1.EventTypeNormal + statusEvent.Reason = acnpImportSucceeded + statusEvent.Message = "ACNP successfully created in the importing cluster " + r.localClusterID } - // Patch ACNPImport status if realizable state has changed. - if patchACNPImportStatus { - if err := r.localClusterClient.Status().Update(ctx, acnpImp); err != nil { - klog.ErrorS(err, "failed to update acnpImport status", "acnpImport", klog.KObj(acnpImp)) - } + if err = r.remoteCommonArea.Create(ctx, statusEvent, &client.CreateOptions{}); err != nil { + klog.ErrorS(err, "failed to create acnp import event for resourceimport", "resImp", klog.KObj(resImp)) + return ctrl.Result{}, err } return ctrl.Result{}, nil } func (r *ResourceImportReconciler) handleResImpDeleteForClusterNetworkPolicy(ctx context.Context, resImp *multiclusterv1alpha1.ResourceImport) (ctrl.Result, error) { - acnpImpName := types.NamespacedName{ - Namespace: "", - Name: resImp.Spec.Name, - } acnpName := types.NamespacedName{ Namespace: "", Name: common.AntreaMCSPrefix + resImp.Spec.Name, } - klog.InfoS("Deleting ACNP and ACNPImport corresponding to ResourceImport", + klog.InfoS("Deleting ACNP corresponding to ResourceImport", "acnp", acnpName.String(), "resourceimport", klog.KObj(resImp)) - var err error - cleanupACNPImport := func() (ctrl.Result, error) { - acnpImp := &multiclusterv1alpha1.ACNPImport{} - err = r.localClusterClient.Get(ctx, acnpImpName, acnpImp) - if err != nil { - return ctrl.Result{}, client.IgnoreNotFound(err) - } - err = r.localClusterClient.Delete(ctx, acnpImp, &client.DeleteOptions{}) - if err != nil { - return ctrl.Result{}, client.IgnoreNotFound(err) - } - return ctrl.Result{}, nil - } - acnp := &v1alpha1.ClusterNetworkPolicy{} - err = r.localClusterClient.Get(ctx, acnpName, acnp) + err := r.localClusterClient.Get(ctx, acnpName, acnp) if err != nil { if apierrors.IsNotFound(err) { klog.V(2).InfoS("ACNP corresponding to ResourceImport has already been deleted", "acnp", acnpName.String(), 
"resourceimport", klog.KObj(resImp)) - return cleanupACNPImport() + return ctrl.Result{}, nil } return ctrl.Result{}, err } - err = r.localClusterClient.Delete(ctx, acnp, &client.DeleteOptions{}) - if err != nil { + if err = r.localClusterClient.Delete(ctx, acnp, &client.DeleteOptions{}); err != nil { return ctrl.Result{}, err } - return cleanupACNPImport() + return ctrl.Result{}, nil } func getMCAntreaClusterPolicy(resImp *multiclusterv1alpha1.ResourceImport) *v1alpha1.ClusterNetworkPolicy { 
@@ -182,37 +170,16 @@ func getMCAntreaClusterPolicy(resImp *multiclusterv1alpha1.ResourceImport) *v1al } } -func getACNPImport(resImp *multiclusterv1alpha1.ResourceImport, tierNotFound bool) (*multiclusterv1alpha1.ACNPImport, corev1.ConditionStatus) { - if resImp.Spec.ClusterNetworkPolicy == nil { - return nil, corev1.ConditionFalse - } - status, isRealizable := getACNPImportStatus(tierNotFound) - return &multiclusterv1alpha1.ACNPImport{ - ObjectMeta: metav1.ObjectMeta{ - Name: resImp.Spec.Name, - }, - Status: multiclusterv1alpha1.ACNPImportStatus{ - Conditions: []multiclusterv1alpha1.ACNPImportCondition{status}, - }, - }, isRealizable +func randSeq(n int) string { + b := make([]rune, n) + for i := range b { + // #nosec G404: random number generator not used for security purposes + randIdx := rand.Intn(len(lettersAndDigits)) + b[i] = lettersAndDigits[randIdx] + } + return string(b) } -func getACNPImportStatus(tierNotFound bool) (multiclusterv1alpha1.ACNPImportCondition, corev1.ConditionStatus) { - tierNotFoundReason := "TierNotFound" - tierNotFoundMessage := "ACNP Tier does not exist in the importing cluster" - time := metav1.Now() - if tierNotFound { - return multiclusterv1alpha1.ACNPImportCondition{ - Type: multiclusterv1alpha1.ACNPImportRealizable, - Status: corev1.ConditionFalse, - LastTransitionTime: &time, - Reason: &tierNotFoundReason, - Message: &tierNotFoundMessage, - }, corev1.ConditionFalse - } - return multiclusterv1alpha1.ACNPImportCondition{ - Type: multiclusterv1alpha1.ACNPImportRealizable, - Status: corev1.ConditionTrue, - LastTransitionTime: &time, - }, corev1.ConditionTrue +func randName(prefix string) string { + return prefix + randSeq(nameSuffixLength) } 
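Review bot: randSeq draws from math/rand's global source without seeding it; on the Go versions in use here that sequence is deterministic from process start unless something else in the binary seeds it, so after a controller restart `randName(acnpImportStatusPrefix + r.localClusterID + "-")` can reproduce names the previous process generated and `Create` fails with AlreadyExists while those Events still exist. Letting the apiserver choose the suffix removes both the seeding question and the collision: set `GenerateName: acnpImportStatusPrefix + r.localClusterID + "-",` on the Event's ObjectMeta in place of `Name: randName(...)`, after which randSeq and randName can go. If a local generator is kept instead, `rand.New(rand.NewSource(time.Now().UnixNano()))` owned by the reconciler is the usual shape; the `#nosec G404` note is appropriate since these names carry no secrecy requirement.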
diff --git a/multicluster/controllers/multicluster/commonarea/acnpimport_controller_test.go b/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller_test.go similarity index 83% rename from multicluster/controllers/multicluster/commonarea/acnpimport_controller_test.go rename to multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller_test.go index 8a9b7ed5eef..9304c2cfa95 100644 --- a/multicluster/controllers/multicluster/commonarea/acnpimport_controller_test.go +++ b/multicluster/controllers/multicluster/commonarea/acnp_resourceimport_controller_test.go @@ -21,7 +21,6 @@ import ( "testing" "github.com/stretchr/testify/assert" - corev1 "k8s.io/api/core/v1" apierrors "k8s.io/apimachinery/pkg/api/errors" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" "k8s.io/apimachinery/pkg/types" 
@@ -148,20 +147,7 @@ func TestResourceImportReconciler_handleCopySpanACNPCreateEvent(t *testing.T) { } else if !tt.expectedSuccess && (err == nil || !apierrors.IsNotFound(err)) { t.Errorf("ResourceImport Reconciler should not import an ACNP whose Tier does not exist in current cluster. Expected NotFound error. Actual err = %v", err) } - acnpImport := &mcsv1alpha1.ACNPImport{} - if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: tt.acnpImportName}, acnpImport); err != nil { - t.Errorf("ResourceImport Reconciler should create ACNPImport for ACNP type resouc") - } - status := acnpImport.Status.Conditions - if len(status) > 0 && status[0].Type == mcsv1alpha1.ACNPImportRealizable { - if tt.expectedSuccess && status[0].Status != corev1.ConditionTrue { - t.Errorf("ACNPImport %v realizable status should be True but is %v instead", acnpImportName, status[0].Status) - } else if !tt.expectedSuccess && status[0].Status != corev1.ConditionFalse { - t.Errorf("ACNPImport %v realizable status should be False but is %v instead", acnpImportName, status[0].Status) - } - } else { - t.Errorf("No realizable status provided for ACNPImport %v", acnpImportName) - } + //TODO(yang): add Event creation tests } }) } @@ -177,13 +163,8 @@ func TestResourceImportReconciler_handleCopySpanACNPDeleteEvent(t *testing.T) { Name: common.AntreaMCSPrefix + acnpImportName, }, } - existingACNPImport := &mcsv1alpha1.ACNPImport{ - ObjectMeta: metav1.ObjectMeta{ - Name: acnpImportName, - }, - } - fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingACNP, existingACNPImport).Build() + fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingACNP).Build() fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).Build() remoteCluster := NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default") 
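Review bot: Replacing the ACNPImport status assertions with `//TODO(yang): add Event creation tests` leaves TestResourceImportReconciler_handleCopySpanACNPCreateEvent checking only that the ACNP was or was not created, so a regression in the new Event path (wrong `Reason`, wrong `Type`, Event written to the wrong namespace, or not written at all) passes this test. The fake remote client used in the sibling tests makes this cheap to cover: list a `corev1.EventList` from it in the ResourceImport's namespace and assert one Event whose `Reason` is `ACNPImportSucceeded` when `tt.expectedSuccess` and `ACNPImportFailed` otherwise, with `Type` matching `corev1.EventTypeNormal`/`corev1.EventTypeWarning`. That needs the `corev1` import this diff removes from the test file to be restored. The test function begins before this hunk.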
@@ -197,10 +178,6 @@ func TestResourceImportReconciler_handleCopySpanACNPDeleteEvent(t *testing.T) { if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: common.AntreaMCSPrefix + acnpImportName}, acnp); !apierrors.IsNotFound(err) { t.Errorf("ResourceImport Reconciler should delete ACNP successfully but got error = %v", err) } - acnpImport := &mcsv1alpha1.ACNPImport{} - if err := fakeClient.Get(ctx, types.NamespacedName{Namespace: "", Name: acnpImportName}, acnpImport); !apierrors.IsNotFound(err) { - t.Errorf("ResourceImport Reconciler should delete ACNPImport successfully but got error = %v", err) - } } func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) { @@ -233,32 +210,6 @@ func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) { }, }, } - existingACNPImport1 := &mcsv1alpha1.ACNPImport{ - ObjectMeta: metav1.ObjectMeta{ - Name: acnpImportName, - }, - Status: mcsv1alpha1.ACNPImportStatus{ - Conditions: []mcsv1alpha1.ACNPImportCondition{ - { - Type: mcsv1alpha1.ACNPImportRealizable, - Status: corev1.ConditionTrue, - }, - }, - }, - } - existingACNPImport2 := &mcsv1alpha1.ACNPImport{ - ObjectMeta: metav1.ObjectMeta{ - Name: "acnp-no-matching-tier", - }, - Status: mcsv1alpha1.ACNPImportStatus{ - Conditions: []mcsv1alpha1.ACNPImportCondition{ - { - Type: mcsv1alpha1.ACNPImportRealizable, - Status: corev1.ConditionFalse, - }, - }, - }, - } updatedResImport2 := &mcsv1alpha1.ResourceImport{ ObjectMeta: metav1.ObjectMeta{ Namespace: leaderNamespace, 
@@ -289,19 +240,6 @@ func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) {
 },
 },
 }
- existingACNPImport3 := &mcsv1alpha1.ACNPImport{
- ObjectMeta: metav1.ObjectMeta{
- Name: "valid-updated-to-no-valid",
- },
- Status: mcsv1alpha1.ACNPImportStatus{
- Conditions: []mcsv1alpha1.ACNPImportCondition{
- {
- Type: mcsv1alpha1.ACNPImportRealizable,
- Status: corev1.ConditionTrue,
- },
- },
- },
- }
 updatedResImport3 := &mcsv1alpha1.ResourceImport{
 ObjectMeta: metav1.ObjectMeta{
 Namespace: leaderNamespace,
@@ -340,8 +278,7 @@ func TestResourceImportReconciler_handleCopySpanACNPUpdateEvent(t *testing.T) {
 },
 }
- fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingACNP1, existingACNPImport1, existingACNPImport2,
- existingACNP3, existingACNPImport3, existingACNP4, securityOpsTier).Build()
+ fakeClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(existingACNP1, existingACNP3, existingACNP4, securityOpsTier).Build()
 fakeRemoteClient := fake.NewClientBuilder().WithScheme(scheme).WithObjects(acnpResImport, updatedResImport2, updatedResImport3).Build()
 remoteCluster := NewFakeRemoteCommonArea(scheme, &remoteMgr, fakeRemoteClient, "leader-cluster", "default")
diff --git a/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go b/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go
index 5bd849be1da..9d6b0c08abc 100644
--- a/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go
+++ b/multicluster/controllers/multicluster/commonarea/resourceimport_controller.go
@@ -81,13 +81,12 @@ func NewResourceImportReconciler(client client.Client, scheme *runtime.Scheme, l
 //+kubebuilder:rbac:groups=crd.antrea.io,resources=tiers,verbs=get;list;watch
 //+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=resourceimports,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=resourceimports/status,verbs=get;update;patch
-//+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=acnpimports,verbs=get;list;watch;create;update;patch;delete
-//+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=acnpimports/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups=multicluster.crd.antrea.io,resources=resourceimports/finalizers,verbs=update
 //+kubebuilder:rbac:groups=multicluster.x-k8s.io,resources=serviceimports,verbs=get;list;watch;create;update;patch;delete
 //+kubebuilder:rbac:groups=multicluster.x-k8s.io,resources=serviceimports/status,verbs=get;update;patch
 //+kubebuilder:rbac:groups="",resources=endpoints,verbs=get;list;watch;update;create;patch;delete
 //+kubebuilder:rbac:groups="",resources=services,verbs=get;list;watch;update;create;patch;delete
+//+kubebuilder:rbac:groups="",resources=events,verbs=get;list;update;create;patch
 // Reconcile will attempt to ensure that the imported Resource is installed in local cluster as per the
 // ResourceImport object.
diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/acnpimport.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/acnpimport.go
deleted file mode 100644
index c5359933c4b..00000000000
--- a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/acnpimport.go
+++ /dev/null
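Review bot: The new events marker grants `get;list;update` on core `events` on top of the `create;patch` that a client-go EventRecorder actually uses, and because this marker is the source for the generated role manifests (the diffstat shows `multicluster/config/rbac/role.yaml` and the leader-ns member cluster role changing), the controller's service account ends up broader than the feature needs. The recorder creates new events and patches an existing one when it aggregates duplicates; it never lists or updates them, and cluster-wide `list` on events lets a compromised controller read event data belonging to every other workload. The conventional marker for an EventRecorder is `//+kubebuilder:rbac:groups="",resources=events,verbs=create;patch`; after narrowing it the role manifests should be regenerated so the rendered ClusterRole matches.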
@@ -1,183 +0,0 @@ -/* -Copyright 2021 Antrea Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ -// Code generated by client-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - "context" - "time" - - v1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" - scheme "antrea.io/antrea/multicluster/pkg/client/clientset/versioned/scheme" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - types "k8s.io/apimachinery/pkg/types" - watch "k8s.io/apimachinery/pkg/watch" - rest "k8s.io/client-go/rest" -) - -// ACNPImportsGetter has a method to return a ACNPImportInterface. -// A group's client should implement this interface. -type ACNPImportsGetter interface { - ACNPImports() ACNPImportInterface -} - -// ACNPImportInterface has methods to work with ACNPImport resources. 
-type ACNPImportInterface interface { - Create(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.CreateOptions) (*v1alpha1.ACNPImport, error) - Update(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (*v1alpha1.ACNPImport, error) - UpdateStatus(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (*v1alpha1.ACNPImport, error) - Delete(ctx context.Context, name string, opts v1.DeleteOptions) error - DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error - Get(ctx context.Context, name string, opts v1.GetOptions) (*v1alpha1.ACNPImport, error) - List(ctx context.Context, opts v1.ListOptions) (*v1alpha1.ACNPImportList, error) - Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) - Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ACNPImport, err error) - ACNPImportExpansion -} - -// aCNPImports implements ACNPImportInterface -type aCNPImports struct { - client rest.Interface -} - -// newACNPImports returns a ACNPImports -func newACNPImports(c *MulticlusterV1alpha1Client) *aCNPImports { - return &aCNPImports{ - client: c.RESTClient(), - } -} - -// Get takes name of the aCNPImport, and returns the corresponding aCNPImport object, and an error if there is any. -func (c *aCNPImports) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ACNPImport, err error) { - result = &v1alpha1.ACNPImport{} - err = c.client.Get(). - Resource("acnpimports"). - Name(name). - VersionedParams(&options, scheme.ParameterCodec). - Do(ctx). - Into(result) - return -} - -// List takes label and field selectors, and returns the list of ACNPImports that match those selectors. 
-func (c *aCNPImports) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ACNPImportList, err error) { - var timeout time.Duration - if opts.TimeoutSeconds != nil { - timeout = time.Duration(*opts.TimeoutSeconds) * time.Second - } - result = &v1alpha1.ACNPImportList{} - err = c.client.Get(). - Resource("acnpimports"). - VersionedParams(&opts, scheme.ParameterCodec). - Timeout(timeout). - Do(ctx). - Into(result) - return -} - -// Watch returns a watch.Interface that watches the requested aCNPImports. -func (c *aCNPImports) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { - var timeout time.Duration - if opts.TimeoutSeconds != nil { - timeout = time.Duration(*opts.TimeoutSeconds) * time.Second - } - opts.Watch = true - return c.client.Get(). - Resource("acnpimports"). - VersionedParams(&opts, scheme.ParameterCodec). - Timeout(timeout). - Watch(ctx) -} - -// Create takes the representation of a aCNPImport and creates it. Returns the server's representation of the aCNPImport, and an error, if there is any. -func (c *aCNPImports) Create(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.CreateOptions) (result *v1alpha1.ACNPImport, err error) { - result = &v1alpha1.ACNPImport{} - err = c.client.Post(). - Resource("acnpimports"). - VersionedParams(&opts, scheme.ParameterCodec). - Body(aCNPImport). - Do(ctx). - Into(result) - return -} - -// Update takes the representation of a aCNPImport and updates it. Returns the server's representation of the aCNPImport, and an error, if there is any. -func (c *aCNPImports) Update(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (result *v1alpha1.ACNPImport, err error) { - result = &v1alpha1.ACNPImport{} - err = c.client.Put(). - Resource("acnpimports"). - Name(aCNPImport.Name). - VersionedParams(&opts, scheme.ParameterCodec). - Body(aCNPImport). - Do(ctx). - Into(result) - return -} - -// UpdateStatus was generated because the type contains a Status member. 
-// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). -func (c *aCNPImports) UpdateStatus(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (result *v1alpha1.ACNPImport, err error) { - result = &v1alpha1.ACNPImport{} - err = c.client.Put(). - Resource("acnpimports"). - Name(aCNPImport.Name). - SubResource("status"). - VersionedParams(&opts, scheme.ParameterCodec). - Body(aCNPImport). - Do(ctx). - Into(result) - return -} - -// Delete takes name of the aCNPImport and deletes it. Returns an error if one occurs. -func (c *aCNPImports) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { - return c.client.Delete(). - Resource("acnpimports"). - Name(name). - Body(&opts). - Do(ctx). - Error() -} - -// DeleteCollection deletes a collection of objects. -func (c *aCNPImports) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { - var timeout time.Duration - if listOpts.TimeoutSeconds != nil { - timeout = time.Duration(*listOpts.TimeoutSeconds) * time.Second - } - return c.client.Delete(). - Resource("acnpimports"). - VersionedParams(&listOpts, scheme.ParameterCodec). - Timeout(timeout). - Body(&opts). - Do(ctx). - Error() -} - -// Patch applies the patch and returns the patched aCNPImport. -func (c *aCNPImports) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ACNPImport, err error) { - result = &v1alpha1.ACNPImport{} - err = c.client.Patch(pt). - Resource("acnpimports"). - Name(name). - SubResource(subresources...). - VersionedParams(&opts, scheme.ParameterCodec). - Body(data). - Do(ctx). - Into(result) - return -} 
diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_acnpimport.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_acnpimport.go deleted file mode 100644 index 5af9bd4660f..00000000000 --- a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_acnpimport.go +++ /dev/null 
@@ -1,132 +0,0 @@ -/* -Copyright 2021 Antrea Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ -// Code generated by client-gen. DO NOT EDIT. - -package fake - -import ( - "context" - - v1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - labels "k8s.io/apimachinery/pkg/labels" - schema "k8s.io/apimachinery/pkg/runtime/schema" - types "k8s.io/apimachinery/pkg/types" - watch "k8s.io/apimachinery/pkg/watch" - testing "k8s.io/client-go/testing" -) - -// FakeACNPImports implements ACNPImportInterface -type FakeACNPImports struct { - Fake *FakeMulticlusterV1alpha1 -} - -var acnpimportsResource = schema.GroupVersionResource{Group: "multicluster.crd.antrea.io", Version: "v1alpha1", Resource: "acnpimports"} - -var acnpimportsKind = schema.GroupVersionKind{Group: "multicluster.crd.antrea.io", Version: "v1alpha1", Kind: "ACNPImport"} - -// Get takes name of the aCNPImport, and returns the corresponding aCNPImport object, and an error if there is any. -func (c *FakeACNPImports) Get(ctx context.Context, name string, options v1.GetOptions) (result *v1alpha1.ACNPImport, err error) { - obj, err := c.Fake. - Invokes(testing.NewRootGetAction(acnpimportsResource, name), &v1alpha1.ACNPImport{}) - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.ACNPImport), err -} - -// List takes label and field selectors, and returns the list of ACNPImports that match those selectors. 
-func (c *FakeACNPImports) List(ctx context.Context, opts v1.ListOptions) (result *v1alpha1.ACNPImportList, err error) { - obj, err := c.Fake. - Invokes(testing.NewRootListAction(acnpimportsResource, acnpimportsKind, opts), &v1alpha1.ACNPImportList{}) - if obj == nil { - return nil, err - } - - label, _, _ := testing.ExtractFromListOptions(opts) - if label == nil { - label = labels.Everything() - } - list := &v1alpha1.ACNPImportList{ListMeta: obj.(*v1alpha1.ACNPImportList).ListMeta} - for _, item := range obj.(*v1alpha1.ACNPImportList).Items { - if label.Matches(labels.Set(item.Labels)) { - list.Items = append(list.Items, item) - } - } - return list, err -} - -// Watch returns a watch.Interface that watches the requested aCNPImports. -func (c *FakeACNPImports) Watch(ctx context.Context, opts v1.ListOptions) (watch.Interface, error) { - return c.Fake. - InvokesWatch(testing.NewRootWatchAction(acnpimportsResource, opts)) -} - -// Create takes the representation of a aCNPImport and creates it. Returns the server's representation of the aCNPImport, and an error, if there is any. -func (c *FakeACNPImports) Create(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.CreateOptions) (result *v1alpha1.ACNPImport, err error) { - obj, err := c.Fake. - Invokes(testing.NewRootCreateAction(acnpimportsResource, aCNPImport), &v1alpha1.ACNPImport{}) - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.ACNPImport), err -} - -// Update takes the representation of a aCNPImport and updates it. Returns the server's representation of the aCNPImport, and an error, if there is any. -func (c *FakeACNPImports) Update(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (result *v1alpha1.ACNPImport, err error) { - obj, err := c.Fake. 
- Invokes(testing.NewRootUpdateAction(acnpimportsResource, aCNPImport), &v1alpha1.ACNPImport{}) - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.ACNPImport), err -} - -// UpdateStatus was generated because the type contains a Status member. -// Add a +genclient:noStatus comment above the type to avoid generating UpdateStatus(). -func (c *FakeACNPImports) UpdateStatus(ctx context.Context, aCNPImport *v1alpha1.ACNPImport, opts v1.UpdateOptions) (*v1alpha1.ACNPImport, error) { - obj, err := c.Fake. - Invokes(testing.NewRootUpdateSubresourceAction(acnpimportsResource, "status", aCNPImport), &v1alpha1.ACNPImport{}) - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.ACNPImport), err -} - -// Delete takes name of the aCNPImport and deletes it. Returns an error if one occurs. -func (c *FakeACNPImports) Delete(ctx context.Context, name string, opts v1.DeleteOptions) error { - _, err := c.Fake. - Invokes(testing.NewRootDeleteAction(acnpimportsResource, name), &v1alpha1.ACNPImport{}) - return err -} - -// DeleteCollection deletes a collection of objects. -func (c *FakeACNPImports) DeleteCollection(ctx context.Context, opts v1.DeleteOptions, listOpts v1.ListOptions) error { - action := testing.NewRootDeleteCollectionAction(acnpimportsResource, listOpts) - - _, err := c.Fake.Invokes(action, &v1alpha1.ACNPImportList{}) - return err -} - -// Patch applies the patch and returns the patched aCNPImport. -func (c *FakeACNPImports) Patch(ctx context.Context, name string, pt types.PatchType, data []byte, opts v1.PatchOptions, subresources ...string) (result *v1alpha1.ACNPImport, err error) { - obj, err := c.Fake. - Invokes(testing.NewRootPatchSubresourceAction(acnpimportsResource, name, pt, data, subresources...), &v1alpha1.ACNPImport{}) - if obj == nil { - return nil, err - } - return obj.(*v1alpha1.ACNPImport), err -} 
diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_multicluster_client.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_multicluster_client.go index 12b08f2e009..30ac2ac7dae 100644 --- a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_multicluster_client.go +++ b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/fake/fake_multicluster_client.go @@ -27,10 +27,6 @@ type FakeMulticlusterV1alpha1 struct { *testing.Fake } -func (c *FakeMulticlusterV1alpha1) ACNPImports() v1alpha1.ACNPImportInterface { - return &FakeACNPImports{c} -} - func (c *FakeMulticlusterV1alpha1) ClusterClaims(namespace string) v1alpha1.ClusterClaimInterface { return &FakeClusterClaims{c, namespace} } diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/generated_expansion.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/generated_expansion.go index 415b34aa575..f666a0a8999 100644 --- a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/generated_expansion.go +++ b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/generated_expansion.go @@ -17,8 +17,6 @@ limitations under the License. package v1alpha1 -type ACNPImportExpansion interface{} - type ClusterClaimExpansion interface{} type ClusterSetExpansion interface{} diff --git a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/multicluster_client.go b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/multicluster_client.go index 5985172b310..e3b1c38e45f 100644 --- a/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/multicluster_client.go +++ b/multicluster/pkg/client/clientset/versioned/typed/multicluster/v1alpha1/multicluster_client.go 
@@ -25,7 +25,6 @@ import ( type MulticlusterV1alpha1Interface interface { RESTClient() rest.Interface - ACNPImportsGetter ClusterClaimsGetter ClusterSetsGetter MemberClusterAnnouncesGetter @@ -40,10 +39,6 @@ type MulticlusterV1alpha1Client struct { restClient rest.Interface } -func (c *MulticlusterV1alpha1Client) ACNPImports() ACNPImportInterface { - return newACNPImports(c) -} - func (c *MulticlusterV1alpha1Client) ClusterClaims(namespace string) ClusterClaimInterface { return newClusterClaims(c, namespace) } diff --git a/multicluster/pkg/client/informers/externalversions/generic.go b/multicluster/pkg/client/informers/externalversions/generic.go index f294fc5d9f9..838bedf070a 100644 --- a/multicluster/pkg/client/informers/externalversions/generic.go +++ b/multicluster/pkg/client/informers/externalversions/generic.go @@ -52,8 +52,6 @@ func (f *genericInformer) Lister() cache.GenericLister { func (f *sharedInformerFactory) ForResource(resource schema.GroupVersionResource) (GenericInformer, error) { switch resource { // Group=multicluster.crd.antrea.io, Version=v1alpha1 - case v1alpha1.SchemeGroupVersion.WithResource("acnpimports"): - return &genericInformer{resource: resource.GroupResource(), informer: f.Multicluster().V1alpha1().ACNPImports().Informer()}, nil case v1alpha1.SchemeGroupVersion.WithResource("clusterclaims"): return &genericInformer{resource: resource.GroupResource(), informer: f.Multicluster().V1alpha1().ClusterClaims().Informer()}, nil case v1alpha1.SchemeGroupVersion.WithResource("clustersets"): diff --git a/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/acnpimport.go b/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/acnpimport.go deleted file mode 100644 index 7d04a5f024f..00000000000 --- a/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/acnpimport.go +++ /dev/null 
@@ -1,88 +0,0 @@ -/* -Copyright 2021 Antrea Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ -// Code generated by informer-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - "context" - time "time" - - multiclusterv1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" - versioned "antrea.io/antrea/multicluster/pkg/client/clientset/versioned" - internalinterfaces "antrea.io/antrea/multicluster/pkg/client/informers/externalversions/internalinterfaces" - v1alpha1 "antrea.io/antrea/multicluster/pkg/client/listers/multicluster/v1alpha1" - v1 "k8s.io/apimachinery/pkg/apis/meta/v1" - runtime "k8s.io/apimachinery/pkg/runtime" - watch "k8s.io/apimachinery/pkg/watch" - cache "k8s.io/client-go/tools/cache" -) - -// ACNPImportInformer provides access to a shared informer and lister for -// ACNPImports. -type ACNPImportInformer interface { - Informer() cache.SharedIndexInformer - Lister() v1alpha1.ACNPImportLister -} - -type aCNPImportInformer struct { - factory internalinterfaces.SharedInformerFactory - tweakListOptions internalinterfaces.TweakListOptionsFunc -} - -// NewACNPImportInformer constructs a new informer for ACNPImport type. -// Always prefer using an informer factory to get a shared informer instead of getting an independent -// one. This reduces memory footprint and number of connections to the server. 
-func NewACNPImportInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers) cache.SharedIndexInformer { - return NewFilteredACNPImportInformer(client, resyncPeriod, indexers, nil) -} - -// NewFilteredACNPImportInformer constructs a new informer for ACNPImport type. -// Always prefer using an informer factory to get a shared informer instead of getting an independent -// one. This reduces memory footprint and number of connections to the server. -func NewFilteredACNPImportInformer(client versioned.Interface, resyncPeriod time.Duration, indexers cache.Indexers, tweakListOptions internalinterfaces.TweakListOptionsFunc) cache.SharedIndexInformer { - return cache.NewSharedIndexInformer( - &cache.ListWatch{ - ListFunc: func(options v1.ListOptions) (runtime.Object, error) { - if tweakListOptions != nil { - tweakListOptions(&options) - } - return client.MulticlusterV1alpha1().ACNPImports().List(context.TODO(), options) - }, - WatchFunc: func(options v1.ListOptions) (watch.Interface, error) { - if tweakListOptions != nil { - tweakListOptions(&options) - } - return client.MulticlusterV1alpha1().ACNPImports().Watch(context.TODO(), options) - }, - }, - &multiclusterv1alpha1.ACNPImport{}, - resyncPeriod, - indexers, - ) -} - -func (f *aCNPImportInformer) defaultInformer(client versioned.Interface, resyncPeriod time.Duration) cache.SharedIndexInformer { - return NewFilteredACNPImportInformer(client, resyncPeriod, cache.Indexers{cache.NamespaceIndex: cache.MetaNamespaceIndexFunc}, f.tweakListOptions) -} - -func (f *aCNPImportInformer) Informer() cache.SharedIndexInformer { - return f.factory.InformerFor(&multiclusterv1alpha1.ACNPImport{}, f.defaultInformer) -} - -func (f *aCNPImportInformer) Lister() v1alpha1.ACNPImportLister { - return v1alpha1.NewACNPImportLister(f.Informer().GetIndexer()) -} 
diff --git a/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/interface.go b/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/interface.go index 3752d69c273..ff4c3100c97 100644 --- a/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/interface.go +++ b/multicluster/pkg/client/informers/externalversions/multicluster/v1alpha1/interface.go @@ -23,8 +23,6 @@ import ( // Interface provides access to all the informers in this group version. type Interface interface { - // ACNPImports returns a ACNPImportInformer. - ACNPImports() ACNPImportInformer // ClusterClaims returns a ClusterClaimInformer. ClusterClaims() ClusterClaimInformer // ClusterSets returns a ClusterSetInformer. @@ -52,11 +50,6 @@ func New(f internalinterfaces.SharedInformerFactory, namespace string, tweakList return &version{factory: f, namespace: namespace, tweakListOptions: tweakListOptions} } -// ACNPImports returns a ACNPImportInformer. -func (v *version) ACNPImports() ACNPImportInformer { - return &aCNPImportInformer{factory: v.factory, tweakListOptions: v.tweakListOptions} -} - // ClusterClaims returns a ClusterClaimInformer. func (v *version) ClusterClaims() ClusterClaimInformer { return &clusterClaimInformer{factory: v.factory, namespace: v.namespace, tweakListOptions: v.tweakListOptions} diff --git a/multicluster/pkg/client/listers/multicluster/v1alpha1/acnpimport.go b/multicluster/pkg/client/listers/multicluster/v1alpha1/acnpimport.go deleted file mode 100644 index 0c8602e79de..00000000000 --- a/multicluster/pkg/client/listers/multicluster/v1alpha1/acnpimport.go +++ /dev/null 
@@ -1,67 +0,0 @@ -/* -Copyright 2021 Antrea Authors. - -Licensed under the Apache License, Version 2.0 (the "License"); -you may not use this file except in compliance with the License. -You may obtain a copy of the License at - - http://www.apache.org/licenses/LICENSE-2.0 - -Unless required by applicable law or agreed to in writing, software -distributed under the License is distributed on an "AS IS" BASIS, -WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -See the License for the specific language governing permissions and -limitations under the License. -*/ -// Code generated by lister-gen. DO NOT EDIT. - -package v1alpha1 - -import ( - v1alpha1 "antrea.io/antrea/multicluster/apis/multicluster/v1alpha1" - "k8s.io/apimachinery/pkg/api/errors" - "k8s.io/apimachinery/pkg/labels" - "k8s.io/client-go/tools/cache" -) - -// ACNPImportLister helps list ACNPImports. -// All objects returned here must be treated as read-only. -type ACNPImportLister interface { - // List lists all ACNPImports in the indexer. - // Objects returned here must be treated as read-only. - List(selector labels.Selector) (ret []*v1alpha1.ACNPImport, err error) - // Get retrieves the ACNPImport from the index for a given name. - // Objects returned here must be treated as read-only. - Get(name string) (*v1alpha1.ACNPImport, error) - ACNPImportListerExpansion -} - -// aCNPImportLister implements the ACNPImportLister interface. -type aCNPImportLister struct { - indexer cache.Indexer -} - -// NewACNPImportLister returns a new ACNPImportLister. -func NewACNPImportLister(indexer cache.Indexer) ACNPImportLister { - return &aCNPImportLister{indexer: indexer} -} - -// List lists all ACNPImports in the indexer. 
-func (s *aCNPImportLister) List(selector labels.Selector) (ret []*v1alpha1.ACNPImport, err error) { - err = cache.ListAll(s.indexer, selector, func(m interface{}) { - ret = append(ret, m.(*v1alpha1.ACNPImport)) - }) - return ret, err -} - -// Get retrieves the ACNPImport from the index for a given name. -func (s *aCNPImportLister) Get(name string) (*v1alpha1.ACNPImport, error) { - obj, exists, err := s.indexer.GetByKey(name) - if err != nil { - return nil, err - } - if !exists { - return nil, errors.NewNotFound(v1alpha1.Resource("acnpimport"), name) - } - return obj.(*v1alpha1.ACNPImport), nil -} diff --git a/multicluster/pkg/client/listers/multicluster/v1alpha1/expansion_generated.go b/multicluster/pkg/client/listers/multicluster/v1alpha1/expansion_generated.go index 1bad923a226..80cd468ef4e 100644 --- a/multicluster/pkg/client/listers/multicluster/v1alpha1/expansion_generated.go +++ b/multicluster/pkg/client/listers/multicluster/v1alpha1/expansion_generated.go @@ -17,10 +17,6 @@ limitations under the License. package v1alpha1 -// ACNPImportListerExpansion allows custom methods to be added to -// ACNPImportLister. -type ACNPImportListerExpansion interface{} - // ClusterClaimListerExpansion allows custom methods to be added to // ClusterClaimLister. type ClusterClaimListerExpansion interface{}