diff --git a/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml b/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml index 322c55d4..c1900148 100644 --- a/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml +++ b/config/crd/experimental/policy.networking.k8s.io_adminnetworkpolicies.yaml @@ -28,18 +28,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: AdminNetworkPolicy is a cluster level resource that is part - of the AdminNetworkPolicy API. + description: |- + AdminNetworkPolicy is a cluster level resource that is part of the + AdminNetworkPolicy API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -47,97 +53,138 @@ spec: description: Specification of the desired behavior of AdminNetworkPolicy. properties: egress: - description: "Egress is the list of Egress rules to be applied to - the selected pods. A total of 100 rules will be allowed in each - ANP instance. The relative precedence of egress rules within a single - ANP object (all of which share the priority) will be determined - by the order in which the rule is written. Thus, a rule that appears - at the top of the egress rules would take the highest precedence. - ANPs with no egress rules do not affect egress traffic. \n Support: - Core" + description: |- + Egress is the list of Egress rules to be applied to the selected pods. + A total of 100 rules will be allowed in each ANP instance. + The relative precedence of egress rules within a single ANP object (all of + which share the priority) will be determined by the order in which the rule + is written. Thus, a rule that appears at the top of the egress rules + would take the highest precedence. + ANPs with no egress rules do not affect egress traffic. + + + Support: Core items: - description: AdminNetworkPolicyEgressRule describes an action to - take on a particular set of traffic originating from pods selected - by a AdminNetworkPolicy's Subject field. + description: |- + AdminNetworkPolicyEgressRule describes an action to take on a particular + set of traffic originating from pods selected by a AdminNetworkPolicy's + Subject field. properties: action: - description: "Action specifies the effect this rule will have - on matching traffic. Currently the following actions are supported: - Allow: allows the selected traffic (even if it would otherwise - have been denied by NetworkPolicy) Deny: denies the selected - traffic Pass: instructs the selected traffic to skip any remaining - ANP rules, and then pass execution to any NetworkPolicies - that select the pod. 
If the pod is not selected by any NetworkPolicies - then execution is passed to any BaselineAdminNetworkPolicies - that select the pod. \n Support: Core" + description: |- + Action specifies the effect this rule will have on matching traffic. + Currently the following actions are supported: + Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy) + Deny: denies the selected traffic + Pass: instructs the selected traffic to skip any remaining ANP rules, and + then pass execution to any NetworkPolicies that select the pod. + If the pod is not selected by any NetworkPolicies then execution + is passed to any BaselineAdminNetworkPolicies that select the pod. + + + Support: Core type: string name: - description: "Name is an identifier for this rule, that may - be no more than 100 characters in length. This field should - be used by the implementation to help improve observability, - readability and error-reporting for any applied AdminNetworkPolicies. - \n Support: Core" + description: |- + Name is an identifier for this rule, that may be no more than 100 characters + in length. This field should be used by the implementation to help + improve observability, readability and error-reporting for any applied + AdminNetworkPolicies. + + + Support: Core maxLength: 100 type: string ports: - description: "Ports allows for matching traffic based on port - and protocols. This field is a list of destination ports for - the outgoing egress traffic. If Ports is not set then the - rule does not filter traffic via port. \n Support: Core" + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of destination ports for the outgoing egress traffic. + If Ports is not set then the rule does not filter traffic via port. + + + Support: Core items: - description: AdminNetworkPolicyPort describes how to select - network ports on pod(s). Exactly one field must be set. 
+ description: |- + AdminNetworkPolicyPort describes how to select network ports on pod(s). + Exactly one field must be set. maxProperties: 1 minProperties: 1 properties: namedPort: - description: "NamedPort selects a port on a pod(s) based - on name. \n Support: Extended \n " + description: |- + NamedPort selects a port on a pod(s) based on name. + + + Support: Extended + + + type: string portNumber: - description: "Port selects a port on a pod(s) based on - number. \n Support: Core" + description: |- + Port selects a port on a pod(s) based on number. + + + Support: Core properties: port: - description: "Number defines a network port value. - \n Support: Core" + description: |- + Number defines a network port value. + + + Support: Core format: int32 maximum: 65535 minimum: 1 type: integer protocol: default: TCP - description: "Protocol is the network protocol (TCP, - UDP, or SCTP) which traffic must match. If not specified, - this field defaults to TCP. \n Support: Core" + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core type: string required: - port - protocol type: object portRange: - description: "PortRange selects a port range on a pod(s) - based on provided start and end values. \n Support: - Core" + description: |- + PortRange selects a port range on a pod(s) based on provided start and end + values. + + + Support: Core properties: end: - description: "End defines a network port that is the - end of a port range, the End value must be greater - than Start. \n Support: Core" + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. + + + Support: Core format: int32 maximum: 65535 minimum: 1 type: integer protocol: default: TCP - description: "Protocol is the network protocol (TCP, - UDP, or SCTP) which traffic must match. If not specified, - this field defaults to TCP. 
\n Support: Core" + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core type: string start: - description: "Start defines a network port that is - the start of a port range, the Start value must - be less than End. \n Support: Core" + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. + + + Support: Core format: int32 maximum: 65535 minimum: 1 
@@ -150,59 +197,66 @@ spec: maxItems: 100 type: array to: - description: "To is the List of destinations whose traffic this - rule applies to. If any AdminNetworkPolicyEgressPeer matches - the destination of outgoing traffic then the specified action - is applied. This field must be defined and contain at least - one item. \n Support: Core" + description: |- + To is the List of destinations whose traffic this rule applies to. + If any AdminNetworkPolicyEgressPeer matches the destination of outgoing + traffic then the specified action is applied. + This field must be defined and contain at least one item. + + + Support: Core items: - description: AdminNetworkPolicyEgressPeer defines a peer to - allow traffic to. Exactly one of the selector pointers must - be set for a given peer. If a consumer observes none of - its fields are set, they must assume an unknown option has - been specified and fail closed. + description: |- + AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. + Exactly one of the selector pointers must be set for a given peer. If a + consumer observes none of its fields are set, they must assume an unknown + option has been specified and fail closed. maxProperties: 1 minProperties: 1 properties: namespaces: - description: "Namespaces defines a way to select all pods - within a set of Namespaces. Note that host-networked - pods are not included in this type of peer. \n Support: - Core" + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + + + Support: Core maxProperties: 1 minProperties: 1 properties: namespaceSelector: - description: "NamespaceSelector is a labelSelector - used to select Namespaces, This field follows standard - label selector semantics; if present but empty, - it selects all Namespaces. 
\n Support: Core" + description: |- + NamespaceSelector is a labelSelector used to select Namespaces, This field + follows standard label selector semantics; if present but empty, it selects + all Namespaces. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is - a selector that contains values, a key, and - an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. This array - is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -214,53 +268,66 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic notSameLabels: - description: "NotSameLabels is used to select a set - of Namespaces that do not have certain values for - a set of label(s). To be selected a Namespace must - have all of the labels defined in NotSameLabels, - AND at least one of them must have different values - than the subject of this policy. If NotSameLabels - is empty then nothing is selected. \n Support: Extended - \n " + description: |- + NotSameLabels is used to select a set of Namespaces that do not have certain + values for a set of label(s). + To be selected a Namespace must have all of the labels defined in NotSameLabels, + AND at least one of them must have different values than the subject of this policy. + If NotSameLabels is empty then nothing is selected. + + + Support: Extended + + + items: type: string maxItems: 100 type: array sameLabels: - description: "SameLabels is used to select a set of - Namespaces that share the same values for a set - of labels. To be selected a Namespace must have - all of the labels defined in SameLabels, AND they - must all have the same value as the subject of this - policy. If Samelabels is Empty then nothing is selected. - \n Support: Extended \n " + description: |- + SameLabels is used to select a set of Namespaces that share the same values + for a set of labels. 
+ To be selected a Namespace must have all of the labels defined in SameLabels, + AND they must all have the same value as the subject of this policy. + If Samelabels is Empty then nothing is selected. + + + Support: Extended + + + items: type: string maxItems: 100 type: array type: object nodes: - description: "Nodes defines a way to select a set of nodes - in the cluster. This field follows standard label selector + description: |- + Nodes defines a way to select a set of nodes in + the cluster. This field follows standard label selector semantics; if present but empty, it selects all Nodes. - \n Support: Extended \n " + + + Support: Extended + + + properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: @@ -268,17 +335,16 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, - NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values - array must be non-empty. If the operator is - Exists or DoesNotExist, the values array must - be empty. This array is replaced during a - strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -290,59 +356,63 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field - is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic pods: - description: "Pods defines a way to select a set of pods - in a set of namespaces. Note that host-networked pods - are not included in this type of peer. \n Support: Core" + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + + + Support: Core properties: namespaces: - description: "Namespaces is used to select a set of - Namespaces. \n Support: Core" + description: |- + Namespaces is used to select a set of Namespaces. + + + Support: Core maxProperties: 1 minProperties: 1 properties: namespaceSelector: - description: "NamespaceSelector is a labelSelector - used to select Namespaces, This field follows - standard label selector semantics; if present - but empty, it selects all Namespaces. \n Support: - Core" + description: |- + NamespaceSelector is a labelSelector used to select Namespaces, This field + follows standard label selector semantics; if present but empty, it selects + all Namespaces. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -355,73 +425,81 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic notSameLabels: - description: "NotSameLabels is used to select - a set of Namespaces that do not have certain - values for a set of label(s). To be selected - a Namespace must have all of the labels defined - in NotSameLabels, AND at least one of them must - have different values than the subject of this - policy. If NotSameLabels is empty then nothing - is selected. \n Support: Extended \n " + description: |- + NotSameLabels is used to select a set of Namespaces that do not have certain + values for a set of label(s). + To be selected a Namespace must have all of the labels defined in NotSameLabels, + AND at least one of them must have different values than the subject of this policy. + If NotSameLabels is empty then nothing is selected. + + + Support: Extended + + + items: type: string maxItems: 100 type: array sameLabels: - description: "SameLabels is used to select a set - of Namespaces that share the same values for - a set of labels. To be selected a Namespace - must have all of the labels defined in SameLabels, - AND they must all have the same value as the - subject of this policy. If Samelabels is Empty - then nothing is selected. \n Support: Extended - \n " + description: |- + SameLabels is used to select a set of Namespaces that share the same values + for a set of labels. 
+ To be selected a Namespace must have all of the labels defined in SameLabels, + AND they must all have the same value as the subject of this policy. + If Samelabels is Empty then nothing is selected. + + + Support: Extended + + + items: type: string maxItems: 100 type: array type: object podSelector: - description: "PodSelector is a labelSelector used - to select Pods, This field is NOT optional, follows - standard label selector semantics and if present - but empty, it selects all Pods. \n Support: Core" + description: |- + PodSelector is a labelSelector used to select Pods, This field is NOT optional, + follows standard label selector semantics and if present but empty, it selects + all Pods. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is - a selector that contains values, a key, and - an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. This array - is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -433,12 +511,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -457,84 +533,98 @@ spec: maxItems: 100 type: array ingress: - description: "Ingress is the list of Ingress rules to be applied to - the selected pods. A total of 100 rules will be allowed in each - ANP instance. The relative precedence of ingress rules within a - single ANP object (all of which share the priority) will be determined - by the order in which the rule is written. Thus, a rule that appears - at the top of the ingress rules would take the highest precedence. - ANPs with no ingress rules do not affect ingress traffic. \n Support: - Core" + description: |- + Ingress is the list of Ingress rules to be applied to the selected pods. + A total of 100 rules will be allowed in each ANP instance. + The relative precedence of ingress rules within a single ANP object (all of + which share the priority) will be determined by the order in which the rule + is written. Thus, a rule that appears at the top of the ingress rules + would take the highest precedence. + ANPs with no ingress rules do not affect ingress traffic. + + + Support: Core items: - description: AdminNetworkPolicyIngressRule describes an action to - take on a particular set of traffic destined for pods selected - by an AdminNetworkPolicy's Subject field. + description: |- + AdminNetworkPolicyIngressRule describes an action to take on a particular + set of traffic destined for pods selected by an AdminNetworkPolicy's + Subject field. properties: action: - description: "Action specifies the effect this rule will have - on matching traffic. Currently the following actions are supported: - Allow: allows the selected traffic (even if it would otherwise - have been denied by NetworkPolicy) Deny: denies the selected - traffic Pass: instructs the selected traffic to skip any remaining - ANP rules, and then pass execution to any NetworkPolicies - that select the pod. If the pod is not selected by any NetworkPolicies - then execution is passed to any BaselineAdminNetworkPolicies - that select the pod. 
\n Support: Core" + description: |- + Action specifies the effect this rule will have on matching traffic. + Currently the following actions are supported: + Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy) + Deny: denies the selected traffic + Pass: instructs the selected traffic to skip any remaining ANP rules, and + then pass execution to any NetworkPolicies that select the pod. + If the pod is not selected by any NetworkPolicies then execution + is passed to any BaselineAdminNetworkPolicies that select the pod. + + + Support: Core type: string from: - description: "From is the list of sources whose traffic this - rule applies to. If any AdminNetworkPolicyIngressPeer matches - the source of incoming traffic then the specified action is - applied. This field must be defined and contain at least one - item. \n Support: Core" + description: |- + From is the list of sources whose traffic this rule applies to. + If any AdminNetworkPolicyIngressPeer matches the source of incoming + traffic then the specified action is applied. + This field must be defined and contain at least one item. + + + Support: Core items: - description: AdminNetworkPolicyIngressPeer defines an in-cluster - peer to allow traffic from. Exactly one of the selector - pointers must be set for a given peer. If a consumer observes - none of its fields are set, they must assume an unknown + description: |- + AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from. + Exactly one of the selector pointers must be set for a given peer. If a + consumer observes none of its fields are set, they must assume an unknown option has been specified and fail closed. maxProperties: 1 minProperties: 1 properties: namespaces: - description: "Namespaces defines a way to select all pods - within a set of Namespaces. Note that host-networked - pods are not included in this type of peer. 
\n Support: - Core" + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + + + Support: Core maxProperties: 1 minProperties: 1 properties: namespaceSelector: - description: "NamespaceSelector is a labelSelector - used to select Namespaces, This field follows standard - label selector semantics; if present but empty, - it selects all Namespaces. \n Support: Core" + description: |- + NamespaceSelector is a labelSelector used to select Namespaces, This field + follows standard label selector semantics; if present but empty, it selects + all Namespaces. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is - a selector that contains values, a key, and - an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. This array - is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -546,86 +636,98 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic notSameLabels: - description: "NotSameLabels is used to select a set - of Namespaces that do not have certain values for - a set of label(s). To be selected a Namespace must - have all of the labels defined in NotSameLabels, - AND at least one of them must have different values - than the subject of this policy. If NotSameLabels - is empty then nothing is selected. \n Support: Extended - \n " + description: |- + NotSameLabels is used to select a set of Namespaces that do not have certain + values for a set of label(s). + To be selected a Namespace must have all of the labels defined in NotSameLabels, + AND at least one of them must have different values than the subject of this policy. + If NotSameLabels is empty then nothing is selected. + + + Support: Extended + + + items: type: string maxItems: 100 type: array sameLabels: - description: "SameLabels is used to select a set of - Namespaces that share the same values for a set - of labels. To be selected a Namespace must have - all of the labels defined in SameLabels, AND they - must all have the same value as the subject of this - policy. If Samelabels is Empty then nothing is selected. - \n Support: Extended \n " + description: |- + SameLabels is used to select a set of Namespaces that share the same values + for a set of labels. 
+ To be selected a Namespace must have all of the labels defined in SameLabels, + AND they must all have the same value as the subject of this policy. + If Samelabels is Empty then nothing is selected. + + + Support: Extended + + + items: type: string maxItems: 100 type: array type: object pods: - description: "Pods defines a way to select a set of pods - in a set of namespaces. Note that host-networked pods - are not included in this type of peer. \n Support: Core" + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + + + Support: Core properties: namespaces: - description: "Namespaces is used to select a set of - Namespaces. \n Support: Core" + description: |- + Namespaces is used to select a set of Namespaces. + + + Support: Core maxProperties: 1 minProperties: 1 properties: namespaceSelector: - description: "NamespaceSelector is a labelSelector - used to select Namespaces, This field follows - standard label selector semantics; if present - but empty, it selects all Namespaces. \n Support: - Core" + description: |- + NamespaceSelector is a labelSelector used to select Namespaces, This field + follows standard label selector semantics; if present but empty, it selects + all Namespaces. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. 
+ description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -638,73 +740,81 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic notSameLabels: - description: "NotSameLabels is used to select - a set of Namespaces that do not have certain - values for a set of label(s). To be selected - a Namespace must have all of the labels defined - in NotSameLabels, AND at least one of them must - have different values than the subject of this - policy. If NotSameLabels is empty then nothing - is selected. \n Support: Extended \n " + description: |- + NotSameLabels is used to select a set of Namespaces that do not have certain + values for a set of label(s). + To be selected a Namespace must have all of the labels defined in NotSameLabels, + AND at least one of them must have different values than the subject of this policy. + If NotSameLabels is empty then nothing is selected. + + + Support: Extended + + + items: type: string maxItems: 100 type: array sameLabels: - description: "SameLabels is used to select a set - of Namespaces that share the same values for - a set of labels. To be selected a Namespace - must have all of the labels defined in SameLabels, - AND they must all have the same value as the - subject of this policy. If Samelabels is Empty - then nothing is selected. \n Support: Extended - \n " + description: |- + SameLabels is used to select a set of Namespaces that share the same values + for a set of labels. 
+ To be selected a Namespace must have all of the labels defined in SameLabels, + AND they must all have the same value as the subject of this policy. + If Samelabels is Empty then nothing is selected. + + + Support: Extended + + + items: type: string maxItems: 100 type: array type: object podSelector: - description: "PodSelector is a labelSelector used - to select Pods, This field is NOT optional, follows - standard label selector semantics and if present - but empty, it selects all Pods. \n Support: Core" + description: |- + PodSelector is a labelSelector used to select Pods, This field is NOT optional, + follows standard label selector semantics and if present but empty, it selects + all Pods. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is - a selector that contains values, a key, and - an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. This array - is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -716,12 +826,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -734,74 +842,108 @@ spec: minItems: 1 type: array name: - description: "Name is an identifier for this rule, that may - be no more than 100 characters in length. This field should - be used by the implementation to help improve observability, - readability and error-reporting for any applied AdminNetworkPolicies. - \n Support: Core" + description: |- + Name is an identifier for this rule, that may be no more than 100 characters + in length. This field should be used by the implementation to help + improve observability, readability and error-reporting for any applied + AdminNetworkPolicies. + + + Support: Core maxLength: 100 type: string ports: - description: "Ports allows for matching traffic based on port - and protocols. This field is a list of ports which should - be matched on the pods selected for this policy i.e the subject - of the policy. So it matches on the destination port for the - ingress traffic. If Ports is not set then the rule does not - filter traffic via port. \n Support: Core" + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of ports which should be matched on + the pods selected for this policy i.e the subject of the policy. + So it matches on the destination port for the ingress traffic. + If Ports is not set then the rule does not filter traffic via port. + + + Support: Core items: - description: AdminNetworkPolicyPort describes how to select - network ports on pod(s). Exactly one field must be set. + description: |- + AdminNetworkPolicyPort describes how to select network ports on pod(s). + Exactly one field must be set. maxProperties: 1 minProperties: 1 properties: namedPort: - description: "NamedPort selects a port on a pod(s) based - on name. \n Support: Extended \n " + description: |- + NamedPort selects a port on a pod(s) based on name. + + + Support: Extended + + + type: string portNumber: - description: "Port selects a port on a pod(s) based on - number. 
\n Support: Core" + description: |- + Port selects a port on a pod(s) based on number. + + + Support: Core properties: port: - description: "Number defines a network port value. - \n Support: Core" + description: |- + Number defines a network port value. + + + Support: Core format: int32 maximum: 65535 minimum: 1 type: integer protocol: default: TCP - description: "Protocol is the network protocol (TCP, - UDP, or SCTP) which traffic must match. If not specified, - this field defaults to TCP. \n Support: Core" + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core type: string required: - port - protocol type: object portRange: - description: "PortRange selects a port range on a pod(s) - based on provided start and end values. \n Support: - Core" + description: |- + PortRange selects a port range on a pod(s) based on provided start and end + values. + + + Support: Core properties: end: - description: "End defines a network port that is the - end of a port range, the End value must be greater - than Start. \n Support: Core" + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. + + + Support: Core format: int32 maximum: 65535 minimum: 1 type: integer protocol: default: TCP - description: "Protocol is the network protocol (TCP, - UDP, or SCTP) which traffic must match. If not specified, - this field defaults to TCP. \n Support: Core" + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core type: string start: - description: "Start defines a network port that is - the start of a port range, the Start value must - be less than End. \n Support: Core" + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. 
+ + + Support: Core format: int32 maximum: 65535 minimum: 1 @@ -820,19 +962,25 @@ spec: maxItems: 100 type: array priority: - description: "Priority is a value from 0 to 1000. Rules with lower - priority values have higher precedence, and are checked before rules - with higher priority values. All AdminNetworkPolicy rules have higher - precedence than NetworkPolicy or BaselineAdminNetworkPolicy rules + description: |- + Priority is a value from 0 to 1000. Rules with lower priority values have + higher precedence, and are checked before rules with higher priority values. + All AdminNetworkPolicy rules have higher precedence than NetworkPolicy or + BaselineAdminNetworkPolicy rules The behavior is undefined if two ANP objects have same priority. - \n Support: Core" + + + Support: Core format: int32 maximum: 1000 minimum: 0 type: integer subject: - description: "Subject defines the pods to which this AdminNetworkPolicy - applies. \n Support: Core" + description: |- + Subject defines the pods to which this AdminNetworkPolicy applies. + + + Support: Core maxProperties: 1 minProperties: 1 properties: 
@@ -843,25 +991,25 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -873,11 +1021,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -886,15 +1033,16 @@ spec: selectors. properties: namespaceSelector: - description: NamespaceSelector follows standard label selector - semantics; if empty, it selects all Namespaces. + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: 
@@ -902,17 +1050,16 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -924,24 +1071,24 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic podSelector: - description: PodSelector is used to explicitly select pods - within a namespace; if empty, it selects all Pods. + description: |- + PodSelector is used to explicitly select pods within a namespace; if empty, + it selects all Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: 
@@ -949,17 +1096,16 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -971,11 +1117,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -994,42 +1139,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -1043,11 +1188,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml b/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml index 0ee636ad..6ebb436e 100644 --- a/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml +++ b/config/crd/experimental/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml 
@@ -25,18 +25,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: BaselineAdminNetworkPolicy is a cluster level resource that is - part of the AdminNetworkPolicy API. + description: |- + BaselineAdminNetworkPolicy is a cluster level resource that is part of the + AdminNetworkPolicy API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -44,92 +50,132 @@ spec: description: Specification of the desired behavior of BaselineAdminNetworkPolicy. properties: egress: - description: "Egress is the list of Egress rules to be applied to - the selected pods if they are not matched by any AdminNetworkPolicy - or NetworkPolicy rules. A total of 100 Egress rules will be allowed - in each BANP instance. The relative precedence of egress rules within - a single BANP object will be determined by the order in which the - rule is written. Thus, a rule that appears at the top of the egress - rules would take the highest precedence. BANPs with no egress rules - do not affect egress traffic. \n Support: Core" + description: |- + Egress is the list of Egress rules to be applied to the selected pods if + they are not matched by any AdminNetworkPolicy or NetworkPolicy rules. + A total of 100 Egress rules will be allowed in each BANP instance. + The relative precedence of egress rules within a single BANP object + will be determined by the order in which the rule is written. + Thus, a rule that appears at the top of the egress rules + would take the highest precedence. + BANPs with no egress rules do not affect egress traffic. + + + Support: Core items: - description: BaselineAdminNetworkPolicyEgressRule describes an action - to take on a particular set of traffic originating from pods selected - by a BaselineAdminNetworkPolicy's Subject field. + description: |- + BaselineAdminNetworkPolicyEgressRule describes an action to take on a particular + set of traffic originating from pods selected by a BaselineAdminNetworkPolicy's + Subject field. properties: action: - description: "Action specifies the effect this rule will have - on matching traffic. Currently the following actions are supported: - Allow: allows the selected traffic Deny: denies the selected - traffic \n Support: Core" + description: |- + Action specifies the effect this rule will have on matching traffic. 
+ Currently the following actions are supported: + Allow: allows the selected traffic + Deny: denies the selected traffic + + + Support: Core type: string name: - description: "Name is an identifier for this rule, that may - be no more than 100 characters in length. This field should - be used by the implementation to help improve observability, - readability and error-reporting for any applied BaselineAdminNetworkPolicies. - \n Support: Core" + description: |- + Name is an identifier for this rule, that may be no more than 100 characters + in length. This field should be used by the implementation to help + improve observability, readability and error-reporting for any applied + BaselineAdminNetworkPolicies. + + + Support: Core maxLength: 100 type: string ports: - description: Ports allows for matching traffic based on port - and protocols. This field is a list of destination ports for - the outging egress traffic. If Ports is not set then the rule - does not filter traffic via port. + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of destination ports for the outging egress traffic. + If Ports is not set then the rule does not filter traffic via port. items: - description: AdminNetworkPolicyPort describes how to select - network ports on pod(s). Exactly one field must be set. + description: |- + AdminNetworkPolicyPort describes how to select network ports on pod(s). + Exactly one field must be set. maxProperties: 1 minProperties: 1 properties: namedPort: - description: "NamedPort selects a port on a pod(s) based - on name. \n Support: Extended \n " + description: |- + NamedPort selects a port on a pod(s) based on name. + + + Support: Extended + + + type: string portNumber: - description: "Port selects a port on a pod(s) based on - number. \n Support: Core" + description: |- + Port selects a port on a pod(s) based on number. 
+ + + Support: Core properties: port: - description: "Number defines a network port value. - \n Support: Core" + description: |- + Number defines a network port value. + + + Support: Core format: int32 maximum: 65535 minimum: 1 type: integer protocol: default: TCP - description: "Protocol is the network protocol (TCP, - UDP, or SCTP) which traffic must match. If not specified, - this field defaults to TCP. \n Support: Core" + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core type: string required: - port - protocol type: object portRange: - description: "PortRange selects a port range on a pod(s) - based on provided start and end values. \n Support: - Core" + description: |- + PortRange selects a port range on a pod(s) based on provided start and end + values. + + + Support: Core properties: end: - description: "End defines a network port that is the - end of a port range, the End value must be greater - than Start. \n Support: Core" + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. + + + Support: Core format: int32 maximum: 65535 minimum: 1 type: integer protocol: default: TCP - description: "Protocol is the network protocol (TCP, - UDP, or SCTP) which traffic must match. If not specified, - this field defaults to TCP. \n Support: Core" + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core type: string start: - description: "Start defines a network port that is - the start of a port range, the Start value must - be less than End. \n Support: Core" + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. + + + Support: Core format: int32 maximum: 65535 minimum: 1 
@@ -142,59 +188,66 @@ spec: maxItems: 100 type: array to: - description: "To is the list of destinations whose traffic this - rule applies to. If any AdminNetworkPolicyEgressPeer matches - the destination of outgoing traffic then the specified action - is applied. This field must be defined and contain at least - one item. \n Support: Core" + description: |- + To is the list of destinations whose traffic this rule applies to. + If any AdminNetworkPolicyEgressPeer matches the destination of outgoing + traffic then the specified action is applied. + This field must be defined and contain at least one item. + + + Support: Core items: - description: AdminNetworkPolicyEgressPeer defines a peer to - allow traffic to. Exactly one of the selector pointers must - be set for a given peer. If a consumer observes none of - its fields are set, they must assume an unknown option has - been specified and fail closed. + description: |- + AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. + Exactly one of the selector pointers must be set for a given peer. If a + consumer observes none of its fields are set, they must assume an unknown + option has been specified and fail closed. maxProperties: 1 minProperties: 1 properties: namespaces: - description: "Namespaces defines a way to select all pods - within a set of Namespaces. Note that host-networked - pods are not included in this type of peer. \n Support: - Core" + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + + + Support: Core maxProperties: 1 minProperties: 1 properties: namespaceSelector: - description: "NamespaceSelector is a labelSelector - used to select Namespaces, This field follows standard - label selector semantics; if present but empty, - it selects all Namespaces. 
\n Support: Core" + description: |- + NamespaceSelector is a labelSelector used to select Namespaces, This field + follows standard label selector semantics; if present but empty, it selects + all Namespaces. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is - a selector that contains values, a key, and - an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. This array - is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -206,53 +259,66 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic notSameLabels: - description: "NotSameLabels is used to select a set - of Namespaces that do not have certain values for - a set of label(s). To be selected a Namespace must - have all of the labels defined in NotSameLabels, - AND at least one of them must have different values - than the subject of this policy. If NotSameLabels - is empty then nothing is selected. \n Support: Extended - \n " + description: |- + NotSameLabels is used to select a set of Namespaces that do not have certain + values for a set of label(s). + To be selected a Namespace must have all of the labels defined in NotSameLabels, + AND at least one of them must have different values than the subject of this policy. + If NotSameLabels is empty then nothing is selected. + + + Support: Extended + + + items: type: string maxItems: 100 type: array sameLabels: - description: "SameLabels is used to select a set of - Namespaces that share the same values for a set - of labels. To be selected a Namespace must have - all of the labels defined in SameLabels, AND they - must all have the same value as the subject of this - policy. If Samelabels is Empty then nothing is selected. - \n Support: Extended \n " + description: |- + SameLabels is used to select a set of Namespaces that share the same values + for a set of labels. 
+ To be selected a Namespace must have all of the labels defined in SameLabels, + AND they must all have the same value as the subject of this policy. + If Samelabels is Empty then nothing is selected. + + + Support: Extended + + + items: type: string maxItems: 100 type: array type: object nodes: - description: "Nodes defines a way to select a set of nodes - in the cluster. This field follows standard label selector + description: |- + Nodes defines a way to select a set of nodes in + the cluster. This field follows standard label selector semantics; if present but empty, it selects all Nodes. - \n Support: Extended \n " + + + Support: Extended + + + properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: @@ -260,17 +326,16 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, - NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values - array must be non-empty. If the operator is - Exists or DoesNotExist, the values array must - be empty. This array is replaced during a - strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -282,59 +347,63 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field - is "key", the operator is "In", and the values array - contains only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic pods: - description: "Pods defines a way to select a set of pods - in a set of namespaces. Note that host-networked pods - are not included in this type of peer. \n Support: Core" + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + + + Support: Core properties: namespaces: - description: "Namespaces is used to select a set of - Namespaces. \n Support: Core" + description: |- + Namespaces is used to select a set of Namespaces. + + + Support: Core maxProperties: 1 minProperties: 1 properties: namespaceSelector: - description: "NamespaceSelector is a labelSelector - used to select Namespaces, This field follows - standard label selector semantics; if present - but empty, it selects all Namespaces. \n Support: - Core" + description: |- + NamespaceSelector is a labelSelector used to select Namespaces, This field + follows standard label selector semantics; if present but empty, it selects + all Namespaces. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -347,73 +416,81 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic notSameLabels: - description: "NotSameLabels is used to select - a set of Namespaces that do not have certain - values for a set of label(s). To be selected - a Namespace must have all of the labels defined - in NotSameLabels, AND at least one of them must - have different values than the subject of this - policy. If NotSameLabels is empty then nothing - is selected. \n Support: Extended \n " + description: |- + NotSameLabels is used to select a set of Namespaces that do not have certain + values for a set of label(s). + To be selected a Namespace must have all of the labels defined in NotSameLabels, + AND at least one of them must have different values than the subject of this policy. + If NotSameLabels is empty then nothing is selected. + + + Support: Extended + + + items: type: string maxItems: 100 type: array sameLabels: - description: "SameLabels is used to select a set - of Namespaces that share the same values for - a set of labels. To be selected a Namespace - must have all of the labels defined in SameLabels, - AND they must all have the same value as the - subject of this policy. If Samelabels is Empty - then nothing is selected. \n Support: Extended - \n " + description: |- + SameLabels is used to select a set of Namespaces that share the same values + for a set of labels. 
+ To be selected a Namespace must have all of the labels defined in SameLabels, + AND they must all have the same value as the subject of this policy. + If Samelabels is Empty then nothing is selected. + + + Support: Extended + + + items: type: string maxItems: 100 type: array type: object podSelector: - description: "PodSelector is a labelSelector used - to select Pods, This field is NOT optional, follows - standard label selector semantics and if present - but empty, it selects all Pods. \n Support: Core" + description: |- + PodSelector is a labelSelector used to select Pods, This field is NOT optional, + follows standard label selector semantics and if present but empty, it selects + all Pods. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is - a selector that contains values, a key, and - an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. This array - is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -425,12 +502,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -449,79 +524,95 @@ spec: maxItems: 100 type: array ingress: - description: "Ingress is the list of Ingress rules to be applied to - the selected pods if they are not matched by any AdminNetworkPolicy - or NetworkPolicy rules. A total of 100 Ingress rules will be allowed - in each BANP instance. The relative precedence of ingress rules - within a single BANP object will be determined by the order in which - the rule is written. Thus, a rule that appears at the top of the - ingress rules would take the highest precedence. BANPs with no ingress - rules do not affect ingress traffic. \n Support: Core" + description: |- + Ingress is the list of Ingress rules to be applied to the selected pods + if they are not matched by any AdminNetworkPolicy or NetworkPolicy rules. + A total of 100 Ingress rules will be allowed in each BANP instance. + The relative precedence of ingress rules within a single BANP object + will be determined by the order in which the rule is written. + Thus, a rule that appears at the top of the ingress rules + would take the highest precedence. + BANPs with no ingress rules do not affect ingress traffic. + + + Support: Core items: - description: BaselineAdminNetworkPolicyIngressRule describes an - action to take on a particular set of traffic destined for pods - selected by a BaselineAdminNetworkPolicy's Subject field. + description: |- + BaselineAdminNetworkPolicyIngressRule describes an action to take on a particular + set of traffic destined for pods selected by a BaselineAdminNetworkPolicy's + Subject field. properties: action: - description: "Action specifies the effect this rule will have - on matching traffic. Currently the following actions are supported: - Allow: allows the selected traffic Deny: denies the selected - traffic \n Support: Core" + description: |- + Action specifies the effect this rule will have on matching traffic. 
+ Currently the following actions are supported: + Allow: allows the selected traffic + Deny: denies the selected traffic + + + Support: Core type: string from: - description: "From is the list of sources whose traffic this - rule applies to. If any AdminNetworkPolicyIngressPeer matches - the source of incoming traffic then the specified action is - applied. This field must be defined and contain at least one - item. \n Support: Core" + description: |- + From is the list of sources whose traffic this rule applies to. + If any AdminNetworkPolicyIngressPeer matches the source of incoming + traffic then the specified action is applied. + This field must be defined and contain at least one item. + + + Support: Core items: - description: AdminNetworkPolicyIngressPeer defines an in-cluster - peer to allow traffic from. Exactly one of the selector - pointers must be set for a given peer. If a consumer observes - none of its fields are set, they must assume an unknown + description: |- + AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from. + Exactly one of the selector pointers must be set for a given peer. If a + consumer observes none of its fields are set, they must assume an unknown option has been specified and fail closed. maxProperties: 1 minProperties: 1 properties: namespaces: - description: "Namespaces defines a way to select all pods - within a set of Namespaces. Note that host-networked - pods are not included in this type of peer. \n Support: - Core" + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + + + Support: Core maxProperties: 1 minProperties: 1 properties: namespaceSelector: - description: "NamespaceSelector is a labelSelector - used to select Namespaces, This field follows standard - label selector semantics; if present but empty, - it selects all Namespaces. 
\n Support: Core" + description: |- + NamespaceSelector is a labelSelector used to select Namespaces, This field + follows standard label selector semantics; if present but empty, it selects + all Namespaces. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is - a selector that contains values, a key, and - an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. This array - is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -533,86 +624,98 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic notSameLabels: - description: "NotSameLabels is used to select a set - of Namespaces that do not have certain values for - a set of label(s). To be selected a Namespace must - have all of the labels defined in NotSameLabels, - AND at least one of them must have different values - than the subject of this policy. If NotSameLabels - is empty then nothing is selected. \n Support: Extended - \n " + description: |- + NotSameLabels is used to select a set of Namespaces that do not have certain + values for a set of label(s). + To be selected a Namespace must have all of the labels defined in NotSameLabels, + AND at least one of them must have different values than the subject of this policy. + If NotSameLabels is empty then nothing is selected. + + + Support: Extended + + + items: type: string maxItems: 100 type: array sameLabels: - description: "SameLabels is used to select a set of - Namespaces that share the same values for a set - of labels. To be selected a Namespace must have - all of the labels defined in SameLabels, AND they - must all have the same value as the subject of this - policy. If Samelabels is Empty then nothing is selected. - \n Support: Extended \n " + description: |- + SameLabels is used to select a set of Namespaces that share the same values + for a set of labels. 
+ To be selected a Namespace must have all of the labels defined in SameLabels, + AND they must all have the same value as the subject of this policy. + If Samelabels is Empty then nothing is selected. + + + Support: Extended + + + items: type: string maxItems: 100 type: array type: object pods: - description: "Pods defines a way to select a set of pods - in a set of namespaces. Note that host-networked pods - are not included in this type of peer. \n Support: Core" + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + + + Support: Core properties: namespaces: - description: "Namespaces is used to select a set of - Namespaces. \n Support: Core" + description: |- + Namespaces is used to select a set of Namespaces. + + + Support: Core maxProperties: 1 minProperties: 1 properties: namespaceSelector: - description: "NamespaceSelector is a labelSelector - used to select Namespaces, This field follows - standard label selector semantics; if present - but empty, it selects all Namespaces. \n Support: - Core" + description: |- + NamespaceSelector is a labelSelector used to select Namespaces, This field + follows standard label selector semantics; if present but empty, it selects + all Namespaces. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. 
+ description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -625,73 +728,81 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic notSameLabels: - description: "NotSameLabels is used to select - a set of Namespaces that do not have certain - values for a set of label(s). To be selected - a Namespace must have all of the labels defined - in NotSameLabels, AND at least one of them must - have different values than the subject of this - policy. If NotSameLabels is empty then nothing - is selected. \n Support: Extended \n " + description: |- + NotSameLabels is used to select a set of Namespaces that do not have certain + values for a set of label(s). + To be selected a Namespace must have all of the labels defined in NotSameLabels, + AND at least one of them must have different values than the subject of this policy. + If NotSameLabels is empty then nothing is selected. + + + Support: Extended + + + items: type: string maxItems: 100 type: array sameLabels: - description: "SameLabels is used to select a set - of Namespaces that share the same values for - a set of labels. To be selected a Namespace - must have all of the labels defined in SameLabels, - AND they must all have the same value as the - subject of this policy. If Samelabels is Empty - then nothing is selected. \n Support: Extended - \n " + description: |- + SameLabels is used to select a set of Namespaces that share the same values + for a set of labels. 
+ To be selected a Namespace must have all of the labels defined in SameLabels, + AND they must all have the same value as the subject of this policy. + If Samelabels is Empty then nothing is selected. + + + Support: Extended + + + items: type: string maxItems: 100 type: array type: object podSelector: - description: "PodSelector is a labelSelector used - to select Pods, This field is NOT optional, follows - standard label selector semantics and if present - but empty, it selects all Pods. \n Support: Core" + description: |- + PodSelector is a labelSelector used to select Pods, This field is NOT optional, + follows standard label selector semantics and if present but empty, it selects + all Pods. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is - a selector that contains values, a key, and - an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. This array - is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -703,12 +814,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -721,74 +830,108 @@ spec: minItems: 1 type: array name: - description: "Name is an identifier for this rule, that may - be no more than 100 characters in length. This field should - be used by the implementation to help improve observability, - readability and error-reporting for any applied BaselineAdminNetworkPolicies. - \n Support: Core" + description: |- + Name is an identifier for this rule, that may be no more than 100 characters + in length. This field should be used by the implementation to help + improve observability, readability and error-reporting for any applied + BaselineAdminNetworkPolicies. + + + Support: Core maxLength: 100 type: string ports: - description: "Ports allows for matching traffic based on port - and protocols. This field is a list of ports which should - be matched on the pods selected for this policy i.e the subject - of the policy. So it matches on the destination port for the - ingress traffic. If Ports is not set then the rule does not - filter traffic via port. \n Support: Core" + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of ports which should be matched on + the pods selected for this policy i.e the subject of the policy. + So it matches on the destination port for the ingress traffic. + If Ports is not set then the rule does not filter traffic via port. + + + Support: Core items: - description: AdminNetworkPolicyPort describes how to select - network ports on pod(s). Exactly one field must be set. + description: |- + AdminNetworkPolicyPort describes how to select network ports on pod(s). + Exactly one field must be set. maxProperties: 1 minProperties: 1 properties: namedPort: - description: "NamedPort selects a port on a pod(s) based - on name. \n Support: Extended \n " + description: |- + NamedPort selects a port on a pod(s) based on name. + + + Support: Extended + + + type: string portNumber: - description: "Port selects a port on a pod(s) based on - number. 
\n Support: Core" + description: |- + Port selects a port on a pod(s) based on number. + + + Support: Core properties: port: - description: "Number defines a network port value. - \n Support: Core" + description: |- + Number defines a network port value. + + + Support: Core format: int32 maximum: 65535 minimum: 1 type: integer protocol: default: TCP - description: "Protocol is the network protocol (TCP, - UDP, or SCTP) which traffic must match. If not specified, - this field defaults to TCP. \n Support: Core" + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core type: string required: - port - protocol type: object portRange: - description: "PortRange selects a port range on a pod(s) - based on provided start and end values. \n Support: - Core" + description: |- + PortRange selects a port range on a pod(s) based on provided start and end + values. + + + Support: Core properties: end: - description: "End defines a network port that is the - end of a port range, the End value must be greater - than Start. \n Support: Core" + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. + + + Support: Core format: int32 maximum: 65535 minimum: 1 type: integer protocol: default: TCP - description: "Protocol is the network protocol (TCP, - UDP, or SCTP) which traffic must match. If not specified, - this field defaults to TCP. \n Support: Core" + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core type: string start: - description: "Start defines a network port that is - the start of a port range, the Start value must - be less than End. \n Support: Core" + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. 
+ + + Support: Core format: int32 maximum: 65535 minimum: 1 @@ -807,8 +950,11 @@ spec: maxItems: 100 type: array subject: - description: "Subject defines the pods to which this BaselineAdminNetworkPolicy - applies. \n Support: Core" + description: |- + Subject defines the pods to which this BaselineAdminNetworkPolicy applies. + + + Support: Core maxProperties: 1 minProperties: 1 properties: @@ -819,25 +965,25 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -849,11 +995,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -862,15 +1007,16 @@ spec: selectors. properties: namespaceSelector: - description: NamespaceSelector follows standard label selector - semantics; if empty, it selects all Namespaces. + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: 
@@ -878,17 +1024,16 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -900,24 +1045,24 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic podSelector: - description: PodSelector is used to explicitly select pods - within a namespace; if empty, it selects all Pods. + description: |- + PodSelector is used to explicitly select pods within a namespace; if empty, + it selects all Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: 
@@ -925,17 +1070,16 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -947,11 +1091,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -969,42 +1112,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
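Review bot: the `conditions` item description in this hunk still carries the `---` separator and the whole `type FooStatus struct{ ... }` snippet, now as a double-quoted scalar full of literal `\n\t` escapes (presumably the tab-indented lines kept the generator from using a `|-` block), and the `type` description in the next hunk keeps its own `---` line. That text is inherited from `metav1.Condition` in k8s.io/apimachinery, not from this repo, so it should not be patched in the CRD; check whether a newer apimachinery dependency drops the separators and the struct example, and otherwise accept it as generated output. The `maxLength`, `minLength`, `minimum` and `pattern` constraints on `message`, `reason`, `observedGeneration` and `type` are unchanged, which is the part that matters for validation.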
@@ -1018,11 +1161,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/config/crd/standard/policy.networking.k8s.io_adminnetworkpolicies.yaml b/config/crd/standard/policy.networking.k8s.io_adminnetworkpolicies.yaml index 52ff35b9..4b5f0c5a 100644 --- a/config/crd/standard/policy.networking.k8s.io_adminnetworkpolicies.yaml +++ b/config/crd/standard/policy.networking.k8s.io_adminnetworkpolicies.yaml 
@@ -28,18 +28,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: AdminNetworkPolicy is a cluster level resource that is part - of the AdminNetworkPolicy API. + description: |- + AdminNetworkPolicy is a cluster level resource that is part of the + AdminNetworkPolicy API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -47,93 +53,128 @@ spec: description: Specification of the desired behavior of AdminNetworkPolicy. properties: egress: - description: "Egress is the list of Egress rules to be applied to - the selected pods. A total of 100 rules will be allowed in each - ANP instance. The relative precedence of egress rules within a single - ANP object (all of which share the priority) will be determined - by the order in which the rule is written. Thus, a rule that appears - at the top of the egress rules would take the highest precedence. - ANPs with no egress rules do not affect egress traffic. \n Support: - Core" + description: |- + Egress is the list of Egress rules to be applied to the selected pods. + A total of 100 rules will be allowed in each ANP instance. + The relative precedence of egress rules within a single ANP object (all of + which share the priority) will be determined by the order in which the rule + is written. Thus, a rule that appears at the top of the egress rules + would take the highest precedence. + ANPs with no egress rules do not affect egress traffic. + + + Support: Core items: - description: AdminNetworkPolicyEgressRule describes an action to - take on a particular set of traffic originating from pods selected - by a AdminNetworkPolicy's Subject field. + description: |- + AdminNetworkPolicyEgressRule describes an action to take on a particular + set of traffic originating from pods selected by a AdminNetworkPolicy's + Subject field. properties: action: - description: "Action specifies the effect this rule will have - on matching traffic. Currently the following actions are supported: - Allow: allows the selected traffic (even if it would otherwise - have been denied by NetworkPolicy) Deny: denies the selected - traffic Pass: instructs the selected traffic to skip any remaining - ANP rules, and then pass execution to any NetworkPolicies - that select the pod. 
If the pod is not selected by any NetworkPolicies - then execution is passed to any BaselineAdminNetworkPolicies - that select the pod. \n Support: Core" + description: |- + Action specifies the effect this rule will have on matching traffic. + Currently the following actions are supported: + Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy) + Deny: denies the selected traffic + Pass: instructs the selected traffic to skip any remaining ANP rules, and + then pass execution to any NetworkPolicies that select the pod. + If the pod is not selected by any NetworkPolicies then execution + is passed to any BaselineAdminNetworkPolicies that select the pod. + + + Support: Core type: string name: - description: "Name is an identifier for this rule, that may - be no more than 100 characters in length. This field should - be used by the implementation to help improve observability, - readability and error-reporting for any applied AdminNetworkPolicies. - \n Support: Core" + description: |- + Name is an identifier for this rule, that may be no more than 100 characters + in length. This field should be used by the implementation to help + improve observability, readability and error-reporting for any applied + AdminNetworkPolicies. + + + Support: Core maxLength: 100 type: string ports: - description: "Ports allows for matching traffic based on port - and protocols. This field is a list of destination ports for - the outgoing egress traffic. If Ports is not set then the - rule does not filter traffic via port. \n Support: Core" + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of destination ports for the outgoing egress traffic. + If Ports is not set then the rule does not filter traffic via port. + + + Support: Core items: - description: AdminNetworkPolicyPort describes how to select - network ports on pod(s). Exactly one field must be set. 
+ description: |- + AdminNetworkPolicyPort describes how to select network ports on pod(s). + Exactly one field must be set. maxProperties: 1 minProperties: 1 properties: portNumber: - description: "Port selects a port on a pod(s) based on - number. \n Support: Core" + description: |- + Port selects a port on a pod(s) based on number. + + + Support: Core properties: port: - description: "Number defines a network port value. - \n Support: Core" + description: |- + Number defines a network port value. + + + Support: Core format: int32 maximum: 65535 minimum: 1 type: integer protocol: default: TCP - description: "Protocol is the network protocol (TCP, - UDP, or SCTP) which traffic must match. If not specified, - this field defaults to TCP. \n Support: Core" + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core type: string required: - port - protocol type: object portRange: - description: "PortRange selects a port range on a pod(s) - based on provided start and end values. \n Support: - Core" + description: |- + PortRange selects a port range on a pod(s) based on provided start and end + values. + + + Support: Core properties: end: - description: "End defines a network port that is the - end of a port range, the End value must be greater - than Start. \n Support: Core" + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. + + + Support: Core format: int32 maximum: 65535 minimum: 1 type: integer protocol: default: TCP - description: "Protocol is the network protocol (TCP, - UDP, or SCTP) which traffic must match. If not specified, - this field defaults to TCP. \n Support: Core" + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. 
+ + + Support: Core type: string start: - description: "Start defines a network port that is - the start of a port range, the Start value must - be less than End. \n Support: Core" + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. + + + Support: Core format: int32 maximum: 65535 minimum: 1 
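Review bot: in this hunk the `action` description enumerates exactly three values (Allow, Deny, Pass) and both `protocol` descriptions enumerate TCP, UDP and SCTP, but the emitted schema for each is just `type: string`, with nothing between `description` and `type`, so a misspelled action or protocol passes API-server validation and is left to each implementation to reject. Not introduced by this regen, but since the peer types in the same API tell consumers to fail closed on unknown options, an `Enum` validation marker on the Go types (so controller-gen emits an `enum:` list here) would be a cheap follow-up. The `maxLength: 100` on `name` and the `maxItems: 100` on the rule lists already match what their descriptions promise, so this is the one visible place where prose and schema disagree.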
@@ -146,59 +187,66 @@ spec: maxItems: 100 type: array to: - description: "To is the List of destinations whose traffic this - rule applies to. If any AdminNetworkPolicyEgressPeer matches - the destination of outgoing traffic then the specified action - is applied. This field must be defined and contain at least - one item. \n Support: Core" + description: |- + To is the List of destinations whose traffic this rule applies to. + If any AdminNetworkPolicyEgressPeer matches the destination of outgoing + traffic then the specified action is applied. + This field must be defined and contain at least one item. + + + Support: Core items: - description: AdminNetworkPolicyEgressPeer defines a peer to - allow traffic to. Exactly one of the selector pointers must - be set for a given peer. If a consumer observes none of - its fields are set, they must assume an unknown option has - been specified and fail closed. + description: |- + AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. + Exactly one of the selector pointers must be set for a given peer. If a + consumer observes none of its fields are set, they must assume an unknown + option has been specified and fail closed. maxProperties: 1 minProperties: 1 properties: namespaces: - description: "Namespaces defines a way to select all pods - within a set of Namespaces. Note that host-networked - pods are not included in this type of peer. \n Support: - Core" + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + + + Support: Core maxProperties: 1 minProperties: 1 properties: namespaceSelector: - description: "NamespaceSelector is a labelSelector - used to select Namespaces, This field follows standard - label selector semantics; if present but empty, - it selects all Namespaces. 
\n Support: Core" + description: |- + NamespaceSelector is a labelSelector used to select Namespaces, This field + follows standard label selector semantics; if present but empty, it selects + all Namespaces. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is - a selector that contains values, a key, and - an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. This array - is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
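Review bot: the `AdminNetworkPolicyEgressPeer` description in this hunk still reads "defines a peer to allow traffic to", yet the enclosing rule's `action` can be Deny or Pass, so the wording undersells what the peer selects; "defines a peer this rule applies to" would match the `to` field's own text ("destinations whose traffic this rule applies to"). It comes from the Go doc comment, so fix it in the types file and regenerate rather than editing the CRD; the ingress counterpart ("an in-cluster peer to allow traffic from") in the ingress hunk below has the same problem.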
@@ -210,61 +258,64 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object pods: - description: "Pods defines a way to select a set of pods - in a set of namespaces. Note that host-networked pods - are not included in this type of peer. \n Support: Core" + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + + + Support: Core properties: namespaces: - description: "Namespaces is used to select a set of - Namespaces. \n Support: Core" + description: |- + Namespaces is used to select a set of Namespaces. + + + Support: Core maxProperties: 1 minProperties: 1 properties: namespaceSelector: - description: "NamespaceSelector is a labelSelector - used to select Namespaces, This field follows - standard label selector semantics; if present - but empty, it selects all Namespaces. \n Support: - Core" + description: |- + NamespaceSelector is a labelSelector used to select Namespaces, This field + follows standard label selector semantics; if present but empty, it selects + all Namespaces. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
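Review bot: the `pods` description in this hunk now renders as "Pods defines a way to select a set of pods in / a set of namespaces." with a break after "in", because the literal block preserves the Go comment's line wrapping verbatim where the old folded scalar hid it. Harmless to the schema, but since every `|-` block in this file now mirrors source wrapping, it is worth reflowing that comment in the Go types (the same text recurs under the ingress `pods` peer) so the generated docs read cleanly.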
@@ -277,47 +328,47 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object podSelector: - description: "PodSelector is a labelSelector used - to select Pods, This field is NOT optional, follows - standard label selector semantics and if present - but empty, it selects all Pods. \n Support: Core" + description: |- + PodSelector is a labelSelector used to select Pods, This field is NOT optional, + follows standard label selector semantics and if present but empty, it selects + all Pods. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is - a selector that contains values, a key, and - an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. This array - is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -329,12 +380,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -353,84 +402,98 @@ spec: maxItems: 100 type: array ingress: - description: "Ingress is the list of Ingress rules to be applied to - the selected pods. A total of 100 rules will be allowed in each - ANP instance. The relative precedence of ingress rules within a - single ANP object (all of which share the priority) will be determined - by the order in which the rule is written. Thus, a rule that appears - at the top of the ingress rules would take the highest precedence. - ANPs with no ingress rules do not affect ingress traffic. \n Support: - Core" + description: |- + Ingress is the list of Ingress rules to be applied to the selected pods. + A total of 100 rules will be allowed in each ANP instance. + The relative precedence of ingress rules within a single ANP object (all of + which share the priority) will be determined by the order in which the rule + is written. Thus, a rule that appears at the top of the ingress rules + would take the highest precedence. + ANPs with no ingress rules do not affect ingress traffic. + + + Support: Core items: - description: AdminNetworkPolicyIngressRule describes an action to - take on a particular set of traffic destined for pods selected - by an AdminNetworkPolicy's Subject field. + description: |- + AdminNetworkPolicyIngressRule describes an action to take on a particular + set of traffic destined for pods selected by an AdminNetworkPolicy's + Subject field. properties: action: - description: "Action specifies the effect this rule will have - on matching traffic. Currently the following actions are supported: - Allow: allows the selected traffic (even if it would otherwise - have been denied by NetworkPolicy) Deny: denies the selected - traffic Pass: instructs the selected traffic to skip any remaining - ANP rules, and then pass execution to any NetworkPolicies - that select the pod. If the pod is not selected by any NetworkPolicies - then execution is passed to any BaselineAdminNetworkPolicies - that select the pod. 
\n Support: Core" + description: |- + Action specifies the effect this rule will have on matching traffic. + Currently the following actions are supported: + Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy) + Deny: denies the selected traffic + Pass: instructs the selected traffic to skip any remaining ANP rules, and + then pass execution to any NetworkPolicies that select the pod. + If the pod is not selected by any NetworkPolicies then execution + is passed to any BaselineAdminNetworkPolicies that select the pod. + + + Support: Core type: string from: - description: "From is the list of sources whose traffic this - rule applies to. If any AdminNetworkPolicyIngressPeer matches - the source of incoming traffic then the specified action is - applied. This field must be defined and contain at least one - item. \n Support: Core" + description: |- + From is the list of sources whose traffic this rule applies to. + If any AdminNetworkPolicyIngressPeer matches the source of incoming + traffic then the specified action is applied. + This field must be defined and contain at least one item. + + + Support: Core items: - description: AdminNetworkPolicyIngressPeer defines an in-cluster - peer to allow traffic from. Exactly one of the selector - pointers must be set for a given peer. If a consumer observes - none of its fields are set, they must assume an unknown + description: |- + AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from. + Exactly one of the selector pointers must be set for a given peer. If a + consumer observes none of its fields are set, they must assume an unknown option has been specified and fail closed. maxProperties: 1 minProperties: 1 properties: namespaces: - description: "Namespaces defines a way to select all pods - within a set of Namespaces. Note that host-networked - pods are not included in this type of peer. 
\n Support: - Core" + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + + + Support: Core maxProperties: 1 minProperties: 1 properties: namespaceSelector: - description: "NamespaceSelector is a labelSelector - used to select Namespaces, This field follows standard - label selector semantics; if present but empty, - it selects all Namespaces. \n Support: Core" + description: |- + NamespaceSelector is a labelSelector used to select Namespaces, This field + follows standard label selector semantics; if present but empty, it selects + all Namespaces. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is - a selector that contains values, a key, and - an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. This array - is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. 
This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -442,61 +505,64 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object pods: - description: "Pods defines a way to select a set of pods - in a set of namespaces. Note that host-networked pods - are not included in this type of peer. \n Support: Core" + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + + + Support: Core properties: namespaces: - description: "Namespaces is used to select a set of - Namespaces. \n Support: Core" + description: |- + Namespaces is used to select a set of Namespaces. + + + Support: Core maxProperties: 1 minProperties: 1 properties: namespaceSelector: - description: "NamespaceSelector is a labelSelector - used to select Namespaces, This field follows - standard label selector semantics; if present - but empty, it selects all Namespaces. \n Support: - Core" + description: |- + NamespaceSelector is a labelSelector used to select Namespaces, This field + follows standard label selector semantics; if present but empty, it selects + all Namespaces. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -509,47 +575,47 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object podSelector: - description: "PodSelector is a labelSelector used - to select Pods, This field is NOT optional, follows - standard label selector semantics and if present - but empty, it selects all Pods. \n Support: Core" + description: |- + PodSelector is a labelSelector used to select Pods, This field is NOT optional, + follows standard label selector semantics and if present but empty, it selects + all Pods. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is - a selector that contains values, a key, and - an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. This array - is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -561,12 +627,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -579,70 +643,98 @@ spec: minItems: 1 type: array name: - description: "Name is an identifier for this rule, that may - be no more than 100 characters in length. This field should - be used by the implementation to help improve observability, - readability and error-reporting for any applied AdminNetworkPolicies. - \n Support: Core" + description: |- + Name is an identifier for this rule, that may be no more than 100 characters + in length. This field should be used by the implementation to help + improve observability, readability and error-reporting for any applied + AdminNetworkPolicies. + + + Support: Core maxLength: 100 type: string ports: - description: "Ports allows for matching traffic based on port - and protocols. This field is a list of ports which should - be matched on the pods selected for this policy i.e the subject - of the policy. So it matches on the destination port for the - ingress traffic. If Ports is not set then the rule does not - filter traffic via port. \n Support: Core" + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of ports which should be matched on + the pods selected for this policy i.e the subject of the policy. + So it matches on the destination port for the ingress traffic. + If Ports is not set then the rule does not filter traffic via port. + + + Support: Core items: - description: AdminNetworkPolicyPort describes how to select - network ports on pod(s). Exactly one field must be set. + description: |- + AdminNetworkPolicyPort describes how to select network ports on pod(s). + Exactly one field must be set. maxProperties: 1 minProperties: 1 properties: portNumber: - description: "Port selects a port on a pod(s) based on - number. \n Support: Core" + description: |- + Port selects a port on a pod(s) based on number. + + + Support: Core properties: port: - description: "Number defines a network port value. 
- \n Support: Core" + description: |- + Number defines a network port value. + + + Support: Core format: int32 maximum: 65535 minimum: 1 type: integer protocol: default: TCP - description: "Protocol is the network protocol (TCP, - UDP, or SCTP) which traffic must match. If not specified, - this field defaults to TCP. \n Support: Core" + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core type: string required: - port - protocol type: object portRange: - description: "PortRange selects a port range on a pod(s) - based on provided start and end values. \n Support: - Core" + description: |- + PortRange selects a port range on a pod(s) based on provided start and end + values. + + + Support: Core properties: end: - description: "End defines a network port that is the - end of a port range, the End value must be greater - than Start. \n Support: Core" + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. + + + Support: Core format: int32 maximum: 65535 minimum: 1 type: integer protocol: default: TCP - description: "Protocol is the network protocol (TCP, - UDP, or SCTP) which traffic must match. If not specified, - this field defaults to TCP. \n Support: Core" + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core type: string start: - description: "Start defines a network port that is - the start of a port range, the Start value must - be less than End. \n Support: Core" + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. + + + Support: Core format: int32 maximum: 65535 minimum: 1 
@@ -661,19 +753,25 @@ spec: maxItems: 100 type: array priority: - description: "Priority is a value from 0 to 1000. Rules with lower - priority values have higher precedence, and are checked before rules - with higher priority values. All AdminNetworkPolicy rules have higher - precedence than NetworkPolicy or BaselineAdminNetworkPolicy rules + description: |- + Priority is a value from 0 to 1000. Rules with lower priority values have + higher precedence, and are checked before rules with higher priority values. + All AdminNetworkPolicy rules have higher precedence than NetworkPolicy or + BaselineAdminNetworkPolicy rules The behavior is undefined if two ANP objects have same priority. - \n Support: Core" + + + Support: Core format: int32 maximum: 1000 minimum: 0 type: integer subject: - description: "Subject defines the pods to which this AdminNetworkPolicy - applies. \n Support: Core" + description: |- + Subject defines the pods to which this AdminNetworkPolicy applies. + + + Support: Core maxProperties: 1 minProperties: 1 properties: 
@@ -684,25 +782,25 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -714,11 +812,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -727,15 +824,16 @@ spec: selectors. properties: namespaceSelector: - description: NamespaceSelector follows standard label selector - semantics; if empty, it selects all Namespaces. + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: 
@@ -743,17 +841,16 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -765,24 +862,24 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic podSelector: - description: PodSelector is used to explicitly select pods - within a namespace; if empty, it selects all Pods. + description: |- + PodSelector is used to explicitly select pods within a namespace; if empty, + it selects all Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: 
@@ -790,17 +887,16 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -812,11 +908,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -835,42 +930,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -884,11 +979,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml b/config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml index e922809b..9b23189a 100644 --- a/config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml +++ b/config/crd/standard/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml 
@@ -25,18 +25,24 @@ spec: name: v1alpha1 schema: openAPIV3Schema: - description: BaselineAdminNetworkPolicy is a cluster level resource that is - part of the AdminNetworkPolicy API. + description: |- + BaselineAdminNetworkPolicy is a cluster level resource that is part of the + AdminNetworkPolicy API. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -44,88 +50,122 @@ spec: description: Specification of the desired behavior of BaselineAdminNetworkPolicy. properties: egress: - description: "Egress is the list of Egress rules to be applied to - the selected pods if they are not matched by any AdminNetworkPolicy - or NetworkPolicy rules. A total of 100 Egress rules will be allowed - in each BANP instance. The relative precedence of egress rules within - a single BANP object will be determined by the order in which the - rule is written. Thus, a rule that appears at the top of the egress - rules would take the highest precedence. BANPs with no egress rules - do not affect egress traffic. \n Support: Core" + description: |- + Egress is the list of Egress rules to be applied to the selected pods if + they are not matched by any AdminNetworkPolicy or NetworkPolicy rules. + A total of 100 Egress rules will be allowed in each BANP instance. + The relative precedence of egress rules within a single BANP object + will be determined by the order in which the rule is written. + Thus, a rule that appears at the top of the egress rules + would take the highest precedence. + BANPs with no egress rules do not affect egress traffic. + + + Support: Core items: - description: BaselineAdminNetworkPolicyEgressRule describes an action - to take on a particular set of traffic originating from pods selected - by a BaselineAdminNetworkPolicy's Subject field. + description: |- + BaselineAdminNetworkPolicyEgressRule describes an action to take on a particular + set of traffic originating from pods selected by a BaselineAdminNetworkPolicy's + Subject field. properties: action: - description: "Action specifies the effect this rule will have - on matching traffic. Currently the following actions are supported: - Allow: allows the selected traffic Deny: denies the selected - traffic \n Support: Core" + description: |- + Action specifies the effect this rule will have on matching traffic. 
+ Currently the following actions are supported: + Allow: allows the selected traffic + Deny: denies the selected traffic + + + Support: Core type: string name: - description: "Name is an identifier for this rule, that may - be no more than 100 characters in length. This field should - be used by the implementation to help improve observability, - readability and error-reporting for any applied BaselineAdminNetworkPolicies. - \n Support: Core" + description: |- + Name is an identifier for this rule, that may be no more than 100 characters + in length. This field should be used by the implementation to help + improve observability, readability and error-reporting for any applied + BaselineAdminNetworkPolicies. + + + Support: Core maxLength: 100 type: string ports: - description: Ports allows for matching traffic based on port - and protocols. This field is a list of destination ports for - the outging egress traffic. If Ports is not set then the rule - does not filter traffic via port. + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of destination ports for the outging egress traffic. + If Ports is not set then the rule does not filter traffic via port. items: - description: AdminNetworkPolicyPort describes how to select - network ports on pod(s). Exactly one field must be set. + description: |- + AdminNetworkPolicyPort describes how to select network ports on pod(s). + Exactly one field must be set. maxProperties: 1 minProperties: 1 properties: portNumber: - description: "Port selects a port on a pod(s) based on - number. \n Support: Core" + description: |- + Port selects a port on a pod(s) based on number. + + + Support: Core properties: port: - description: "Number defines a network port value. - \n Support: Core" + description: |- + Number defines a network port value. 
+ + + Support: Core format: int32 maximum: 65535 minimum: 1 type: integer protocol: default: TCP - description: "Protocol is the network protocol (TCP, - UDP, or SCTP) which traffic must match. If not specified, - this field defaults to TCP. \n Support: Core" + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core type: string required: - port - protocol type: object portRange: - description: "PortRange selects a port range on a pod(s) - based on provided start and end values. \n Support: - Core" + description: |- + PortRange selects a port range on a pod(s) based on provided start and end + values. + + + Support: Core properties: end: - description: "End defines a network port that is the - end of a port range, the End value must be greater - than Start. \n Support: Core" + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. + + + Support: Core format: int32 maximum: 65535 minimum: 1 type: integer protocol: default: TCP - description: "Protocol is the network protocol (TCP, - UDP, or SCTP) which traffic must match. If not specified, - this field defaults to TCP. \n Support: Core" + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core type: string start: - description: "Start defines a network port that is - the start of a port range, the Start value must - be less than End. \n Support: Core" + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. + + + Support: Core format: int32 maximum: 65535 minimum: 1 
@@ -138,59 +178,66 @@ spec: maxItems: 100 type: array to: - description: "To is the list of destinations whose traffic this - rule applies to. If any AdminNetworkPolicyEgressPeer matches - the destination of outgoing traffic then the specified action - is applied. This field must be defined and contain at least - one item. \n Support: Core" + description: |- + To is the list of destinations whose traffic this rule applies to. + If any AdminNetworkPolicyEgressPeer matches the destination of outgoing + traffic then the specified action is applied. + This field must be defined and contain at least one item. + + + Support: Core items: - description: AdminNetworkPolicyEgressPeer defines a peer to - allow traffic to. Exactly one of the selector pointers must - be set for a given peer. If a consumer observes none of - its fields are set, they must assume an unknown option has - been specified and fail closed. + description: |- + AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. + Exactly one of the selector pointers must be set for a given peer. If a + consumer observes none of its fields are set, they must assume an unknown + option has been specified and fail closed. maxProperties: 1 minProperties: 1 properties: namespaces: - description: "Namespaces defines a way to select all pods - within a set of Namespaces. Note that host-networked - pods are not included in this type of peer. \n Support: - Core" + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + + + Support: Core maxProperties: 1 minProperties: 1 properties: namespaceSelector: - description: "NamespaceSelector is a labelSelector - used to select Namespaces, This field follows standard - label selector semantics; if present but empty, - it selects all Namespaces. 
\n Support: Core" + description: |- + NamespaceSelector is a labelSelector used to select Namespaces, This field + follows standard label selector semantics; if present but empty, it selects + all Namespaces. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is - a selector that contains values, a key, and - an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. This array - is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -202,61 +249,64 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object pods: - description: "Pods defines a way to select a set of pods - in a set of namespaces. Note that host-networked pods - are not included in this type of peer. \n Support: Core" + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + + + Support: Core properties: namespaces: - description: "Namespaces is used to select a set of - Namespaces. \n Support: Core" + description: |- + Namespaces is used to select a set of Namespaces. + + + Support: Core maxProperties: 1 minProperties: 1 properties: namespaceSelector: - description: "NamespaceSelector is a labelSelector - used to select Namespaces, This field follows - standard label selector semantics; if present - but empty, it selects all Namespaces. \n Support: - Core" + description: |- + NamespaceSelector is a labelSelector used to select Namespaces, This field + follows standard label selector semantics; if present but empty, it selects + all Namespaces. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -269,47 +319,47 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object podSelector: - description: "PodSelector is a labelSelector used - to select Pods, This field is NOT optional, follows - standard label selector semantics and if present - but empty, it selects all Pods. \n Support: Core" + description: |- + PodSelector is a labelSelector used to select Pods, This field is NOT optional, + follows standard label selector semantics and if present but empty, it selects + all Pods. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is - a selector that contains values, a key, and - an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. This array - is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -321,12 +371,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -345,79 +393,95 @@ spec: maxItems: 100 type: array ingress: - description: "Ingress is the list of Ingress rules to be applied to - the selected pods if they are not matched by any AdminNetworkPolicy - or NetworkPolicy rules. A total of 100 Ingress rules will be allowed - in each BANP instance. The relative precedence of ingress rules - within a single BANP object will be determined by the order in which - the rule is written. Thus, a rule that appears at the top of the - ingress rules would take the highest precedence. BANPs with no ingress - rules do not affect ingress traffic. \n Support: Core" + description: |- + Ingress is the list of Ingress rules to be applied to the selected pods + if they are not matched by any AdminNetworkPolicy or NetworkPolicy rules. + A total of 100 Ingress rules will be allowed in each BANP instance. + The relative precedence of ingress rules within a single BANP object + will be determined by the order in which the rule is written. + Thus, a rule that appears at the top of the ingress rules + would take the highest precedence. + BANPs with no ingress rules do not affect ingress traffic. + + + Support: Core items: - description: BaselineAdminNetworkPolicyIngressRule describes an - action to take on a particular set of traffic destined for pods - selected by a BaselineAdminNetworkPolicy's Subject field. + description: |- + BaselineAdminNetworkPolicyIngressRule describes an action to take on a particular + set of traffic destined for pods selected by a BaselineAdminNetworkPolicy's + Subject field. properties: action: - description: "Action specifies the effect this rule will have - on matching traffic. Currently the following actions are supported: - Allow: allows the selected traffic Deny: denies the selected - traffic \n Support: Core" + description: |- + Action specifies the effect this rule will have on matching traffic. 
+ Currently the following actions are supported: + Allow: allows the selected traffic + Deny: denies the selected traffic + + + Support: Core type: string from: - description: "From is the list of sources whose traffic this - rule applies to. If any AdminNetworkPolicyIngressPeer matches - the source of incoming traffic then the specified action is - applied. This field must be defined and contain at least one - item. \n Support: Core" + description: |- + From is the list of sources whose traffic this rule applies to. + If any AdminNetworkPolicyIngressPeer matches the source of incoming + traffic then the specified action is applied. + This field must be defined and contain at least one item. + + + Support: Core items: - description: AdminNetworkPolicyIngressPeer defines an in-cluster - peer to allow traffic from. Exactly one of the selector - pointers must be set for a given peer. If a consumer observes - none of its fields are set, they must assume an unknown + description: |- + AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from. + Exactly one of the selector pointers must be set for a given peer. If a + consumer observes none of its fields are set, they must assume an unknown option has been specified and fail closed. maxProperties: 1 minProperties: 1 properties: namespaces: - description: "Namespaces defines a way to select all pods - within a set of Namespaces. Note that host-networked - pods are not included in this type of peer. \n Support: - Core" + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + + + Support: Core maxProperties: 1 minProperties: 1 properties: namespaceSelector: - description: "NamespaceSelector is a labelSelector - used to select Namespaces, This field follows standard - label selector semantics; if present but empty, - it selects all Namespaces. 
\n Support: Core" + description: |- + NamespaceSelector is a labelSelector used to select Namespaces, This field + follows standard label selector semantics; if present but empty, it selects + all Namespaces. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is - a selector that contains values, a key, and - an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. This array - is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -429,61 +493,64 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object pods: - description: "Pods defines a way to select a set of pods - in a set of namespaces. Note that host-networked pods - are not included in this type of peer. \n Support: Core" + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + + + Support: Core properties: namespaces: - description: "Namespaces is used to select a set of - Namespaces. \n Support: Core" + description: |- + Namespaces is used to select a set of Namespaces. + + + Support: Core maxProperties: 1 minProperties: 1 properties: namespaceSelector: - description: "NamespaceSelector is a labelSelector - used to select Namespaces, This field follows - standard label selector semantics; if present - but empty, it selects all Namespaces. \n Support: - Core" + description: |- + NamespaceSelector is a labelSelector used to select Namespaces, This field + follows standard label selector semantics; if present but empty, it selects + all Namespaces. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. 
items: - description: A label selector requirement - is a selector that contains values, a - key, and an operator that relates the - key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and - DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. - If the operator is Exists or DoesNotExist, - the values array must be empty. This - array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -496,47 +563,47 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is - "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic type: object podSelector: - description: "PodSelector is a labelSelector used - to select Pods, This field is NOT optional, follows - standard label selector semantics and if present - but empty, it selects all Pods. \n Support: Core" + description: |- + PodSelector is a labelSelector used to select Pods, This field is NOT optional, + follows standard label selector semantics and if present but empty, it selects + all Pods. + + + Support: Core properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is - a selector that contains values, a key, and - an operator that relates the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's - relationship to a set of values. Valid - operators are In, NotIn, Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. 
type: string values: - description: values is an array of string - values. If the operator is In or NotIn, - the values array must be non-empty. If - the operator is Exists or DoesNotExist, - the values array must be empty. This array - is replaced during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -548,12 +615,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} - pairs. A single {key,value} in the matchLabels - map is equivalent to an element of matchExpressions, - whose key field is "key", the operator is "In", - and the values array contains only "value". - The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -566,70 +631,98 @@ spec: minItems: 1 type: array name: - description: "Name is an identifier for this rule, that may - be no more than 100 characters in length. This field should - be used by the implementation to help improve observability, - readability and error-reporting for any applied BaselineAdminNetworkPolicies. - \n Support: Core" + description: |- + Name is an identifier for this rule, that may be no more than 100 characters + in length. This field should be used by the implementation to help + improve observability, readability and error-reporting for any applied + BaselineAdminNetworkPolicies. + + + Support: Core maxLength: 100 type: string ports: - description: "Ports allows for matching traffic based on port - and protocols. This field is a list of ports which should - be matched on the pods selected for this policy i.e the subject - of the policy. So it matches on the destination port for the - ingress traffic. If Ports is not set then the rule does not - filter traffic via port. \n Support: Core" + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of ports which should be matched on + the pods selected for this policy i.e the subject of the policy. + So it matches on the destination port for the ingress traffic. + If Ports is not set then the rule does not filter traffic via port. + + + Support: Core items: - description: AdminNetworkPolicyPort describes how to select - network ports on pod(s). Exactly one field must be set. + description: |- + AdminNetworkPolicyPort describes how to select network ports on pod(s). + Exactly one field must be set. maxProperties: 1 minProperties: 1 properties: portNumber: - description: "Port selects a port on a pod(s) based on - number. \n Support: Core" + description: |- + Port selects a port on a pod(s) based on number. + + + Support: Core properties: port: - description: "Number defines a network port value. 
- \n Support: Core" + description: |- + Number defines a network port value. + + + Support: Core format: int32 maximum: 65535 minimum: 1 type: integer protocol: default: TCP - description: "Protocol is the network protocol (TCP, - UDP, or SCTP) which traffic must match. If not specified, - this field defaults to TCP. \n Support: Core" + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core type: string required: - port - protocol type: object portRange: - description: "PortRange selects a port range on a pod(s) - based on provided start and end values. \n Support: - Core" + description: |- + PortRange selects a port range on a pod(s) based on provided start and end + values. + + + Support: Core properties: end: - description: "End defines a network port that is the - end of a port range, the End value must be greater - than Start. \n Support: Core" + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. + + + Support: Core format: int32 maximum: 65535 minimum: 1 type: integer protocol: default: TCP - description: "Protocol is the network protocol (TCP, - UDP, or SCTP) which traffic must match. If not specified, - this field defaults to TCP. \n Support: Core" + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core type: string start: - description: "Start defines a network port that is - the start of a port range, the Start value must - be less than End. \n Support: Core" + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. + + + Support: Core format: int32 maximum: 65535 minimum: 1 
@@ -648,8 +741,11 @@ spec: maxItems: 100 type: array subject: - description: "Subject defines the pods to which this BaselineAdminNetworkPolicy - applies. \n Support: Core" + description: |- + Subject defines the pods to which this BaselineAdminNetworkPolicy applies. + + + Support: Core maxProperties: 1 minProperties: 1 properties: @@ -660,25 +756,25 @@ spec: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that relates - the key and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If - the operator is In or NotIn, the values array must - be non-empty. If the operator is Exists or DoesNotExist, - the values array must be empty. This array is replaced - during a strategic merge patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -690,11 +786,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A - single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is "key", - the operator is "In", and the values array contains only - "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic @@ -703,15 +798,16 @@ spec: selectors. properties: namespaceSelector: - description: NamespaceSelector follows standard label selector - semantics; if empty, it selects all Namespaces. + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: 
@@ -719,17 +815,16 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array 
@@ -741,24 +836,24 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic podSelector: - description: PodSelector is used to explicitly select pods - within a namespace; if empty, it selects all Pods. + description: |- + PodSelector is used to explicitly select pods within a namespace; if empty, + it selects all Pods. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector - that contains values, a key, and an operator that + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. properties: key: 
@@ -766,17 +861,16 @@ spec: applies to. type: string operator: - description: operator represents a key's relationship - to a set of values. Valid operators are In, NotIn, - Exists and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. - If the operator is In or NotIn, the values array - must be non-empty. If the operator is Exists or - DoesNotExist, the values array must be empty. - This array is replaced during a strategic merge - patch. + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. items: type: string type: array @@ -788,11 +882,10 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. - A single {key,value} in the matchLabels map is equivalent - to an element of matchExpressions, whose key field is - "key", the operator is "In", and the values array contains - only "value". The requirements are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic 
@@ -810,42 +903,42 @@ spec: conditions: items: description: "Condition contains details for one aspect of the current - state of this API Resource. --- This struct is intended for direct - use as an array at the field path .status.conditions. For example, - \n type FooStatus struct{ // Represents the observations of a - foo's current state. // Known .status.conditions.type are: \"Available\", - \"Progressing\", and \"Degraded\" // +patchMergeKey=type // +patchStrategy=merge - // +listType=map // +listMapKey=type Conditions []metav1.Condition - `json:\"conditions,omitempty\" patchStrategy:\"merge\" patchMergeKey:\"type\" - protobuf:\"bytes,1,rep,name=conditions\"` \n // other fields }" + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: - description: lastTransitionTime is the last time the condition - transitioned from one status to another. This should be when - the underlying condition changed. If that is not known, then - using the time when the API field changed is acceptable. + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. format: date-time type: string message: - description: message is a human readable message indicating - details about the transition. 
This may be an empty string. + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. maxLength: 32768 type: string observedGeneration: - description: observedGeneration represents the .metadata.generation - that the condition was set based upon. For instance, if .metadata.generation - is currently 12, but the .status.conditions[x].observedGeneration - is 9, the condition is out of date with respect to the current - state of the instance. + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. format: int64 minimum: 0 type: integer reason: - description: reason contains a programmatic identifier indicating - the reason for the condition's last transition. Producers - of specific condition types may define expected values and - meanings for this field, and whether the values are considered - a guaranteed API. The value should be a CamelCase string. + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. This field may not be empty. maxLength: 1024 minLength: 1 
@@ -859,11 +952,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. - --- Many .condition.type values are consistent across resources - like Available, but because arbitrary conditions can be useful - (see .node.status.conditions), the ability to deconflict is - important. The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/go.mod b/go.mod index 906124e7..32edc52a 100644 --- a/go.mod +++ b/go.mod 
@@ -1,27 +1,27 @@ module sigs.k8s.io/network-policy-api -go 1.20 +go 1.21 require ( github.com/ahmetb/gen-crd-api-reference-docs v0.3.0 - github.com/stretchr/testify v1.8.2 - k8s.io/api v0.28.1 - k8s.io/apiextensions-apiserver v0.28.0 - k8s.io/apimachinery v0.28.2 - k8s.io/client-go v0.28.1 - k8s.io/code-generator v0.28.0 - sigs.k8s.io/controller-runtime v0.14.6 - sigs.k8s.io/controller-tools v0.13.0 - sigs.k8s.io/yaml v1.3.0 + github.com/stretchr/testify v1.8.4 + k8s.io/api v0.29.2 + k8s.io/apiextensions-apiserver v0.29.2 + k8s.io/apimachinery v0.29.2 + k8s.io/client-go v0.29.2 + k8s.io/code-generator v0.29.2 + sigs.k8s.io/controller-runtime v0.17.0 + sigs.k8s.io/controller-tools v0.14.0 + sigs.k8s.io/yaml v1.4.0 ) require ( github.com/davecgh/go-spew v1.1.1 // indirect - github.com/emicklei/go-restful/v3 v3.9.0 // indirect + github.com/emicklei/go-restful/v3 v3.11.0 // indirect github.com/evanphx/json-patch v5.6.0+incompatible // indirect - github.com/evanphx/json-patch/v5 v5.6.0 // indirect - github.com/fatih/color v1.15.0 // indirect - github.com/go-logr/logr v1.2.4 // indirect + github.com/evanphx/json-patch/v5 v5.8.0 // indirect + github.com/fatih/color v1.16.0 // indirect + github.com/go-logr/logr v1.4.1 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect github.com/go-openapi/jsonreference v0.20.2 // indirect github.com/go-openapi/swag v0.22.3 // indirect 
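Review bot: the `go 1.20` to `go 1.21` bump is not just a language-version change: Go 1.21 and later toolchains treat the `go` line as the minimum required toolchain, so every builder needs at least 1.21 (netlify.toml pins GO_VERSION to 1.21.4, but the other entry points such as the `go install` in hack/crd-e2e.sh run under whatever Go the CI image ships and should be checked for the same floor). Given the size of this refresh (k8s.io/* 0.28.x to 0.29.2, controller-runtime v0.14.6 to v0.17.0, controller-tools v0.13.0 to v0.14.0), please run `govulncheck ./...` on the result and record the outcome in the PR description, since the indirect block below picks up new transitive modules that nobody in this repo reviews individually.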
@@ -29,43 +29,45 @@ require ( github.com/gogo/protobuf v1.3.2 // indirect github.com/golang/protobuf v1.5.3 // indirect github.com/google/gnostic-models v0.6.8 // indirect - github.com/google/go-cmp v0.5.9 // indirect + github.com/google/go-cmp v0.6.0 // indirect github.com/google/gofuzz v1.2.0 // indirect github.com/google/uuid v1.3.0 // indirect + github.com/gorilla/websocket v1.5.0 // indirect github.com/imdario/mergo v0.3.6 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/json-iterator/go v1.1.12 // indirect github.com/mailru/easyjson v0.7.7 // indirect github.com/mattn/go-colorable v0.1.13 // indirect - github.com/mattn/go-isatty v0.0.17 // indirect + github.com/mattn/go-isatty v0.0.20 // indirect github.com/moby/spdystream v0.2.0 // indirect github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect github.com/modern-go/reflect2 v1.0.2 // indirect github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect + github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f // indirect github.com/pkg/errors v0.9.1 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/russross/blackfriday/v2 v2.1.0 // indirect - github.com/spf13/cobra v1.7.0 // indirect + github.com/spf13/cobra v1.8.0 // indirect github.com/spf13/pflag v1.0.5 // indirect golang.org/x/mod v0.14.0 // indirect golang.org/x/net v0.20.0 // indirect - golang.org/x/oauth2 v0.8.0 // indirect + golang.org/x/oauth2 v0.12.0 // indirect golang.org/x/sys v0.16.0 // indirect golang.org/x/term v0.16.0 // indirect golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/tools v0.17.0 // indirect google.golang.org/appengine v1.6.7 // indirect - google.golang.org/protobuf v1.30.0 // indirect + google.golang.org/protobuf v1.31.0 // indirect gopkg.in/inf.v0 v0.9.1 // indirect gopkg.in/yaml.v2 v2.4.0 // indirect gopkg.in/yaml.v3 v3.0.1 // indirect - 
k8s.io/gengo v0.0.0-20220902162205-c0856e24416d // indirect + k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01 // indirect k8s.io/klog v0.2.0 // indirect - k8s.io/klog/v2 v2.100.1 // indirect - k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 // indirect - k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 // indirect + k8s.io/klog/v2 v2.110.1 // indirect + k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 // indirect + k8s.io/utils v0.0.0-20230726121419-3b25d923346b // indirect sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect - sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect + sigs.k8s.io/structured-merge-diff/v4 v4.4.1 // indirect ) diff --git a/go.sum b/go.sum index 4ea2a3a6..c0458192 100644 --- a/go.sum +++ b/go.sum 
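Review bot: two new indirect modules land here, `github.com/gorilla/websocket v1.5.0` and `github.com/mxk/go-flowrate`, which appear to arrive via the websocket streaming support in the k8s.io/apimachinery and client-go v0.29 line; this repo's only runtime client is the generated informer set, so they are dead weight but harmless as `// indirect`. Please confirm the import path with `go mod why -m github.com/gorilla/websocket` and mention it in the PR description, so the next person does not wonder why a websocket library is in a policy API module. Separately, `github.com/imdario/mergo v0.3.6` (a 2018 release) and `github.com/google/uuid v1.3.0` survive the refresh untouched because `go mod tidy` keeps the minimum version the graph selects; if the intent is a full freshen, bump them explicitly, otherwise it is worth a one-line note that they were left alone on purpose.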
@@ -1,27 +1,28 @@ github.com/ahmetb/gen-crd-api-reference-docs v0.3.0 h1:+XfOU14S4bGuwyvCijJwhhBIjYN+YXS18jrCY2EzJaY= github.com/ahmetb/gen-crd-api-reference-docs v0.3.0/go.mod h1:TdjdkYhlOifCQWPs1UdTma97kQQMozf5h26hTuG70u8= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= -github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM= -github.com/cespare/xxhash/v2 v2.2.0 h1:DC2CZ1Ep5Y4k3ZQ899DldepgrayRUGE6BBZ/cd9Cj44= -github.com/cpuguy83/go-md2man/v2 v2.0.2/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= +github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46tRHOmNcaadrF8o= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/emicklei/go-restful/v3 v3.9.0 h1:XwGDlfxEnQZzuopoqxwSEllNcCOM9DhhFyhFIIGKwxE= -github.com/emicklei/go-restful/v3 v3.9.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= +github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= +github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/evanphx/json-patch v5.6.0+incompatible h1:jBYDEEiFBPxA0v50tFdvOzQQTCvpL6mnFh5mB2/l16U= github.com/evanphx/json-patch v5.6.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= -github.com/evanphx/json-patch/v5 v5.6.0 h1:b91NhWfaz02IuVxO9faSllyAtNXHMPkC5J8sJCLunww= -github.com/evanphx/json-patch/v5 v5.6.0/go.mod h1:G79N1coSVB93tBe7j6PhzjmR3/2VvlbKOFpnXhI9Bw4= -github.com/fatih/color v1.15.0 h1:kOqh6YHBtK8aywxGerMG2Eq3H6Qgoqeo13Bk2Mv/nBs= 
-github.com/fatih/color v1.15.0/go.mod h1:0h5ZqXfHYED7Bhv2ZJamyIOUej9KtShiJESRwBDUSsw= -github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= +github.com/evanphx/json-patch/v5 v5.8.0 h1:lRj6N9Nci7MvzrXuX6HFzU8XjmhPiXPlsKEy1u0KQro= +github.com/evanphx/json-patch/v5 v5.8.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ= +github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM= +github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE= +github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= +github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyTJwOpGvigM= github.com/go-logr/logr v0.2.0/go.mod h1:z6/tIYblkpsD+a4lm/fGIIU9mZ+XfAiaFtq7xTgseGU= -github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ= -github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A= -github.com/go-logr/zapr v1.2.3 h1:a9vnzlIBPQBBkeaR9IuMUfmVOrQlkoC4YfPoFkX3T7A= +github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ= +github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY= +github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ= +github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg= github.com/go-openapi/jsonpointer v0.19.6 h1:eCs3fxoIi3Wh6vtgmLTOjdhSpiqphQ+DaPn38N2ZdrE= github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs= github.com/go-openapi/jsonreference v0.20.2 h1:3sVjiK66+uXK/6oQ8xgcRKcFgQ5KXa2KvnJRumpMGbE= 
@@ -29,6 +30,7 @@ github.com/go-openapi/jsonreference v0.20.2/go.mod h1:Bl1zwGIM8/wsvqjsOQLJ/SH+En github.com/go-openapi/swag v0.22.3 h1:yMBqmnQ0gyZvEb/+KzuWZOXgllrXT4SADYbvDaXHv/g= github.com/go-openapi/swag v0.22.3/go.mod h1:UzaqsxGiab7freDnrUUra0MwWfN/q7tE4j+VcZ0yl14= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/gobuffalo/flect v1.0.2 h1:eqjPGSo2WmjgY2XlpGwo2NXgL3RucAKo4k4qQMNA5sA= github.com/gobuffalo/flect v1.0.2/go.mod h1:A5msMlrHtLqh9umBSnvabjsMrCcCpAyzglnDvkbYKHs= github.com/gogo/protobuf v1.3.2 h1:Ov1cvc58UF3b5XjBnZv7+opcTcQFZebYjWzi34vdm4Q= 
@@ -41,21 +43,24 @@ github.com/google/gnostic-models v0.6.8 h1:yo/ABAfM5IMRsS1VnXjTBvUb61tFIHozhlYvR github.com/google/gnostic-models v0.6.8/go.mod h1:5n7qKqH0f5wFt+aWF8CW6pZLLNOfYuF5OpfBSENuI8U= github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= -github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38= github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= +github.com/google/go-cmp v0.6.0 h1:ofyhxvXcZhMsU5ulbFiLKl/XBFqE1GSq7atu8tAmTRI= +github.com/google/go-cmp v0.6.0/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY= github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/gofuzz v1.2.0 h1:xRy4A+RhZaiKjJ1bPfwQ8sedCA+YS2YcCHW6ec7JMi0= github.com/google/gofuzz v1.2.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/uuid v1.3.0 h1:t6JiXgmwXMjEs8VusXIJk2BXHsn+wx8BZdTaoZ5fu7I= github.com/google/uuid v1.3.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/gorilla/websocket v1.4.2/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= +github.com/gorilla/websocket v1.5.0 h1:PPwGk2jz7EePpoHN/+ClbZu8SPxiqlu12wZP/3sWmnc= +github.com/gorilla/websocket v1.5.0/go.mod h1:YR8l580nyteQvAITg2hZ9XVh4b55+EU/adAjf1fMHhE= github.com/imdario/mergo v0.3.6 h1:xTNEAn+kxVO7dTZGu0CegyqKZmoWFI0rF8UxjlB2d28= github.com/imdario/mergo v0.3.6/go.mod h1:2EnlNZ0deacrJVfApfmtdGgDfMuh/nq6Ok1EcJh5FfA= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap 
v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= -github.com/jessevdk/go-flags v1.4.0/go.mod h1:4FA24M0QyGHXBuZZK/XkWh8h0e1EYbRYJSGM75WSRxI= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= github.com/josharian/intern v1.0.0/go.mod h1:5DoeVV0s6jJacbCEi61lwdGj/aVlrQvzHFFd8Hwg//Y= github.com/json-iterator/go v1.1.12 h1:PV8peI4a0ysnczrg+LtxykD8LfKY9ML6u2jnxaEnrnM= @@ -65,6 +70,7 @@ github.com/kisielk/gotool v1.0.0/go.mod h1:XhKaO+MFFWcvkIS/tQcRk01m1F5IRFswLeQ+o github.com/kr/pretty v0.2.0/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= 
@@ -74,9 +80,8 @@ github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJ github.com/mattn/go-colorable v0.1.13 h1:fFA4WZxdEF4tXPZVKMLwD8oUnCTTo08duU7wxecdEvA= github.com/mattn/go-colorable v0.1.13/go.mod h1:7S9/ev0klgBDR4GtXTXX8a3vIGJpMovkB8vQcUbaXHg= github.com/mattn/go-isatty v0.0.16/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= -github.com/mattn/go-isatty v0.0.17 h1:BTarxUcIeDqL27Mc+vyvdWYSL28zpIhv3RoTdsLMPng= -github.com/mattn/go-isatty v0.0.17/go.mod h1:kYGgaQfpe5nmfYZH+SKPsOc2e4SrIfOl2e/yFXSvRLM= -github.com/matttproud/golang_protobuf_extensions v1.0.4 h1:mmDVorXM7PCGKw94cs5zkfA9PSy5pEvNWRP0ET0TIVo= +github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= +github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8= github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= 
@@ -86,26 +91,29 @@ github.com/modern-go/reflect2 v1.0.2 h1:xBagoLtFs94CBntxluKeaWgTMpvLxC4ur3nMaC9G github.com/modern-go/reflect2 v1.0.2/go.mod h1:yWuevngMOJpCy52FWWMvUC8ws7m/LJsjYzDa0/r8luk= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA= github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f h1:y5//uYreIhSUg3J1GEMiLbxo1LJaP8RfCpH6pymGZus= +github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw= github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= +github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= -github.com/onsi/ginkgo/v2 v2.9.4 h1:xR7vG4IXt5RWx6FfIjyAtsoMAtnc3C/rFXBBd2AjZwE= -github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= +github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= +github.com/onsi/ginkgo/v2 v2.14.0 h1:vSmGj2Z5YPb9JwCWT6z6ihcUvDhuXLc3sJiqd3jMKAY= +github.com/onsi/ginkgo/v2 v2.14.0/go.mod h1:JkUdW7JkN0V6rFvsHcJ478egV3XH9NxpD27Hal/PhZw= +github.com/onsi/gomega v1.30.0 h1:hvMK7xYz4D3HapigLTeGdId/NcfQx1VHMJc60ew99+8= +github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/prometheus/client_golang v1.16.0 h1:yk/hx9hDbrGHovbci4BY+pRMfSuuat626eFsHb7tmT8= 
-github.com/prometheus/client_model v0.4.0 h1:5lQXD3cAg1OXBf4Wq03gTrXHeaV0TQvGfUooCfx1yqY= -github.com/prometheus/common v0.44.0 h1:+5BrQJwiBB9xsMygAB3TNvpQKOwlkc25LbISbrdOOfY= -github.com/prometheus/procfs v0.10.1 h1:kYK1Va/YMlutzCGazswoHKo//tZVlFpKYh+PymziUAg= github.com/rogpeppe/go-internal v1.10.0 h1:TMyTOH3F/DB16zRVcYyreMH6GnZZrwQVAoYjRBZyWFQ= +github.com/rogpeppe/go-internal v1.10.0/go.mod h1:UQnix2H7Ngw/k4C5ijL5+65zddjncjaFoBhdsK/akog= github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/russross/blackfriday/v2 v2.1.0 h1:JIOH55/0cWyOuilr9/qlrm0BSXldqnqwMsf35Ld67mk= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= -github.com/spf13/cobra v1.7.0 h1:hyqWnYt1ZQShIddO5kBpj3vu05/++x6tJ6dg8EC572I= -github.com/spf13/cobra v1.7.0/go.mod h1:uLxZILRyS/50WlhOIKD7W6V5bgeIt+4sICxh6uRMrb0= +github.com/spf13/cobra v1.8.0 h1:7aJaZx1B85qltLMc546zn58BxxfZdR/W22ej9CFoEf0= +github.com/spf13/cobra v1.8.0/go.mod h1:WXLWApfZ71AjXPya3WOlMsY9yMs7YeiHhFVlvLyhcho= github.com/spf13/pflag v1.0.5 h1:iy+VFUOCP1a+8yFto/drg2CJ5u0yRoB7fZw3DKv/JXA= github.com/spf13/pflag v1.0.5/go.mod h1:McXfInJRrz4CZXVZOBLb0bTZqETkiAhM9Iw0y3An2Bg= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= 
@@ -115,16 +123,19 @@ github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UV github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU= github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= -github.com/stretchr/testify v1.8.2 h1:+h33VjcLVPDHtOdpUCuF+7gSuG3yGIftsP1YvFihtJ8= -github.com/stretchr/testify v1.8.2/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4= +github.com/stretchr/testify v1.8.4 h1:CcVxjf3Q8PM0mHUKJCdn+eZZtm5yQwehR5yeSVQQcUk= +github.com/stretchr/testify v1.8.4/go.mod h1:sz/lmYIOXD/1dqDmKjjqLyZ2RngseejIcXlSw2iwfAo= github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= -go.uber.org/atomic v1.10.0 h1:9qC72Qh0+3MqyJbAn8YU5xVq1frD8bn3JtD2oXtafVQ= go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0= -go.uber.org/zap v1.24.0 h1:FiJd5l1UOLj0wCgbSE0rwwXHzEdAZS6hiiSnxJN/D60= +go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y= +go.uber.org/zap v1.26.0 h1:sI7k6L95XOKS281NhVKOFCUNIvv9e0w4BF8N3u+tCRo= +go.uber.org/zap v1.26.0/go.mod h1:dtElttAiwGvoJ/vj4IwHBS/gXsEu/pZ50mUIRWuG0so= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI= golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= +golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e h1:+WEEuIdZHnUeJJmEUjyYC2gfUMj69yZXw17EnHg/otA= +golang.org/x/exp v0.0.0-20220722155223-a9213eeb770e/go.mod h1:Kr81I6Kryrl9sr8s2FK3vxD90NdsKWRuOIl2O4CvYbA= golang.org/x/mod v0.2.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod 
v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= 
@@ -136,16 +147,18 @@ golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLL golang.org/x/net v0.0.0-20201021035429-f5854403a974/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU= golang.org/x/net v0.20.0 h1:aCL9BSgETF1k+blQaYUBx9hJ9LOGP3gAVemcZlf1Kpo= golang.org/x/net v0.20.0/go.mod h1:z8BVo6PvndSri0LbOE3hAn0apkU+1YvI6E70E9jsnvY= -golang.org/x/oauth2 v0.8.0 h1:6dkIjl3j3LtZ/O3sTgZTMsLKSftL/B8Zgq4huOIIUu8= -golang.org/x/oauth2 v0.8.0/go.mod h1:yr7u4HXZRm1R1kBWqr/xKNqewf0plRYoB7sla+BCIXE= +golang.org/x/oauth2 v0.12.0 h1:smVPGxink+n1ZI5pkQa8y6fZT0RW0MgCO5bFpepy4B4= +golang.org/x/oauth2 v0.12.0/go.mod h1:A74bZ3aGXgCY0qaIC9Ahg6Lglin4AMAco8cIv9baba4= golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20190911185100-cd5d95a43a6e/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.6.0 h1:5BMeUDZ7vkXGfEr1x9B4bRcTH4lpkTkpdh0T/J+qjbQ= +golang.org/x/sync v0.6.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= golang.org/x/sys v0.16.0 h1:xWw16ngr6ZMtmxDyKyIgsE93KNKz5HKmMa3b8ALHidU= golang.org/x/sys v0.16.0/go.mod h1:/VUhepiaJMQUp4+oa/7Zr1D23ma6VTLIYjOOTFZPUcA= golang.org/x/term v0.16.0 h1:m+B6fahuftsE9qjo0VWp2FW0mB3MTJvR0BaMQrq0pmE= 
@@ -168,13 +181,12 @@ golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8T golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= -gomodules.xyz/jsonpatch/v2 v2.2.0 h1:4pT439QV83L+G9FkcCriY6EkpcK6r6bK+A5FBUMI7qY= google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c= google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCIDZVag1xfc= google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw= google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc= -google.golang.org/protobuf v1.30.0 h1:kPPoIgf3TsEvrm0PFe15JQ+570QVxYzEvvHqChK+cng= -google.golang.org/protobuf v1.30.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= +google.golang.org/protobuf v1.31.0 h1:g0LDEJHgrBl9N9r17Ru3sqWhkIx2NB67okBHPwC7hs8= +google.golang.org/protobuf v1.31.0/go.mod h1:HV8QOd/L58Z+nl8r43ehVNZIU/HEI6OcFqwMG9pJV4I= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20190902080502-41f04d3bba15/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntNwaWcugrBjAiHlqqRiVk= 
@@ -182,42 +194,43 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EV gopkg.in/inf.v0 v0.9.1 h1:73M5CoZyi3ZLMOyDlQh031Cx6N9NDJ2Vvfl76EDAgDc= gopkg.in/inf.v0 v0.9.1/go.mod h1:cWUDdTG/fYaXco+Dcufb5Vnc6Gp2YChqWtbxRZE0mXw= gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7 h1:uRGJdciOHaEIrze2W8Q3AKkepLTh2hOroT7a+7czfdQ= +gopkg.in/tomb.v1 v1.0.0-20141024135613-dd632973f1e7/go.mod h1:dt/ZhP58zS4L8KSrWDmTeBkI65Dw0HsyUHuEVlX15mw= gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= -k8s.io/api v0.28.1 h1:i+0O8k2NPBCPYaMB+uCkseEbawEt/eFaiRqUx8aB108= -k8s.io/api v0.28.1/go.mod h1:uBYwID+66wiL28Kn2tBjBYQdEU0Xk0z5qF8bIBqk/Dg= -k8s.io/apiextensions-apiserver v0.28.0 h1:CszgmBL8CizEnj4sj7/PtLGey6Na3YgWyGCPONv7E9E= -k8s.io/apiextensions-apiserver v0.28.0/go.mod h1:uRdYiwIuu0SyqJKriKmqEN2jThIJPhVmOWETm8ud1VE= -k8s.io/apimachinery v0.28.2 h1:KCOJLrc6gu+wV1BYgwik4AF4vXOlVJPdiqn0yAWWwXQ= -k8s.io/apimachinery v0.28.2/go.mod h1:RdzF87y/ngqk9H4z3EL2Rppv5jj95vGS/HaFXrLDApU= -k8s.io/client-go v0.28.1 h1:pRhMzB8HyLfVwpngWKE8hDcXRqifh1ga2Z/PU9SXVK8= -k8s.io/client-go v0.28.1/go.mod h1:pEZA3FqOsVkCc07pFVzK076R+P/eXqsgx5zuuRWukNE= -k8s.io/code-generator v0.28.0 h1:msdkRVJNVFgdiIJ8REl/d3cZsMB9HByFcWMmn13NyuE= -k8s.io/code-generator v0.28.0/go.mod h1:ueeSJZJ61NHBa0ccWLey6mwawum25vX61nRZ6WOzN9A= +k8s.io/api v0.29.2 h1:hBC7B9+MU+ptchxEqTNW2DkUosJpp1P+Wn6YncZ474A= +k8s.io/api v0.29.2/go.mod h1:sdIaaKuU7P44aoyyLlikSLayT6Vb7bvJNCX105xZXY0= +k8s.io/apiextensions-apiserver v0.29.2 h1:UK3xB5lOWSnhaCk0RFZ0LUacPZz9RY4wi/yt2Iu+btg= 
+k8s.io/apiextensions-apiserver v0.29.2/go.mod h1:aLfYjpA5p3OwtqNXQFkhJ56TB+spV8Gc4wfMhUA3/b8= +k8s.io/apimachinery v0.29.2 h1:EWGpfJ856oj11C52NRCHuU7rFDwxev48z+6DSlGNsV8= +k8s.io/apimachinery v0.29.2/go.mod h1:6HVkd1FwxIagpYrHSwJlQqZI3G9LfYWRPAkUvLnXTKU= +k8s.io/client-go v0.29.2 h1:FEg85el1TeZp+/vYJM7hkDlSTFZ+c5nnK44DJ4FyoRg= +k8s.io/client-go v0.29.2/go.mod h1:knlvFZE58VpqbQpJNbCbctTVXcd35mMyAAwBdpt4jrA= +k8s.io/code-generator v0.29.2 h1:c9/iw2KnNpw2IRV+wwuG/Wns2TjPSgjWzbbjTevyiHI= +k8s.io/code-generator v0.29.2/go.mod h1:FwFi3C9jCrmbPjekhaCYcYG1n07CYiW1+PAPCockaos= k8s.io/gengo v0.0.0-20201203183100-97869a43a9d9/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= -k8s.io/gengo v0.0.0-20220902162205-c0856e24416d h1:U9tB195lKdzwqicbJvyJeOXV7Klv+wNAWENRnXEGi08= -k8s.io/gengo v0.0.0-20220902162205-c0856e24416d/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= +k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01 h1:pWEwq4Asjm4vjW7vcsmijwBhOr1/shsbSYiWXmNGlks= +k8s.io/gengo v0.0.0-20230829151522-9cce18d56c01/go.mod h1:FiNAH4ZV3gBg2Kwh89tzAEV2be7d5xI0vBa/VySYy3E= k8s.io/klog v0.2.0 h1:0ElL0OHzF3N+OhoJTL0uca20SxtYt4X4+bzHeqrB83c= k8s.io/klog v0.2.0/go.mod h1:Gq+BEi5rUBO/HRz0bTSXDUcqjScdoY3a9IHpCEIOOfk= k8s.io/klog/v2 v2.2.0/go.mod h1:Od+F08eJP+W3HUb4pSrPpgp9DGU4GzlpG/TmITuYh/Y= -k8s.io/klog/v2 v2.100.1 h1:7WCHKK6K8fNhTqfBhISHQ97KrnJNFZMcQvKp7gP/tmg= -k8s.io/klog/v2 v2.100.1/go.mod h1:y1WjHnz7Dj687irZUWR/WLkLc5N1YHtjLdmgWjndZn0= -k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9 h1:LyMgNKD2P8Wn1iAwQU5OhxCKlKJy0sHc+PcDwFB24dQ= -k8s.io/kube-openapi v0.0.0-20230717233707-2695361300d9/go.mod h1:wZK2AVp1uHCp4VamDVgBP2COHZjqD1T68Rf0CM3YjSM= -k8s.io/utils v0.0.0-20230406110748-d93618cff8a2 h1:qY1Ad8PODbnymg2pRbkyMT/ylpTrCM8P2RJ0yroCyIk= -k8s.io/utils v0.0.0-20230406110748-d93618cff8a2/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= -sigs.k8s.io/controller-runtime v0.14.6 h1:oxstGVvXGNnMvY7TAESYk+lzr6S3V5VFxQ6d92KcwQA= -sigs.k8s.io/controller-runtime 
v0.14.6/go.mod h1:WqIdsAY6JBsjfc/CqO0CORmNtoCtE4S6qbPc9s68h+0= -sigs.k8s.io/controller-tools v0.13.0 h1:NfrvuZ4bxyolhDBt/rCZhDnx3M2hzlhgo5n3Iv2RykI= -sigs.k8s.io/controller-tools v0.13.0/go.mod h1:5vw3En2NazbejQGCeWKRrE7q4P+CW8/klfVqP8QZkgA= +k8s.io/klog/v2 v2.110.1 h1:U/Af64HJf7FcwMcXyKm2RPM22WZzyR7OSpYj5tg3cL0= +k8s.io/klog/v2 v2.110.1/go.mod h1:YGtd1984u+GgbuZ7e08/yBuAfKLSO0+uR1Fhi6ExXjo= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00 h1:aVUu9fTY98ivBPKR9Y5w/AuzbMm96cd3YHRTU83I780= +k8s.io/kube-openapi v0.0.0-20231010175941-2dd684a91f00/go.mod h1:AsvuZPBlUDVuCdzJ87iajxtXuR9oktsTctW/R9wwouA= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b h1:sgn3ZU783SCgtaSJjpcVVlRqd6GSnlTLKgpAAttJvpI= +k8s.io/utils v0.0.0-20230726121419-3b25d923346b/go.mod h1:OLgZIPagt7ERELqWJFomSt595RzquPNLL48iOWgYOg0= +sigs.k8s.io/controller-runtime v0.17.0 h1:fjJQf8Ukya+VjogLO6/bNX9HE6Y2xpsO5+fyS26ur/s= +sigs.k8s.io/controller-runtime v0.17.0/go.mod h1:+MngTvIQQQhfXtwfdGw/UOQ/aIaqsYywfCINOtwMO/s= +sigs.k8s.io/controller-tools v0.14.0 h1:rnNoCC5wSXlrNoBKKzL70LNJKIQKEzT6lloG6/LF73A= +sigs.k8s.io/controller-tools v0.14.0/go.mod h1:TV7uOtNNnnR72SpzhStvPkoS/U5ir0nMudrkrC4M9Sc= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd h1:EDPBXCAspyGV4jQlpZSudPeMmr1bNJefnuqLsRAsHZo= sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd/go.mod h1:B8JuhiUyNFVKdsE8h686QcCxMaH6HrOAZj4vswFpcB0= -sigs.k8s.io/structured-merge-diff/v4 v4.2.3 h1:PRbqxJClWWYMNV1dhaG4NsibJbArud9kFxnAMREiWFE= -sigs.k8s.io/structured-merge-diff/v4 v4.2.3/go.mod h1:qjx8mGObPmV2aSZepjQjbmb2ihdVs8cGKBraizNC69E= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1 h1:150L+0vs/8DA78h1u02ooW1/fFq/Lwr+sGiqlzvrtq4= +sigs.k8s.io/structured-merge-diff/v4 v4.4.1/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08= sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc= -sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo= -sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8= 
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E= +sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY= diff --git a/hack/crd-e2e.sh b/hack/crd-e2e.sh index 2d9c2e97..e49bbd0a 100755 --- a/hack/crd-e2e.sh +++ b/hack/crd-e2e.sh @@ -46,7 +46,7 @@ trap cleanup INT TERM res=0 # Install kind -(go install sigs.k8s.io/kind@v0.17.0) || res=$? +(go install sigs.k8s.io/kind@v0.22.0) || res=$? # Create cluster KIND_CREATE_ATTEMPTED=true diff --git a/mkdocs.yml b/mkdocs.yml index 406a5239..6008b385 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -35,8 +35,8 @@ markdown_extensions: - admonition - meta - pymdownx.emoji: - emoji_index: !!python/name:materialx.emoji.twemoji - emoji_generator: !!python/name:materialx.emoji.to_svg + emoji_index: !!python/name:material.extensions.emoji.twemoji + emoji_generator: !!python/name:material.extensions.emoji.to_svg - pymdownx.details - pymdownx.highlight - pymdownx.inlinehilite diff --git a/netlify.toml b/netlify.toml index a88152b1..a03452fc 100644 --- a/netlify.toml +++ b/netlify.toml @@ -2,7 +2,9 @@ [build] command = "make docs" publish = "site" - environment = { PYTHON_VERSION = "3.8" } +[build.environment] + PYTHON_VERSION = "3.8" + GO_VERSION = "1.21.4" # Standard Netlify redirects [[redirects]] diff --git a/pkg/client/informers/externalversions/factory.go b/pkg/client/informers/externalversions/factory.go index b8f9ea05..6d5d0289 100644 --- a/pkg/client/informers/externalversions/factory.go +++ b/pkg/client/informers/externalversions/factory.go @@ -42,6 +42,7 @@ type sharedInformerFactory struct { lock sync.Mutex defaultResync time.Duration customResync map[reflect.Type]time.Duration + transform cache.TransformFunc informers map[reflect.Type]cache.SharedIndexInformer // startedInformers is used for tracking which informers have been started. 
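Review bot: in the hack/crd-e2e.sh hunk, `go install sigs.k8s.io/kind@v0.22.0` is reproducible (tag resolved through the module proxy and checked against the checksum database), but the kind release also decides which default node image, and therefore which Kubernetes server version, the e2e cluster runs. Since the API modules moved to v0.29.2 in the same change, either confirm the v0.22.0 default image is a 1.29 node or pass an explicit, digest-pinned `--image` to `kind create cluster` so the tested server version is pinned independently of the kind release. The `|| res=$?` pattern keeps the script going after a failed install; make sure the cluster-creation step that follows (the visible lines set `KIND_CREATE_ATTEMPTED=true` right after) checks `res` first, so a missing kind binary is reported as such instead of surfacing as a confusing later failure.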
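Review bot: the mkdocs.yml rename from `materialx.emoji` to `material.extensions.emoji` is the replacement path for the deprecated `materialx` module and matches the mkdocs-material 9.5.9 pin in requirements.txt; these two hunks have to land together, because `!!python/name:` tags are resolved when the config is loaded, so a wrong module path fails the whole build rather than a single page. A `mkdocs build --strict` step in CI would catch a future regression here before it reaches the Netlify deploy.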
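Review bot: in netlify.toml, switching from the inline table to a `[build.environment]` section is the right way to add a second key, but `PYTHON_VERSION = "3.8"` is carried over unchanged while the doc toolchain it runs (mkdocs-material 9.5.9, pymdown-extensions 10.7, PyYAML 6.0.1) is bumped in requirements.txt; 3.8 is the oldest line those packages still accept and reaches end of life in October 2024, so consider moving the pin now rather than when the build breaks. `GO_VERSION = "1.21.4"` is consistent with the new `go 1.21` directive; pinning the patch level is good for reproducibility, just note that it now has to be bumped in step with go.mod.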
@@ -80,6 +81,14 @@ func WithNamespace(namespace string) SharedInformerOption { } } +// WithTransform sets a transform on all informers. +func WithTransform(transform cache.TransformFunc) SharedInformerOption { + return func(factory *sharedInformerFactory) *sharedInformerFactory { + factory.transform = transform + return factory + } +} + // NewSharedInformerFactory constructs a new instance of sharedInformerFactory for all namespaces. func NewSharedInformerFactory(client versioned.Interface, defaultResync time.Duration) SharedInformerFactory { return NewSharedInformerFactoryWithOptions(client, defaultResync) @@ -184,6 +193,7 @@ func (f *sharedInformerFactory) InformerFor(obj runtime.Object, newFunc internal } informer = newFunc(f.client, resyncPeriod) + informer.SetTransform(f.transform) f.informers[informerType] = informer return informer diff --git a/requirements.txt b/requirements.txt index e1fbf71d..f248ed43 100644 --- a/requirements.txt +++ b/requirements.txt @@ -6,14 +6,14 @@ livereload==2.6.1 Markdown==3.3.4 MarkupSafe==2.1.3 mkdocs==1.5.2 -mkdocs-awesome-pages-plugin==2.7.0 -mkdocs-macros-plugin==0.6.0 -mkdocs-material==9.2.0b3 -mkdocs-material-extensions==1.1.1 +mkdocs-awesome-pages-plugin==2.9.2 +mkdocs-macros-plugin==1.0.5 +mkdocs-material==9.5.9 +mkdocs-material-extensions==1.3.1 mike==1.1.2 -pep562==1.0 -Pygments==2.14.0 -pymdown-extensions==9.9.1 -PyYAML==5.3 -six==1.14.0 -tornado==6.0.3 +pep562==1.1 +Pygments==2.17.2 +pymdown-extensions==10.7 +PyYAML==6.0.1 +six==1.16.0 +tornado==6.4 diff --git a/site-src/blog/.authors.yml b/site-src/blog/.authors.yml index 9d53e810..25fa40ee 100644 --- a/site-src/blog/.authors.yml +++ b/site-src/blog/.authors.yml 
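Review bot: in the factory.go hunk, `informer.SetTransform(f.transform)` discards the error return; `SharedIndexInformer.SetTransform` only errors when the informer has already started, which cannot be the case for an informer `newFunc` just built, so ignoring it is safe, but this is generated code (this `WithTransform` option plus the `transform cache.TransformFunc` field in the earlier hunk is what informer-gen from code-generator v0.29 emits), so the change should be produced by re-running the generator, and the PR should say that rather than leaving it to look hand-written. For consumers, the hook matters: a `cache.TransformFunc` set here runs on every object before it enters the cache, which is the place to strip `metadata.managedFields` or other bulky fields from cached AdminNetworkPolicy objects, but the same function is installed on every informer the factory creates, so it must type-switch and return unknown types unchanged.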
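Review bot: the requirements.txt pins are refreshed but still unhashed; for a build that runs on hosted CI (the netlify.toml in this same change) it is worth generating this file with `pip-compile --generate-hashes` and installing with `pip install --require-hashes`, so a re-uploaded or substituted wheel cannot slip in under the same version string. The `PyYAML==5.3` to `6.0.1` move is more than a refresh: 5.3 predates the FullLoader fixes (CVE-2020-1747, CVE-2020-14343), and the docs config relies on YAML Python-object tags, so this deserves a line in the commit message. `mkdocs==1.5.2`, `mike==1.1.2` and `Markdown==3.3.4` are left as they were; please check that mkdocs-material 9.5.9 accepts mkdocs 1.5.2 (it declares a minimum) before merging, otherwise pip will refuse the combined pin set.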
@@ -1,8 +1,9 @@ -astoycos: - name: Andrew Stoycos - description: Senior Software Engineer at Red Hat. network-policy-api co-lead. - avatar: https://github.com/astoycos.png -Dyanngg: - name: Yang Ding - description: Senior Member of Technical Staff at VMware. network-policy-api co-lead. - avatar: https://github.com/dyanngg.png +authors: + astoycos: + name: Andrew Stoycos + description: Senior Software Engineer at Red Hat. network-policy-api co-lead. + avatar: https://github.com/astoycos.png + Dyanngg: + name: Yang Ding + description: Senior Member of Technical Staff at VMware. network-policy-api co-lead. + avatar: https://github.com/dyanngg.png diff --git a/site-src/npeps/npep-122.md b/site-src/npeps/npep-122.md new file mode 100644 index 00000000..ab67829a --- /dev/null +++ b/site-src/npeps/npep-122.md 
@@ -0,0 +1,191 @@ +# NPEP-122: Tenancy API + +* Issue: [#122](https://github.com/kubernetes-sigs/network-policy-api/issues/122) +* Status: Provisional + +## TLDR + +Tenancy definition and the API (SameLabels/NotSameLabels) is confusing and ambiguous as of now. +We want to rethink the tenancy use cases and the API to keep it simple and easy to understand, but +flexible enough to cover all defined use cases. + +## Goals + +- Clarify tenancy use cases. +- Provide a complete definition of a tenant in respect to ANP. +- Avoid unneeded tenancy configs that only exist because of ANP use cases. + +## Non-Goals + +- Define new use cases for tenancy (as opposed to clarify the ones we considered initially, but didn't explain well enough) +- Define user stories for multiple tenancy policies in the same cluster. + +## Introduction + +The KEP doesn’t say a whole lot about tenants… + +From the Goals: + + As a cluster administrator, I want to have the option to enforce in-cluster network level access controls that + facilitate network multi-tenancy and strict network level isolation between multiple teams and tenants sharing + a cluster via use of namespaces or groupings of namespaces per tenant. + + Example: I would like to define two tenants in my cluster, one composed of the pods in foo-ns-1 and foo-ns-2 + and the other with pods in bar-ns-1, where inter-tenant traffic is denied. + +From the User Stories: + + Story 4: Create and Isolate multiple tenants in a cluster + + As a cluster admin, I want to build tenants in my cluster that are isolated from each other by default. + Tenancy may be modeled as 1:1, where 1 tenant is mapped to a single Namespace, or 1:n, where a single tenant + may own more than 1 Namespace. + +Elsewhere: + + AdminNetworkPolicy Pass rules allows an admin to delegate security posture for certain traffic to the Namespace + owners by overriding any lower precedence Allow or Deny rules. 
For example, intra-tenant traffic management can be + delegated to tenant admins explicitly with the use of Pass rules. + +So really, the only solidly-agreed-upon use case is that you should be able to create enforced isolation +between particular sets of namespaces. + +### Clarifying user stories + +#### Story 4.1: Create and Isolate multiple tenants in a cluster by default, overridable isolation + +Here is the existing tenancy related user story from our website: + + As a cluster admin, I want to build tenants in my cluster that are isolated from each other by default. + Tenancy may be modeled as 1:1, where 1 tenant is mapped to a single Namespace, or 1:n, where a single tenant + may own more than 1 Namespace. + +The wording used here has led to much confusion. Specifically, the "by default" part actually means this policy should +be at the BANP priority, and solves the "Engineering org vs Marketing org" use case where you want to keep orgs +from accidentally interfering with each other. By default, cross-tenant traffic should be dropped. +However, namespace owners can override this behavior by applying their own policies as needed. + +In reality, the CR attached to this story defines strict tenancy, which should be a separate use case (see next section). + +To make the use case more obvious we can add some details to it like the following + + As a cluster admin, I want to build tenants for different departments (e.g. Engineering vs Marketing) + in my cluster that are isolated from each other by default. + By default, cross-tenant traffic is dropped. However, namespace owners can override this behavior by applying + their own policies as needed. + Tenancy may be modeled as 1:1, where 1 tenant is mapped to a single Namespace, or 1:n, where a single tenant + may own more than 1 Namespace. 
+ +#### Story 4.2: Create and Isolate multiple tenants in a cluster, strict isolation + +Strict tenancy is the "Coke vs Pepsi" sort of thing where you want each tenant to feel like it has its own cluster, +and be totally independent of the other tenants. We can write it down like this + + As a cluster admin, I want to build tenants for different organizations (e.g. Coke vs Pepsi) + in my cluster that are isolated from each other, where this isolation + can't be overridden by namespace owners. This policy should make every tenant completely independent and isolated + from other tenants. Tenancy may be modeled as 1:1, where 1 tenant is mapped to a single Namespace, or 1:n, where a single tenant + may own more than 1 Namespace. + +#### Story 4.3: Allow internal connections for tenants + + As a cluster admin, I want to build tenants in my cluster and always allow connections inside one tenant. + At the same time I want to setup an overridable deny-all policy to protect namespaces by default. + This policy should make sure internal connectivity for a tenant is always allowed, in case there are + lower-priority deny rules. + +#### Story 4.4: Tenants interaction with (B)ANP + + As a cluster admin, I want to be able to setup policies with higher and lower priority than tenancy policy. + I want to deny inter-tenant connections, but I want to allow ingress traffic from the monitoring namespace + to all namespaces. Therefore, I need "allow from monitoring" rule to have higher priority than "deny from + other tenants". + I want to setup "deny all" BANP to protect cluster workloads, but I want to allow internal connections + within tenant. Therefore, I need "allow from same tenant" rule to have higher priority than "deny all" BANP. + +#### What I couldn't figure out user stories for + +- Skip action +- Ports *[]AdminNetworkPolicyPort + +### Existing API + +AdminNetworkPolicy has the “SameLabels” and “NotSameLabels” fields to support the use cases involving tenancy. 
For example: + +**Use case** + +Traffic should be disallowed by default between namespaces owned by different users (defined by labels i.e `user=foo` or `user=bar`). + +**Policy** +``` +kind: BaselineAdminNetworkPolicy +apiVersion: policy.networking.k8s.io/v1alpha1 +metadata: + name: user-based-tenancy +spec: + subject: + namespaces: + matchExpressions: + - key: user + operator: Exists + ingress: + - action: Deny + from: + - namespaces: + notSameLabels: + - user +``` + +**Meaning** + +In namespaces that have a “user” label, by default, deny ingress from namespaces that have a different “user” label. + +There are several major problems with this implementation of tenancy as it pertains to the user stories. + +First, There is no explicit definition of "tenancy" anywhere. The administrator has an idea of +"tenants are defined by the user label", but that's only true because this particular ANP happens to include that +particular rule, and there's no way to find the ANP(s) that defines tenancy if you don't already know what they are. + +Second, the SameLabels/NotSameLabels selectors behave really differently from other peers, causing multiple underlying +rules to be created, and the syntax doesn't make that obvious. + +Third, the syntax is very general purpose / powerful. ANP has subjects and peers, which are different, +and currently Tenancy is defined on the peers side. Tenancy by itself has the same subject and peer, +at least for the existing use cases, and having separate selectors for subject and peer allows for more +configurations than needed. + +Fourth, the ANP subject allows using pod selectors, while tenancy use cases only need namespace selectors. + +## API + +TBD + +## Conformance Details + +TBD + + +## Alternatives + +Other alternatives were mentioned https://docs.google.com/document/d/113xBe7VMK7hMYdIdB9gobp7JwVkWQLnqdMPNkamfaK8/edit, +but none of them cover all the Goals defined in this NPEP. 
+ +There are 2 main problems with leaving Tenancy as a (B)ANP peer: +1. tenancy is only based on namespace labels, but (B)ANP subject allows using pod selector too +2. tenancy definition is less obvious, since it is a part of the peers list. Usually peer rules are the same for +all (B)ANP subject pods, but for tenancy that is not true. +3. There are actually more that 2 problems, mainly about allowing much more configurations for tenancy than we have +user stories for, but it is covered in the previous sections :) + +Therefore, creating a new object seems like a more clear way to implement Tenancy. + +## References + +- https://docs.google.com/document/d/113xBe7VMK7hMYdIdB9gobp7JwVkWQLnqdMPNkamfaK8 diff --git a/site-src/npeps/npep-126-egress-traffic-control.md b/site-src/npeps/npep-126-egress-traffic-control.md index 530df79b..199f5358 100644 --- a/site-src/npeps/npep-126-egress-traffic-control.md +++ b/site-src/npeps/npep-126-egress-traffic-control.md @@ -1,7 +1,7 @@ # NPEP-126: Add northbound traffic support in (B)ANP API * Issue: [#126](https://github.com/kubernetes-sigs/network-policy-api/issues/126) -* Status: Provisional +* Status: Implementable ## TLDR 
@@ -76,13 +76,196 @@ selected cluster workloads to k8s-apiservers for securing the server. ## API -(... details, can point to PR with changes) +Proof of Concept for the API design details can be found here: +* https://github.com/kubernetes-sigs/network-policy-api/pull/143 +* https://github.com/kubernetes-sigs/network-policy-api/pull/185 + +### Implementing egress traffic control towards cluster nodes + +This NPEP proposes to add a new type of `AdminNetworkPolicyEgressPeer` called `Nodes` +to be able to explicitly select nodes (based on the node's labels) in the cluster. +This ensures that if the list of IPs on a node OR list of nodes change, the users +don't need to manually intervene to include those new IPs. The label selectors will +take care of this automatically. Note that the nodeIPs that this type of peer matches +on are the IPs present in `Node.Status.Addresses` field of the node. + +``` +// AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. +// Exactly one of the selector pointers must be set for a given peer. If a +// consumer observes none of its fields are set, they must assume an unknown +// option has been specified and fail closed. +// +kubebuilder:validation:MaxProperties=1 +// +kubebuilder:validation:MinProperties=1 +type AdminNetworkPolicyEgressPeer struct { + + // Nodes defines a way to select a set of nodes in + // in the cluster. This field follows standard label selector + // semantics; if present but empty, it selects all Nodes. + // + // Support: Core + // + // +optional + Nodes *metav1.LabelSelector `json:"nodes,omitempty"` +} +``` + +Note that `AdminNetworkPolicyPeer` will be changed to +`AdminNetworkPolicyEgressPeer` and `AdminNetworkPolicyIngressPeer` since ingress and +egress peers have started to diverge at this point and it is easy to +maintain it with two sets of peer definitions. +This ensures nodes can be referred to only as "egress peers". 
+ +Example: Admin wants to deny egress traffic from tenants who don't have +`restricted`, `confidential` or `internal` level security clearance +to control-plane nodes at 443 and 6443 ports in the cluster + +``` +apiVersion: policy.networking.k8s.io/v1alpha1 +kind: AdminNetworkPolicy +metadata: + name: node-as-egress-peer +spec: + priority: 55 + subject: + namespaces: + matchExpressions: + - {key: security, operator: notIn, values: [restricted, confidential, internal]} + egress: + - name: "deny-all-egress-to-kapi-server" + action: "Deny" + to: + - nodes: + matchLabels: + node-role.kubernetes.io/control-plane: + ports: + - portNumber: + protocol: TCP + port: 443 + - portNumber: + protocol: TCP + port: 6443 +``` + +### Implementing egress traffic control towards CIDRs + +This NPEP proposes to add a new type of `AdminNetworkPolicyEgressPeer` called `Networks` +to be able to select destination CIDRs. This is provided to be able to select entities +outside the cluster that cannot be selected using the other peer types. +This peer type will not be supported in `AdminNetworkPolicyIngressPeer`. + +``` +// AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. +// Exactly one of the selector pointers must be set for a given peer. If a +// consumer observes none of its fields are set, they must assume an unknown +// option has been specified and fail closed. +// +kubebuilder:validation:MaxProperties=1 +// +kubebuilder:validation:MinProperties=1 +type AdminNetworkPolicyEgressPeer struct { + + // Networks defines a way to select peers via CIDR blocks. This is + // intended for representing entities that live outside the cluster, + // which can't be selected by pods and namespaces peers, but note + // that cluster-internal traffic will be checked against the rule as + // well, so if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow + // or deny all IPv4 pod-to-pod traffic as well. 
If you don't want that, + // add a rule that Passes all pod traffic before the Networks rule. + // + // Support: Core + // + // +optional + // +kubebuilder:validation:MinItems=1 + // +kubebuilder:validation:MaxItems=100 + Networks []string `json:"networks,omitempty" validate:"omitempty,dive,cidr"` +} +``` + +Note: It is recommended to use `networks` to select a set of CIDR range destinations +that represent entities outside the cluster. If a user puts a podCIDR, nodeCIDR, +serviceCIDR or other intra-cluster networks, it will work but it is better to use +namespaces, pods, nodes peers to express such entities. Not all implementations can +correctly define the boundary between "internal" and "external" destinations with respect +to a Kubernetes cluster which is why this field is generic enough to select any CIDR +destination. + +Example: Let's define ANP and BANP that refer to some CIDR networks: +``` +apiVersion: policy.networking.k8s.io/v1alpha1 +kind: AdminNetworkPolicy +metadata: + name: network-as-egress-peer +spec: + priority: 70 + subject: + namespaces: {} + egress: + - name: "deny-egress-to-external-dns-servers" + action: "Deny" + to: + - networks: + - 194.0.2.0/24 + - 205.0.113.15/32 + - 199.51.100.10/32 + ports: + - portNumber: + protocol: UDP + port: 53 + - name: "allow-all-egress-to-intranet" + action: "Allow" + to: + - networks: + - 192.0.2.0/24 + - 203.0.113.0/24 + - 198.51.100.0/24 + - name: "allow-all-intra-cluster-traffic" + action: "Allow" + to: + - networks: + - POD_CIDR + - NODE_CIDR + - SERVICE_CIDR + - name: "pass-all-egress-to-internet" + action: "Pass" + to: + - networks: + - 0.0.0.0/0 +--- +apiVersion: policy.networking.k8s.io/v1alpha1 +kind: BaselineAdminNetworkPolicy +metadata: + name: default +spec: + subject: + namespaces: {} + egress: + - name: "deny-all-egress-to-internet" + action: "Deny" + to: + - networks: + - 0.0.0.0/0 +``` +This allows admins to specify rules that define: + +* all pods cannot talk to company's intranet DNS servers. 
+* all pods can talk to rest of the company's intranet. +* all pods can talk to other pods, nodes, services. +* all pods cannot talk to internet (using last ANP Pass rule + BANP guardrail rule) ## Alternatives -(List other design alternatives and why we did not go in that -direction) +* Instead of adding CIDR peer directly into the main object, we can +define a new object called `NetworkSet` and use selectors or +name of that object to be referred to from AdminNetworkPolicy and +BaselineAdminNetworkPolicy objects. This is particularly useful +if CIDR ranges are prone to changes versus the current model is +is better if the set of CIDRs are mostly a constant and are only referred +to from one or two egress rules. It increases readability. However the +drawback is if the CIDRs do change, then one has to ensure to update all +the relevant ANPs and BANP accordingly. In order to see whether we need +a new object to be able to define CIDRs in addition to the in-line peer, +we have another NPEP where that is being discussed +https://github.com/kubernetes-sigs/network-policy-api/pull/183. The scope +of this NPEP is limited to inline CIDR peers. ## References diff --git a/site-src/npeps/npep-133.md b/site-src/npeps/npep-133.md new file mode 100644 index 00000000..f9d89b58 --- /dev/null +++ b/site-src/npeps/npep-133.md 
@@ -0,0 +1,173 @@ +# NPEP-133: FQDN Selector for Egress Traffic + +* Issue: + [#133](https://github.com/kubernetes-sigs/network-policy-api/issues/133) +* Status: Provisional + +## TLDR + +This enhancement proposes adding a new optional selector to specify egress peers +using [Fully Qualified Domain +Names](https://www.wikipedia.org/wiki/Fully_qualified_domain_name) (FQDNs). + +## Goals + +* Provide a selector to specify egress peers using a Fully Qualified Domain Name + (for example `kubernetes.io`). +* Support basic wildcard matching capabilities when specifying FQDNs (for + example `*.cloud-provider.io`) +* Currently only `ALLOW` type rules are proposed. + * Safely enforcing `DENY` rules based on FQDN selectors is difficult as there + is no guarantee a Network Policy plugin is aware of all IPs backing a FQDN + policy. If a Network Policy plugin has incomplete information, it may + accidentally allow traffic to an IP belonging to a denied domain. This would + constitute a security breach. + + By contrast, `ALLOW` rules, which may also have an incomplete list of IPs, + would not create a security breach. In case of incomplete information, valid + traffic would be dropped as the plugin believes the destination IP does not + belong to the domain. While this is definitely undesirable, it is at least + not an unsafe failure. + +* Currently only AdminNetworkPolicy is the intended scope for this proposal. + * Since Kubernetes NetworkPolicy does not have a FQDN selector, adding this + capability to BaselineAdminNetworkPolicy could result in writing baseline + rules that can't be replicated by an overriding NetworkPolicy. For example, + if BANP allows traffic to `example.io`, but the namespace admin installs a + Kubernetes Network Policy, the namespace admin has no way to replicate the + `example.io` selector using just Kubernetes Network Policies. + +## Non-Goals + +* This enhancement does not include a FQDN selector for allowing ingress + traffic. 
+* This enhancement only describes enhancements to the existing L4 filtering as + provided by AdminNetworkPolicy. It does not propose any new L7 matching or + filtering capabilities, like matching HTTP traffic or URL paths. + * This selector should not control what DNS records are resolvable from a + particular workload. +* This enhancement does not provide a mechanism for selecting in-cluster + endpoints using FQDNs. To select Pods, Nodes, or the API Server, + AdminNetworkPolicy has other more specific selectors. + * Using the FQDN selector to refer to other Kubernetes endpoints, while not + explicitly disallowed, is not defined by this spec and left up to individual + providers. Trying to allow traffic to the following domains is NOT + guaranteed to work: + * `my-svc.my-namespace.svc.cluster.local` (the generated DNS record for a + Service as defined + [here](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#services)) + * `pod-ip-address.my-namespace.pod.cluster.local` (the generated DNS record + for a Pod as defined + [here](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods)) +* This enhancement does not add any new mechanisms for specifying how traffic is + routed to a destination (egress gateways, alternative SNAT IPs, etc). It just + adds a new way of specifying packets to be allowed or dropped on the normal + egress data path. +* This enhancement does not require any mechanism for securing DNS resolution + (e.g. DNSSEC or DNS-over-TLS). Unsecured DNS requests are expected to be + sufficient for looking up FQDNs. + +## Introduction + +FQDN-based egress controls are a common enterprise security practice. +Administrators often prefer to write security policies using DNS names such as +“www.kubernetes.io” instead of capturing all the IP addresses the DNS name might +resolve to. Keeping up with changing IP addresses is a maintenance burden, and +hampers the readability of the network policies. 
+ +## User Stories + +* As a cluster admin, I want to allow all Pods in the cluster to send traffic to + an external service specified by a well-known domain name. For example, all + Pods must be able to talk to `my-service.com`. + +* As a cluster admin, I want to allow Pods in the "monitoring" namespace to be + able to send traffic to a logs-sink, hosted at `logs-storage.com` + +* As a cluster admin, I want to allow all Pods in the cluster to send traffic to + any of the managed services provided by my Cloud Provider. Since the cloud + provider has a well known parent domain, I want to allow Pods to send traffic + to all sub-domains using a wild-card selector -- `*.my-cloud-provider.com` + +### Future User Stories + +These are some user stories we want to keep in mind, but due to limitations of +the existing Network Policy API, cannot be implemented currently. The design +goal in this case is to ensure we do not make these unimplementable down the +line. + +* As a cluster admin, I want to block all cluster egress traffic by default, and + require namespace admins to create NetworkPolicies explicitly allowing egress + to the domains they need to talk to. + + The Cluster admin would use a `BaselineAdminNetworkPolicy` object to switch + the default disposition of the cluster. Namespace admins would then use a FQDN + selector in the Kubernetes `NetworkPolicy` objects to allow `my-service.com`. + +## API + +TODO: https://github.com/kubernetes-sigs/network-policy-api/issues/133 + +## Alternatives + +### IP Block Selector + +IP blocks are an important tool for specifying Network Policies. However, they +do not address all user needs and have a few short-comings when compared to FQDN +selectors: + +* IP-based selectors can become verbose if a single logical service has numerous + IPs backing it. +* IP-based selectors pose an ongoing maintenance burden for administrators, who + need to be aware of changing IPs. 
+* IP-based selectors can result in policies that are difficult to read and + audit. + +### L4 Proxy + +Users can also configure a L4 Proxy (e.g. using SOCKS) to inspect their traffic +and implement egress firewalls. They present a few trade-ofs when compared to a +FQDN selector: + +* Additional configuration and maintenance burden of the proxy application + itself +* Configuring new routes to direct traffic leaving the application to the L4 + proxy. + +### L7 Policy + +Another alternative is to provide a L7 selector, similar to the policies +provided by Service Mesh providers. While L7 selectors can offer more +expressivity, they often come trade-offs that are not suitable for all users: + +* L7 selectors necessarily support a select set of protocols. Users may be + using a custom protocol for application-level communication, but still want + the ability to specify endpoints using DNS. +* L7 selectors often require proxies to perform deep packet inspection and + enforce the policies. These proxies can introduce un-desireable latencies in + the datapath of applications. + +## References + +* [NPEP #126](https://github.com/kubernetes-sigs/network-policy-api/issues/126): + Egress Control in ANP + +### Implementations + +* [Antrea](https://antrea.io/docs/main/docs/antrea-network-policy/#fqdn-based-filtering) +* [Calico](https://docs.tigera.io/calico-enterprise/latest/network-policy/domain-based-policy) +* [Cilium](https://docs.cilium.io/en/latest/security/policy/language/#dns-based) +* [OpenShift](https://docs.openshift.com/container-platform/latest/networking/openshift_sdn/configuring-egress-firewall.html) + +The following is a best-effort breakdown of capabilities of different +NetworkPolicy providers, as of 2023-09-25. This information may be out-of-date, +or inaccurate. + +| | Antrea | Calico | Cilium | OpenShift
(current) | OpenShift
(future) | +| -------------- | ------------------------------ | ------------ | ------------ | ------------------------- | ------------------------ | +| Implementation | DNS Snooping
+ Async DNS | DNS Snooping | DNS Snooping | Async DNS | DNS Snooping | +| Wildcards | ✔ | ️✔ | ✔ | ❌ | ✔ | +| Egress Rules | ✔ | ️✔ | ✔ | ✔ | ✔ | +| Ingress Rules | ❌ | ️❌ | ❌ | ❌ | ❌ | +| Allow Rules | ✔ | ️✔ | ✔ | ✔ | ✔ | +| Deny Rules | ✔ | ️❌(?) | ❌ | ✔ | ❌(?) | \ No newline at end of file