diff --git a/CHANGELOG.md b/CHANGELOG.md index 0bef016..ab9ef12 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +### Changed + +- Synchronize CRDs. + ## [0.18.1] - 2024-05-08 ### Changed diff --git a/pkg/crds/apps.yaml b/pkg/crds/apps.yaml index 31272fe..794fd2f 100644 --- a/pkg/crds/apps.yaml +++ b/pkg/crds/apps.yaml @@ -143,6 +143,11 @@ spec: type: object nullable: true type: array + x-kubernetes-list-map-keys: + - kind + - name + - namespace + x-kubernetes-list-type: map install: description: Install is the config used when installing the app. nullable: true @@ -163,11 +168,11 @@ spec: when deploying the app. properties: context: - description: Context is the kubeconfig context. + description: 'Deprecated: this field is no longer used.' nullable: true properties: name: - description: Name is the name of the kubeconfig context. e.g. + description: Name is the name of the kubeconfig context e.g. giantswarm-12345. type: string required: diff --git a/pkg/crds/ciliumclusterwidenetworkpolicies.yaml b/pkg/crds/ciliumclusterwidenetworkpolicies.yaml index b7a210d..b5010e4 100644 --- a/pkg/crds/ciliumclusterwidenetworkpolicies.yaml +++ b/pkg/crds/ciliumclusterwidenetworkpolicies.yaml @@ -1,10 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.7.0 + controller-gen.kubebuilder.io/version: v0.14.0 creationTimestamp: null name: ciliumclusterwidenetworkpolicies.cilium.io spec: 
@@ -63,31 +62,31 @@ spec: items: description: "EgressRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint - and exits the endpoint selected by the endpointSelector. \n - + and exits the endpoint selected by the endpointSelector. \n - All members of this structure are optional. If omitted or empty, - the member will have no effect on the rule. \n - If multiple - members of the structure are specified, then all members must - match in order for the rule to take effect. The exception to this - \ rule is the ToRequires member; the effects of any Requires - field in any rule will apply to all other rules as well. \n - \ - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and - ToGroups are mutually exclusive. Only one of these members - may be present within an individual rule." + the member will have no effect on the rule. \n - If multiple members + of the structure are specified, then all members must match in + order for the rule to take effect. The exception to this rule + is the ToRequires member; the effects of any Requires field in + any rule will apply to all other rules as well. \n - ToEndpoints, + ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are mutually + exclusive. Only one of these members may be present within an + individual rule." properties: - auth: - description: Auth is the required authentication type for the - allowed traffic, if any. + authentication: + description: Authentication is the required authentication type + for the allowed traffic, if any. properties: - type: - description: Type is the required authentication type for + mode: + description: Mode is the required authentication mode for the allowed traffic, if any. enum: - - "null" - - mtls-spiffe - - always-fail + - disabled + - required + - test-always-fail type: string required: - - type + - mode type: object icmps: description: "ICMPs is a list of ICMP rule identified by type 
@@ -112,11 +111,31 @@ spec: - IPv6 type: string type: - description: Type is a ICMP-type. It should be 0-255 - (8bit). - maximum: 255 - minimum: 0 - type: integer + anyOf: + - type: integer + - type: string + description: 'Type is a ICMP-type. It should be + an 8bit code (0-255), or it''s CamelCase name + (for example, "EchoReply"). Allowed ICMP types + are: Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest | RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + | Timestamp | TimestampReply | Photuris | ExtendedEcho + Request | ExtendedEcho Reply Ipv6: DestinationUnreachable + | PacketTooBig | TimeExceeded | ParameterProblem + | EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport | MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | NeighborSolicitation + | NeighborAdvertisement | RedirectMessage | RouterRenumbering + | ICMPNodeInformationQuery | ICMPNodeInformationResponse + | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement + | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation | MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + | ExtendedEchoRequest | ExtendedEchoReply' + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true required: - type type: object @@ -173,8 +192,9 @@ spec: cidrGroupRef: description: CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that - the endpoint, subject to the rule, can (Ingress) or - cannot (IngressDeny) receive connections from. + the endpoint, subject to the rule, can (Ingress/Egress) + or cannot (IngressDeny/EgressDeny) receive connections + from. maxLength: 253 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string @@ -235,11 +255,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from @@ -279,7 +301,7 @@ spec: type: string type: array toFQDNs: - description: "ToFQDN allows whitelisting DNS names in place + description: 'ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result from DNS resolution of `ToFQDN.MatchName`s are added to the same EgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and L7 rules within this EgressRule 
@@ -292,15 +314,7 @@ spec: egress policy when PolicyEnforcment=default. Note: If the resolved IPs are IPs within the kubernetes cluster, the ToFQDN rule will not apply to that IP. Note: ToFQDN cannot occur - in the same policy as other To* rules. \n The current implementation - has a number of limitations: - The DNS resolution originates - from cilium-agent, and not from the pods. Differences between - the responses seen by cilium agent and a particular pod will - whitelist the incorrect IP. - DNS TTLs are ignored, and cilium-agent - will repoll on a short interval (5 seconds). Each change to - the DNS data will trigger a policy regeneration. This may - result in delayed updates to the policy for an endpoint when - the data changes often or the system is under load." + in the same policy as other To* rules.' items: properties: matchName: @@ -317,14 +331,14 @@ spec: \".\" matches all subdomains as well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: `*.cilium.io` matches subomains - of cilium at that level www.cilium.io and blog.cilium.io + of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not `*cilium.io` matches cilium.io and all subdomains ends with \"cilium.io\" - \ except those containing \".\" separator, subcilium.io - and sub-cilium.io match, www.cilium.io and blog.cilium.io + except those containing \".\" separator, subcilium.io + and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium - where the subdomain component begins with \"sub\" sub.cilium.io - and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, + where the subdomain component begins with \"sub\" sub.cilium.io + and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not" pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ type: string 
@@ -334,10 +348,10 @@ spec: description: "ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \n Example: - toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" + toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" items: - description: ToGroups structure to store all kinds of new - integrations that needs a new derivative policy. + description: Groups structure to store all kinds of new integrations + that needs a new derivative policy. properties: aws: description: AWSGroup is an structure that can be used 
@@ -360,6 +374,66 @@ spec: type: object type: object type: array + toNodes: + description: ToNodes is a list of nodes identified by an EndpointSelector + to which endpoints subject to the rule is allowed to communicate. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. 
+ type: object + type: object + type: array toPorts: description: "ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to @@ -377,7 +451,7 @@ spec: properties: envoyConfig: description: EnvoyConfig is a reference to the CEC - or CCNP resource in which the listener is defined. + or CCEC resource in which the listener is defined. properties: kind: description: Kind is the resource type being referred @@ -405,6 +479,14 @@ spec: description: Name is the name of the listener. minLength: 1 type: string + priority: + description: Priority for this Listener that is used + when multiple rules would apply different listeners + to a policy map entry. Behavior of this is implementation + dependent. + maximum: 100 + minimum: 1 + type: integer required: - envoyConfig - name @@ -434,11 +516,11 @@ spec: description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for - the following items: - ''ca.crt'' - Which represents - the trusted CA to verify remote source. - ''tls.crt'' - - Which represents the public key certificate. - + the following items: - ''ca.crt'' - Which represents + the trusted CA to verify remote source. - ''tls.crt'' + - Which represents the public key certificate. - ''tls.key'' - Which represents the private key matching - the public key certificate.' + the public key certificate.' properties: name: description: Name is the name of the secret. 
@@ -523,16 +605,16 @@ spec: well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: `*.cilium.io` matches subomains - of cilium at that level www.cilium.io and + of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not `*cilium.io` matches cilium.io and - all subdomains ends with \"cilium.io\" except + all subdomains ends with \"cilium.io\" except those containing \".\" separator, subcilium.io - and sub-cilium.io match, www.cilium.io and + and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium where the subdomain component - begins with \"sub\" sub.cilium.io and subdomain.cilium.io - match, www.cilium.io, blog.cilium.io, cilium.io + begins with \"sub\" sub.cilium.io and subdomain.cilium.io + match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not" pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ type: string @@ -692,15 +774,15 @@ spec: such as \"produce\" or \"consume\". A Role automatically expands into all APIKeys required to perform the specified higher-level operation. - \n The following values are supported: - - \"produce\": Allow producing to the topics - specified in the rule - \"consume\": Allow - consuming from the topics specified in the - rule \n This field is incompatible with the - APIKey field, i.e APIKey and Role cannot both - be specified in the same rule. \n If omitted - or empty, and if APIKey is not specified, - then all keys are allowed." + \n The following values are supported: - \"produce\": + Allow producing to the topics specified in + the rule - \"consume\": Allow consuming from + the topics specified in the rule \n This field + is incompatible with the APIKey field, i.e + APIKey and Role cannot both be specified in + the same rule. \n If omitted or empty, and + if APIKey is not specified, then all keys + are allowed." enum: - produce - consume 
@@ -773,11 +855,11 @@ spec: description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for - the following items: - ''ca.crt'' - Which represents - the trusted CA to verify remote source. - ''tls.crt'' - - Which represents the public key certificate. - + the following items: - ''ca.crt'' - Which represents + the trusted CA to verify remote source. - ''tls.crt'' + - Which represents the public key certificate. - ''tls.key'' - Which represents the private key matching - the public key certificate.' + the public key certificate.' properties: name: description: Name is the name of the secret. @@ -844,11 +926,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from @@ -926,11 +1010,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the 
@@ -962,15 +1048,15 @@ spec: description: "EgressDenyRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector. - \n - All members of this structure are optional. If omitted - or empty, the member will have no effect on the rule. \n - - If multiple members of the structure are specified, then all members - \ must match in order for the rule to take effect. The exception - to this rule is the ToRequires member; the effects of any - Requires field in any rule will apply to all other rules as - well. \n - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices - and ToGroups are mutually exclusive. Only one of these members - may be present within an individual rule." + \n - All members of this structure are optional. If omitted or + empty, the member will have no effect on the rule. \n - If multiple + members of the structure are specified, then all members must + match in order for the rule to take effect. The exception to this + rule is the ToRequires member; the effects of any Requires field + in any rule will apply to all other rules as well. \n - ToEndpoints, + ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are mutually + exclusive. Only one of these members may be present within an + individual rule." properties: icmps: description: "ICMPs is a list of ICMP rule identified by type 
@@ -995,11 +1081,31 @@ spec: - IPv6 type: string type: - description: Type is a ICMP-type. It should be 0-255 - (8bit). - maximum: 255 - minimum: 0 - type: integer + anyOf: + - type: integer + - type: string + description: 'Type is a ICMP-type. It should be + an 8bit code (0-255), or it''s CamelCase name + (for example, "EchoReply"). Allowed ICMP types + are: Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest | RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + | Timestamp | TimestampReply | Photuris | ExtendedEcho + Request | ExtendedEcho Reply Ipv6: DestinationUnreachable + | PacketTooBig | TimeExceeded | ParameterProblem + | EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport | MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | NeighborSolicitation + | NeighborAdvertisement | RedirectMessage | RouterRenumbering + | ICMPNodeInformationQuery | ICMPNodeInformationResponse + | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement + | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation | MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + | ExtendedEchoRequest | ExtendedEchoReply' + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true required: - type type: object @@ -1056,8 +1162,9 @@ spec: cidrGroupRef: description: CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that - the endpoint, subject to the rule, can (Ingress) or - cannot (IngressDeny) receive connections from. + the endpoint, subject to the rule, can (Ingress/Egress) + or cannot (IngressDeny/EgressDeny) receive connections + from. maxLength: 253 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string @@ -1118,11 +1225,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from 
@@ -1165,10 +1274,10 @@ spec: description: "ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \n Example: - toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" + toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" items: - description: ToGroups structure to store all kinds of new - integrations that needs a new derivative policy. + description: Groups structure to store all kinds of new integrations + that needs a new derivative policy. properties: aws: description: AWSGroup is an structure that can be used 
@@ -1191,6 +1300,66 @@ spec: type: object type: object type: array + toNodes: + description: ToNodes is a list of nodes identified by an EndpointSelector + to which endpoints subject to the rule is allowed to communicate. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. 
+ type: object + type: object + type: array toPorts: description: "ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to @@ -1281,11 +1450,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from @@ -1363,11 +1534,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the @@ -1390,6 +1563,28 @@ spec: type: array type: object type: array + enableDefaultDeny: + description: "EnableDefaultDeny determines whether this policy configures + the subject endpoint(s) to have a default deny mode. If enabled, + this causes all traffic not explicitly allowed by a network policy + to be dropped. \n If not specified, the default is true for each + traffic direction that has rules, and false otherwise. For example, + if a policy only has Ingress or IngressDeny rules, then the default + for ingress is true and egress is false. \n If multiple policies + apply to an endpoint, that endpoint's default deny will be enabled + if any policy requests it. \n This is useful for creating broad-based + network policies that will not cause endpoints to enter default-deny + mode." + properties: + egress: + description: Whether or not the endpoint should have a default-deny + rule applied to egress traffic. + type: boolean + ingress: + description: Whether or not the endpoint should have a default-deny + rule applied to ingress traffic. + type: boolean + type: object endpointSelector: description: EndpointSelector selects all endpoints which should be subject to this rule. EndpointSelector and NodeSelector cannot be 
@@ -1426,11 +1621,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from the 
@@ -1452,30 +1649,29 @@ spec: description: "IngressRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the endpointSelector. - \n - All members of this structure are optional. If omitted - or empty, the member will have no effect on the rule. \n - - If multiple members are set, all of them need to match in order - for the rule to take effect. The exception to this rule is - FromRequires field; the effects of any Requires field in any - rule will apply to all other rules as well. \n - FromEndpoints, - FromCIDR, FromCIDRSet and FromEntities are mutually exclusive. - Only one of these members may be present within an individual - \ rule." + \n - All members of this structure are optional. If omitted or + empty, the member will have no effect on the rule. \n - If multiple + members are set, all of them need to match in order for the rule + to take effect. The exception to this rule is FromRequires field; + the effects of any Requires field in any rule will apply to all + other rules as well. \n - FromEndpoints, FromCIDR, FromCIDRSet + and FromEntities are mutually exclusive. Only one of these members + may be present within an individual rule." properties: - auth: - description: Auth is the required authentication type for the - allowed traffic, if any. + authentication: + description: Authentication is the required authentication type + for the allowed traffic, if any. properties: - type: - description: Type is the required authentication type for + mode: + description: Mode is the required authentication mode for the allowed traffic, if any. enum: - - "null" - - mtls-spiffe - - always-fail + - disabled + - required + - test-always-fail type: string required: - - type + - mode type: object fromCIDR: description: "FromCIDR is a list of IP blocks which the endpoint 
@@ -1529,8 +1725,9 @@ spec: cidrGroupRef: description: CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that - the endpoint, subject to the rule, can (Ingress) or - cannot (IngressDeny) receive connections from. + the endpoint, subject to the rule, can (Ingress/Egress) + or cannot (IngressDeny/EgressDeny) receive connections + from. maxLength: 253 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string @@ -1591,11 +1788,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from 
@@ -1633,6 +1832,97 @@ spec: - kube-apiserver type: string type: array + fromGroups: + description: "FromGroups is a directive that allows the integration + with multiple outside providers. Currently, only AWS is supported, + and the rule can select by multiple sub directives: \n Example: + FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" + items: + description: Groups structure to store all kinds of new integrations + that needs a new derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + fromNodes: + description: FromNodes is a list of nodes identified by an EndpointSelector + which are allowed to communicate with the endpoint subject + to the rule. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array fromRequires: description: "FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be @@ -1676,11 +1966,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from 
@@ -1719,11 +2011,31 @@ spec: - IPv6 type: string type: - description: Type is a ICMP-type. It should be 0-255 - (8bit). - maximum: 255 - minimum: 0 - type: integer + anyOf: + - type: integer + - type: string + description: 'Type is a ICMP-type. It should be + an 8bit code (0-255), or it''s CamelCase name + (for example, "EchoReply"). Allowed ICMP types + are: Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest | RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + | Timestamp | TimestampReply | Photuris | ExtendedEcho + Request | ExtendedEcho Reply Ipv6: DestinationUnreachable + | PacketTooBig | TimeExceeded | ParameterProblem + | EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport | MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | NeighborSolicitation + | NeighborAdvertisement | RedirectMessage | RouterRenumbering + | ICMPNodeInformationQuery | ICMPNodeInformationResponse + | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement + | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation | MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + | ExtendedEchoRequest | ExtendedEchoReply' + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true required: - type type: object @@ -1747,7 +2059,7 @@ spec: properties: envoyConfig: description: EnvoyConfig is a reference to the CEC - or CCNP resource in which the listener is defined. + or CCEC resource in which the listener is defined. properties: kind: description: Kind is the resource type being referred @@ -1775,6 +2087,14 @@ spec: description: Name is the name of the listener. minLength: 1 type: string + priority: + description: Priority for this Listener that is used + when multiple rules would apply different listeners + to a policy map entry. Behavior of this is implementation + dependent. + maximum: 100 + minimum: 1 + type: integer required: - envoyConfig - name @@ -1804,11 +2124,11 @@ spec: description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for - the following items: - ''ca.crt'' - Which represents - the trusted CA to verify remote source. - ''tls.crt'' - - Which represents the public key certificate. - + the following items: - ''ca.crt'' - Which represents + the trusted CA to verify remote source. - ''tls.crt'' + - Which represents the public key certificate. - ''tls.key'' - Which represents the private key matching - the public key certificate.' + the public key certificate.' properties: name: description: Name is the name of the secret. 
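Review bot: The `pattern` for the ICMP `type` field is a plain (unquoted) multi-line scalar that breaks between `ExtendedEcho` and `Reply`, and YAML folds that break into a single space, so the alternation actually contains `ExtendedEcho Reply` and no `ExtendedEchoReply` — yet the description on the same field lists `ExtendedEchoReply` as an allowed name, meaning a policy written as documented is rejected by admission (assuming the break is in the file and not an artifact of how this diff was rendered). The alternation also repeats `RouterAdvertisement`, `TimeExceeded` and `ParameterProblem` and never lists `ExtendedEchoReply`, so the fix is to join the two lines so the alternation reads `...|ExtendedEchoRequest|ExtendedEchoReply|PacketTooBig|...`, or to quote the whole pattern; this needs to go upstream since the file is generated. Separately, the integer `minimum: 0` / `maximum: 255` bounds were replaced by the numeric alternatives of this regex on an `x-kubernetes-int-or-string` field; I am not certain the apiserver applies `pattern` to the integer form, so it is worth a quick apply test that `type: 300` is still rejected rather than accepted as an unenforceable rule. The identical pattern recurs in the ingressDeny, egress and egressDeny copies further down.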
@@ -1893,16 +2213,16 @@ spec: well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: `*.cilium.io` matches subomains - of cilium at that level www.cilium.io and + of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not `*cilium.io` matches cilium.io and - all subdomains ends with \"cilium.io\" except + all subdomains ends with \"cilium.io\" except those containing \".\" separator, subcilium.io - and sub-cilium.io match, www.cilium.io and + and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium where the subdomain component - begins with \"sub\" sub.cilium.io and subdomain.cilium.io - match, www.cilium.io, blog.cilium.io, cilium.io + begins with \"sub\" sub.cilium.io and subdomain.cilium.io + match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not" pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ type: string @@ -2062,15 +2382,15 @@ spec: such as \"produce\" or \"consume\". A Role automatically expands into all APIKeys required to perform the specified higher-level operation. - \n The following values are supported: - - \"produce\": Allow producing to the topics - specified in the rule - \"consume\": Allow - consuming from the topics specified in the - rule \n This field is incompatible with the - APIKey field, i.e APIKey and Role cannot both - be specified in the same rule. \n If omitted - or empty, and if APIKey is not specified, - then all keys are allowed." + \n The following values are supported: - \"produce\": + Allow producing to the topics specified in + the rule - \"consume\": Allow consuming from + the topics specified in the rule \n This field + is incompatible with the APIKey field, i.e + APIKey and Role cannot both be specified in + the same rule. \n If omitted or empty, and + if APIKey is not specified, then all keys + are allowed." enum: - produce - consume 
@@ -2143,11 +2463,11 @@ spec: description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for - the following items: - ''ca.crt'' - Which represents - the trusted CA to verify remote source. - ''tls.crt'' - - Which represents the public key certificate. - + the following items: - ''ca.crt'' - Which represents + the trusted CA to verify remote source. - ''tls.crt'' + - Which represents the public key certificate. - ''tls.key'' - Which represents the private key matching - the public key certificate.' + the public key certificate.' properties: name: description: Name is the name of the secret. 
@@ -2182,15 +2502,14 @@ spec: description: "IngressDenyRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the endpointSelector. - \n - All members of this structure are optional. If omitted - or empty, the member will have no effect on the rule. \n - - If multiple members are set, all of them need to match in order - for the rule to take effect. The exception to this rule is - FromRequires field; the effects of any Requires field in any - rule will apply to all other rules as well. \n - FromEndpoints, - FromCIDR, FromCIDRSet and FromEntities are mutually exclusive. - Only one of these members may be present within an individual - \ rule." + \n - All members of this structure are optional. If omitted or + empty, the member will have no effect on the rule. \n - If multiple + members are set, all of them need to match in order for the rule + to take effect. The exception to this rule is FromRequires field; + the effects of any Requires field in any rule will apply to all + other rules as well. \n - FromEndpoints, FromCIDR, FromCIDRSet, + FromGroups and FromEntities are mutually exclusive. Only one of + these members may be present within an individual rule." properties: fromCIDR: description: "FromCIDR is a list of IP blocks which the endpoint @@ -2244,8 +2563,9 @@ spec: cidrGroupRef: description: CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that - the endpoint, subject to the rule, can (Ingress) or - cannot (IngressDeny) receive connections from. + the endpoint, subject to the rule, can (Ingress/Egress) + or cannot (IngressDeny/EgressDeny) receive connections + from. maxLength: 253 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string 
@@ -2306,11 +2626,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from @@ -2348,14 +2670,40 @@ spec: - kube-apiserver type: string type: array - fromRequires: - description: "FromRequires is a list of additional constraints - which must be met in order for the selected endpoints to be - reachable. These additional constraints do no by itself grant - access privileges and must always be accompanied with at least - one matching FromEndpoints. \n Example: Any Endpoint with - the label \"team=A\" requires consuming endpoint to also carry - the label \"team=A\"." + fromGroups: + description: "FromGroups is a directive that allows the integration + with multiple outside providers. Currently, only AWS is supported, + and the rule can select by multiple sub directives: \n Example: + FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" + items: + description: Groups structure to store all kinds of new integrations + that needs a new derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + fromNodes: + description: FromNodes is a list of nodes identified by an EndpointSelector + which are allowed to communicate with the endpoint subject + to the rule. items: description: EndpointSelector is a wrapper for k8s LabelSelector. properties: 
@@ -2391,11 +2739,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from 
@@ -2411,21 +2761,86 @@ spec: type: object type: object type: array - icmps: - description: "ICMPs is a list of ICMP rule identified by type - number which the endpoint subject to the rule is not allowed - to receive connections on. \n Example: Any endpoint with the - label \"app=httpd\" can not accept incoming type 8 ICMP connections." + fromRequires: + description: "FromRequires is a list of additional constraints + which must be met in order for the selected endpoints to be + reachable. These additional constraints do no by itself grant + access privileges and must always be accompanied with at least + one matching FromEndpoints. \n Example: Any Endpoint with + the label \"team=A\" requires consuming endpoint to also carry + the label \"team=A\"." items: - description: ICMPRule is a list of ICMP fields. + description: EndpointSelector is a wrapper for k8s LabelSelector. properties: - fields: - description: Fields is a list of ICMP fields. + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: ICMPField is a ICMP field. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: - family: - default: IPv4 + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + icmps: + description: "ICMPs is a list of ICMP rule identified by type + number which the endpoint subject to the rule is not allowed + to receive connections on. \n Example: Any endpoint with the + label \"app=httpd\" can not accept incoming type 8 ICMP connections." + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 description: Family is a IP address version. Currently, we support `IPv4` and `IPv6`. `IPv4` is set as default. 
@@ -2434,11 +2849,31 @@ spec: - IPv6 type: string type: - description: Type is a ICMP-type. It should be 0-255 - (8bit). - maximum: 255 - minimum: 0 - type: integer + anyOf: + - type: integer + - type: string + description: 'Type is a ICMP-type. It should be + an 8bit code (0-255), or it''s CamelCase name + (for example, "EchoReply"). Allowed ICMP types + are: Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest | RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + | Timestamp | TimestampReply | Photuris | ExtendedEcho + Request | ExtendedEcho Reply Ipv6: DestinationUnreachable + | PacketTooBig | TimeExceeded | ParameterProblem + | EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport | MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | NeighborSolicitation + | NeighborAdvertisement | RedirectMessage | RouterRenumbering + | ICMPNodeInformationQuery | ICMPNodeInformationResponse + | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement + | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation | MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + | ExtendedEchoRequest | ExtendedEchoReply' + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true required: - type type: object @@ -2550,11 +2985,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from the 
@@ -2604,31 +3041,30 @@ spec: description: "EgressRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector. - \n - All members of this structure are optional. If omitted - or empty, the member will have no effect on the rule. \n - \ - If multiple members of the structure are specified, then - all members must match in order for the rule to take effect. - The exception to this rule is the ToRequires member; the - effects of any Requires field in any rule will apply to - all other rules as well. \n - ToEndpoints, ToCIDR, ToCIDRSet, - ToEntities, ToServices and ToGroups are mutually exclusive. - Only one of these members may be present within an individual - rule." + \n - All members of this structure are optional. If omitted + or empty, the member will have no effect on the rule. \n - If + multiple members of the structure are specified, then all members + must match in order for the rule to take effect. The exception + to this rule is the ToRequires member; the effects of any Requires + field in any rule will apply to all other rules as well. \n + - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and + ToGroups are mutually exclusive. Only one of these members may + be present within an individual rule." properties: - auth: - description: Auth is the required authentication type for - the allowed traffic, if any. + authentication: + description: Authentication is the required authentication + type for the allowed traffic, if any. properties: - type: - description: Type is the required authentication type + mode: + description: Mode is the required authentication mode for the allowed traffic, if any. enum: - - "null" - - mtls-spiffe - - always-fail + - disabled + - required + - test-always-fail type: string required: - - type + - mode type: object icmps: description: "ICMPs is a list of ICMP rule identified by type 
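Review bot: Renaming `auth.type` to `authentication.mode` and replacing the enum `"null"|mtls-spiffe|always-fail` with `disabled|required|test-always-fail` is an incompatible schema change for existing CiliumClusterwideNetworkPolicy objects, and neither the CRD nor the one-line changelog entry calls it out. With an apiextensions v1 structural schema (pruning enabled by default) an object already stored with `egress[].auth.type: mtls-spiffe` is not re-validated, but the unknown `auth` block is dropped on the next write, so a policy that required mTLS silently becomes an unauthenticated allow rule; I would expect the same for the ingress copy earlier in the file. Before rolling the synced CRD out, scan clusters for the old field, e.g. `kubectl get ccnp,cnp -A -o json | jq '[.items[] | select(.spec | tostring | test("\"auth\""))] | length'`, and add a changelog note that `auth.type` must be rewritten as `authentication.mode: required`.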
@@ -2653,11 +3089,32 @@ spec: - IPv6 type: string type: - description: Type is a ICMP-type. It should be - 0-255 (8bit). - maximum: 255 - minimum: 0 - type: integer + anyOf: + - type: integer + - type: string + description: 'Type is a ICMP-type. It should be + an 8bit code (0-255), or it''s CamelCase name + (for example, "EchoReply"). Allowed ICMP types + are: Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest | RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + | Timestamp | TimestampReply | Photuris | ExtendedEcho + Request | ExtendedEcho Reply Ipv6: DestinationUnreachable + | PacketTooBig | TimeExceeded | ParameterProblem + | EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport | MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | + NeighborSolicitation | NeighborAdvertisement + | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery + | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation + | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest + | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation + | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix + | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest + | ExtendedEchoReply' + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true required: - type type: object @@ -2714,8 +3171,9 @@ spec: cidrGroupRef: description: CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs - that the endpoint, subject to the rule, can (Ingress) - or cannot (IngressDeny) receive connections from. + that the endpoint, subject to the rule, can (Ingress/Egress) + or cannot (IngressDeny/EgressDeny) receive connections + from. maxLength: 253 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string @@ -2777,11 +3235,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value @@ -2821,7 +3281,7 @@ spec: type: string type: array toFQDNs: - description: "ToFQDN allows whitelisting DNS names in place + description: 'ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result from DNS resolution of `ToFQDN.MatchName`s are added to the same EgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and L7 rules within this 
@@ -2834,16 +3294,7 @@ spec: and will enforce egress policy when PolicyEnforcment=default. Note: If the resolved IPs are IPs within the kubernetes cluster, the ToFQDN rule will not apply to that IP. Note: - ToFQDN cannot occur in the same policy as other To* rules. - \n The current implementation has a number of limitations: - - The DNS resolution originates from cilium-agent, and not - from the pods. Differences between the responses seen by - cilium agent and a particular pod will whitelist the incorrect - IP. - DNS TTLs are ignored, and cilium-agent will repoll - on a short interval (5 seconds). Each change to the DNS - data will trigger a policy regeneration. This may result - in delayed updates to the policy for an endpoint when the - data changes often or the system is under load." + ToFQDN cannot occur in the same policy as other To* rules.' items: properties: matchName: 
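Review bot: The `toFQDNs` description on the new side no longer mentions that DNS resolution for FQDN rules happens in the agent rather than in the pod, nor that a divergence between the two answers can whitelist the wrong IP; from this diff alone I cannot tell whether that limitation was lifted upstream or merely dropped from the docs. If it still holds, operators reading only the CRD will over-trust `matchName`/`matchPattern` as a security boundary, so a one-line pointer in the description such as `Note: see the Cilium DNS-aware policy documentation for resolver and TTL caveats before relying on ToFQDN as an isolation control.` would keep the caveat discoverable. The `items`/`matchName` schema continues past the end of this hunk.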
@@ -2860,16 +3311,16 @@ spec: without a following \".\" matches all subdomains as well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: `*.cilium.io` - matches subomains of cilium at that level www.cilium.io + matches subomains of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not `*cilium.io` matches cilium.io and all subdomains - ends with \"cilium.io\" except those containing - \".\" separator, subcilium.io and sub-cilium.io match, - \ www.cilium.io and blog.cilium.io does not sub*.cilium.io - matches subdomains of cilium where the subdomain component - begins with \"sub\" sub.cilium.io and subdomain.cilium.io - match, www.cilium.io, blog.cilium.io, cilium.io - and google.com do not" + ends with \"cilium.io\" except those containing \".\" + separator, subcilium.io and sub-cilium.io match, www.cilium.io + and blog.cilium.io does not sub*.cilium.io matches + subdomains of cilium where the subdomain component + begins with \"sub\" sub.cilium.io and subdomain.cilium.io + match, www.cilium.io, blog.cilium.io, cilium.io and + google.com do not" pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ type: string type: object @@ -2878,10 +3329,9 @@ spec: description: "ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: - \n Example: toGroups: - aws: securityGroupsIds: - - 'sg-XXXXXXXXXXXXX'" + \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" items: - description: ToGroups structure to store all kinds of new + description: Groups structure to store all kinds of new integrations that needs a new derivative policy. properties: aws: 
@@ -2905,6 +3355,66 @@ spec: type: object type: object type: array + toNodes: + description: ToNodes is a list of nodes identified by an EndpointSelector + to which endpoints subject to the rule is allowed to communicate. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + type: array toPorts: description: "ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to @@ -2922,7 +3432,7 @@ spec: properties: envoyConfig: description: EnvoyConfig is a reference to the CEC - or CCNP resource in which the listener is defined. + or CCEC resource in which the listener is defined. properties: kind: description: Kind is the resource type being @@ -2951,6 +3461,14 @@ spec: description: Name is the name of the listener. minLength: 1 type: string + priority: + description: Priority for this Listener that is + used when multiple rules would apply different + listeners to a policy map entry. Behavior of this + is implementation dependent. + maximum: 100 + minimum: 1 + type: integer required: - envoyConfig - name @@ -2981,11 +3499,11 @@ spec: description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret - for the following items: - ''ca.crt'' - Which - represents the trusted CA to verify remote source. - - ''tls.crt'' - Which represents the public key - certificate. - ''tls.key'' - Which represents - the private key matching the public key certificate.' + for the following items: - ''ca.crt'' - Which + represents the trusted CA to verify remote source. + - ''tls.crt'' - Which represents the public key + certificate. - ''tls.key'' - Which represents + the private key matching the public key certificate.' properties: name: description: Name is the name of the secret. 
@@ -3070,17 +3588,17 @@ spec: as well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: `*.cilium.io` matches subomains - of cilium at that level www.cilium.io - and blog.cilium.io match, cilium.io and - google.com do not `*cilium.io` matches cilium.io - and all subdomains ends with \"cilium.io\" - \ except those containing \".\" separator, - subcilium.io and sub-cilium.io match, www.cilium.io - and blog.cilium.io does not sub*.cilium.io - matches subdomains of cilium where the subdomain - component begins with \"sub\" sub.cilium.io + of cilium at that level www.cilium.io and + blog.cilium.io match, cilium.io and google.com + do not `*cilium.io` matches cilium.io and + all subdomains ends with \"cilium.io\" except + those containing \".\" separator, subcilium.io + and sub-cilium.io match, www.cilium.io and + blog.cilium.io does not sub*.cilium.io matches + subdomains of cilium where the subdomain + component begins with \"sub\" sub.cilium.io and subdomain.cilium.io match, www.cilium.io, - \ blog.cilium.io, cilium.io and google.com + blog.cilium.io, cilium.io and google.com do not" pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ type: string @@ -3242,9 +3760,9 @@ spec: such as \"produce\" or \"consume\". A Role automatically expands into all APIKeys required to perform the specified higher-level operation. - \n The following values are supported: - + \n The following values are supported: - \"produce\": Allow producing to the topics - specified in the rule - \"consume\": Allow + specified in the rule - \"consume\": Allow consuming from the topics specified in the rule \n This field is incompatible with the APIKey field, i.e APIKey and Role cannot 
@@ -3327,11 +3845,11 @@ spec: description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret - for the following items: - ''ca.crt'' - Which - represents the trusted CA to verify remote source. - - ''tls.crt'' - Which represents the public key - certificate. - ''tls.key'' - Which represents - the private key matching the public key certificate.' + for the following items: - ''ca.crt'' - Which + represents the trusted CA to verify remote source. + - ''tls.crt'' - Which represents the public key + certificate. - ''tls.key'' - Which represents + the private key matching the public key certificate.' properties: name: description: Name is the name of the secret. @@ -3399,11 +3917,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value @@ -3484,11 +4004,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the 
@@ -3520,16 +4042,15 @@ spec: description: "EgressDenyRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector. - \n - All members of this structure are optional. If omitted - or empty, the member will have no effect on the rule. \n - \ - If multiple members of the structure are specified, then - all members must match in order for the rule to take effect. - The exception to this rule is the ToRequires member; the - effects of any Requires field in any rule will apply to - all other rules as well. \n - ToEndpoints, ToCIDR, ToCIDRSet, - ToEntities, ToServices and ToGroups are mutually exclusive. - Only one of these members may be present within an individual - rule." + \n - All members of this structure are optional. If omitted + or empty, the member will have no effect on the rule. \n - If + multiple members of the structure are specified, then all members + must match in order for the rule to take effect. The exception + to this rule is the ToRequires member; the effects of any Requires + field in any rule will apply to all other rules as well. \n + - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and + ToGroups are mutually exclusive. Only one of these members may + be present within an individual rule." properties: icmps: description: "ICMPs is a list of ICMP rule identified by type 
@@ -3554,11 +4075,32 @@ spec: - IPv6 type: string type: - description: Type is a ICMP-type. It should be - 0-255 (8bit). - maximum: 255 - minimum: 0 - type: integer + anyOf: + - type: integer + - type: string + description: 'Type is a ICMP-type. It should be + an 8bit code (0-255), or it''s CamelCase name + (for example, "EchoReply"). Allowed ICMP types + are: Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest | RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + | Timestamp | TimestampReply | Photuris | ExtendedEcho + Request | ExtendedEcho Reply Ipv6: DestinationUnreachable + | PacketTooBig | TimeExceeded | ParameterProblem + | EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport | MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | + NeighborSolicitation | NeighborAdvertisement + | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery + | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation + | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest + | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation + | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix + | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest + | ExtendedEchoReply' + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true required: - type type: object @@ -3615,8 +4157,9 @@ spec: cidrGroupRef: description: CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs - that the endpoint, subject to the rule, can (Ingress) - or cannot (IngressDeny) receive connections from. + that the endpoint, subject to the rule, can (Ingress/Egress) + or cannot (IngressDeny/EgressDeny) receive connections + from. maxLength: 253 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string @@ -3678,11 +4221,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value @@ -3725,10 +4270,9 @@ spec: description: "ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: - \n Example: toGroups: - aws: securityGroupsIds: - - 'sg-XXXXXXXXXXXXX'" + \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" items: - description: ToGroups structure to store all kinds of new + description: Groups structure to store all kinds of new integrations that needs a new derivative policy. properties: aws: 
@@ -3752,6 +4296,66 @@ spec: type: object type: object type: array + toNodes: + description: ToNodes is a list of nodes identified by an EndpointSelector + to which endpoints subject to the rule is allowed to communicate. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + type: array toPorts: description: "ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to @@ -3843,11 +4447,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value @@ -3928,11 +4534,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the @@ -3955,6 +4563,28 @@ spec: type: array type: object type: array + enableDefaultDeny: + description: "EnableDefaultDeny determines whether this policy configures + the subject endpoint(s) to have a default deny mode. If enabled, + this causes all traffic not explicitly allowed by a network policy + to be dropped. \n If not specified, the default is true for each + traffic direction that has rules, and false otherwise. For example, + if a policy only has Ingress or IngressDeny rules, then the default + for ingress is true and egress is false. \n If multiple policies + apply to an endpoint, that endpoint's default deny will be enabled + if any policy requests it. \n This is useful for creating broad-based + network policies that will not cause endpoints to enter default-deny + mode." + properties: + egress: + description: Whether or not the endpoint should have a default-deny + rule applied to egress traffic. + type: boolean + ingress: + description: Whether or not the endpoint should have a default-deny + rule applied to ingress traffic. + type: boolean + type: object endpointSelector: description: EndpointSelector selects all endpoints which should be subject to this rule. EndpointSelector and NodeSelector cannot 
@@ -3991,11 +4621,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from the 
@@ -4017,30 +4649,30 @@ spec: description: "IngressRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the - endpointSelector. \n - All members of this structure are optional. - If omitted or empty, the member will have no effect on the - rule. \n - If multiple members are set, all of them need to - match in order for the rule to take effect. The exception - to this rule is FromRequires field; the effects of any Requires - field in any rule will apply to all other rules as well. - \n - FromEndpoints, FromCIDR, FromCIDRSet and FromEntities - are mutually exclusive. Only one of these members may be - present within an individual rule." + endpointSelector. \n - All members of this structure are optional. + If omitted or empty, the member will have no effect on the rule. + \n - If multiple members are set, all of them need to match + in order for the rule to take effect. The exception to this + rule is FromRequires field; the effects of any Requires field + in any rule will apply to all other rules as well. \n - FromEndpoints, + FromCIDR, FromCIDRSet and FromEntities are mutually exclusive. + Only one of these members may be present within an individual + rule." properties: - auth: - description: Auth is the required authentication type for - the allowed traffic, if any. + authentication: + description: Authentication is the required authentication + type for the allowed traffic, if any. properties: - type: - description: Type is the required authentication type + mode: + description: Mode is the required authentication mode for the allowed traffic, if any. enum: - - "null" - - mtls-spiffe - - always-fail + - disabled + - required + - test-always-fail type: string required: - - type + - mode type: object fromCIDR: description: "FromCIDR is a list of IP blocks which the endpoint 
@@ -4094,8 +4726,9 @@ spec: cidrGroupRef: description: CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs - that the endpoint, subject to the rule, can (Ingress) - or cannot (IngressDeny) receive connections from. + that the endpoint, subject to the rule, can (Ingress/Egress) + or cannot (IngressDeny/EgressDeny) receive connections + from. maxLength: 253 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string @@ -4157,11 +4790,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value 
@@ -4199,6 +4834,97 @@ spec: - kube-apiserver type: string type: array + fromGroups: + description: "FromGroups is a directive that allows the integration + with multiple outside providers. Currently, only AWS is + supported, and the rule can select by multiple sub directives: + \n Example: FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" + items: + description: Groups structure to store all kinds of new + integrations that needs a new derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + fromNodes: + description: FromNodes is a list of nodes identified by an + EndpointSelector which are allowed to communicate with the + endpoint subject to the rule. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + type: array fromRequires: description: "FromRequires is a list of additional constraints which must be met in order for the selected endpoints to @@ -4242,11 +4968,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value 
@@ -4286,11 +5014,32 @@ spec: - IPv6 type: string type: - description: Type is a ICMP-type. It should be - 0-255 (8bit). - maximum: 255 - minimum: 0 - type: integer + anyOf: + - type: integer + - type: string + description: 'Type is a ICMP-type. It should be + an 8bit code (0-255), or it''s CamelCase name + (for example, "EchoReply"). Allowed ICMP types + are: Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest | RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + | Timestamp | TimestampReply | Photuris | ExtendedEcho + Request | ExtendedEcho Reply Ipv6: DestinationUnreachable + | PacketTooBig | TimeExceeded | ParameterProblem + | EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport | MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | + NeighborSolicitation | NeighborAdvertisement + | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery + | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation + | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest + | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation + | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix + | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest + | ExtendedEchoReply' + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true required: - type type: object @@ -4314,7 +5063,7 @@ spec: properties: envoyConfig: description: EnvoyConfig is a reference to the CEC - or CCNP resource in which the listener is defined. + or CCEC resource in which the listener is defined. properties: kind: description: Kind is the resource type being @@ -4343,6 +5092,14 @@ spec: description: Name is the name of the listener. minLength: 1 type: string + priority: + description: Priority for this Listener that is + used when multiple rules would apply different + listeners to a policy map entry. Behavior of this + is implementation dependent. + maximum: 100 + minimum: 1 + type: integer required: - envoyConfig - name 
@@ -4373,11 +5130,11 @@ spec: description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret - for the following items: - ''ca.crt'' - Which - represents the trusted CA to verify remote source. - - ''tls.crt'' - Which represents the public key - certificate. - ''tls.key'' - Which represents - the private key matching the public key certificate.' + for the following items: - ''ca.crt'' - Which + represents the trusted CA to verify remote source. + - ''tls.crt'' - Which represents the public key + certificate. - ''tls.key'' - Which represents + the private key matching the public key certificate.' properties: name: description: Name is the name of the secret. @@ -4462,17 +5219,17 @@ spec: as well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: `*.cilium.io` matches subomains - of cilium at that level www.cilium.io - and blog.cilium.io match, cilium.io and - google.com do not `*cilium.io` matches cilium.io - and all subdomains ends with \"cilium.io\" - \ except those containing \".\" separator, - subcilium.io and sub-cilium.io match, www.cilium.io - and blog.cilium.io does not sub*.cilium.io - matches subdomains of cilium where the subdomain - component begins with \"sub\" sub.cilium.io + of cilium at that level www.cilium.io and + blog.cilium.io match, cilium.io and google.com + do not `*cilium.io` matches cilium.io and + all subdomains ends with \"cilium.io\" except + those containing \".\" separator, subcilium.io + and sub-cilium.io match, www.cilium.io and + blog.cilium.io does not sub*.cilium.io matches + subdomains of cilium where the subdomain + component begins with \"sub\" sub.cilium.io and subdomain.cilium.io match, www.cilium.io, - \ blog.cilium.io, cilium.io and google.com + blog.cilium.io, cilium.io and google.com do not" pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ type: string 
@@ -4634,9 +5391,9 @@ spec: such as \"produce\" or \"consume\". A Role automatically expands into all APIKeys required to perform the specified higher-level operation. - \n The following values are supported: - + \n The following values are supported: - \"produce\": Allow producing to the topics - specified in the rule - \"consume\": Allow + specified in the rule - \"consume\": Allow consuming from the topics specified in the rule \n This field is incompatible with the APIKey field, i.e APIKey and Role cannot @@ -4719,11 +5476,11 @@ spec: description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret - for the following items: - ''ca.crt'' - Which - represents the trusted CA to verify remote source. - - ''tls.crt'' - Which represents the public key - certificate. - ''tls.key'' - Which represents - the private key matching the public key certificate.' + for the following items: - ''ca.crt'' - Which + represents the trusted CA to verify remote source. + - ''tls.crt'' - Which represents the public key + certificate. - ''tls.key'' - Which represents + the private key matching the public key certificate.' properties: name: description: Name is the name of the secret. 
@@ -4758,15 +5515,15 @@ spec: description: "IngressDenyRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected - by the endpointSelector. \n - All members of this structure - are optional. If omitted or empty, the member will have - no effect on the rule. \n - If multiple members are set, all - of them need to match in order for the rule to take effect. - The exception to this rule is FromRequires field; the effects - of any Requires field in any rule will apply to all other rules - as well. \n - FromEndpoints, FromCIDR, FromCIDRSet and FromEntities - are mutually exclusive. Only one of these members may be - present within an individual rule." + by the endpointSelector. \n - All members of this structure + are optional. If omitted or empty, the member will have no effect + on the rule. \n - If multiple members are set, all of them need + to match in order for the rule to take effect. The exception + to this rule is FromRequires field; the effects of any Requires + field in any rule will apply to all other rules as well. \n + - FromEndpoints, FromCIDR, FromCIDRSet, FromGroups and FromEntities + are mutually exclusive. Only one of these members may be present + within an individual rule." properties: fromCIDR: description: "FromCIDR is a list of IP blocks which the endpoint @@ -4820,8 +5577,9 @@ spec: cidrGroupRef: description: CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs - that the endpoint, subject to the rule, can (Ingress) - or cannot (IngressDeny) receive connections from. + that the endpoint, subject to the rule, can (Ingress/Egress) + or cannot (IngressDeny/EgressDeny) receive connections + from. maxLength: 253 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string 
@@ -4883,11 +5641,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value 
@@ -4925,6 +5685,97 @@ spec: - kube-apiserver type: string type: array + fromGroups: + description: "FromGroups is a directive that allows the integration + with multiple outside providers. Currently, only AWS is + supported, and the rule can select by multiple sub directives: + \n Example: FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" + items: + description: Groups structure to store all kinds of new + integrations that needs a new derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + fromNodes: + description: FromNodes is a list of nodes identified by an + EndpointSelector which are allowed to communicate with the + endpoint subject to the rule. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + type: array fromRequires: description: "FromRequires is a list of additional constraints which must be met in order for the selected endpoints to @@ -4968,11 +5819,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value 
@@ -5012,11 +5865,32 @@ spec: - IPv6 type: string type: - description: Type is a ICMP-type. It should be - 0-255 (8bit). - maximum: 255 - minimum: 0 - type: integer + anyOf: + - type: integer + - type: string + description: 'Type is a ICMP-type. It should be + an 8bit code (0-255), or it''s CamelCase name + (for example, "EchoReply"). Allowed ICMP types + are: Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest | RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + | Timestamp | TimestampReply | Photuris | ExtendedEcho + Request | ExtendedEcho Reply Ipv6: DestinationUnreachable + | PacketTooBig | TimeExceeded | ParameterProblem + | EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport | MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | + NeighborSolicitation | NeighborAdvertisement + | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery + | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation + | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest + | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation + | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix + | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest + | ExtendedEchoReply' + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true required: - type type: object @@ -5130,11 +6004,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from the diff --git a/pkg/crds/ciliumnetworkpolicies.yaml b/pkg/crds/ciliumnetworkpolicies.yaml index b122c73..784c6a2 100644 --- a/pkg/crds/ciliumnetworkpolicies.yaml +++ b/pkg/crds/ciliumnetworkpolicies.yaml @@ -1,10 +1,9 @@ - --- apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.7.0 + controller-gen.kubebuilder.io/version: v0.14.0 creationTimestamp: null name: ciliumnetworkpolicies.cilium.io spec: 
@@ -67,31 +66,31 @@ spec: items: description: "EgressRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint - and exits the endpoint selected by the endpointSelector. \n - + and exits the endpoint selected by the endpointSelector. \n - All members of this structure are optional. If omitted or empty, - the member will have no effect on the rule. \n - If multiple - members of the structure are specified, then all members must - match in order for the rule to take effect. The exception to this - \ rule is the ToRequires member; the effects of any Requires - field in any rule will apply to all other rules as well. \n - \ - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and - ToGroups are mutually exclusive. Only one of these members - may be present within an individual rule." + the member will have no effect on the rule. \n - If multiple members + of the structure are specified, then all members must match in + order for the rule to take effect. The exception to this rule + is the ToRequires member; the effects of any Requires field in + any rule will apply to all other rules as well. \n - ToEndpoints, + ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are mutually + exclusive. Only one of these members may be present within an + individual rule." properties: - auth: - description: Auth is the required authentication type for the - allowed traffic, if any. + authentication: + description: Authentication is the required authentication type + for the allowed traffic, if any. properties: - type: - description: Type is the required authentication type for + mode: + description: Mode is the required authentication mode for the allowed traffic, if any. enum: - - "null" - - mtls-spiffe - - always-fail + - disabled + - required + - test-always-fail type: string required: - - type + - mode type: object icmps: description: "ICMPs is a list of ICMP rule identified by type 
@@ -116,11 +115,31 @@ spec: - IPv6 type: string type: - description: Type is a ICMP-type. It should be 0-255 - (8bit). - maximum: 255 - minimum: 0 - type: integer + anyOf: + - type: integer + - type: string + description: 'Type is a ICMP-type. It should be + an 8bit code (0-255), or it''s CamelCase name + (for example, "EchoReply"). Allowed ICMP types + are: Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest | RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + | Timestamp | TimestampReply | Photuris | ExtendedEcho + Request | ExtendedEcho Reply Ipv6: DestinationUnreachable + | PacketTooBig | TimeExceeded | ParameterProblem + | EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport | MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | NeighborSolicitation + | NeighborAdvertisement | RedirectMessage | RouterRenumbering + | ICMPNodeInformationQuery | ICMPNodeInformationResponse + | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement + | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation | MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + | ExtendedEchoRequest | ExtendedEchoReply' + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true required: - type type: object @@ -177,8 +196,9 @@ spec: cidrGroupRef: description: CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that - the endpoint, subject to the rule, can (Ingress) or - cannot (IngressDeny) receive connections from. + the endpoint, subject to the rule, can (Ingress/Egress) + or cannot (IngressDeny/EgressDeny) receive connections + from. maxLength: 253 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string @@ -239,11 +259,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from @@ -283,7 +305,7 @@ spec: type: string type: array toFQDNs: - description: "ToFQDN allows whitelisting DNS names in place + description: 'ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result from DNS resolution of `ToFQDN.MatchName`s are added to the same EgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and L7 rules within this EgressRule 
@@ -296,15 +318,7 @@ spec: egress policy when PolicyEnforcment=default. Note: If the resolved IPs are IPs within the kubernetes cluster, the ToFQDN rule will not apply to that IP. Note: ToFQDN cannot occur - in the same policy as other To* rules. \n The current implementation - has a number of limitations: - The DNS resolution originates - from cilium-agent, and not from the pods. Differences between - the responses seen by cilium agent and a particular pod will - whitelist the incorrect IP. - DNS TTLs are ignored, and cilium-agent - will repoll on a short interval (5 seconds). Each change to - the DNS data will trigger a policy regeneration. This may - result in delayed updates to the policy for an endpoint when - the data changes often or the system is under load." + in the same policy as other To* rules.' items: properties: matchName: @@ -321,14 +335,14 @@ spec: \".\" matches all subdomains as well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: `*.cilium.io` matches subomains - of cilium at that level www.cilium.io and blog.cilium.io + of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not `*cilium.io` matches cilium.io and all subdomains ends with \"cilium.io\" - \ except those containing \".\" separator, subcilium.io - and sub-cilium.io match, www.cilium.io and blog.cilium.io + except those containing \".\" separator, subcilium.io + and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium - where the subdomain component begins with \"sub\" sub.cilium.io - and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, + where the subdomain component begins with \"sub\" sub.cilium.io + and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not" pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ type: string 
@@ -338,10 +352,10 @@ spec: description: "ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \n Example: - toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" + toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" items: - description: ToGroups structure to store all kinds of new - integrations that needs a new derivative policy. + description: Groups structure to store all kinds of new integrations + that needs a new derivative policy. properties: aws: description: AWSGroup is an structure that can be used 
@@ -364,6 +378,66 @@ spec: type: object type: object type: array + toNodes: + description: ToNodes is a list of nodes identified by an EndpointSelector + to which endpoints subject to the rule is allowed to communicate. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. 
+ type: object + type: object + type: array toPorts: description: "ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to @@ -381,7 +455,7 @@ spec: properties: envoyConfig: description: EnvoyConfig is a reference to the CEC - or CCNP resource in which the listener is defined. + or CCEC resource in which the listener is defined. properties: kind: description: Kind is the resource type being referred @@ -409,6 +483,14 @@ spec: description: Name is the name of the listener. minLength: 1 type: string + priority: + description: Priority for this Listener that is used + when multiple rules would apply different listeners + to a policy map entry. Behavior of this is implementation + dependent. + maximum: 100 + minimum: 1 + type: integer required: - envoyConfig - name @@ -438,11 +520,11 @@ spec: description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for - the following items: - ''ca.crt'' - Which represents - the trusted CA to verify remote source. - ''tls.crt'' - - Which represents the public key certificate. - + the following items: - ''ca.crt'' - Which represents + the trusted CA to verify remote source. - ''tls.crt'' + - Which represents the public key certificate. - ''tls.key'' - Which represents the private key matching - the public key certificate.' + the public key certificate.' properties: name: description: Name is the name of the secret. 
@@ -527,16 +609,16 @@ spec: well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: `*.cilium.io` matches subomains - of cilium at that level www.cilium.io and + of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not `*cilium.io` matches cilium.io and - all subdomains ends with \"cilium.io\" except + all subdomains ends with \"cilium.io\" except those containing \".\" separator, subcilium.io - and sub-cilium.io match, www.cilium.io and + and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium where the subdomain component - begins with \"sub\" sub.cilium.io and subdomain.cilium.io - match, www.cilium.io, blog.cilium.io, cilium.io + begins with \"sub\" sub.cilium.io and subdomain.cilium.io + match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not" pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ type: string @@ -696,15 +778,15 @@ spec: such as \"produce\" or \"consume\". A Role automatically expands into all APIKeys required to perform the specified higher-level operation. - \n The following values are supported: - - \"produce\": Allow producing to the topics - specified in the rule - \"consume\": Allow - consuming from the topics specified in the - rule \n This field is incompatible with the - APIKey field, i.e APIKey and Role cannot both - be specified in the same rule. \n If omitted - or empty, and if APIKey is not specified, - then all keys are allowed." + \n The following values are supported: - \"produce\": + Allow producing to the topics specified in + the rule - \"consume\": Allow consuming from + the topics specified in the rule \n This field + is incompatible with the APIKey field, i.e + APIKey and Role cannot both be specified in + the same rule. \n If omitted or empty, and + if APIKey is not specified, then all keys + are allowed." enum: - produce - consume 
@@ -777,11 +859,11 @@ spec: description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for - the following items: - ''ca.crt'' - Which represents - the trusted CA to verify remote source. - ''tls.crt'' - - Which represents the public key certificate. - + the following items: - ''ca.crt'' - Which represents + the trusted CA to verify remote source. - ''tls.crt'' + - Which represents the public key certificate. - ''tls.key'' - Which represents the private key matching - the public key certificate.' + the public key certificate.' properties: name: description: Name is the name of the secret. @@ -848,11 +930,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from @@ -930,11 +1014,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the 
@@ -966,15 +1052,15 @@ spec: description: "EgressDenyRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector. - \n - All members of this structure are optional. If omitted - or empty, the member will have no effect on the rule. \n - - If multiple members of the structure are specified, then all members - \ must match in order for the rule to take effect. The exception - to this rule is the ToRequires member; the effects of any - Requires field in any rule will apply to all other rules as - well. \n - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices - and ToGroups are mutually exclusive. Only one of these members - may be present within an individual rule." + \n - All members of this structure are optional. If omitted or + empty, the member will have no effect on the rule. \n - If multiple + members of the structure are specified, then all members must + match in order for the rule to take effect. The exception to this + rule is the ToRequires member; the effects of any Requires field + in any rule will apply to all other rules as well. \n - ToEndpoints, + ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are mutually + exclusive. Only one of these members may be present within an + individual rule." properties: icmps: description: "ICMPs is a list of ICMP rule identified by type 
@@ -999,11 +1085,31 @@ spec: - IPv6 type: string type: - description: Type is a ICMP-type. It should be 0-255 - (8bit). - maximum: 255 - minimum: 0 - type: integer + anyOf: + - type: integer + - type: string + description: 'Type is a ICMP-type. It should be + an 8bit code (0-255), or it''s CamelCase name + (for example, "EchoReply"). Allowed ICMP types + are: Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest | RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + | Timestamp | TimestampReply | Photuris | ExtendedEcho + Request | ExtendedEcho Reply Ipv6: DestinationUnreachable + | PacketTooBig | TimeExceeded | ParameterProblem + | EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport | MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | NeighborSolicitation + | NeighborAdvertisement | RedirectMessage | RouterRenumbering + | ICMPNodeInformationQuery | ICMPNodeInformationResponse + | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement + | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation | MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + | ExtendedEchoRequest | ExtendedEchoReply' + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true required: - type type: object @@ -1060,8 +1166,9 @@ spec: cidrGroupRef: description: CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that - the endpoint, subject to the rule, can (Ingress) or - cannot (IngressDeny) receive connections from. + the endpoint, subject to the rule, can (Ingress/Egress) + or cannot (IngressDeny/EgressDeny) receive connections + from. maxLength: 253 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string @@ -1122,11 +1229,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from 
@@ -1169,10 +1278,10 @@ spec: description: "ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \n Example: - toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" + toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" items: - description: ToGroups structure to store all kinds of new - integrations that needs a new derivative policy. + description: Groups structure to store all kinds of new integrations + that needs a new derivative policy. properties: aws: description: AWSGroup is an structure that can be used 
@@ -1195,6 +1304,66 @@ spec: type: object type: object type: array + toNodes: + description: ToNodes is a list of nodes identified by an EndpointSelector + to which endpoints subject to the rule is allowed to communicate. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. 
+ type: object + type: object + type: array toPorts: description: "ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to @@ -1285,11 +1454,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from @@ -1367,11 +1538,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the @@ -1394,6 +1567,28 @@ spec: type: array type: object type: array + enableDefaultDeny: + description: "EnableDefaultDeny determines whether this policy configures + the subject endpoint(s) to have a default deny mode. If enabled, + this causes all traffic not explicitly allowed by a network policy + to be dropped. \n If not specified, the default is true for each + traffic direction that has rules, and false otherwise. For example, + if a policy only has Ingress or IngressDeny rules, then the default + for ingress is true and egress is false. \n If multiple policies + apply to an endpoint, that endpoint's default deny will be enabled + if any policy requests it. \n This is useful for creating broad-based + network policies that will not cause endpoints to enter default-deny + mode." + properties: + egress: + description: Whether or not the endpoint should have a default-deny + rule applied to egress traffic. + type: boolean + ingress: + description: Whether or not the endpoint should have a default-deny + rule applied to ingress traffic. + type: boolean + type: object endpointSelector: description: EndpointSelector selects all endpoints which should be subject to this rule. EndpointSelector and NodeSelector cannot be 
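Review bot: The new `enableDefaultDeny` object lets a policy turn default-deny off for a direction (`ingress: false` / `egress: false`) even when that direction has rules, and nothing in the schema restricts who may set it; in a cluster-wide policy that is a cluster-scoped way to weaken the isolation that other policies on the same endpoints were written to assume, since the description says the endpoint's default deny is enabled only if any policy requests it. That is by design upstream, but a practitioner installing this CRD will want a caveat in the project's docs or changelog that `enableDefaultDeny.*: false` should be treated as a privileged setting and gated by admission/policy review. The field description itself reads correctly; the note is about what consumers of this CRD should expect, not about the generated text.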
@@ -1430,11 +1625,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from the 
@@ -1456,30 +1653,29 @@ spec: description: "IngressRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the endpointSelector. - \n - All members of this structure are optional. If omitted - or empty, the member will have no effect on the rule. \n - - If multiple members are set, all of them need to match in order - for the rule to take effect. The exception to this rule is - FromRequires field; the effects of any Requires field in any - rule will apply to all other rules as well. \n - FromEndpoints, - FromCIDR, FromCIDRSet and FromEntities are mutually exclusive. - Only one of these members may be present within an individual - \ rule." + \n - All members of this structure are optional. If omitted or + empty, the member will have no effect on the rule. \n - If multiple + members are set, all of them need to match in order for the rule + to take effect. The exception to this rule is FromRequires field; + the effects of any Requires field in any rule will apply to all + other rules as well. \n - FromEndpoints, FromCIDR, FromCIDRSet + and FromEntities are mutually exclusive. Only one of these members + may be present within an individual rule." properties: - auth: - description: Auth is the required authentication type for the - allowed traffic, if any. + authentication: + description: Authentication is the required authentication type + for the allowed traffic, if any. properties: - type: - description: Type is the required authentication type for + mode: + description: Mode is the required authentication mode for the allowed traffic, if any. enum: - - "null" - - mtls-spiffe - - always-fail + - disabled + - required + - test-always-fail type: string required: - - type + - mode type: object fromCIDR: description: "FromCIDR is a list of IP blocks which the endpoint 
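Review bot: The rename of `auth`/`type` to `authentication`/`mode`, together with the new enum (`disabled`, `required`, `test-always-fail`), is a breaking schema change in this hunk with no conversion or version bump alongside it: under the structural v1 schema `auth` becomes an unknown field, so existing CiliumClusterwideNetworkPolicy objects carrying `auth: {type: mtls-spiffe}` will, unless unknown fields are preserved elsewhere in the CRD, have that field pruned on the next write, and the mutual-authentication requirement disappears silently instead of failing loudly. The sync should ship with a migration note telling policy owners to rewrite `auth: {type: mtls-spiffe}` as `authentication: {mode: required}`, and a pre-upgrade check that lists stored policies still using `.spec.ingress[].auth` (and the egress equivalent) before the new CRD is applied. The `fromCIDR` context line at the end of the hunk shows the enclosing `IngressRule` schema continues beyond it.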
@@ -1533,8 +1729,9 @@ spec: cidrGroupRef: description: CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that - the endpoint, subject to the rule, can (Ingress) or - cannot (IngressDeny) receive connections from. + the endpoint, subject to the rule, can (Ingress/Egress) + or cannot (IngressDeny/EgressDeny) receive connections + from. maxLength: 253 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string @@ -1595,11 +1792,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from 
@@ -1637,6 +1836,97 @@ spec: - kube-apiserver type: string type: array + fromGroups: + description: "FromGroups is a directive that allows the integration + with multiple outside providers. Currently, only AWS is supported, + and the rule can select by multiple sub directives: \n Example: + FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" + items: + description: Groups structure to store all kinds of new integrations + that needs a new derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + fromNodes: + description: FromNodes is a list of nodes identified by an EndpointSelector + which are allowed to communicate with the endpoint subject + to the rule. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array fromRequires: description: "FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be @@ -1680,11 +1970,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from 
@@ -1723,11 +2015,31 @@ spec: - IPv6 type: string type: - description: Type is a ICMP-type. It should be 0-255 - (8bit). - maximum: 255 - minimum: 0 - type: integer + anyOf: + - type: integer + - type: string + description: 'Type is a ICMP-type. It should be + an 8bit code (0-255), or it''s CamelCase name + (for example, "EchoReply"). Allowed ICMP types + are: Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest | RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + | Timestamp | TimestampReply | Photuris | ExtendedEcho + Request | ExtendedEcho Reply Ipv6: DestinationUnreachable + | PacketTooBig | TimeExceeded | ParameterProblem + | EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport | MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | NeighborSolicitation + | NeighborAdvertisement | RedirectMessage | RouterRenumbering + | ICMPNodeInformationQuery | ICMPNodeInformationResponse + | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement + | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation | MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + | ExtendedEchoRequest | ExtendedEchoReply' + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true required: - type type: object @@ -1751,7 +2063,7 @@ spec: properties: envoyConfig: description: EnvoyConfig is a reference to the CEC - or CCNP resource in which the listener is defined. + or CCEC resource in which the listener is defined. properties: kind: description: Kind is the resource type being referred @@ -1779,6 +2091,14 @@ spec: description: Name is the name of the listener. minLength: 1 type: string + priority: + description: Priority for this Listener that is used + when multiple rules would apply different listeners + to a policy map entry. Behavior of this is implementation + dependent. + maximum: 100 + minimum: 1 + type: integer required: - envoyConfig - name @@ -1808,11 +2128,11 @@ spec: description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for - the following items: - ''ca.crt'' - Which represents - the trusted CA to verify remote source. - ''tls.crt'' - - Which represents the public key certificate. - + the following items: - ''ca.crt'' - Which represents + the trusted CA to verify remote source. - ''tls.crt'' + - Which represents the public key certificate. - ''tls.key'' - Which represents the private key matching - the public key certificate.' + the public key certificate.' properties: name: description: Name is the name of the secret. 
@@ -1897,16 +2217,16 @@ spec: well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: `*.cilium.io` matches subomains - of cilium at that level www.cilium.io and + of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not `*cilium.io` matches cilium.io and - all subdomains ends with \"cilium.io\" except + all subdomains ends with \"cilium.io\" except those containing \".\" separator, subcilium.io - and sub-cilium.io match, www.cilium.io and + and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium where the subdomain component - begins with \"sub\" sub.cilium.io and subdomain.cilium.io - match, www.cilium.io, blog.cilium.io, cilium.io + begins with \"sub\" sub.cilium.io and subdomain.cilium.io + match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not" pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ type: string @@ -2066,15 +2386,15 @@ spec: such as \"produce\" or \"consume\". A Role automatically expands into all APIKeys required to perform the specified higher-level operation. - \n The following values are supported: - - \"produce\": Allow producing to the topics - specified in the rule - \"consume\": Allow - consuming from the topics specified in the - rule \n This field is incompatible with the - APIKey field, i.e APIKey and Role cannot both - be specified in the same rule. \n If omitted - or empty, and if APIKey is not specified, - then all keys are allowed." + \n The following values are supported: - \"produce\": + Allow producing to the topics specified in + the rule - \"consume\": Allow consuming from + the topics specified in the rule \n This field + is incompatible with the APIKey field, i.e + APIKey and Role cannot both be specified in + the same rule. \n If omitted or empty, and + if APIKey is not specified, then all keys + are allowed." enum: - produce - consume 
@@ -2147,11 +2467,11 @@ spec: description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for - the following items: - ''ca.crt'' - Which represents - the trusted CA to verify remote source. - ''tls.crt'' - - Which represents the public key certificate. - + the following items: - ''ca.crt'' - Which represents + the trusted CA to verify remote source. - ''tls.crt'' + - Which represents the public key certificate. - ''tls.key'' - Which represents the private key matching - the public key certificate.' + the public key certificate.' properties: name: description: Name is the name of the secret. 
@@ -2186,15 +2506,14 @@ spec: description: "IngressDenyRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the endpointSelector. - \n - All members of this structure are optional. If omitted - or empty, the member will have no effect on the rule. \n - - If multiple members are set, all of them need to match in order - for the rule to take effect. The exception to this rule is - FromRequires field; the effects of any Requires field in any - rule will apply to all other rules as well. \n - FromEndpoints, - FromCIDR, FromCIDRSet and FromEntities are mutually exclusive. - Only one of these members may be present within an individual - \ rule." + \n - All members of this structure are optional. If omitted or + empty, the member will have no effect on the rule. \n - If multiple + members are set, all of them need to match in order for the rule + to take effect. The exception to this rule is FromRequires field; + the effects of any Requires field in any rule will apply to all + other rules as well. \n - FromEndpoints, FromCIDR, FromCIDRSet, + FromGroups and FromEntities are mutually exclusive. Only one of + these members may be present within an individual rule." properties: fromCIDR: description: "FromCIDR is a list of IP blocks which the endpoint @@ -2248,8 +2567,9 @@ spec: cidrGroupRef: description: CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that - the endpoint, subject to the rule, can (Ingress) or - cannot (IngressDeny) receive connections from. + the endpoint, subject to the rule, can (Ingress/Egress) + or cannot (IngressDeny/EgressDeny) receive connections + from. maxLength: 253 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string 
@@ -2310,11 +2630,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from @@ -2352,14 +2674,40 @@ spec: - kube-apiserver type: string type: array - fromRequires: - description: "FromRequires is a list of additional constraints - which must be met in order for the selected endpoints to be - reachable. These additional constraints do no by itself grant - access privileges and must always be accompanied with at least - one matching FromEndpoints. \n Example: Any Endpoint with - the label \"team=A\" requires consuming endpoint to also carry - the label \"team=A\"." + fromGroups: + description: "FromGroups is a directive that allows the integration + with multiple outside providers. Currently, only AWS is supported, + and the rule can select by multiple sub directives: \n Example: + FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" + items: + description: Groups structure to store all kinds of new integrations + that needs a new derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + fromNodes: + description: FromNodes is a list of nodes identified by an EndpointSelector + which are allowed to communicate with the endpoint subject + to the rule. items: description: EndpointSelector is a wrapper for k8s LabelSelector. properties: 
@@ -2395,11 +2743,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from 
@@ -2415,21 +2765,86 @@ spec: type: object type: object type: array - icmps: - description: "ICMPs is a list of ICMP rule identified by type - number which the endpoint subject to the rule is not allowed - to receive connections on. \n Example: Any endpoint with the - label \"app=httpd\" can not accept incoming type 8 ICMP connections." + fromRequires: + description: "FromRequires is a list of additional constraints + which must be met in order for the selected endpoints to be + reachable. These additional constraints do no by itself grant + access privileges and must always be accompanied with at least + one matching FromEndpoints. \n Example: Any Endpoint with + the label \"team=A\" requires consuming endpoint to also carry + the label \"team=A\"." items: - description: ICMPRule is a list of ICMP fields. + description: EndpointSelector is a wrapper for k8s LabelSelector. properties: - fields: - description: Fields is a list of ICMP fields. + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. items: - description: ICMPField is a ICMP field. + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. properties: - family: - default: IPv4 + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, NotIn, + Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists or + DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field is + "key", the operator is "In", and the values array contains + only "value". The requirements are ANDed. + type: object + type: object + type: array + icmps: + description: "ICMPs is a list of ICMP rule identified by type + number which the endpoint subject to the rule is not allowed + to receive connections on. \n Example: Any endpoint with the + label \"app=httpd\" can not accept incoming type 8 ICMP connections." + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 description: Family is a IP address version. Currently, we support `IPv4` and `IPv6`. `IPv4` is set as default. 
@@ -2438,11 +2853,31 @@ spec: - IPv6 type: string type: - description: Type is a ICMP-type. It should be 0-255 - (8bit). - maximum: 255 - minimum: 0 - type: integer + anyOf: + - type: integer + - type: string + description: 'Type is a ICMP-type. It should be + an 8bit code (0-255), or it''s CamelCase name + (for example, "EchoReply"). Allowed ICMP types + are: Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest | RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + | Timestamp | TimestampReply | Photuris | ExtendedEcho + Request | ExtendedEcho Reply Ipv6: DestinationUnreachable + | PacketTooBig | TimeExceeded | ParameterProblem + | EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport | MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | NeighborSolicitation + | NeighborAdvertisement | RedirectMessage | RouterRenumbering + | ICMPNodeInformationQuery | ICMPNodeInformationResponse + | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement + | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation | MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + | ExtendedEchoRequest | ExtendedEchoReply' + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true required: - type type: object @@ -2554,11 +2989,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from the 
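Review bot: The `pattern` for the ICMP `type` field is wrapped onto a second line after `ExtendedEcho`; assuming that line is a continuation of the plain scalar rather than an artifact of this view, YAML folds the break into a space and the regex admits `ExtendedEcho Reply` while rejecting `ExtendedEchoReply`, which the IPv6 part of the description on the same field lists as allowed. A policy using the documented name is refused at admission (fail closed, but confusing), and the space-separated form passes the regex without being a real ICMP type name. If the wrap is a generator artifact it is worth fixing upstream or post-processing so the whole alternation stays on one line, e.g. `pattern: ^(...|ExtendedEchoRequest|ExtendedEchoReply|PacketTooBig|...)$`. The same wrapped pattern appears in the egress and egress-deny ICMP hunks `@@ -2657` and `@@ -3558`.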
@@ -2608,31 +3045,30 @@ spec: description: "EgressRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector. - \n - All members of this structure are optional. If omitted - or empty, the member will have no effect on the rule. \n - \ - If multiple members of the structure are specified, then - all members must match in order for the rule to take effect. - The exception to this rule is the ToRequires member; the - effects of any Requires field in any rule will apply to - all other rules as well. \n - ToEndpoints, ToCIDR, ToCIDRSet, - ToEntities, ToServices and ToGroups are mutually exclusive. - Only one of these members may be present within an individual - rule." + \n - All members of this structure are optional. If omitted + or empty, the member will have no effect on the rule. \n - If + multiple members of the structure are specified, then all members + must match in order for the rule to take effect. The exception + to this rule is the ToRequires member; the effects of any Requires + field in any rule will apply to all other rules as well. \n + - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and + ToGroups are mutually exclusive. Only one of these members may + be present within an individual rule." properties: - auth: - description: Auth is the required authentication type for - the allowed traffic, if any. + authentication: + description: Authentication is the required authentication + type for the allowed traffic, if any. properties: - type: - description: Type is the required authentication type + mode: + description: Mode is the required authentication mode for the allowed traffic, if any. enum: - - "null" - - mtls-spiffe - - always-fail + - disabled + - required + - test-always-fail type: string required: - - type + - mode type: object icmps: description: "ICMPs is a list of ICMP rule identified by type 
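Review bot: Renaming `auth` to `authentication` and replacing the enum values `"null"`/`mtls-spiffe`/`always-fail` with `disabled`/`required`/`test-always-fail` is a breaking schema change for clusters that already store these policies, and the hunk carries no migration note. As far as I can tell, existing objects that set `auth.type: mtls-spiffe` will have `auth` pruned as an unknown field once the new structural schema is installed, which silently drops the authentication requirement instead of failing loudly, while manifests re-applied with the old keys are rejected. I would call this out in the release notes and recommend auditing existing CiliumClusterwideNetworkPolicy objects for `auth` before the CRD is updated. The enum also admits `test-always-fail`, a testing mode by its name; clusters that want to keep it out of production can reject it with an admission policy. The same rename appears in the ingress hunk `@@ -4021`.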
@@ -2657,11 +3093,32 @@ spec: - IPv6 type: string type: - description: Type is a ICMP-type. It should be - 0-255 (8bit). - maximum: 255 - minimum: 0 - type: integer + anyOf: + - type: integer + - type: string + description: 'Type is a ICMP-type. It should be + an 8bit code (0-255), or it''s CamelCase name + (for example, "EchoReply"). Allowed ICMP types + are: Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest | RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + | Timestamp | TimestampReply | Photuris | ExtendedEcho + Request | ExtendedEcho Reply Ipv6: DestinationUnreachable + | PacketTooBig | TimeExceeded | ParameterProblem + | EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport | MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | + NeighborSolicitation | NeighborAdvertisement + | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery + | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation + | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest + | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation + | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix + | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest + | ExtendedEchoReply' + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true required: - type type: object @@ -2718,8 +3175,9 @@ spec: cidrGroupRef: description: CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs - that the endpoint, subject to the rule, can (Ingress) - or cannot (IngressDeny) receive connections from. + that the endpoint, subject to the rule, can (Ingress/Egress) + or cannot (IngressDeny/EgressDeny) receive connections + from. maxLength: 253 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string @@ -2781,11 +3239,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value @@ -2825,7 +3285,7 @@ spec: type: string type: array toFQDNs: - description: "ToFQDN allows whitelisting DNS names in place + description: 'ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result from DNS resolution of `ToFQDN.MatchName`s are added to the same EgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and L7 rules within this 
@@ -2838,16 +3298,7 @@ spec: and will enforce egress policy when PolicyEnforcment=default. Note: If the resolved IPs are IPs within the kubernetes cluster, the ToFQDN rule will not apply to that IP. Note: - ToFQDN cannot occur in the same policy as other To* rules. - \n The current implementation has a number of limitations: - - The DNS resolution originates from cilium-agent, and not - from the pods. Differences between the responses seen by - cilium agent and a particular pod will whitelist the incorrect - IP. - DNS TTLs are ignored, and cilium-agent will repoll - on a short interval (5 seconds). Each change to the DNS - data will trigger a policy regeneration. This may result - in delayed updates to the policy for an endpoint when the - data changes often or the system is under load." + ToFQDN cannot occur in the same policy as other To* rules.' items: properties: matchName: 
@@ -2864,16 +3315,16 @@ spec: without a following \".\" matches all subdomains as well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: `*.cilium.io` - matches subomains of cilium at that level www.cilium.io + matches subomains of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not `*cilium.io` matches cilium.io and all subdomains - ends with \"cilium.io\" except those containing - \".\" separator, subcilium.io and sub-cilium.io match, - \ www.cilium.io and blog.cilium.io does not sub*.cilium.io - matches subdomains of cilium where the subdomain component - begins with \"sub\" sub.cilium.io and subdomain.cilium.io - match, www.cilium.io, blog.cilium.io, cilium.io - and google.com do not" + ends with \"cilium.io\" except those containing \".\" + separator, subcilium.io and sub-cilium.io match, www.cilium.io + and blog.cilium.io does not sub*.cilium.io matches + subdomains of cilium where the subdomain component + begins with \"sub\" sub.cilium.io and subdomain.cilium.io + match, www.cilium.io, blog.cilium.io, cilium.io and + google.com do not" pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ type: string type: object @@ -2882,10 +3333,9 @@ spec: description: "ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: - \n Example: toGroups: - aws: securityGroupsIds: - - 'sg-XXXXXXXXXXXXX'" + \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" items: - description: ToGroups structure to store all kinds of new + description: Groups structure to store all kinds of new integrations that needs a new derivative policy. properties: aws: 
@@ -2909,6 +3359,66 @@ spec: type: object type: object type: array + toNodes: + description: ToNodes is a list of nodes identified by an EndpointSelector + to which endpoints subject to the rule is allowed to communicate. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + type: array toPorts: description: "ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to @@ -2926,7 +3436,7 @@ spec: properties: envoyConfig: description: EnvoyConfig is a reference to the CEC - or CCNP resource in which the listener is defined. + or CCEC resource in which the listener is defined. properties: kind: description: Kind is the resource type being @@ -2955,6 +3465,14 @@ spec: description: Name is the name of the listener. minLength: 1 type: string + priority: + description: Priority for this Listener that is + used when multiple rules would apply different + listeners to a policy map entry. Behavior of this + is implementation dependent. + maximum: 100 + minimum: 1 + type: integer required: - envoyConfig - name @@ -2985,11 +3503,11 @@ spec: description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret - for the following items: - ''ca.crt'' - Which - represents the trusted CA to verify remote source. - - ''tls.crt'' - Which represents the public key - certificate. - ''tls.key'' - Which represents - the private key matching the public key certificate.' + for the following items: - ''ca.crt'' - Which + represents the trusted CA to verify remote source. + - ''tls.crt'' - Which represents the public key + certificate. - ''tls.key'' - Which represents + the private key matching the public key certificate.' properties: name: description: Name is the name of the secret. 
@@ -3074,17 +3592,17 @@ spec: as well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: `*.cilium.io` matches subomains - of cilium at that level www.cilium.io - and blog.cilium.io match, cilium.io and - google.com do not `*cilium.io` matches cilium.io - and all subdomains ends with \"cilium.io\" - \ except those containing \".\" separator, - subcilium.io and sub-cilium.io match, www.cilium.io - and blog.cilium.io does not sub*.cilium.io - matches subdomains of cilium where the subdomain - component begins with \"sub\" sub.cilium.io + of cilium at that level www.cilium.io and + blog.cilium.io match, cilium.io and google.com + do not `*cilium.io` matches cilium.io and + all subdomains ends with \"cilium.io\" except + those containing \".\" separator, subcilium.io + and sub-cilium.io match, www.cilium.io and + blog.cilium.io does not sub*.cilium.io matches + subdomains of cilium where the subdomain + component begins with \"sub\" sub.cilium.io and subdomain.cilium.io match, www.cilium.io, - \ blog.cilium.io, cilium.io and google.com + blog.cilium.io, cilium.io and google.com do not" pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ type: string @@ -3246,9 +3764,9 @@ spec: such as \"produce\" or \"consume\". A Role automatically expands into all APIKeys required to perform the specified higher-level operation. - \n The following values are supported: - + \n The following values are supported: - \"produce\": Allow producing to the topics - specified in the rule - \"consume\": Allow + specified in the rule - \"consume\": Allow consuming from the topics specified in the rule \n This field is incompatible with the APIKey field, i.e APIKey and Role cannot 
@@ -3331,11 +3849,11 @@ spec: description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret - for the following items: - ''ca.crt'' - Which - represents the trusted CA to verify remote source. - - ''tls.crt'' - Which represents the public key - certificate. - ''tls.key'' - Which represents - the private key matching the public key certificate.' + for the following items: - ''ca.crt'' - Which + represents the trusted CA to verify remote source. + - ''tls.crt'' - Which represents the public key + certificate. - ''tls.key'' - Which represents + the private key matching the public key certificate.' properties: name: description: Name is the name of the secret. @@ -3403,11 +3921,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value @@ -3488,11 +4008,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the 
@@ -3524,16 +4046,15 @@ spec: description: "EgressDenyRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector. - \n - All members of this structure are optional. If omitted - or empty, the member will have no effect on the rule. \n - \ - If multiple members of the structure are specified, then - all members must match in order for the rule to take effect. - The exception to this rule is the ToRequires member; the - effects of any Requires field in any rule will apply to - all other rules as well. \n - ToEndpoints, ToCIDR, ToCIDRSet, - ToEntities, ToServices and ToGroups are mutually exclusive. - Only one of these members may be present within an individual - rule." + \n - All members of this structure are optional. If omitted + or empty, the member will have no effect on the rule. \n - If + multiple members of the structure are specified, then all members + must match in order for the rule to take effect. The exception + to this rule is the ToRequires member; the effects of any Requires + field in any rule will apply to all other rules as well. \n + - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and + ToGroups are mutually exclusive. Only one of these members may + be present within an individual rule." properties: icmps: description: "ICMPs is a list of ICMP rule identified by type 
@@ -3558,11 +4079,32 @@ spec: - IPv6 type: string type: - description: Type is a ICMP-type. It should be - 0-255 (8bit). - maximum: 255 - minimum: 0 - type: integer + anyOf: + - type: integer + - type: string + description: 'Type is a ICMP-type. It should be + an 8bit code (0-255), or it''s CamelCase name + (for example, "EchoReply"). Allowed ICMP types + are: Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest | RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + | Timestamp | TimestampReply | Photuris | ExtendedEcho + Request | ExtendedEcho Reply Ipv6: DestinationUnreachable + | PacketTooBig | TimeExceeded | ParameterProblem + | EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport | MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | + NeighborSolicitation | NeighborAdvertisement + | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery + | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation + | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest + | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation + | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix + | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest + | ExtendedEchoReply' + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true required: - type type: object @@ -3619,8 +4161,9 @@ spec: cidrGroupRef: description: CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs - that the endpoint, subject to the rule, can (Ingress) - or cannot (IngressDeny) receive connections from. + that the endpoint, subject to the rule, can (Ingress/Egress) + or cannot (IngressDeny/EgressDeny) receive connections + from. maxLength: 253 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string @@ -3682,11 +4225,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value @@ -3729,10 +4274,9 @@ spec: description: "ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: - \n Example: toGroups: - aws: securityGroupsIds: - - 'sg-XXXXXXXXXXXXX'" + \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" items: - description: ToGroups structure to store all kinds of new + description: Groups structure to store all kinds of new integrations that needs a new derivative policy. properties: aws: 
@@ -3756,6 +4300,66 @@ spec: type: object type: object type: array + toNodes: + description: ToNodes is a list of nodes identified by an EndpointSelector + to which endpoints subject to the rule is allowed to communicate. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. 
+ type: object + type: object + type: array toPorts: description: "ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to @@ -3847,11 +4451,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value @@ -3932,11 +4538,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the @@ -3959,6 +4567,28 @@ spec: type: array type: object type: array + enableDefaultDeny: + description: "EnableDefaultDeny determines whether this policy configures + the subject endpoint(s) to have a default deny mode. If enabled, + this causes all traffic not explicitly allowed by a network policy + to be dropped. \n If not specified, the default is true for each + traffic direction that has rules, and false otherwise. For example, + if a policy only has Ingress or IngressDeny rules, then the default + for ingress is true and egress is false. \n If multiple policies + apply to an endpoint, that endpoint's default deny will be enabled + if any policy requests it. \n This is useful for creating broad-based + network policies that will not cause endpoints to enter default-deny + mode." + properties: + egress: + description: Whether or not the endpoint should have a default-deny + rule applied to egress traffic. + type: boolean + ingress: + description: Whether or not the endpoint should have a default-deny + rule applied to ingress traffic. + type: boolean + type: object endpointSelector: description: EndpointSelector selects all endpoints which should be subject to this rule. EndpointSelector and NodeSelector cannot 
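Review bot: `enableDefaultDeny` lets a single policy opt the selected endpoints out of default-deny for ingress or egress; as the description reads, the result across several policies is "enabled if any policy requests it", so `ingress: false` cannot weaken an endpoint another policy already holds in default-deny, but it does change a lone allow rule from "allow this and deny the rest" to just "allow this". Leaving the two booleans without a `default:` is the right shape, because an omitted key and an explicit `false` must remain distinguishable for the documented per-direction defaulting to work. Operators who rely on "a policy exists, therefore default-deny applies" may want an admission rule on who can set `enableDefaultDeny` values to `false`, and a line in the release notes that this field is newly accepted.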
@@ -3995,11 +4625,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from the 
@@ -4021,30 +4653,30 @@ spec: description: "IngressRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the - endpointSelector. \n - All members of this structure are optional. - If omitted or empty, the member will have no effect on the - rule. \n - If multiple members are set, all of them need to - match in order for the rule to take effect. The exception - to this rule is FromRequires field; the effects of any Requires - field in any rule will apply to all other rules as well. - \n - FromEndpoints, FromCIDR, FromCIDRSet and FromEntities - are mutually exclusive. Only one of these members may be - present within an individual rule." + endpointSelector. \n - All members of this structure are optional. + If omitted or empty, the member will have no effect on the rule. + \n - If multiple members are set, all of them need to match + in order for the rule to take effect. The exception to this + rule is FromRequires field; the effects of any Requires field + in any rule will apply to all other rules as well. \n - FromEndpoints, + FromCIDR, FromCIDRSet and FromEntities are mutually exclusive. + Only one of these members may be present within an individual + rule." properties: - auth: - description: Auth is the required authentication type for - the allowed traffic, if any. + authentication: + description: Authentication is the required authentication + type for the allowed traffic, if any. properties: - type: - description: Type is the required authentication type + mode: + description: Mode is the required authentication mode for the allowed traffic, if any. enum: - - "null" - - mtls-spiffe - - always-fail + - disabled + - required + - test-always-fail type: string required: - - type + - mode type: object fromCIDR: description: "FromCIDR is a list of IP blocks which the endpoint 
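Review bot: The regenerated `IngressRule` description still lists only `FromEndpoints, FromCIDR, FromCIDRSet and FromEntities` as mutually exclusive, while the `IngressDenyRule` description in hunk `@@ -2186` was updated to include `FromGroups`, and this same commit adds `fromGroups` and `fromNodes` to `IngressRule` in the following hunk `@@ -4203`. These descriptions are what `kubectl explain` shows policy authors, so the mismatch is worth fixing upstream or noting in the sync; the deny-rule wording `FromEndpoints, FromCIDR, FromCIDRSet, FromGroups and FromEntities are mutually exclusive` would be the consistent text. The `auth` to `authentication` rename here is the same change raised on the egress hunk.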
@@ -4098,8 +4730,9 @@ spec: cidrGroupRef: description: CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs - that the endpoint, subject to the rule, can (Ingress) - or cannot (IngressDeny) receive connections from. + that the endpoint, subject to the rule, can (Ingress/Egress) + or cannot (IngressDeny/EgressDeny) receive connections + from. maxLength: 253 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string @@ -4161,11 +4794,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value 
@@ -4203,6 +4838,97 @@ spec: - kube-apiserver type: string type: array + fromGroups: + description: "FromGroups is a directive that allows the integration + with multiple outside providers. Currently, only AWS is + supported, and the rule can select by multiple sub directives: + \n Example: FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" + items: + description: Groups structure to store all kinds of new + integrations that needs a new derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + fromNodes: + description: FromNodes is a list of nodes identified by an + EndpointSelector which are allowed to communicate with the + endpoint subject to the rule. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + type: array fromRequires: description: "FromRequires is a list of additional constraints which must be met in order for the selected endpoints to @@ -4246,11 +4972,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value 
@@ -4290,11 +5018,32 @@ spec: - IPv6 type: string type: - description: Type is a ICMP-type. It should be - 0-255 (8bit). - maximum: 255 - minimum: 0 - type: integer + anyOf: + - type: integer + - type: string + description: 'Type is a ICMP-type. It should be + an 8bit code (0-255), or it''s CamelCase name + (for example, "EchoReply"). Allowed ICMP types + are: Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest | RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + | Timestamp | TimestampReply | Photuris | ExtendedEcho + Request | ExtendedEcho Reply Ipv6: DestinationUnreachable + | PacketTooBig | TimeExceeded | ParameterProblem + | EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport | MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | + NeighborSolicitation | NeighborAdvertisement + | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery + | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation + | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest + | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation + | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix + | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest + | ExtendedEchoReply' + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true required: - type type: object @@ -4318,7 +5067,7 @@ spec: properties: envoyConfig: description: EnvoyConfig is a reference to the CEC - or CCNP resource in which the listener is defined. + or CCEC resource in which the listener is defined. properties: kind: description: Kind is the resource type being @@ -4347,6 +5096,14 @@ spec: description: Name is the name of the listener. minLength: 1 type: string + priority: + description: Priority for this Listener that is + used when multiple rules would apply different + listeners to a policy map entry. Behavior of this + is implementation dependent. + maximum: 100 + minimum: 1 + type: integer required: - envoyConfig - name 
@@ -4377,11 +5134,11 @@ spec: description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret - for the following items: - ''ca.crt'' - Which - represents the trusted CA to verify remote source. - - ''tls.crt'' - Which represents the public key - certificate. - ''tls.key'' - Which represents - the private key matching the public key certificate.' + for the following items: - ''ca.crt'' - Which + represents the trusted CA to verify remote source. + - ''tls.crt'' - Which represents the public key + certificate. - ''tls.key'' - Which represents + the private key matching the public key certificate.' properties: name: description: Name is the name of the secret. @@ -4466,17 +5223,17 @@ spec: as well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: `*.cilium.io` matches subomains - of cilium at that level www.cilium.io - and blog.cilium.io match, cilium.io and - google.com do not `*cilium.io` matches cilium.io - and all subdomains ends with \"cilium.io\" - \ except those containing \".\" separator, - subcilium.io and sub-cilium.io match, www.cilium.io - and blog.cilium.io does not sub*.cilium.io - matches subdomains of cilium where the subdomain - component begins with \"sub\" sub.cilium.io + of cilium at that level www.cilium.io and + blog.cilium.io match, cilium.io and google.com + do not `*cilium.io` matches cilium.io and + all subdomains ends with \"cilium.io\" except + those containing \".\" separator, subcilium.io + and sub-cilium.io match, www.cilium.io and + blog.cilium.io does not sub*.cilium.io matches + subdomains of cilium where the subdomain + component begins with \"sub\" sub.cilium.io and subdomain.cilium.io match, www.cilium.io, - \ blog.cilium.io, cilium.io and google.com + blog.cilium.io, cilium.io and google.com do not" pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ type: string 
@@ -4638,9 +5395,9 @@ spec: such as \"produce\" or \"consume\". A Role automatically expands into all APIKeys required to perform the specified higher-level operation. - \n The following values are supported: - + \n The following values are supported: - \"produce\": Allow producing to the topics - specified in the rule - \"consume\": Allow + specified in the rule - \"consume\": Allow consuming from the topics specified in the rule \n This field is incompatible with the APIKey field, i.e APIKey and Role cannot @@ -4723,11 +5480,11 @@ spec: description: 'Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret - for the following items: - ''ca.crt'' - Which - represents the trusted CA to verify remote source. - - ''tls.crt'' - Which represents the public key - certificate. - ''tls.key'' - Which represents - the private key matching the public key certificate.' + for the following items: - ''ca.crt'' - Which + represents the trusted CA to verify remote source. + - ''tls.crt'' - Which represents the public key + certificate. - ''tls.key'' - Which represents + the private key matching the public key certificate.' properties: name: description: Name is the name of the secret. 
@@ -4762,15 +5519,15 @@ spec: description: "IngressDenyRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected - by the endpointSelector. \n - All members of this structure - are optional. If omitted or empty, the member will have - no effect on the rule. \n - If multiple members are set, all - of them need to match in order for the rule to take effect. - The exception to this rule is FromRequires field; the effects - of any Requires field in any rule will apply to all other rules - as well. \n - FromEndpoints, FromCIDR, FromCIDRSet and FromEntities - are mutually exclusive. Only one of these members may be - present within an individual rule." + by the endpointSelector. \n - All members of this structure + are optional. If omitted or empty, the member will have no effect + on the rule. \n - If multiple members are set, all of them need + to match in order for the rule to take effect. The exception + to this rule is FromRequires field; the effects of any Requires + field in any rule will apply to all other rules as well. \n + - FromEndpoints, FromCIDR, FromCIDRSet, FromGroups and FromEntities + are mutually exclusive. Only one of these members may be present + within an individual rule." properties: fromCIDR: description: "FromCIDR is a list of IP blocks which the endpoint @@ -4824,8 +5581,9 @@ spec: cidrGroupRef: description: CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs - that the endpoint, subject to the rule, can (Ingress) - or cannot (IngressDeny) receive connections from. + that the endpoint, subject to the rule, can (Ingress/Egress) + or cannot (IngressDeny/EgressDeny) receive connections + from. maxLength: 253 pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ type: string 
@@ -4887,11 +5645,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value 
@@ -4929,6 +5689,97 @@ spec: - kube-apiserver type: string type: array + fromGroups: + description: "FromGroups is a directive that allows the integration + with multiple outside providers. Currently, only AWS is + supported, and the rule can select by multiple sub directives: + \n Example: FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'" + items: + description: Groups structure to store all kinds of new + integrations that needs a new derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + fromNodes: + description: FromNodes is a list of nodes identified by an + EndpointSelector which are allowed to communicate with the + endpoint subject to the rule. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector + that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: operator represents a key's relationship + to a set of values. Valid operators are In, + NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: values is an array of string values. + If the operator is In or NotIn, the values array + must be non-empty. If the operator is Exists + or DoesNotExist, the values array must be empty. + This array is replaced during a strategic merge + patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: matchLabels is a map of {key,value} pairs. + A single {key,value} in the matchLabels map is equivalent + to an element of matchExpressions, whose key field + is "key", the operator is "In", and the values array + contains only "value". The requirements are ANDed. + type: object + type: object + type: array fromRequires: description: "FromRequires is a list of additional constraints which must be met in order for the selected endpoints to @@ -4972,11 +5823,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value 
@@ -5016,11 +5869,32 @@ spec: - IPv6 type: string type: - description: Type is a ICMP-type. It should be - 0-255 (8bit). - maximum: 255 - minimum: 0 - type: integer + anyOf: + - type: integer + - type: string + description: 'Type is a ICMP-type. It should be + an 8bit code (0-255), or it''s CamelCase name + (for example, "EchoReply"). Allowed ICMP types + are: Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest | RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + | Timestamp | TimestampReply | Photuris | ExtendedEcho + Request | ExtendedEcho Reply Ipv6: DestinationUnreachable + | PacketTooBig | TimeExceeded | ParameterProblem + | EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport | MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | + NeighborSolicitation | NeighborAdvertisement + | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery + | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation + | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest + | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation + | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix + | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest + | ExtendedEchoReply' + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true required: - type type: object @@ -5134,11 +6008,13 @@ spec: items: type: string type: array + x-kubernetes-list-type: atomic required: - key - operator type: object type: array + x-kubernetes-list-type: atomic matchLabels: additionalProperties: description: MatchLabelsValue represents the value from the diff --git a/pkg/crds/podmonitors.yaml b/pkg/crds/podmonitors.yaml index 51cea6e..bf42984 100644 --- a/pkg/crds/podmonitors.yaml +++ b/pkg/crds/podmonitors.yaml @@ -3,8 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 + operator.prometheus.io/version: 0.73.2 name: podmonitors.monitoring.coreos.com spec: group: monitoring.coreos.com 
@@ -25,14 +25,19 @@ spec: description: PodMonitor defines monitoring for a set of pods. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object 
@@ -41,41 +46,85 @@ spec: by Prometheus. properties: attachMetadata: - description: Attaches node metadata to discovered targets. Requires - Prometheus v2.35.0 and above. + description: |- + `attachMetadata` defines additional metadata which is added to the + discovered targets. + + + It requires Prometheus >= v2.37.0. properties: node: - description: When set to true, Prometheus must have permissions - to get Nodes. + description: |- + When set to true, Prometheus must have the `get` permission on the + `Nodes` objects. type: boolean type: object + bodySizeLimit: + description: |- + When defined, bodySizeLimit specifies a job level limit on the size + of uncompressed response body that will be accepted by Prometheus. + + + It requires Prometheus >= v2.28.0. + pattern: (^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$ + type: string jobLabel: - description: The label to use to retrieve the job name from. + description: |- + The label to use to retrieve the job name from. + `jobLabel` selects the label from the associated Kubernetes `Pod` + object which will be used as the `job` label for all metrics. + + + For example if `jobLabel` is set to `foo` and the Kubernetes `Pod` + object is labeled with `foo: bar`, then Prometheus adds the `job="bar"` + label to all ingested metrics. + + + If the value of this field is empty, the `job` label of the metrics + defaults to the namespace and name of the PodMonitor object (e.g. `/`). type: string + keepDroppedTargets: + description: |- + Per-scrape limit on the number of targets dropped by relabeling + that will be kept in memory. 0 means no limit. + + + It requires Prometheus >= v2.47.0. + format: int64 + type: integer labelLimit: - description: Per-scrape limit on number of labels that will be accepted - for a sample. Only valid in Prometheus versions 2.27.0 and newer. + description: |- + Per-scrape limit on number of labels that will be accepted for a sample. + + + It requires Prometheus >= v2.27.0. 
format: int64 type: integer labelNameLengthLimit: - description: Per-scrape limit on length of labels name that will be - accepted for a sample. Only valid in Prometheus versions 2.27.0 - and newer. + description: |- + Per-scrape limit on length of labels name that will be accepted for a sample. + + + It requires Prometheus >= v2.27.0. format: int64 type: integer labelValueLengthLimit: - description: Per-scrape limit on length of labels value that will - be accepted for a sample. Only valid in Prometheus versions 2.27.0 - and newer. + description: |- + Per-scrape limit on length of labels value that will be accepted for a sample. + + + It requires Prometheus >= v2.27.0. format: int64 type: integer namespaceSelector: - description: Selector to select which namespaces the Endpoints objects + description: |- + Selector to select which namespaces the Kubernetes `Pods` objects are discovered from. properties: any: - description: Boolean describing whether all namespaces are selected - in contrast to a list restricting them. + description: |- + Boolean describing whether all namespaces are selected in contrast to a + list restricting them. type: boolean matchNames: description: List of namespace names to select from. 
@@ -84,25 +133,33 @@ spec: type: array type: object podMetricsEndpoints: - description: A list of endpoints allowed as part of this PodMonitor. + description: List of endpoints part of this PodMonitor. items: - description: PodMetricsEndpoint defines a scrapeable endpoint of - a Kubernetes Pod serving Prometheus metrics. + description: |- + PodMetricsEndpoint defines an endpoint serving Prometheus metrics to be scraped by + Prometheus. properties: authorization: - description: Authorization section for this endpoint + description: |- + `authorization` configures the Authorization header credentials to use when + scraping the target. + + + Cannot be set at the same time as `basicAuth`, or `oauth2`. properties: credentials: - description: The secret's key that contains the credentials - of the request + description: Selects a key of a Secret in the namespace + that contains the credentials for authentication. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must 
@@ -113,25 +170,38 @@ spec: type: object x-kubernetes-map-type: atomic type: - description: Set the authentication type. Defaults to Bearer, - Basic will cause an error + description: |- + Defines the authentication type. The value is case-insensitive. + + + "Basic" is not a supported value. + + + Default: "Bearer" type: string type: object basicAuth: - description: 'BasicAuth allow an endpoint to authenticate over - basic authentication. More info: https://prometheus.io/docs/operating/configuration/#endpoint' + description: |- + `basicAuth` configures the Basic Authentication credentials to use when + scraping the target. + + + Cannot be set at the same time as `authorization`, or `oauth2`. properties: password: - description: The secret in the service monitor namespace - that contains the password for authentication. + description: |- + `password` specifies a key of a Secret containing the password for + authentication. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must 
@@ -142,16 +212,19 @@ spec: type: object x-kubernetes-map-type: atomic username: - description: The secret in the service monitor namespace - that contains the username for authentication. + description: |- + `username` specifies a key of a Secret containing the username for + authentication. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must @@ -163,17 +236,23 @@ spec: x-kubernetes-map-type: atomic type: object bearerTokenSecret: - description: Secret to mount to read bearer token for scraping - targets. The secret needs to be in the same namespace as the - pod monitor and accessible by the Prometheus Operator. + description: |- + `bearerTokenSecret` specifies a key of a Secret containing the bearer + token for scraping targets. The secret needs to be in the same namespace + as the PodMonitor object and readable by the Prometheus Operator. + + + Deprecated: use `authorization` instead. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must 
@@ -184,43 +263,66 @@ spec: type: object x-kubernetes-map-type: atomic enableHttp2: - description: Whether to enable HTTP2. + description: '`enableHttp2` can be used to disable HTTP2 when + scraping the target.' type: boolean filterRunning: - description: 'Drop pods that are not running. (Failed, Succeeded). - Enabled by default. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase' + description: |- + When true, the pods which are not running (e.g. either in Failed or + Succeeded state) are dropped during the target discovery. + + + If unset, the filtering is enabled. + + + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase type: boolean followRedirects: - description: FollowRedirects configures whether scrape requests - follow HTTP 3xx redirects. + description: |- + `followRedirects` defines whether the scrape requests should follow HTTP + 3xx redirects. type: boolean honorLabels: - description: HonorLabels chooses the metric's labels on collisions - with target labels. + description: |- + When true, `honorLabels` preserves the metric's labels when they collide + with the target's labels. type: boolean honorTimestamps: - description: HonorTimestamps controls whether Prometheus respects - the timestamps present in scraped data. + description: |- + `honorTimestamps` controls whether Prometheus preserves the timestamps + when exposed by the target. type: boolean interval: - description: Interval at which metrics should be scraped If - not specified Prometheus' global scrape interval is used. + description: |- + Interval at which Prometheus scrapes the metrics from the target. + + + If empty, Prometheus uses the global scrape interval. pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ type: string metricRelabelings: - description: MetricRelabelConfigs to apply to samples before - ingestion. 
+ description: |- + `metricRelabelings` configures the relabeling rules to apply to the + samples before ingestion. items: - description: 'RelabelConfig allows dynamic rewriting of the - label set, being applied to samples before ingestion. It - defines ``-section of Prometheus - configuration. More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs' + description: |- + RelabelConfig allows dynamic rewriting of the label set for targets, alerts, + scraped samples and remote write samples. + + + More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config properties: action: default: replace - description: Action to perform based on regex matching. - Default is 'replace'. uppercase and lowercase actions - require Prometheus >= 2.36. + description: |- + Action to perform based on the regex matching. + + + `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. + `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. + + + Default: "Replace" enum: - replace - Replace 
@@ -246,49 +348,68 @@ spec: - DropEqual type: string modulus: - description: Modulus to take of the hash of the source - label values. + description: |- + Modulus to take of the hash of the source label values. + + + Only applicable when the action is `HashMod`. format: int64 type: integer regex: description: Regular expression against which the extracted - value is matched. Default is '(.*)' + value is matched. type: string replacement: - description: Replacement value against which a regex replace - is performed if the regular expression matches. Regex - capture groups are available. Default is '$1' + description: |- + Replacement value against which a Replace action is performed if the + regular expression matches. + + + Regex capture groups are available. type: string separator: - description: Separator placed between concatenated source - label values. default is ';'. + description: Separator is the string between concatenated + SourceLabels. type: string sourceLabels: - description: The source labels select values from existing - labels. Their content is concatenated using the configured - separator and matched against the configured regular - expression for the replace, keep, and drop actions. + description: |- + The source labels select values from existing labels. Their content is + concatenated using the configured Separator and matched against the + configured regular expression. items: - description: LabelName is a valid Prometheus label name - which may only contain ASCII letters, numbers, as - well as underscores. + description: |- + LabelName is a valid Prometheus label name which may only contain ASCII + letters, numbers, as well as underscores. pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ type: string type: array targetLabel: - description: Label to which the resulting value is written - in a replace action. It is mandatory for replace actions. + description: |- + Label to which the resulting string is written in a replacement. 
+ + + It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, + `KeepEqual` and `DropEqual` actions. + + Regex capture groups are available. type: string type: object type: array oauth2: - description: OAuth2 for the URL. Only valid in Prometheus versions - 2.27.0 and newer. + description: |- + `oauth2` configures the OAuth2 settings to use when scraping the target. + + + It requires Prometheus >= 2.27.0. + + + Cannot be set at the same time as `authorization`, or `basicAuth`. properties: clientId: - description: The secret or configmap containing the OAuth2 - client id + description: |- + `clientId` specifies a key of a Secret or ConfigMap containing the + OAuth2 client's ID. properties: configMap: description: ConfigMap containing data to use for the @@ -298,9 +419,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or its @@ -318,9 +440,10 @@ spec: be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key 
@@ -332,15 +455,19 @@ spec: x-kubernetes-map-type: atomic type: object clientSecret: - description: The secret containing the OAuth2 client secret + description: |- + `clientSecret` specifies a key of a Secret containing the OAuth2 + client's secret. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must @@ -353,15 +480,19 @@ spec: endpointParams: additionalProperties: type: string - description: Parameters to append to the token URL + description: |- + `endpointParams` configures the HTTP parameters to append to the token + URL. type: object scopes: - description: OAuth2 scopes used for the token request + description: '`scopes` defines the OAuth2 scopes used for + the token request.' items: type: string type: array tokenUrl: - description: The URL to fetch the token from + description: '`tokenURL` configures the URL to fetch the + token from.' minLength: 1 type: string required: 
@@ -374,37 +505,59 @@ spec: items: type: string type: array - description: Optional HTTP URL parameters + description: '`params` define optional HTTP URL parameters.' type: object path: - description: HTTP path to scrape for metrics. If empty, Prometheus - uses the default value (e.g. `/metrics`). + description: |- + HTTP path from which to scrape for metrics. + + + If empty, Prometheus uses the default value (e.g. `/metrics`). type: string port: - description: Name of the pod port this endpoint refers to. Mutually - exclusive with targetPort. + description: |- + Name of the Pod port which this endpoint refers to. + + + It takes precedence over `targetPort`. type: string proxyUrl: - description: ProxyURL eg http://proxyserver:2195 Directs scrapes - to proxy through this endpoint. + description: |- + `proxyURL` configures the HTTP Proxy URL (e.g. + "http://proxyserver:2195") to go through when scraping the target. type: string relabelings: - description: 'RelabelConfigs to apply to samples before scraping. - Prometheus Operator automatically adds relabelings for a few - standard Kubernetes fields. The original scrape job''s name - is available via the `__tmp_prometheus_job_name` label. More - info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config' + description: |- + `relabelings` configures the relabeling rules to apply the target's + metadata labels. + + + The Operator automatically adds relabelings for a few standard Kubernetes fields. + + + The original scrape job's name is available via the `__tmp_prometheus_job_name` label. + + + More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config items: - description: 'RelabelConfig allows dynamic rewriting of the - label set, being applied to samples before ingestion. It - defines ``-section of Prometheus - configuration. 
More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs' + description: |- + RelabelConfig allows dynamic rewriting of the label set for targets, alerts, + scraped samples and remote write samples. + + + More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config properties: action: default: replace - description: Action to perform based on regex matching. - Default is 'replace'. uppercase and lowercase actions - require Prometheus >= 2.36. + description: |- + Action to perform based on the regex matching. + + + `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. + `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. + + + Default: "Replace" enum: - replace - Replace 
@@ -430,64 +583,90 @@ spec: - DropEqual type: string modulus: - description: Modulus to take of the hash of the source - label values. + description: |- + Modulus to take of the hash of the source label values. + + + Only applicable when the action is `HashMod`. format: int64 type: integer regex: description: Regular expression against which the extracted - value is matched. Default is '(.*)' + value is matched. type: string replacement: - description: Replacement value against which a regex replace - is performed if the regular expression matches. Regex - capture groups are available. Default is '$1' + description: |- + Replacement value against which a Replace action is performed if the + regular expression matches. + + + Regex capture groups are available. type: string separator: - description: Separator placed between concatenated source - label values. default is ';'. + description: Separator is the string between concatenated + SourceLabels. type: string sourceLabels: - description: The source labels select values from existing - labels. Their content is concatenated using the configured - separator and matched against the configured regular - expression for the replace, keep, and drop actions. + description: |- + The source labels select values from existing labels. Their content is + concatenated using the configured Separator and matched against the + configured regular expression. items: - description: LabelName is a valid Prometheus label name - which may only contain ASCII letters, numbers, as - well as underscores. + description: |- + LabelName is a valid Prometheus label name which may only contain ASCII + letters, numbers, as well as underscores. pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ type: string type: array targetLabel: - description: Label to which the resulting value is written - in a replace action. It is mandatory for replace actions. + description: |- + Label to which the resulting string is written in a replacement. 
+ + + It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, + `KeepEqual` and `DropEqual` actions. + + Regex capture groups are available. type: string type: object type: array scheme: - description: HTTP scheme to use for scraping. `http` and `https` - are the expected values unless you rewrite the `__scheme__` - label via relabeling. If empty, Prometheus uses the default - value `http`. + description: |- + HTTP scheme to use for scraping. + + + `http` and `https` are the expected values unless you rewrite the + `__scheme__` label via relabeling. + + + If empty, Prometheus uses the default value `http`. enum: - http - https type: string scrapeTimeout: - description: Timeout after which the scrape is ended If not - specified, the Prometheus global scrape interval is used. + description: |- + Timeout after which Prometheus considers the scrape to be failed. + + + If empty, Prometheus uses the global scrape timeout unless it is less + than the target's scrape interval value in which the latter is used. pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ type: string targetPort: anyOf: - type: integer - type: string - description: 'Deprecated: Use ''port'' instead.' + description: |- + Name or number of the target port of the `Pod` object behind the Service, the + port must be specified with container port property. + + + Deprecated: use 'port' instead. x-kubernetes-int-or-string: true tlsConfig: - description: TLS configuration to use when scraping the endpoint. + description: TLS configuration to use when scraping the target. properties: ca: description: Certificate authority used when verifying server 
@@ -501,9 +680,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or its @@ -521,9 +701,10 @@ spec: be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key @@ -545,9 +726,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or its 
@@ -565,9 +747,10 @@ spec: be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key @@ -590,8 +773,10 @@ spec: be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must 
@@ -605,44 +790,85 @@ spec: description: Used to verify the hostname for the targets. type: string type: object + trackTimestampsStaleness: + description: |- + `trackTimestampsStaleness` defines whether Prometheus tracks staleness of + the metrics that have an explicit timestamp present in scraped data. + Has no effect if `honorTimestamps` is false. + + + It requires Prometheus >= v2.48.0. + type: boolean type: object type: array podTargetLabels: - description: PodTargetLabels transfers labels on the Kubernetes Pod - onto the target. + description: |- + `podTargetLabels` defines the labels which are transferred from the + associated Kubernetes `Pod` object onto the ingested metrics. items: type: string type: array sampleLimit: - description: SampleLimit defines per-scrape limit on number of scraped - samples that will be accepted. + description: |- + `sampleLimit` defines a per-scrape limit on the number of scraped samples + that will be accepted. format: int64 type: integer + scrapeClass: + description: The scrape class to apply. + minLength: 1 + type: string + scrapeProtocols: + description: |- + `scrapeProtocols` defines the protocols to negotiate during a scrape. It tells clients the + protocols supported by Prometheus in order of preference (from most to least preferred). + + + If unset, Prometheus uses its default value. + + + It requires Prometheus >= v2.49.0. + items: + description: |- + ScrapeProtocol represents a protocol used by Prometheus for scraping metrics. + Supported values are: + * `OpenMetricsText0.0.1` + * `OpenMetricsText1.0.0` + * `PrometheusProto` + * `PrometheusText0.0.4` + enum: + - PrometheusProto + - OpenMetricsText0.0.1 + - OpenMetricsText1.0.0 + - PrometheusText0.0.4 + type: string + type: array + x-kubernetes-list-type: set selector: - description: Selector to select Pod objects. + description: Label selector to select the Kubernetes `Pod` objects. 
properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -655,21 +881,20 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic targetLimit: - description: TargetLimit defines a limit on the number of scraped - targets that will be accepted. + description: |- + `targetLimit` defines a limit on the number of scraped targets that will + be accepted. format: int64 type: integer required: - - podMetricsEndpoints - selector type: object required: diff --git a/pkg/crds/policyexception.yaml b/pkg/crds/policyexception.yaml index 05e1f24..87830f1 100644 --- a/pkg/crds/policyexception.yaml +++ b/pkg/crds/policyexception.yaml @@ -2,12 +2,14 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: - annotations: - controller-gen.kubebuilder.io/version: v0.11.3 labels: - app.kubernetes.io/name: kyverno + app.kubernetes.io/managed-by: Helm app.kubernetes.io/part-of: kyverno - app.kubernetes.io/version: 1.10.2 + app.kubernetes.io/version: 1.11.2 + annotations: + app.kubernetes.io/managed-by: Helm + meta.helm.sh/release-name: kyverno-crds + meta.helm.sh/release-namespace: kyverno name: policyexceptions.kyverno.io spec: group: kyverno.io 
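Review bot: The new `metadata` block on `policyexceptions.kyverno.io` carries Helm ownership markers (`app.kubernetes.io/managed-by: Helm`, `meta.helm.sh/release-name: kyverno-crds`, `meta.helm.sh/release-namespace: kyverno`), which suggests the CRD was captured from a rendered chart or a live cluster rather than from the chart's CRD source. If this repository applies the CRD itself those annotations are stale and misleading, and if a cluster later installs Kyverno through Helm under a different release name or namespace, Helm will typically refuse to adopt the existing object because of the conflicting ownership metadata. I would drop the `meta.helm.sh/*` annotations and the `managed-by` label/annotation pair from the synced file, keeping only `app.kubernetes.io/part-of` and `app.kubernetes.io/version`, so the CRD stays neutral about who installs it. The same key appearing as both a label and an annotation is a further hint that this came from `kubectl get -o yaml` output, so the sync procedure may be worth checking too.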
@@ -22,7 +24,338 @@ spec: singular: policyexception scope: Namespaced versions: - - name: v2alpha1 + - deprecated: true + name: v2alpha1 + schema: + openAPIV3Schema: + description: PolicyException declares resources to be excluded from specified policies. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: Spec declares policy exception behaviors. + properties: + background: + description: Background controls if exceptions are applied to existing policies during a background scan. Optional. Default value is "true". The value must be set to "false" if the policy rule uses variables that are only available in the admission review request (e.g. user name). + type: boolean + exceptions: + description: Exceptions is a list policy/rules to be excluded + items: + description: Exception stores infos about a policy and rules + properties: + policyName: + description: PolicyName identifies the policy to which the exception is applied. The policy name uses the format / unless it references a ClusterPolicy. + type: string + ruleNames: + description: RuleNames identifies the rules to which the exception is applied. 
+ items: + type: string + type: array + required: + - policyName + - ruleNames + type: object + type: array + match: + description: Match defines match clause used to check if a resource applies to the exception + properties: + all: + description: All allows specifying resources which will be ANDed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, "UPDATE", "CONNECT", "DELETE"], which are used to match a specific action. + items: + description: AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. 
Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. 
This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. + type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + any: + description: Any allows specifying resources which will be ORed + items: + description: ResourceFilter allow users to "AND" or "OR" between resources + properties: + clusterRoles: + description: ClusterRoles is the list of cluster-wide role names for the user. + items: + type: string + type: array + resources: + description: ResourceDescription contains information about the resource being created or modified. + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a map of annotations (key-value pairs of type string). Annotation keys and values support the wildcard characters "*" (matches zero or many characters) and "?" (matches at least one character). + type: object + kinds: + description: Kinds is a list of resource kinds. + items: + type: string + type: array + name: + description: 'Name is the name of the resource. The name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). 
NOTE: "Name" is being deprecated in favor of "Names".' + type: string + names: + description: Names are the names of the resources. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + namespaceSelector: + description: 'NamespaceSelector is a label selector for the resource namespace. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character).Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + namespaces: + description: Namespaces is a list of namespaces names. Each name supports wildcard characters "*" (matches zero or many characters) and "?" (at least one character). + items: + type: string + type: array + operations: + description: Operations can contain values ["CREATE, "UPDATE", "CONNECT", "DELETE"], which are used to match a specific action. + items: + description: AdmissionOperation can have one of the values CREATE, UPDATE, CONNECT, DELETE, which are used to match a specific action. + enum: + - CREATE + - CONNECT + - UPDATE + - DELETE + type: string + type: array + selector: + description: 'Selector is a label selector. Label keys and values in `matchLabels` support the wildcard characters `*` (matches zero or many characters) and `?` (matches one character). Wildcards allows writing label selectors like ["storage.k8s.io/*": "*"]. Note that using ["*" : "*"] matches any key and value but does not match an empty label set.' + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. The requirements are ANDed. + items: + description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values. + properties: + key: + description: key is the label key that the selector applies to. + type: string + operator: + description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + roles: + description: Roles is the list of namespaced role names for the user. + items: + type: string + type: array + subjects: + description: Subjects is the list of subject names like users, user groups, and service accounts. + items: + description: Subject contains a reference to the object or user identities a role binding applies to. This can either hold a direct API object reference, or a value for non-objects such as user and group names. + properties: + apiGroup: + description: APIGroup holds the API group of the referenced subject. Defaults to "" for ServiceAccount subjects. Defaults to "rbac.authorization.k8s.io" for User and Group subjects. + type: string + kind: + description: Kind of object being referenced. Values defined by this API group are "User", "Group", and "ServiceAccount". If the Authorizer does not recognized the kind value, the Authorizer should report an error. + type: string + name: + description: Name of the object being referenced. + type: string + namespace: + description: Namespace of the referenced object. If the object kind is non-namespace, such as "User" or "Group", and this value is not empty the Authorizer should report an error. 
+ type: string + required: + - kind + - name + type: object + x-kubernetes-map-type: atomic + type: array + type: object + type: array + type: object + required: + - exceptions + - match + type: object + required: + - spec + type: object + served: true + storage: false + - name: v2beta1 schema: openAPIV3Schema: description: PolicyException declares resources to be excluded from specified policies. diff --git a/pkg/crds/servicemonitors.yaml b/pkg/crds/servicemonitors.yaml index 4f88efc..00b6bda 100644 --- a/pkg/crds/servicemonitors.yaml +++ b/pkg/crds/servicemonitors.yaml @@ -3,8 +3,8 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.11.1 - creationTimestamp: null + controller-gen.kubebuilder.io/version: v0.14.0 + operator.prometheus.io/version: 0.73.2 name: servicemonitors.monitoring.coreos.com spec: group: monitoring.coreos.com 
@@ -25,50 +25,78 @@ spec: description: ServiceMonitor defines monitoring for a set of services. properties: apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources type: string kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds type: string metadata: type: object spec: - description: Specification of desired Service selection for target discovery - by Prometheus. + description: |- + Specification of desired Service selection for target discovery by + Prometheus. properties: attachMetadata: - description: Attaches node metadata to discovered targets. Requires - Prometheus v2.37.0 and above. + description: |- + `attachMetadata` defines additional metadata which is added to the + discovered targets. + + + It requires Prometheus >= v2.37.0. 
properties: node: - description: When set to true, Prometheus must have permissions - to get Nodes. + description: |- + When set to true, Prometheus must have the `get` permission on the + `Nodes` objects. type: boolean type: object + bodySizeLimit: + description: |- + When defined, bodySizeLimit specifies a job level limit on the size + of uncompressed response body that will be accepted by Prometheus. + + + It requires Prometheus >= v2.28.0. + pattern: (^0|([0-9]*[.])?[0-9]+((K|M|G|T|E|P)i?)?B)$ + type: string endpoints: - description: A list of endpoints allowed as part of this ServiceMonitor. + description: List of endpoints part of this ServiceMonitor. items: - description: Endpoint defines a scrapeable endpoint serving Prometheus - metrics. + description: |- + Endpoint defines an endpoint serving Prometheus metrics to be scraped by + Prometheus. properties: authorization: - description: Authorization section for this endpoint + description: |- + `authorization` configures the Authorization header credentials to use when + scraping the target. + + + Cannot be set at the same time as `basicAuth`, or `oauth2`. properties: credentials: - description: The secret's key that contains the credentials - of the request + description: Selects a key of a Secret in the namespace + that contains the credentials for authentication. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must 
@@ -79,25 +107,38 @@ spec: type: object x-kubernetes-map-type: atomic type: - description: Set the authentication type. Defaults to Bearer, - Basic will cause an error + description: |- + Defines the authentication type. The value is case-insensitive. + + + "Basic" is not a supported value. + + + Default: "Bearer" type: string type: object basicAuth: - description: 'BasicAuth allow an endpoint to authenticate over - basic authentication More info: https://prometheus.io/docs/operating/configuration/#endpoints' + description: |- + `basicAuth` configures the Basic Authentication credentials to use when + scraping the target. + + + Cannot be set at the same time as `authorization`, or `oauth2`. properties: password: - description: The secret in the service monitor namespace - that contains the password for authentication. + description: |- + `password` specifies a key of a Secret containing the password for + authentication. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must 
@@ -108,16 +149,19 @@ spec: type: object x-kubernetes-map-type: atomic username: - description: The secret in the service monitor namespace - that contains the username for authentication. + description: |- + `username` specifies a key of a Secret containing the username for + authentication. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must 
@@ -129,20 +173,30 @@ spec: x-kubernetes-map-type: atomic type: object bearerTokenFile: - description: File to read bearer token for scraping targets. + description: |- + File to read bearer token for scraping the target. + + + Deprecated: use `authorization` instead. type: string bearerTokenSecret: - description: Secret to mount to read bearer token for scraping - targets. The secret needs to be in the same namespace as the - service monitor and accessible by the Prometheus Operator. + description: |- + `bearerTokenSecret` specifies a key of a Secret containing the bearer + token for scraping targets. The secret needs to be in the same namespace + as the ServiceMonitor object and readable by the Prometheus Operator. + + + Deprecated: use `authorization` instead. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must 
@@ -153,43 +207,66 @@ spec: type: object x-kubernetes-map-type: atomic enableHttp2: - description: Whether to enable HTTP2. + description: '`enableHttp2` can be used to disable HTTP2 when + scraping the target.' type: boolean filterRunning: - description: 'Drop pods that are not running. (Failed, Succeeded). - Enabled by default. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase' + description: |- + When true, the pods which are not running (e.g. either in Failed or + Succeeded state) are dropped during the target discovery. + + + If unset, the filtering is enabled. + + + More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#pod-phase type: boolean followRedirects: - description: FollowRedirects configures whether scrape requests - follow HTTP 3xx redirects. + description: |- + `followRedirects` defines whether the scrape requests should follow HTTP + 3xx redirects. type: boolean honorLabels: - description: HonorLabels chooses the metric's labels on collisions - with target labels. + description: |- + When true, `honorLabels` preserves the metric's labels when they collide + with the target's labels. type: boolean honorTimestamps: - description: HonorTimestamps controls whether Prometheus respects - the timestamps present in scraped data. + description: |- + `honorTimestamps` controls whether Prometheus preserves the timestamps + when exposed by the target. type: boolean interval: - description: Interval at which metrics should be scraped If - not specified Prometheus' global scrape interval is used. + description: |- + Interval at which Prometheus scrapes the metrics from the target. + + + If empty, Prometheus uses the global scrape interval. pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ type: string metricRelabelings: - description: MetricRelabelConfigs to apply to samples before - ingestion. 
+ description: |- + `metricRelabelings` configures the relabeling rules to apply to the + samples before ingestion. items: - description: 'RelabelConfig allows dynamic rewriting of the - label set, being applied to samples before ingestion. It - defines ``-section of Prometheus - configuration. More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs' + description: |- + RelabelConfig allows dynamic rewriting of the label set for targets, alerts, + scraped samples and remote write samples. + + + More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config properties: action: default: replace - description: Action to perform based on regex matching. - Default is 'replace'. uppercase and lowercase actions - require Prometheus >= 2.36. + description: |- + Action to perform based on the regex matching. + + + `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. + `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. + + + Default: "Replace" enum: - replace - Replace 
@@ -215,49 +292,68 @@ spec: - DropEqual type: string modulus: - description: Modulus to take of the hash of the source - label values. + description: |- + Modulus to take of the hash of the source label values. + + + Only applicable when the action is `HashMod`. format: int64 type: integer regex: description: Regular expression against which the extracted - value is matched. Default is '(.*)' + value is matched. type: string replacement: - description: Replacement value against which a regex replace - is performed if the regular expression matches. Regex - capture groups are available. Default is '$1' + description: |- + Replacement value against which a Replace action is performed if the + regular expression matches. + + + Regex capture groups are available. type: string separator: - description: Separator placed between concatenated source - label values. default is ';'. + description: Separator is the string between concatenated + SourceLabels. type: string sourceLabels: - description: The source labels select values from existing - labels. Their content is concatenated using the configured - separator and matched against the configured regular - expression for the replace, keep, and drop actions. + description: |- + The source labels select values from existing labels. Their content is + concatenated using the configured Separator and matched against the + configured regular expression. items: - description: LabelName is a valid Prometheus label name - which may only contain ASCII letters, numbers, as - well as underscores. + description: |- + LabelName is a valid Prometheus label name which may only contain ASCII + letters, numbers, as well as underscores. pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ type: string type: array targetLabel: - description: Label to which the resulting value is written - in a replace action. It is mandatory for replace actions. + description: |- + Label to which the resulting string is written in a replacement. 
+ + + It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, + `KeepEqual` and `DropEqual` actions. + + Regex capture groups are available. type: string type: object type: array oauth2: - description: OAuth2 for the URL. Only valid in Prometheus versions - 2.27.0 and newer. + description: |- + `oauth2` configures the OAuth2 settings to use when scraping the target. + + + It requires Prometheus >= 2.27.0. + + + Cannot be set at the same time as `authorization`, or `basicAuth`. properties: clientId: - description: The secret or configmap containing the OAuth2 - client id + description: |- + `clientId` specifies a key of a Secret or ConfigMap containing the + OAuth2 client's ID. properties: configMap: description: ConfigMap containing data to use for the @@ -267,9 +363,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or its @@ -287,9 +384,10 @@ spec: be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key 
@@ -301,15 +399,19 @@ spec: x-kubernetes-map-type: atomic type: object clientSecret: - description: The secret containing the OAuth2 client secret + description: |- + `clientSecret` specifies a key of a Secret containing the OAuth2 + client's secret. properties: key: description: The key of the secret to select from. Must be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must @@ -322,15 +424,19 @@ spec: endpointParams: additionalProperties: type: string - description: Parameters to append to the token URL + description: |- + `endpointParams` configures the HTTP parameters to append to the token + URL. type: object scopes: - description: OAuth2 scopes used for the token request + description: '`scopes` defines the OAuth2 scopes used for + the token request.' items: type: string type: array tokenUrl: - description: The URL to fetch the token from + description: '`tokenURL` configures the URL to fetch the + token from.' minLength: 1 type: string required: 
@@ -343,37 +449,59 @@ spec: items: type: string type: array - description: Optional HTTP URL parameters + description: params define optional HTTP URL parameters. type: object path: - description: HTTP path to scrape for metrics. If empty, Prometheus - uses the default value (e.g. `/metrics`). + description: |- + HTTP path from which to scrape for metrics. + + + If empty, Prometheus uses the default value (e.g. `/metrics`). type: string port: - description: Name of the service port this endpoint refers to. - Mutually exclusive with targetPort. + description: |- + Name of the Service port which this endpoint refers to. + + + It takes precedence over `targetPort`. type: string proxyUrl: - description: ProxyURL eg http://proxyserver:2195 Directs scrapes - to proxy through this endpoint. + description: |- + `proxyURL` configures the HTTP Proxy URL (e.g. + "http://proxyserver:2195") to go through when scraping the target. type: string relabelings: - description: 'RelabelConfigs to apply to samples before scraping. - Prometheus Operator automatically adds relabelings for a few - standard Kubernetes fields. The original scrape job''s name - is available via the `__tmp_prometheus_job_name` label. More - info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config' + description: |- + `relabelings` configures the relabeling rules to apply the target's + metadata labels. + + + The Operator automatically adds relabelings for a few standard Kubernetes fields. + + + The original scrape job's name is available via the `__tmp_prometheus_job_name` label. + + + More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config items: - description: 'RelabelConfig allows dynamic rewriting of the - label set, being applied to samples before ingestion. It - defines ``-section of Prometheus - configuration. 
More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#metric_relabel_configs' + description: |- + RelabelConfig allows dynamic rewriting of the label set for targets, alerts, + scraped samples and remote write samples. + + + More info: https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config properties: action: default: replace - description: Action to perform based on regex matching. - Default is 'replace'. uppercase and lowercase actions - require Prometheus >= 2.36. + description: |- + Action to perform based on the regex matching. + + + `Uppercase` and `Lowercase` actions require Prometheus >= v2.36.0. + `DropEqual` and `KeepEqual` actions require Prometheus >= v2.41.0. + + + Default: "Replace" enum: - replace - Replace 
@@ -399,67 +527,87 @@ spec: - DropEqual type: string modulus: - description: Modulus to take of the hash of the source - label values. + description: |- + Modulus to take of the hash of the source label values. + + + Only applicable when the action is `HashMod`. format: int64 type: integer regex: description: Regular expression against which the extracted - value is matched. Default is '(.*)' + value is matched. type: string replacement: - description: Replacement value against which a regex replace - is performed if the regular expression matches. Regex - capture groups are available. Default is '$1' + description: |- + Replacement value against which a Replace action is performed if the + regular expression matches. + + + Regex capture groups are available. type: string separator: - description: Separator placed between concatenated source - label values. default is ';'. + description: Separator is the string between concatenated + SourceLabels. type: string sourceLabels: - description: The source labels select values from existing - labels. Their content is concatenated using the configured - separator and matched against the configured regular - expression for the replace, keep, and drop actions. + description: |- + The source labels select values from existing labels. Their content is + concatenated using the configured Separator and matched against the + configured regular expression. items: - description: LabelName is a valid Prometheus label name - which may only contain ASCII letters, numbers, as - well as underscores. + description: |- + LabelName is a valid Prometheus label name which may only contain ASCII + letters, numbers, as well as underscores. pattern: ^[a-zA-Z_][a-zA-Z0-9_]*$ type: string type: array targetLabel: - description: Label to which the resulting value is written - in a replace action. It is mandatory for replace actions. + description: |- + Label to which the resulting string is written in a replacement. 
+ + + It is mandatory for `Replace`, `HashMod`, `Lowercase`, `Uppercase`, + `KeepEqual` and `DropEqual` actions. + + Regex capture groups are available. type: string type: object type: array scheme: - description: HTTP scheme to use for scraping. `http` and `https` - are the expected values unless you rewrite the `__scheme__` - label via relabeling. If empty, Prometheus uses the default - value `http`. + description: |- + HTTP scheme to use for scraping. + + + `http` and `https` are the expected values unless you rewrite the + `__scheme__` label via relabeling. + + + If empty, Prometheus uses the default value `http`. enum: - http - https type: string scrapeTimeout: - description: Timeout after which the scrape is ended If not - specified, the Prometheus global scrape timeout is used unless - it is less than `Interval` in which the latter is used. + description: |- + Timeout after which Prometheus considers the scrape to be failed. + + + If empty, Prometheus uses the global scrape timeout unless it is less + than the target's scrape interval value in which the latter is used. pattern: ^(0|(([0-9]+)y)?(([0-9]+)w)?(([0-9]+)d)?(([0-9]+)h)?(([0-9]+)m)?(([0-9]+)s)?(([0-9]+)ms)?)$ type: string targetPort: anyOf: - type: integer - type: string - description: Name or number of the target port of the Pod behind - the Service, the port must be specified with container port - property. Mutually exclusive with port. + description: |- + Name or number of the target port of the `Pod` object behind the + Service. The port must be specified with the container's port property. x-kubernetes-int-or-string: true tlsConfig: - description: TLS configuration to use when scraping the endpoint + description: TLS configuration to use when scraping the target. properties: ca: description: Certificate authority used when verifying server 
@@ -473,9 +621,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or its @@ -493,9 +642,10 @@ spec: be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key @@ -521,9 +671,10 @@ spec: description: The key to select. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the ConfigMap or its 
@@ -541,9 +692,10 @@ spec: be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, - uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key @@ -574,8 +726,10 @@ spec: be a valid secret key. type: string name: - description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names - TODO: Add other useful fields. apiVersion, kind, uid?' + description: |- + Name of the referent. + More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid? type: string optional: description: Specify whether the Secret or its key must 
@@ -589,41 +743,74 @@ spec: description: Used to verify the hostname for the targets. type: string type: object + trackTimestampsStaleness: + description: |- + `trackTimestampsStaleness` defines whether Prometheus tracks staleness of + the metrics that have an explicit timestamp present in scraped data. + Has no effect if `honorTimestamps` is false. + + + It requires Prometheus >= v2.48.0. + type: boolean type: object type: array jobLabel: - description: "JobLabel selects the label from the associated Kubernetes - service which will be used as the `job` label for all metrics. \n - For example: If in `ServiceMonitor.spec.jobLabel: foo` and in `Service.metadata.labels.foo: - bar`, then the `job=\"bar\"` label is added to all metrics. \n If - the value of this field is empty or if the label doesn't exist for - the given Service, the `job` label of the metrics defaults to the - name of the Kubernetes Service." + description: |- + `jobLabel` selects the label from the associated Kubernetes `Service` + object which will be used as the `job` label for all metrics. + + + For example if `jobLabel` is set to `foo` and the Kubernetes `Service` + object is labeled with `foo: bar`, then Prometheus adds the `job="bar"` + label to all ingested metrics. + + + If the value of this field is empty or if the label doesn't exist for + the given Service, the `job` label of the metrics defaults to the name + of the associated Kubernetes `Service`. type: string + keepDroppedTargets: + description: |- + Per-scrape limit on the number of targets dropped by relabeling + that will be kept in memory. 0 means no limit. + + + It requires Prometheus >= v2.47.0. + format: int64 + type: integer labelLimit: - description: Per-scrape limit on number of labels that will be accepted - for a sample. Only valid in Prometheus versions 2.27.0 and newer. + description: |- + Per-scrape limit on number of labels that will be accepted for a sample. + + + It requires Prometheus >= v2.27.0. 
format: int64 type: integer labelNameLengthLimit: - description: Per-scrape limit on length of labels name that will be - accepted for a sample. Only valid in Prometheus versions 2.27.0 - and newer. + description: |- + Per-scrape limit on length of labels name that will be accepted for a sample. + + + It requires Prometheus >= v2.27.0. format: int64 type: integer labelValueLengthLimit: - description: Per-scrape limit on length of labels value that will - be accepted for a sample. Only valid in Prometheus versions 2.27.0 - and newer. + description: |- + Per-scrape limit on length of labels value that will be accepted for a sample. + + + It requires Prometheus >= v2.27.0. format: int64 type: integer namespaceSelector: - description: Selector to select which namespaces the Kubernetes Endpoints - objects are discovered from. + description: |- + Selector to select which namespaces the Kubernetes `Endpoints` objects + are discovered from. properties: any: - description: Boolean describing whether all namespaces are selected - in contrast to a list restricting them. + description: |- + Boolean describing whether all namespaces are selected in contrast to a + list restricting them. type: boolean matchNames: description: List of namespace names to select from. 
@@ -632,41 +819,73 @@ spec: type: array type: object podTargetLabels: - description: PodTargetLabels transfers labels on the Kubernetes `Pod` - onto the created metrics. + description: |- + `podTargetLabels` defines the labels which are transferred from the + associated Kubernetes `Pod` object onto the ingested metrics. items: type: string type: array sampleLimit: - description: SampleLimit defines per-scrape limit on number of scraped - samples that will be accepted. + description: |- + `sampleLimit` defines a per-scrape limit on the number of scraped samples + that will be accepted. format: int64 type: integer + scrapeClass: + description: The scrape class to apply. + minLength: 1 + type: string + scrapeProtocols: + description: |- + `scrapeProtocols` defines the protocols to negotiate during a scrape. It tells clients the + protocols supported by Prometheus in order of preference (from most to least preferred). + + + If unset, Prometheus uses its default value. + + + It requires Prometheus >= v2.49.0. + items: + description: |- + ScrapeProtocol represents a protocol used by Prometheus for scraping metrics. + Supported values are: + * `OpenMetricsText0.0.1` + * `OpenMetricsText1.0.0` + * `PrometheusProto` + * `PrometheusText0.0.4` + enum: + - PrometheusProto + - OpenMetricsText0.0.1 + - OpenMetricsText1.0.0 + - PrometheusText0.0.4 + type: string + type: array + x-kubernetes-list-type: set selector: - description: Selector to select Endpoints objects. + description: Label selector to select the Kubernetes `Endpoints` objects. properties: matchExpressions: description: matchExpressions is a list of label selector requirements. The requirements are ANDed. items: - description: A label selector requirement is a selector that - contains values, a key, and an operator that relates the key - and values. + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
properties: key: description: key is the label key that the selector applies to. type: string operator: - description: operator represents a key's relationship to - a set of values. Valid operators are In, NotIn, Exists - and DoesNotExist. + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. type: string values: - description: values is an array of string values. If the - operator is In or NotIn, the values array must be non-empty. - If the operator is Exists or DoesNotExist, the values - array must be empty. This array is replaced during a strategic + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic merge patch. items: type: string 
@@ -679,27 +898,27 @@ spec: matchLabels: additionalProperties: type: string - description: matchLabels is a map of {key,value} pairs. A single - {key,value} in the matchLabels map is equivalent to an element - of matchExpressions, whose key field is "key", the operator - is "In", and the values array contains only "value". The requirements - are ANDed. + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. type: object type: object x-kubernetes-map-type: atomic targetLabels: - description: TargetLabels transfers labels from the Kubernetes `Service` - onto the created metrics. + description: |- + `targetLabels` defines the labels which are transferred from the + associated Kubernetes `Service` object onto the ingested metrics. items: type: string type: array targetLimit: - description: TargetLimit defines a limit on the number of scraped - targets that will be accepted. + description: |- + `targetLimit` defines a limit on the number of scraped targets that will + be accepted. format: int64 type: integer required: - - endpoints - selector type: object required: diff --git a/pkg/crds/verticalpodautoscalers.yaml b/pkg/crds/verticalpodautoscalers.yaml index 5e4a8a7..93092ee 100644 --- a/pkg/crds/verticalpodautoscalers.yaml +++ b/pkg/crds/verticalpodautoscalers.yaml 
@@ -4,7 +4,213 @@ kind: CustomResourceDefinition metadata: annotations: api-approved.kubernetes.io: https://github.com/kubernetes/kubernetes/pull/63797 - controller-gen.kubebuilder.io/version: v0.4.0 + controller-gen.kubebuilder.io/version: v0.9.2 + creationTimestamp: null + name: verticalpodautoscalercheckpoints.autoscaling.k8s.io +spec: + group: autoscaling.k8s.io + names: + kind: VerticalPodAutoscalerCheckpoint + listKind: VerticalPodAutoscalerCheckpointList + plural: verticalpodautoscalercheckpoints + shortNames: + - vpacheckpoint + singular: verticalpodautoscalercheckpoint + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: VerticalPodAutoscalerCheckpoint is the checkpoint of the internal + state of VPA that is used for recovery after recommender's restart. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: 'Specification of the checkpoint. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.' + properties: + containerName: + description: Name of the checkpointed container. + type: string + vpaObjectName: + description: Name of the VPA object that stored VerticalPodAutoscalerCheckpoint + object. + type: string + type: object + status: + description: Data of the checkpoint. 
+ properties: + cpuHistogram: + description: Checkpoint of histogram for consumption of CPU. + properties: + bucketWeights: + description: Map from bucket index to bucket weight. + type: object + x-kubernetes-preserve-unknown-fields: true + referenceTimestamp: + description: Reference timestamp for samples collected within + this histogram. + format: date-time + nullable: true + type: string + totalWeight: + description: Sum of samples to be used as denominator for weights + from BucketWeights. + type: number + type: object + firstSampleStart: + description: Timestamp of the fist sample from the histograms. + format: date-time + nullable: true + type: string + lastSampleStart: + description: Timestamp of the last sample from the histograms. + format: date-time + nullable: true + type: string + lastUpdateTime: + description: The time when the status was last refreshed. + format: date-time + nullable: true + type: string + memoryHistogram: + description: Checkpoint of histogram for consumption of memory. + properties: + bucketWeights: + description: Map from bucket index to bucket weight. + type: object + x-kubernetes-preserve-unknown-fields: true + referenceTimestamp: + description: Reference timestamp for samples collected within + this histogram. + format: date-time + nullable: true + type: string + totalWeight: + description: Sum of samples to be used as denominator for weights + from BucketWeights. + type: number + type: object + totalSamplesCount: + description: Total number of samples in the histograms. + type: integer + version: + description: Version of the format of the stored data. + type: string + type: object + type: object + served: true + storage: true + - name: v1beta2 + schema: + openAPIV3Schema: + description: VerticalPodAutoscalerCheckpoint is the checkpoint of the internal + state of VPA that is used for recovery after recommender's restart. 
+ properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: 'Specification of the checkpoint. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.' + properties: + containerName: + description: Name of the checkpointed container. + type: string + vpaObjectName: + description: Name of the VPA object that stored VerticalPodAutoscalerCheckpoint + object. + type: string + type: object + status: + description: Data of the checkpoint. + properties: + cpuHistogram: + description: Checkpoint of histogram for consumption of CPU. + properties: + bucketWeights: + description: Map from bucket index to bucket weight. + type: object + x-kubernetes-preserve-unknown-fields: true + referenceTimestamp: + description: Reference timestamp for samples collected within + this histogram. + format: date-time + nullable: true + type: string + totalWeight: + description: Sum of samples to be used as denominator for weights + from BucketWeights. + type: number + type: object + firstSampleStart: + description: Timestamp of the fist sample from the histograms. + format: date-time + nullable: true + type: string + lastSampleStart: + description: Timestamp of the last sample from the histograms. 
+ format: date-time + nullable: true + type: string + lastUpdateTime: + description: The time when the status was last refreshed. + format: date-time + nullable: true + type: string + memoryHistogram: + description: Checkpoint of histogram for consumption of memory. + properties: + bucketWeights: + description: Map from bucket index to bucket weight. + type: object + x-kubernetes-preserve-unknown-fields: true + referenceTimestamp: + description: Reference timestamp for samples collected within + this histogram. + format: date-time + nullable: true + type: string + totalWeight: + description: Sum of samples to be used as denominator for weights + from BucketWeights. + type: number + type: object + totalSamplesCount: + description: Total number of samples in the histograms. + type: integer + version: + description: Version of the format of the stored data. + type: string + type: object + type: object + served: true + storage: false +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes/kubernetes/pull/63797 + controller-gen.kubebuilder.io/version: v0.9.2 creationTimestamp: null name: verticalpodautoscalers.autoscaling.k8s.io spec: @@ -55,7 +261,7 @@ spec: type: object spec: description: 'Specification of the behavior of the autoscaler. More info: - https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.' + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.' properties: recommenders: description: Recommender responsible for generating recommendation 
@@ -158,7 +364,7 @@ spec: description: API version of the referent type: string kind: - description: 'Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"' + description: 'Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' 
@@ -167,11 +373,45 @@ spec: - kind - name type: object + x-kubernetes-map-type: atomic updatePolicy: description: Describes the rules on how changes are applied to the pods. If not specified, all fields in the `PodUpdatePolicy` are set to their default values. properties: + evictionRequirements: + description: EvictionRequirements is a list of EvictionRequirements + that need to evaluate to true in order for a Pod to be evicted. + If more than one EvictionRequirement is specified, all of them + need to be fulfilled to allow eviction. + items: + description: EvictionRequirement defines a single condition + which needs to be true in order to evict a Pod + properties: + changeRequirement: + description: EvictionChangeRequirement refers to the relationship + between the new target recommendation for a Pod and its + current requests, what kind of change is necessary for + the Pod to be evicted + enum: + - TargetHigherThanRequests + - TargetLowerThanRequests + type: string + resource: + description: Resources is a list of one or more resources + that the condition applies to. If more than one resource + is given, the EvictionRequirement is fulfilled if at least + one resource meets `changeRequirement`. + items: + description: ResourceName is the name identifying various + resources in a ResourceList. + type: string + type: array + required: + - changeRequirement + - resource + type: object + type: array minReplicas: description: Minimal number of replicas which need to be alive for Updater to attempt pod eviction (pending other checks like @@ -306,8 +546,11 @@ spec: type: object served: true storage: true - subresources: {} - - name: v1beta2 + subresources: + status: {} + - deprecated: true + deprecationWarning: autoscaling.k8s.io/v1beta2 API is deprecated + name: v1beta2 schema: openAPIV3Schema: description: VerticalPodAutoscaler is the configuration for a vertical pod 
@@ -328,7 +571,7 @@ spec: type: object spec: description: 'Specification of the behavior of the autoscaler. More info: - https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.' + https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status.' properties: resourcePolicy: description: Controls how the autoscaler computes recommended resources. @@ -397,7 +640,7 @@ spec: description: API version of the referent type: string kind: - description: 'Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds"' + description: 'Kind of the referent; More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' type: string name: description: 'Name of the referent; More info: http://kubernetes.io/docs/user-guide/identifiers#names' @@ -406,6 +649,7 @@ spec: - kind - name type: object + x-kubernetes-map-type: atomic updatePolicy: description: Describes the rules on how changes are applied to the pods. If not specified, all fields in the `PodUpdatePolicy` are 
@@ -538,221 +782,5 @@ spec: type: object served: true storage: false -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] ---- -apiVersion: apiextensions.k8s.io/v1 -kind: CustomResourceDefinition -metadata: - annotations: - api-approved.kubernetes.io: https://github.com/kubernetes/kubernetes/pull/63797 - controller-gen.kubebuilder.io/version: v0.4.0 - creationTimestamp: null - name: verticalpodautoscalercheckpoints.autoscaling.k8s.io -spec: - group: autoscaling.k8s.io - names: - kind: VerticalPodAutoscalerCheckpoint - listKind: VerticalPodAutoscalerCheckpointList - plural: verticalpodautoscalercheckpoints - shortNames: - - vpacheckpoint - singular: verticalpodautoscalercheckpoint - scope: Namespaced - versions: - - name: v1 - schema: - openAPIV3Schema: - description: VerticalPodAutoscalerCheckpoint is the checkpoint of the internal - state of VPA that is used for recovery after recommender's restart. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: 'Specification of the checkpoint. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.' - properties: - containerName: - description: Name of the checkpointed container. 
- type: string - vpaObjectName: - description: Name of the VPA object that stored VerticalPodAutoscalerCheckpoint - object. - type: string - type: object - status: - description: Data of the checkpoint. - properties: - cpuHistogram: - description: Checkpoint of histogram for consumption of CPU. - properties: - bucketWeights: - description: Map from bucket index to bucket weight. - type: object - x-kubernetes-preserve-unknown-fields: true - referenceTimestamp: - description: Reference timestamp for samples collected within - this histogram. - format: date-time - nullable: true - type: string - totalWeight: - description: Sum of samples to be used as denominator for weights - from BucketWeights. - type: number - type: object - firstSampleStart: - description: Timestamp of the fist sample from the histograms. - format: date-time - nullable: true - type: string - lastSampleStart: - description: Timestamp of the last sample from the histograms. - format: date-time - nullable: true - type: string - lastUpdateTime: - description: The time when the status was last refreshed. - format: date-time - nullable: true - type: string - memoryHistogram: - description: Checkpoint of histogram for consumption of memory. - properties: - bucketWeights: - description: Map from bucket index to bucket weight. - type: object - x-kubernetes-preserve-unknown-fields: true - referenceTimestamp: - description: Reference timestamp for samples collected within - this histogram. - format: date-time - nullable: true - type: string - totalWeight: - description: Sum of samples to be used as denominator for weights - from BucketWeights. - type: number - type: object - totalSamplesCount: - description: Total number of samples in the histograms. - type: integer - version: - description: Version of the format of the stored data. 
- type: string - type: object - type: object - served: true - storage: true - - name: v1beta2 - schema: - openAPIV3Schema: - description: VerticalPodAutoscalerCheckpoint is the checkpoint of the internal - state of VPA that is used for recovery after recommender's restart. - properties: - apiVersion: - description: 'APIVersion defines the versioned schema of this representation - of an object. Servers should convert recognized schemas to the latest - internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' - type: string - kind: - description: 'Kind is a string value representing the REST resource this - object represents. Servers may infer this from the endpoint the client - submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' - type: string - metadata: - type: object - spec: - description: 'Specification of the checkpoint. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#spec-and-status.' - properties: - containerName: - description: Name of the checkpointed container. - type: string - vpaObjectName: - description: Name of the VPA object that stored VerticalPodAutoscalerCheckpoint - object. - type: string - type: object - status: - description: Data of the checkpoint. - properties: - cpuHistogram: - description: Checkpoint of histogram for consumption of CPU. - properties: - bucketWeights: - description: Map from bucket index to bucket weight. - type: object - x-kubernetes-preserve-unknown-fields: true - referenceTimestamp: - description: Reference timestamp for samples collected within - this histogram. - format: date-time - nullable: true - type: string - totalWeight: - description: Sum of samples to be used as denominator for weights - from BucketWeights. 
- type: number - type: object - firstSampleStart: - description: Timestamp of the fist sample from the histograms. - format: date-time - nullable: true - type: string - lastSampleStart: - description: Timestamp of the last sample from the histograms. - format: date-time - nullable: true - type: string - lastUpdateTime: - description: The time when the status was last refreshed. - format: date-time - nullable: true - type: string - memoryHistogram: - description: Checkpoint of histogram for consumption of memory. - properties: - bucketWeights: - description: Map from bucket index to bucket weight. - type: object - x-kubernetes-preserve-unknown-fields: true - referenceTimestamp: - description: Reference timestamp for samples collected within - this histogram. - format: date-time - nullable: true - type: string - totalWeight: - description: Sum of samples to be used as denominator for weights - from BucketWeights. - type: number - type: object - totalSamplesCount: - description: Total number of samples in the histograms. - type: integer - version: - description: Version of the format of the stored data. - type: string - type: object - type: object - served: true - storage: false -status: - acceptedNames: - kind: "" - plural: "" - conditions: [] - storedVersions: [] + subresources: + status: {}
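Review bot: The `subresources: status: {}` added at the end of this hunk (the v1 version receives the same addition earlier in the file) changes how the API server treats `.status` on `verticalpodautoscalers`: writes through the main resource endpoint now ignore status, and writing status requires a separate `update`/`patch` grant on the `verticalpodautoscalers/status` subresource. Any Role/ClusterRole for the VPA recommender or updater that only lists `verticalpodautoscalers` will get 403 on the status endpoint after this CRD is applied, so recommendations stop being persisted; on the positive side, a principal with write on the main resource can no longer forge status. I would confirm the bundled RBAC grants the `/status` subresource before shipping this sync, and call it out in the release notes, e.g. `# status is now a subresource: writers need update/patch on verticalpodautoscalers/status`. Dropping the stale `status:` block with `acceptedNames`/`storedVersions` in the same hunk is correct, since the API server owns that field.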