2017-11-20 09:30:52 -05:00
|
|
|
/*
|
2018-07-25 04:17:02 -04:00
|
|
|
Copyright The Kubernetes Authors.
|
2017-11-20 09:30:52 -05:00
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
limitations under the License.
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
// This file was autogenerated by go-to-protobuf. Do not edit it manually!
|
|
|
|
|
|
|
|
syntax = 'proto2';
|
|
|
|
|
|
|
|
package k8s.io.api.networking.v1;
|
|
|
|
|
|
|
|
import "k8s.io/api/core/v1/generated.proto";
|
|
|
|
import "k8s.io/api/extensions/v1beta1/generated.proto";
|
|
|
|
import "k8s.io/api/policy/v1beta1/generated.proto";
|
|
|
|
import "k8s.io/apimachinery/pkg/apis/meta/v1/generated.proto";
|
|
|
|
import "k8s.io/apimachinery/pkg/runtime/generated.proto";
|
|
|
|
import "k8s.io/apimachinery/pkg/runtime/schema/generated.proto";
|
|
|
|
import "k8s.io/apimachinery/pkg/util/intstr/generated.proto";
|
|
|
|
|
|
|
|
// Package-wide variables from generator "generated".
|
|
|
|
option go_package = "v1";
|
|
|
|
|
|
|
|
// IPBlock describes a particular CIDR (Ex. "192.168.1.1/24") that is allowed to the pods
|
|
|
|
// matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should
|
|
|
|
// not be included within this rule.
|
|
|
|
message IPBlock {
|
|
|
|
// CIDR is a string representing the IP Block
|
|
|
|
// Valid examples are "192.168.1.1/24"
|
|
|
|
optional string cidr = 1;
|
|
|
|
|
|
|
|
// Except is a slice of CIDRs that should not be included within an IP Block
|
|
|
|
// Valid examples are "192.168.1.1/24"
|
|
|
|
// Except values will be rejected if they are outside the CIDR range
|
|
|
|
// +optional
|
|
|
|
repeated string except = 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
// NetworkPolicy describes what network traffic is allowed for a set of Pods
|
|
|
|
message NetworkPolicy {
|
|
|
|
// Standard object's metadata.
|
|
|
|
// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
|
|
|
|
// +optional
|
|
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ObjectMeta metadata = 1;
|
|
|
|
|
|
|
|
// Specification of the desired behavior for this NetworkPolicy.
|
|
|
|
// +optional
|
|
|
|
optional NetworkPolicySpec spec = 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
|
|
|
|
// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
|
|
|
|
// This type is beta-level in 1.8
|
|
|
|
message NetworkPolicyEgressRule {
|
|
|
|
// List of destination ports for outgoing traffic.
|
|
|
|
// Each item in this list is combined using a logical OR. If this field is
|
|
|
|
// empty or missing, this rule matches all ports (traffic not restricted by port).
|
|
|
|
// If this field is present and contains at least one item, then this rule allows
|
|
|
|
// traffic only if the traffic matches at least one port in the list.
|
|
|
|
// +optional
|
|
|
|
repeated NetworkPolicyPort ports = 1;
|
|
|
|
|
|
|
|
// List of destinations for outgoing traffic of pods selected for this rule.
|
|
|
|
// Items in this list are combined using a logical OR operation. If this field is
|
|
|
|
// empty or missing, this rule matches all destinations (traffic not restricted by
|
|
|
|
// destination). If this field is present and contains at least one item, this rule
|
|
|
|
// allows traffic only if the traffic matches at least one item in the to list.
|
|
|
|
// +optional
|
|
|
|
repeated NetworkPolicyPeer to = 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
// NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
|
|
|
|
// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
|
|
|
|
message NetworkPolicyIngressRule {
|
|
|
|
// List of ports which should be made accessible on the pods selected for this
|
|
|
|
// rule. Each item in this list is combined using a logical OR. If this field is
|
|
|
|
// empty or missing, this rule matches all ports (traffic not restricted by port).
|
|
|
|
// If this field is present and contains at least one item, then this rule allows
|
|
|
|
// traffic only if the traffic matches at least one port in the list.
|
|
|
|
// +optional
|
|
|
|
repeated NetworkPolicyPort ports = 1;
|
|
|
|
|
|
|
|
// List of sources which should be able to access the pods selected for this rule.
|
|
|
|
// Items in this list are combined using a logical OR operation. If this field is
|
|
|
|
// empty or missing, this rule matches all sources (traffic not restricted by
|
|
|
|
// source). If this field is present and contains at least on item, this rule
|
|
|
|
// allows traffic only if the traffic matches at least one item in the from list.
|
|
|
|
// +optional
|
|
|
|
repeated NetworkPolicyPeer from = 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
// NetworkPolicyList is a list of NetworkPolicy objects.
|
|
|
|
message NetworkPolicyList {
|
|
|
|
// Standard list metadata.
|
|
|
|
// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
|
|
|
|
// +optional
|
|
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.ListMeta metadata = 1;
|
|
|
|
|
|
|
|
// Items is a list of schema objects.
|
|
|
|
repeated NetworkPolicy items = 2;
|
|
|
|
}
|
|
|
|
|
2018-07-25 04:17:02 -04:00
|
|
|
// NetworkPolicyPeer describes a peer to allow traffic from. Only certain combinations of
|
|
|
|
// fields are allowed
|
2017-11-20 09:30:52 -05:00
|
|
|
message NetworkPolicyPeer {
|
2018-07-25 04:17:02 -04:00
|
|
|
// This is a label selector which selects Pods. This field follows standard label
|
|
|
|
// selector semantics; if present but empty, it selects all pods.
|
|
|
|
//
|
|
|
|
// If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
|
|
|
|
// the Pods matching PodSelector in the Namespaces selected by NamespaceSelector.
|
|
|
|
// Otherwise it selects the Pods matching PodSelector in the policy's own Namespace.
|
2017-11-20 09:30:52 -05:00
|
|
|
// +optional
|
|
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector podSelector = 1;
|
|
|
|
|
2018-07-25 04:17:02 -04:00
|
|
|
// Selects Namespaces using cluster-scoped labels. This field follows standard label
|
|
|
|
// selector semantics; if present but empty, it selects all namespaces.
|
|
|
|
//
|
|
|
|
// If PodSelector is also set, then the NetworkPolicyPeer as a whole selects
|
|
|
|
// the Pods matching PodSelector in the Namespaces selected by NamespaceSelector.
|
|
|
|
// Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector.
|
2017-11-20 09:30:52 -05:00
|
|
|
// +optional
|
|
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector namespaceSelector = 2;
|
|
|
|
|
2018-07-25 04:17:02 -04:00
|
|
|
// IPBlock defines policy on a particular IPBlock. If this field is set then
|
|
|
|
// neither of the other fields can be.
|
2017-11-20 09:30:52 -05:00
|
|
|
// +optional
|
|
|
|
optional IPBlock ipBlock = 3;
|
|
|
|
}
|
|
|
|
|
|
|
|
// NetworkPolicyPort describes a port to allow traffic on
|
|
|
|
message NetworkPolicyPort {
|
|
|
|
// The protocol (TCP or UDP) which traffic must match. If not specified, this
|
|
|
|
// field defaults to TCP.
|
|
|
|
// +optional
|
|
|
|
optional string protocol = 1;
|
|
|
|
|
|
|
|
// The port on the given protocol. This can either be a numerical or named port on
|
|
|
|
// a pod. If this field is not provided, this matches all port names and numbers.
|
|
|
|
// +optional
|
|
|
|
optional k8s.io.apimachinery.pkg.util.intstr.IntOrString port = 2;
|
|
|
|
}
|
|
|
|
|
|
|
|
// NetworkPolicySpec provides the specification of a NetworkPolicy
|
|
|
|
message NetworkPolicySpec {
|
|
|
|
// Selects the pods to which this NetworkPolicy object applies. The array of
|
|
|
|
// ingress rules is applied to any pods selected by this field. Multiple network
|
|
|
|
// policies can select the same set of pods. In this case, the ingress rules for
|
|
|
|
// each are combined additively. This field is NOT optional and follows standard
|
|
|
|
// label selector semantics. An empty podSelector matches all pods in this
|
|
|
|
// namespace.
|
|
|
|
optional k8s.io.apimachinery.pkg.apis.meta.v1.LabelSelector podSelector = 1;
|
|
|
|
|
|
|
|
// List of ingress rules to be applied to the selected pods. Traffic is allowed to
|
|
|
|
// a pod if there are no NetworkPolicies selecting the pod
|
|
|
|
// (and cluster policy otherwise allows the traffic), OR if the traffic source is
|
|
|
|
// the pod's local node, OR if the traffic matches at least one ingress rule
|
|
|
|
// across all of the NetworkPolicy objects whose podSelector matches the pod. If
|
|
|
|
// this field is empty then this NetworkPolicy does not allow any traffic (and serves
|
|
|
|
// solely to ensure that the pods it selects are isolated by default)
|
|
|
|
// +optional
|
|
|
|
repeated NetworkPolicyIngressRule ingress = 2;
|
|
|
|
|
|
|
|
// List of egress rules to be applied to the selected pods. Outgoing traffic is
|
|
|
|
// allowed if there are no NetworkPolicies selecting the pod (and cluster policy
|
|
|
|
// otherwise allows the traffic), OR if the traffic matches at least one egress rule
|
|
|
|
// across all of the NetworkPolicy objects whose podSelector matches the pod. If
|
|
|
|
// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
|
|
|
|
// solely to ensure that the pods it selects are isolated by default).
|
|
|
|
// This field is beta-level in 1.8
|
|
|
|
// +optional
|
|
|
|
repeated NetworkPolicyEgressRule egress = 3;
|
|
|
|
|
|
|
|
// List of rule types that the NetworkPolicy relates to.
|
|
|
|
// Valid options are Ingress, Egress, or Ingress,Egress.
|
|
|
|
// If this field is not specified, it will default based on the existence of Ingress or Egress rules;
|
|
|
|
// policies that contain an Egress section are assumed to affect Egress, and all policies
|
|
|
|
// (whether or not they contain an Ingress section) are assumed to affect Ingress.
|
|
|
|
// If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
|
|
|
|
// Likewise, if you want to write a policy that specifies that no egress is allowed,
|
|
|
|
// you must specify a policyTypes value that include "Egress" (since such a policy would not include
|
|
|
|
// an Egress section and would otherwise default to just [ "Ingress" ]).
|
|
|
|
// This field is beta-level in 1.8
|
|
|
|
// +optional
|
|
|
|
repeated string policyTypes = 4;
|
|
|
|
}
|
|
|
|
|