{ "description": "CiliumNetworkPolicy is a Kubernetes third-party resource with an extended\nversion of NetworkPolicy.", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "anyOf": [ { "properties": { "ingress": {} }, "required": [ "ingress" ] }, { "properties": { "ingressDeny": {} }, "required": [ "ingressDeny" ] }, { "properties": { "egress": {} }, "required": [ "egress" ] }, { "properties": { "egressDeny": {} }, "required": [ "egressDeny" ] } ], "description": "Spec is the desired Cilium specific rule specification.", "oneOf": [ { "properties": { "endpointSelector": {} }, "required": [ "endpointSelector" ] }, { "properties": { "nodeSelector": {} }, "required": [ "nodeSelector" ] } ], "properties": { "description": { "description": "Description is a free form string, it can be used by the creator of\nthe rule to store human readable explanation of the purpose of this\nrule. Rules cannot be identified by comment.", "type": "string" }, "egress": { "description": "Egress is a list of EgressRule which are enforced at egress.\nIf omitted or empty, this rule does not apply at egress.", "items": { "description": "EgressRule contains all rule types which can be applied at egress, i.e.\nnetwork traffic that originates inside the endpoint and exits the endpoint\nselected by the endpointSelector.\n\n - All members of this structure are optional. If omitted or empty, the\n member will have no effect on the rule.\n\n - If multiple members of the structure are specified, then all members\n must match in order for the rule to take effect.\n\n - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are\n mutually exclusive. Only one of these members may be present within an\n individual rule.", "properties": { "authentication": { "description": "Authentication is the required authentication type for the allowed traffic, if any.", "properties": { "mode": { "description": "Mode is the required authentication mode for the allowed traffic, if any.", "enum": [ "disabled", "required", "test-always-fail" ], "type": "string" } }, "required": [ "mode" ], "type": "object", "additionalProperties": false }, "icmps": { "description": "ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is allowed to connect to.\n\nExample:\nAny endpoint with the label \"app=httpd\" is allowed to initiate\ntype 8 ICMP connections.", "items": { "description": "ICMPRule is a list of ICMP fields.", "properties": { "fields": { "description": "Fields is a list of ICMP fields.", "items": { "description": "ICMPField is a ICMP field.", "properties": { "family": { "default": "IPv4", "description": "Family is a IP address version.\nCurrently, we support `IPv4` and `IPv6`.\n`IPv4` is set as default.", "enum": [ "IPv4", "IPv6" ], "type": "string" }, "type": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "description": "Type is a ICMP-type.\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \"EchoReply\").\nAllowed ICMP types are:\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\n\t\t\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\n\t\t\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\n\t\t\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply", "pattern": "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$", "x-kubernetes-int-or-string": true } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "maxItems": 40, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toCIDR": { "description": "ToCIDR is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections. Only connections destined for\noutside of the cluster and not targeting the host will be subject\nto CIDR rules. This will match on the destination IP address of\noutgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet\nwith no ExcludeCIDRs is equivalent. Overlaps are allowed between\nToCIDR and ToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24", "items": { "description": "CIDR specifies a block of IP addresses.\nExample: 192.0.2.1/32", "format": "cidr", "type": "string" }, "type": "array" }, "toCIDRSet": { "description": "ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections to in addition to connections\nwhich are allowed via ToEndpoints, along with a list of subnets contained\nwithin their corresponding IP block to which traffic should not be\nallowed. This will match on the destination IP address of outgoing\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\nToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.", "items": { "description": "CIDRRule is a rule that specifies a CIDR prefix to/from which outside\ncommunication is allowed, along with an optional list of subnets within that\nCIDR prefix to/from which outside communication is not allowed.", "oneOf": [ { "properties": { "cidr": {} }, "required": [ "cidr" ] }, { "properties": { "cidrGroupRef": {} }, "required": [ "cidrGroupRef" ] }, { "properties": { "cidrGroupSelector": {} }, "required": [ "cidrGroupSelector" ] } ], "properties": { "cidr": { "description": "CIDR is a CIDR prefix / IP Block.", "format": "cidr", "type": "string" }, "cidrGroupRef": { "description": "CIDRGroupRef is a reference to a CiliumCIDRGroup object.\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\nconnections from.", "maxLength": 253, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "cidrGroupSelector": { "description": "CIDRGroupSelector selects CiliumCIDRGroups by their labels,\nrather than by name.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "except": { "description": "ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules.", "items": { "description": "CIDR specifies a block of IP addresses.\nExample: 192.0.2.1/32", "format": "cidr", "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toEndpoints": { "description": "ToEndpoints is a list of endpoints identified by an EndpointSelector to\nwhich the endpoints subject to the rule are allowed to communicate.\n\nExample:\nAny endpoint with the label \"role=frontend\" can communicate with any\nendpoint carrying the label \"role=backend\".\n\nNote that while an empty non-nil ToEndpoints does not select anything,\nnil ToEndpoints is implicitly treated as a wildcard selector if ToPorts\nare also specified.\nTo select everything, use one EndpointSelector without any match requirements.", "items": { "description": "EndpointSelector is a wrapper for k8s LabelSelector.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "type": "array" }, "toEntities": { "description": "ToEntities is a list of special entities to which the endpoint subject\nto the rule is allowed to initiate connections. Supported entities are\n`world`, `cluster`, `host`, `remote-node`, `kube-apiserver`, `ingress`, `init`,\n`health`, `unmanaged`, `none` and `all`.", "items": { "description": "Entity specifies the class of receiver/sender endpoints that do not have\nindividual identities. Entities are used to describe \"outside of cluster\",\n\"host\", etc.", "enum": [ "all", "world", "cluster", "host", "init", "ingress", "unmanaged", "remote-node", "health", "none", "kube-apiserver" ], "type": "string" }, "type": "array" }, "toFQDNs": { "description": "ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result\nfrom DNS resolution of `ToFQDN.MatchName`s are added to the same\nEgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and\nL7 rules within this EgressRule will also apply to these IPs.\nThe DNS -> IP mapping is re-resolved periodically from within the\ncilium-agent, and the IPs in the DNS response are effected in the policy\nfor selected pods as-is (i.e. the list of IPs is not modified in any way).\nNote: An explicit rule to allow for DNS traffic is needed for the pods, as\nToFQDN counts as an egress rule and will enforce egress policy when\nPolicyEnforcment=default.\nNote: If the resolved IPs are IPs within the kubernetes cluster, the\nToFQDN rule will not apply to that IP.\nNote: ToFQDN cannot occur in the same policy as other To* rules.", "items": { "oneOf": [ { "properties": { "matchName": {} }, "required": [ "matchName" ] }, { "properties": { "matchPattern": {} }, "required": [ "matchPattern" ] } ], "properties": { "matchName": { "description": "MatchName matches literal DNS names. A trailing \".\" is automatically added\nwhen missing.", "maxLength": 255, "pattern": "^([-a-zA-Z0-9_]+[.]?)+$", "type": "string" }, "matchPattern": { "description": "MatchPattern allows using wildcards to match DNS names. All wildcards are\ncase insensitive. The wildcards are:\n- \"*\" matches 0 or more DNS valid characters, and may occur anywhere in\nthe pattern. As a special case a \"*\" as the leftmost character, without a\nfollowing \".\" matches all subdomains as well as the name to the right.\nA trailing \".\" is automatically added when missing.\n- \"**.\" is a special prefix which matches all multilevel subdomains in the prefix.\n\nExamples:\n1. `*.cilium.io` matches subdomains of cilium at that level\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\n2. `*cilium.io` matches cilium.io and all subdomains ends with \"cilium.io\"\n except those containing \".\" separator, subcilium.io and sub-cilium.io match,\n www.cilium.io and blog.cilium.io does not\n3. `sub*.cilium.io` matches subdomains of cilium where the subdomain component\n begins with \"sub\". sub.cilium.io and subdomain.cilium.io match while www.cilium.io,\n blog.cilium.io, cilium.io and google.com do not\n4. `**.cilium.io` matches all multilevel subdomains of cilium.io.\n \"app.cilium.io\" and \"test.app.cilium.io\" match but not \"cilium.io\"", "maxLength": 255, "pattern": "^([-a-zA-Z0-9_*]+[.]?)+$", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toGroups": { "description": "ToGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\ntoGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'", "items": { "description": "Groups structure to store all kinds of new integrations that needs a new\nderivative policy.", "properties": { "aws": { "description": "AWSGroup is an structure that can be used to whitelisting information from AWS integration", "properties": { "labels": { "additionalProperties": { "type": "string" }, "type": "object" }, "region": { "type": "string" }, "securityGroupsIds": { "items": { "type": "string" }, "type": "array" }, "securityGroupsNames": { "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toNodes": { "description": "ToNodes is a list of nodes identified by an\nEndpointSelector to which endpoints subject to the rule is allowed to communicate.", "items": { "description": "EndpointSelector is a wrapper for k8s LabelSelector.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "type": "array" }, "toPorts": { "description": "ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is allowed to\nconnect to.\n\nExample:\nAny endpoint with the label \"role=frontend\" is allowed to initiate\nconnections to destination port 8080/tcp", "items": { "description": "PortRule is a list of ports/protocol combinations with optional Layer 7\nrules which must be met.", "properties": { "listener": { "description": "listener specifies the name of a custom Envoy listener to which this traffic should be\nredirected to.", "properties": { "envoyConfig": { "description": "EnvoyConfig is a reference to the CEC or CCEC resource in which\nthe listener is defined.", "properties": { "kind": { "description": "Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or\nCiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy,\nrespectively. The only case this is currently explicitly needed is when referring to a\nCiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener\nfrom a cluster scoped policy is not allowed.", "enum": [ "CiliumEnvoyConfig", "CiliumClusterwideEnvoyConfig" ], "type": "string" }, "name": { "description": "Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where\nthe listener is defined in.", "minLength": 1, "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "name": { "description": "Name is the name of the listener.", "minLength": 1, "type": "string" }, "priority": { "description": "Priority for this Listener that is used when multiple rules would apply different\nlisteners to a policy map entry. Behavior of this is implementation dependent.", "maximum": 100, "minimum": 1, "type": "integer" } }, "required": [ "envoyConfig", "name" ], "type": "object", "additionalProperties": false }, "originatingTLS": { "description": "OriginatingTLS is the TLS context for the connections originated by\nthe L7 proxy. For egress policy this specifies the client-side TLS\nparameters for the upstream connection originating from the L7 proxy\nto the remote destination. For ingress policy this specifies the\nclient-side TLS parameters for the connection from the L7 proxy to\nthe local endpoint.", "properties": { "certificate": { "description": "Certificate is the file name or k8s secret item name for the certificate\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\nitem must exist.", "type": "string" }, "privateKey": { "description": "PrivateKey is the file name or k8s secret item name for the private key\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\nexists. If given, the item must exist.", "type": "string" }, "secret": { "description": "Secret is the secret that contains the certificates and private key for\nthe TLS context.\nBy default, Cilium will search in this secret for the following items:\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\n - 'tls.crt' - Which represents the public key certificate.\n - 'tls.key' - Which represents the private key matching the public key\n certificate.", "properties": { "name": { "description": "Name is the name of the secret.", "type": "string" }, "namespace": { "description": "Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\").", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "trustedCA": { "description": "TrustedCA is the file name or k8s secret item name for the trusted CA.\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\nexist.", "type": "string" } }, "required": [ "secret" ], "type": "object", "additionalProperties": false }, "ports": { "description": "Ports is a list of L4 port/protocol", "items": { "description": "PortProtocol specifies an L4 port with an optional transport protocol", "properties": { "endPort": { "description": "EndPort can only be an L4 port number.", "format": "int32", "maximum": 65535, "minimum": 0, "type": "integer" }, "port": { "description": "Port can be an L4 port number, or a name in the form of \"http\"\nor \"http-8080\".", "pattern": "^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$", "type": "string" }, "protocol": { "description": "Protocol is the L4 protocol. If \"ANY\", omitted or empty, any protocols\nwith transport ports (TCP, UDP, SCTP) match.\n\nAccepted values: \"TCP\", \"UDP\", \"SCTP\", \"VRRP\", \"IGMP\", \"ANY\"\n\nMatching on ICMP is not supported.\n\nNamed port specified for a container may narrow this down, but may not\ncontradict this.", "enum": [ "TCP", "UDP", "SCTP", "VRRP", "IGMP", "ANY" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "maxItems": 40, "type": "array" }, "rules": { "description": "Rules is a list of additional port level rules which must be met in\norder for the PortRule to allow the traffic. If omitted or empty,\nno layer 7 rules are enforced.", "oneOf": [ { "properties": { "http": {} }, "required": [ "http" ] }, { "properties": { "kafka": {} }, "required": [ "kafka" ] }, { "properties": { "dns": {} }, "required": [ "dns" ] }, { "properties": { "l7proto": {} }, "required": [ "l7proto" ] } ], "properties": { "dns": { "description": "DNS-specific rules.", "items": { "description": "PortRuleDNS is a list of allowed DNS lookups.", "oneOf": [ { "properties": { "matchName": {} }, "required": [ "matchName" ] }, { "properties": { "matchPattern": {} }, "required": [ "matchPattern" ] } ], "properties": { "matchName": { "description": "MatchName matches literal DNS names. A trailing \".\" is automatically added\nwhen missing.", "maxLength": 255, "pattern": "^([-a-zA-Z0-9_]+[.]?)+$", "type": "string" }, "matchPattern": { "description": "MatchPattern allows using wildcards to match DNS names. All wildcards are\ncase insensitive. The wildcards are:\n- \"*\" matches 0 or more DNS valid characters, and may occur anywhere in\nthe pattern. As a special case a \"*\" as the leftmost character, without a\nfollowing \".\" matches all subdomains as well as the name to the right.\nA trailing \".\" is automatically added when missing.\n- \"**.\" is a special prefix which matches all multilevel subdomains in the prefix.\n\nExamples:\n1. `*.cilium.io` matches subdomains of cilium at that level\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\n2. `*cilium.io` matches cilium.io and all subdomains ends with \"cilium.io\"\n except those containing \".\" separator, subcilium.io and sub-cilium.io match,\n www.cilium.io and blog.cilium.io does not\n3. `sub*.cilium.io` matches subdomains of cilium where the subdomain component\n begins with \"sub\". sub.cilium.io and subdomain.cilium.io match while www.cilium.io,\n blog.cilium.io, cilium.io and google.com do not\n4. `**.cilium.io` matches all multilevel subdomains of cilium.io.\n \"app.cilium.io\" and \"test.app.cilium.io\" match but not \"cilium.io\"", "maxLength": 255, "pattern": "^([-a-zA-Z0-9_*]+[.]?)+$", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "http": { "description": "HTTP specific rules.", "items": { "description": "PortRuleHTTP is a list of HTTP protocol constraints. All fields are\noptional, if all fields are empty or missing, the rule does not have any\neffect.\n\nAll fields of this type are extended POSIX regex as defined by IEEE Std\n1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax)\nmatched against the path of an incoming request. Currently it can contain\ncharacters disallowed from the conventional \"path\" part of a URL as defined\nby RFC 3986.", "properties": { "headerMatches": { "description": "HeaderMatches is a list of HTTP headers which must be\npresent and match against the given values. Mismatch field can be used\nto specify what to do when there is no match.", "items": { "description": "HeaderMatch extends the HeaderValue for matching requirement of a\nnamed header field against an immediate string or a secret value.\nIf none of the optional fields is present, then the\nheader value is not matched, only presence of the header is enough.", "properties": { "mismatch": { "description": "Mismatch identifies what to do in case there is no match. The default is\nto drop the request. Otherwise the overall rule is still considered as\nmatching, but the mismatches are logged in the access log.", "enum": [ "LOG", "ADD", "DELETE", "REPLACE" ], "type": "string" }, "name": { "description": "Name identifies the header.", "minLength": 1, "type": "string" }, "secret": { "description": "Secret refers to a secret that contains the value to be matched against.\nThe secret must only contain one entry. If the referred secret does not\nexist, and there is no \"Value\" specified, the match will fail.", "properties": { "name": { "description": "Name is the name of the secret.", "type": "string" }, "namespace": { "description": "Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\").", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "value": { "description": "Value matches the exact value of the header. Can be specified either\nalone or together with \"Secret\"; will be used as the header value if the\nsecret can not be found in the latter case.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array" }, "headers": { "description": "Headers is a list of HTTP headers which must be present in the\nrequest. If omitted or empty, requests are allowed regardless of\nheaders present.", "items": { "type": "string" }, "type": "array" }, "host": { "description": "Host is an extended POSIX regex matched against the host header of a\nrequest. Examples:\n\n- foo.bar.com will match the host fooXbar.com or foo-bar.com\n- foo\\.bar\\.com will only match the host foo.bar.com\n\nIf omitted or empty, the value of the host header is ignored.", "format": "idn-hostname", "type": "string" }, "method": { "description": "Method is an extended POSIX regex matched against the method of a\nrequest, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ...\n\nIf omitted or empty, all methods are allowed.", "type": "string" }, "path": { "description": "Path is an extended POSIX regex matched against the path of a\nrequest. Currently it can contain characters disallowed from the\nconventional \"path\" part of a URL as defined by RFC 3986.\n\nIf omitted or empty, all paths are all allowed.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "kafka": { "description": "Kafka-specific rules.\nDeprecated: This beta feature is deprecated and will be removed in a future release.", "items": { "description": "PortRule is a list of Kafka protocol constraints. All fields are\noptional, if all fields are empty or missing, the rule will match all\nKafka messages.", "properties": { "apiKey": { "description": "APIKey is a case-insensitive string matched against the key of a\nrequest, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", et al\nReference: https://kafka.apache.org/protocol#protocol_api_keys\n\nIf omitted or empty, and if Role is not specified, then all keys are allowed.", "type": "string" }, "apiVersion": { "description": "APIVersion is the version matched against the api version of the\nKafka message. If set, it has to be a string representing a positive\ninteger.\n\nIf omitted or empty, all versions are allowed.", "type": "string" }, "clientID": { "description": "ClientID is the client identifier as provided in the request.\n\nFrom Kafka protocol documentation:\nThis is a user supplied identifier for the client application. The\nuser can use any identifier they like and it will be used when\nlogging errors, monitoring aggregates, etc. For example, one might\nwant to monitor not just the requests per second overall, but the\nnumber coming from each client application (each of which could\nreside on multiple servers). This id acts as a logical grouping\nacross all requests from a particular client.\n\nIf omitted or empty, all client identifiers are allowed.", "type": "string" }, "role": { "description": "Role is a case-insensitive string and describes a group of API keys\nnecessary to perform certain higher-level Kafka operations such as \"produce\"\nor \"consume\". A Role automatically expands into all APIKeys required\nto perform the specified higher-level operation.\n\nThe following values are supported:\n - \"produce\": Allow producing to the topics specified in the rule\n - \"consume\": Allow consuming from the topics specified in the rule\n\nThis field is incompatible with the APIKey field, i.e APIKey and Role\ncannot both be specified in the same rule.\n\nIf omitted or empty, and if APIKey is not specified, then all keys are\nallowed.", "enum": [ "produce", "consume" ], "type": "string" }, "topic": { "description": "Topic is the topic name contained in the message. If a Kafka request\ncontains multiple topics, then all topics must be allowed or the\nmessage will be rejected.\n\nThis constraint is ignored if the matched request message type\ndoesn't contain any topic. Maximum size of Topic can be 249\ncharacters as per recent Kafka spec and allowed characters are\na-z, A-Z, 0-9, -, . and _.\n\nOlder Kafka versions had longer topic lengths of 255, but in Kafka 0.10\nversion the length was changed from 255 to 249. For compatibility\nreasons we are using 255.\n\nIf omitted or empty, all topics are allowed.", "maxLength": 255, "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "l7": { "description": "Key-value pair rules.", "items": { "additionalProperties": { "type": "string" }, "description": "PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as\nprotocol constraints. All fields are optional, if all fields are empty or\nmissing, the rule does not have any effect.", "type": "object" }, "type": "array" }, "l7proto": { "description": "Name of the L7 protocol for which the Key-value pair rules apply.", "type": "string" } }, "type": "object", "additionalProperties": false }, "serverNames": { "description": "ServerNames is a list of allowed TLS SNI values. If not empty, then\nTLS must be present and one of the provided SNIs must be indicated in the\nTLS handshake.", "items": { "description": "ServerName allows using prefix only wildcards to match DNS names.\n\n- \"*\" matches 0 or more DNS valid characters, and may only occur at the\nbeginning of the pattern. As a special case a \"*\" as the leftmost character,\nwithout a following \".\" matches all subdomains as well as the name to the right.\n\nExamples:\n - `*.cilium.io` matches exactly one subdomain of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not.\n - `**.cilium.io` matches more than one subdomain of cilium, e.g. sub1.sub2.cilium.io and sub.cilium.io match, cilium.io do not.", "maxLength": 255, "pattern": "^(\\*?\\*\\.)?([-a-zA-Z0-9_]+\\.?)+$", "type": "string" }, "minItems": 1, "type": "array", "x-kubernetes-list-type": "set" }, "terminatingTLS": { "description": "TerminatingTLS is the TLS context for the connection terminated by\nthe L7 proxy. For egress policy this specifies the server-side TLS\nparameters to be applied on the connections originated from the local\nendpoint and terminated by the L7 proxy. For ingress policy this specifies\nthe server-side TLS parameters to be applied on the connections\noriginated from a remote source and terminated by the L7 proxy.", "properties": { "certificate": { "description": "Certificate is the file name or k8s secret item name for the certificate\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\nitem must exist.", "type": "string" }, "privateKey": { "description": "PrivateKey is the file name or k8s secret item name for the private key\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\nexists. If given, the item must exist.", "type": "string" }, "secret": { "description": "Secret is the secret that contains the certificates and private key for\nthe TLS context.\nBy default, Cilium will search in this secret for the following items:\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\n - 'tls.crt' - Which represents the public key certificate.\n - 'tls.key' - Which represents the private key matching the public key\n certificate.", "properties": { "name": { "description": "Name is the name of the secret.", "type": "string" }, "namespace": { "description": "Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\").", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "trustedCA": { "description": "TrustedCA is the file name or k8s secret item name for the trusted CA.\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\nexist.", "type": "string" } }, "required": [ "secret" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toRequires": { "description": "Deprecated.", "items": { "type": "string" }, "maxItems": 0, "type": "array" }, "toServices": { "description": "ToServices is a list of services to which the endpoint subject\nto the rule is allowed to initiate connections.\nCurrently Cilium only supports toServices for K8s services.", "items": { "description": "Service selects policy targets that are bundled as part of a\nlogical load-balanced service.\n\nCurrently only Kubernetes-based Services are supported.", "properties": { "k8sService": { "description": "K8sService selects service by name and namespace pair", "properties": { "namespace": { "type": "string" }, "serviceName": { "type": "string" } }, "type": "object", "additionalProperties": false }, "k8sServiceSelector": { "description": "K8sServiceSelector selects services by k8s labels and namespace", "properties": { "namespace": { "type": "string" }, "selector": { "description": "ServiceSelector is a label selector for k8s services", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false } }, "required": [ "selector" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "egressDeny": { "description": "EgressDeny is a list of EgressDenyRule which are enforced at egress.\nAny rule inserted here will be denied regardless of the allowed egress\nrules in the 'egress' field.\nIf omitted or empty, this rule does not apply at egress.", "items": { "description": "EgressDenyRule contains all rule types which can be applied at egress, i.e.\nnetwork traffic that originates inside the endpoint and exits the endpoint\nselected by the endpointSelector.\n\n - All members of this structure are optional. If omitted or empty, the\n member will have no effect on the rule.\n\n - If multiple members of the structure are specified, then all members\n must match in order for the rule to take effect.\n\n - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are\n mutually exclusive. Only one of these members may be present within an\n individual rule.", "properties": { "icmps": { "description": "ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is not allowed to connect to.\n\nExample:\nAny endpoint with the label \"app=httpd\" is not allowed to initiate\ntype 8 ICMP connections.", "items": { "description": "ICMPRule is a list of ICMP fields.", "properties": { "fields": { "description": "Fields is a list of ICMP fields.", "items": { "description": "ICMPField is a ICMP field.", "properties": { "family": { "default": "IPv4", "description": "Family is a IP address version.\nCurrently, we support `IPv4` and `IPv6`.\n`IPv4` is set as default.", "enum": [ "IPv4", "IPv6" ], "type": "string" }, "type": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "description": "Type is a ICMP-type.\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \"EchoReply\").\nAllowed ICMP types are:\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\n\t\t\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\n\t\t\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\n\t\t\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply", "pattern": "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$", "x-kubernetes-int-or-string": true } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "maxItems": 40, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toCIDR": { "description": "ToCIDR is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections. Only connections destined for\noutside of the cluster and not targeting the host will be subject\nto CIDR rules. This will match on the destination IP address of\noutgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet\nwith no ExcludeCIDRs is equivalent. Overlaps are allowed between\nToCIDR and ToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24", "items": { "description": "CIDR specifies a block of IP addresses.\nExample: 192.0.2.1/32", "format": "cidr", "type": "string" }, "type": "array" }, "toCIDRSet": { "description": "ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections to in addition to connections\nwhich are allowed via ToEndpoints, along with a list of subnets contained\nwithin their corresponding IP block to which traffic should not be\nallowed. This will match on the destination IP address of outgoing\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\nToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.", "items": { "description": "CIDRRule is a rule that specifies a CIDR prefix to/from which outside\ncommunication is allowed, along with an optional list of subnets within that\nCIDR prefix to/from which outside communication is not allowed.", "oneOf": [ { "properties": { "cidr": {} }, "required": [ "cidr" ] }, { "properties": { "cidrGroupRef": {} }, "required": [ "cidrGroupRef" ] }, { "properties": { "cidrGroupSelector": {} }, "required": [ "cidrGroupSelector" ] } ], "properties": { "cidr": { "description": "CIDR is a CIDR prefix / IP Block.", "format": "cidr", "type": "string" }, "cidrGroupRef": { "description": "CIDRGroupRef is a reference to a CiliumCIDRGroup object.\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\nconnections from.", "maxLength": 253, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "cidrGroupSelector": { "description": "CIDRGroupSelector selects CiliumCIDRGroups by their labels,\nrather than by name.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "except": { "description": "ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules.", "items": { "description": "CIDR specifies a block of IP addresses.\nExample: 192.0.2.1/32", "format": "cidr", "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toEndpoints": { "description": "ToEndpoints is a list of endpoints identified by an EndpointSelector to\nwhich the endpoints subject to the rule are allowed to communicate.\n\nExample:\nAny endpoint with the label \"role=frontend\" can communicate with any\nendpoint carrying the label \"role=backend\".\n\nNote that while an empty non-nil ToEndpoints does not select anything,\nnil ToEndpoints is implicitly treated as a wildcard selector if ToPorts\nare also specified.\nTo select everything, use one EndpointSelector without any match requirements.", "items": { "description": "EndpointSelector is a wrapper for k8s LabelSelector.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "type": "array" }, "toEntities": { "description": "ToEntities is a list of special entities to which the endpoint subject\nto the rule is allowed to initiate connections. Supported entities are\n`world`, `cluster`, `host`, `remote-node`, `kube-apiserver`, `ingress`, `init`,\n`health`, `unmanaged`, `none` and `all`.", "items": { "description": "Entity specifies the class of receiver/sender endpoints that do not have\nindividual identities. Entities are used to describe \"outside of cluster\",\n\"host\", etc.", "enum": [ "all", "world", "cluster", "host", "init", "ingress", "unmanaged", "remote-node", "health", "none", "kube-apiserver" ], "type": "string" }, "type": "array" }, "toGroups": { "description": "ToGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\ntoGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'", "items": { "description": "Groups structure to store all kinds of new integrations that needs a new\nderivative policy.", "properties": { "aws": { "description": "AWSGroup is an structure that can be used to whitelisting information from AWS integration", "properties": { "labels": { "additionalProperties": { "type": "string" }, "type": "object" }, "region": { "type": "string" }, "securityGroupsIds": { "items": { "type": "string" }, "type": "array" }, "securityGroupsNames": { "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toNodes": { "description": "ToNodes is a list of nodes identified by an\nEndpointSelector to which endpoints subject to the rule is allowed to communicate.", "items": { "description": "EndpointSelector is a wrapper for k8s LabelSelector.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "type": "array" }, "toPorts": { "description": "ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is not allowed to connect\nto.\n\nExample:\nAny endpoint with the label \"role=frontend\" is not allowed to initiate\nconnections to destination port 8080/tcp", "items": { "description": "PortDenyRule is a list of ports/protocol that should be used for deny\npolicies. This structure lacks the L7Rules since it's not supported in deny\npolicies.", "properties": { "ports": { "description": "Ports is a list of L4 port/protocol", "items": { "description": "PortProtocol specifies an L4 port with an optional transport protocol", "properties": { "endPort": { "description": "EndPort can only be an L4 port number.", "format": "int32", "maximum": 65535, "minimum": 0, "type": "integer" }, "port": { "description": "Port can be an L4 port number, or a name in the form of \"http\"\nor \"http-8080\".", "pattern": "^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$", "type": "string" }, "protocol": { "description": "Protocol is the L4 protocol. If \"ANY\", omitted or empty, any protocols\nwith transport ports (TCP, UDP, SCTP) match.\n\nAccepted values: \"TCP\", \"UDP\", \"SCTP\", \"VRRP\", \"IGMP\", \"ANY\"\n\nMatching on ICMP is not supported.\n\nNamed port specified for a container may narrow this down, but may not\ncontradict this.", "enum": [ "TCP", "UDP", "SCTP", "VRRP", "IGMP", "ANY" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toRequires": { "description": "Deprecated.", "items": { "type": "string" }, "maxItems": 0, "type": "array" }, "toServices": { "description": "ToServices is a list of services to which the endpoint subject\nto the rule is allowed to initiate connections.\nCurrently Cilium only supports toServices for K8s services.", "items": { "description": "Service selects policy targets that are bundled as part of a\nlogical load-balanced service.\n\nCurrently only Kubernetes-based Services are supported.", "properties": { "k8sService": { "description": "K8sService selects service by name and namespace pair", "properties": { "namespace": { "type": "string" }, "serviceName": { "type": "string" } }, "type": "object", "additionalProperties": false }, "k8sServiceSelector": { "description": "K8sServiceSelector selects services by k8s labels and namespace", "properties": { "namespace": { "type": "string" }, "selector": { "description": "ServiceSelector is a label selector for k8s services", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false } }, "required": [ "selector" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "enableDefaultDeny": { "description": "EnableDefaultDeny determines whether this policy configures the\nsubject endpoint(s) to have a default deny mode. If enabled,\nthis causes all traffic not explicitly allowed by a network policy\nto be dropped.\n\nIf not specified, the default is true for each traffic direction\nthat has rules, and false otherwise. For example, if a policy\nonly has Ingress or IngressDeny rules, then the default for\ningress is true and egress is false.\n\nIf multiple policies apply to an endpoint, that endpoint's default deny\nwill be enabled if any policy requests it.\n\nThis is useful for creating broad-based network policies that will not\ncause endpoints to enter default-deny mode.", "properties": { "egress": { "description": "Whether or not the endpoint should have a default-deny rule applied\nto egress traffic.", "type": "boolean" }, "ingress": { "description": "Whether or not the endpoint should have a default-deny rule applied\nto ingress traffic.", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "endpointSelector": { "description": "EndpointSelector selects all endpoints which should be subject to\nthis rule. EndpointSelector and NodeSelector cannot be both empty and\nare mutually exclusive.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "ingress": { "description": "Ingress is a list of IngressRule which are enforced at ingress.\nIf omitted or empty, this rule does not apply at ingress.", "items": { "description": "IngressRule contains all rule types which can be applied at ingress,\ni.e. network traffic that originates outside of the endpoint and\nis entering the endpoint selected by the endpointSelector.\n\n - All members of this structure are optional. If omitted or empty, the\n member will have no effect on the rule.\n\n - If multiple members are set, all of them need to match in order for\n the rule to take effect.\n\n - FromEndpoints, FromCIDR, FromCIDRSet and FromEntities are mutually\n exclusive. Only one of these members may be present within an individual\n rule.", "properties": { "authentication": { "description": "Authentication is the required authentication type for the allowed traffic, if any.", "properties": { "mode": { "description": "Mode is the required authentication mode for the allowed traffic, if any.", "enum": [ "disabled", "required", "test-always-fail" ], "type": "string" } }, "required": [ "mode" ], "type": "object", "additionalProperties": false }, "fromCIDR": { "description": "FromCIDR is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from. Only connections which\ndo *not* originate from the cluster or from the local host are subject\nto CIDR rules. In order to allow in-cluster connectivity, use the\nFromEndpoints field. This will match on the source IP address of\nincoming connections. Adding a prefix into FromCIDR or into\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\nallowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.3.9.1", "items": { "description": "CIDR specifies a block of IP addresses.\nExample: 192.0.2.1/32", "format": "cidr", "type": "string" }, "type": "array" }, "fromCIDRSet": { "description": "FromCIDRSet is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from in addition to FromEndpoints,\nalong with a list of subnets contained within their corresponding IP block\nfrom which traffic should not be allowed.\nThis will match on the source IP address of incoming connections. Adding\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.", "items": { "description": "CIDRRule is a rule that specifies a CIDR prefix to/from which outside\ncommunication is allowed, along with an optional list of subnets within that\nCIDR prefix to/from which outside communication is not allowed.", "oneOf": [ { "properties": { "cidr": {} }, "required": [ "cidr" ] }, { "properties": { "cidrGroupRef": {} }, "required": [ "cidrGroupRef" ] }, { "properties": { "cidrGroupSelector": {} }, "required": [ "cidrGroupSelector" ] } ], "properties": { "cidr": { "description": "CIDR is a CIDR prefix / IP Block.", "format": "cidr", "type": "string" }, "cidrGroupRef": { "description": "CIDRGroupRef is a reference to a CiliumCIDRGroup object.\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\nconnections from.", "maxLength": 253, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "cidrGroupSelector": { "description": "CIDRGroupSelector selects CiliumCIDRGroups by their labels,\nrather than by name.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "except": { "description": "ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules.", "items": { "description": "CIDR specifies a block of IP addresses.\nExample: 192.0.2.1/32", "format": "cidr", "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "fromEndpoints": { "description": "FromEndpoints is a list of endpoints identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.\n\nExample:\nAny endpoint with the label \"role=backend\" can be consumed by any\nendpoint carrying the label \"role=frontend\".\n\nNote that while an empty non-nil FromEndpoints does not select anything,\nnil FromEndpoints is implicitly treated as a wildcard selector if ToPorts\nare also specified.\nTo select everything, use one EndpointSelector without any match requirements.", "items": { "description": "EndpointSelector is a wrapper for k8s LabelSelector.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "type": "array" }, "fromEntities": { "description": "FromEntities is a list of special entities which the endpoint subject\nto the rule is allowed to receive connections from. Supported entities are\n`world`, `cluster`, `host`, `remote-node`, `kube-apiserver`, `ingress`, `init`,\n`health`, `unmanaged`, `none` and `all`.", "items": { "description": "Entity specifies the class of receiver/sender endpoints that do not have\nindividual identities. Entities are used to describe \"outside of cluster\",\n\"host\", etc.", "enum": [ "all", "world", "cluster", "host", "init", "ingress", "unmanaged", "remote-node", "health", "none", "kube-apiserver" ], "type": "string" }, "type": "array" }, "fromGroups": { "description": "FromGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\nFromGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'", "items": { "description": "Groups structure to store all kinds of new integrations that needs a new\nderivative policy.", "properties": { "aws": { "description": "AWSGroup is an structure that can be used to whitelisting information from AWS integration", "properties": { "labels": { "additionalProperties": { "type": "string" }, "type": "object" }, "region": { "type": "string" }, "securityGroupsIds": { "items": { "type": "string" }, "type": "array" }, "securityGroupsNames": { "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" }, "fromNodes": { "description": "FromNodes is a list of nodes identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.", "items": { "description": "EndpointSelector is a wrapper for k8s LabelSelector.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "type": "array" }, "fromRequires": { "description": "Deprecated.", "items": { "type": "string" }, "maxItems": 0, "type": "array" }, "icmps": { "description": "ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can only accept incoming\ntype 8 ICMP connections.", "items": { "description": "ICMPRule is a list of ICMP fields.", "properties": { "fields": { "description": "Fields is a list of ICMP fields.", "items": { "description": "ICMPField is a ICMP field.", "properties": { "family": { "default": "IPv4", "description": "Family is a IP address version.\nCurrently, we support `IPv4` and `IPv6`.\n`IPv4` is set as default.", "enum": [ "IPv4", "IPv6" ], "type": "string" }, "type": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "description": "Type is a ICMP-type.\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \"EchoReply\").\nAllowed ICMP types are:\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\n\t\t\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\n\t\t\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\n\t\t\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply", "pattern": "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$", "x-kubernetes-int-or-string": true } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "maxItems": 40, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toPorts": { "description": "ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can only accept incoming\nconnections on port 80/tcp.", "items": { "description": "PortRule is a list of ports/protocol combinations with optional Layer 7\nrules which must be met.", "properties": { "listener": { "description": "listener specifies the name of a custom Envoy listener to which this traffic should be\nredirected to.", "properties": { "envoyConfig": { "description": "EnvoyConfig is a reference to the CEC or CCEC resource in which\nthe listener is defined.", "properties": { "kind": { "description": "Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or\nCiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy,\nrespectively. The only case this is currently explicitly needed is when referring to a\nCiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener\nfrom a cluster scoped policy is not allowed.", "enum": [ "CiliumEnvoyConfig", "CiliumClusterwideEnvoyConfig" ], "type": "string" }, "name": { "description": "Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where\nthe listener is defined in.", "minLength": 1, "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "name": { "description": "Name is the name of the listener.", "minLength": 1, "type": "string" }, "priority": { "description": "Priority for this Listener that is used when multiple rules would apply different\nlisteners to a policy map entry. Behavior of this is implementation dependent.", "maximum": 100, "minimum": 1, "type": "integer" } }, "required": [ "envoyConfig", "name" ], "type": "object", "additionalProperties": false }, "originatingTLS": { "description": "OriginatingTLS is the TLS context for the connections originated by\nthe L7 proxy. For egress policy this specifies the client-side TLS\nparameters for the upstream connection originating from the L7 proxy\nto the remote destination. For ingress policy this specifies the\nclient-side TLS parameters for the connection from the L7 proxy to\nthe local endpoint.", "properties": { "certificate": { "description": "Certificate is the file name or k8s secret item name for the certificate\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\nitem must exist.", "type": "string" }, "privateKey": { "description": "PrivateKey is the file name or k8s secret item name for the private key\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\nexists. If given, the item must exist.", "type": "string" }, "secret": { "description": "Secret is the secret that contains the certificates and private key for\nthe TLS context.\nBy default, Cilium will search in this secret for the following items:\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\n - 'tls.crt' - Which represents the public key certificate.\n - 'tls.key' - Which represents the private key matching the public key\n certificate.", "properties": { "name": { "description": "Name is the name of the secret.", "type": "string" }, "namespace": { "description": "Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\").", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "trustedCA": { "description": "TrustedCA is the file name or k8s secret item name for the trusted CA.\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\nexist.", "type": "string" } }, "required": [ "secret" ], "type": "object", "additionalProperties": false }, "ports": { "description": "Ports is a list of L4 port/protocol", "items": { "description": "PortProtocol specifies an L4 port with an optional transport protocol", "properties": { "endPort": { "description": "EndPort can only be an L4 port number.", "format": "int32", "maximum": 65535, "minimum": 0, "type": "integer" }, "port": { "description": "Port can be an L4 port number, or a name in the form of \"http\"\nor \"http-8080\".", "pattern": "^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$", "type": "string" }, "protocol": { "description": "Protocol is the L4 protocol. If \"ANY\", omitted or empty, any protocols\nwith transport ports (TCP, UDP, SCTP) match.\n\nAccepted values: \"TCP\", \"UDP\", \"SCTP\", \"VRRP\", \"IGMP\", \"ANY\"\n\nMatching on ICMP is not supported.\n\nNamed port specified for a container may narrow this down, but may not\ncontradict this.", "enum": [ "TCP", "UDP", "SCTP", "VRRP", "IGMP", "ANY" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "maxItems": 40, "type": "array" }, "rules": { "description": "Rules is a list of additional port level rules which must be met in\norder for the PortRule to allow the traffic. If omitted or empty,\nno layer 7 rules are enforced.", "oneOf": [ { "properties": { "http": {} }, "required": [ "http" ] }, { "properties": { "kafka": {} }, "required": [ "kafka" ] }, { "properties": { "dns": {} }, "required": [ "dns" ] }, { "properties": { "l7proto": {} }, "required": [ "l7proto" ] } ], "properties": { "dns": { "description": "DNS-specific rules.", "items": { "description": "PortRuleDNS is a list of allowed DNS lookups.", "oneOf": [ { "properties": { "matchName": {} }, "required": [ "matchName" ] }, { "properties": { "matchPattern": {} }, "required": [ "matchPattern" ] } ], "properties": { "matchName": { "description": "MatchName matches literal DNS names. A trailing \".\" is automatically added\nwhen missing.", "maxLength": 255, "pattern": "^([-a-zA-Z0-9_]+[.]?)+$", "type": "string" }, "matchPattern": { "description": "MatchPattern allows using wildcards to match DNS names. All wildcards are\ncase insensitive. The wildcards are:\n- \"*\" matches 0 or more DNS valid characters, and may occur anywhere in\nthe pattern. As a special case a \"*\" as the leftmost character, without a\nfollowing \".\" matches all subdomains as well as the name to the right.\nA trailing \".\" is automatically added when missing.\n- \"**.\" is a special prefix which matches all multilevel subdomains in the prefix.\n\nExamples:\n1. `*.cilium.io` matches subdomains of cilium at that level\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\n2. `*cilium.io` matches cilium.io and all subdomains ends with \"cilium.io\"\n except those containing \".\" separator, subcilium.io and sub-cilium.io match,\n www.cilium.io and blog.cilium.io does not\n3. `sub*.cilium.io` matches subdomains of cilium where the subdomain component\n begins with \"sub\". sub.cilium.io and subdomain.cilium.io match while www.cilium.io,\n blog.cilium.io, cilium.io and google.com do not\n4. `**.cilium.io` matches all multilevel subdomains of cilium.io.\n \"app.cilium.io\" and \"test.app.cilium.io\" match but not \"cilium.io\"", "maxLength": 255, "pattern": "^([-a-zA-Z0-9_*]+[.]?)+$", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "http": { "description": "HTTP specific rules.", "items": { "description": "PortRuleHTTP is a list of HTTP protocol constraints. All fields are\noptional, if all fields are empty or missing, the rule does not have any\neffect.\n\nAll fields of this type are extended POSIX regex as defined by IEEE Std\n1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax)\nmatched against the path of an incoming request. Currently it can contain\ncharacters disallowed from the conventional \"path\" part of a URL as defined\nby RFC 3986.", "properties": { "headerMatches": { "description": "HeaderMatches is a list of HTTP headers which must be\npresent and match against the given values. Mismatch field can be used\nto specify what to do when there is no match.", "items": { "description": "HeaderMatch extends the HeaderValue for matching requirement of a\nnamed header field against an immediate string or a secret value.\nIf none of the optional fields is present, then the\nheader value is not matched, only presence of the header is enough.", "properties": { "mismatch": { "description": "Mismatch identifies what to do in case there is no match. The default is\nto drop the request. Otherwise the overall rule is still considered as\nmatching, but the mismatches are logged in the access log.", "enum": [ "LOG", "ADD", "DELETE", "REPLACE" ], "type": "string" }, "name": { "description": "Name identifies the header.", "minLength": 1, "type": "string" }, "secret": { "description": "Secret refers to a secret that contains the value to be matched against.\nThe secret must only contain one entry. If the referred secret does not\nexist, and there is no \"Value\" specified, the match will fail.", "properties": { "name": { "description": "Name is the name of the secret.", "type": "string" }, "namespace": { "description": "Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\").", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "value": { "description": "Value matches the exact value of the header. Can be specified either\nalone or together with \"Secret\"; will be used as the header value if the\nsecret can not be found in the latter case.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array" }, "headers": { "description": "Headers is a list of HTTP headers which must be present in the\nrequest. If omitted or empty, requests are allowed regardless of\nheaders present.", "items": { "type": "string" }, "type": "array" }, "host": { "description": "Host is an extended POSIX regex matched against the host header of a\nrequest. Examples:\n\n- foo.bar.com will match the host fooXbar.com or foo-bar.com\n- foo\\.bar\\.com will only match the host foo.bar.com\n\nIf omitted or empty, the value of the host header is ignored.", "format": "idn-hostname", "type": "string" }, "method": { "description": "Method is an extended POSIX regex matched against the method of a\nrequest, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ...\n\nIf omitted or empty, all methods are allowed.", "type": "string" }, "path": { "description": "Path is an extended POSIX regex matched against the path of a\nrequest. Currently it can contain characters disallowed from the\nconventional \"path\" part of a URL as defined by RFC 3986.\n\nIf omitted or empty, all paths are all allowed.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "kafka": { "description": "Kafka-specific rules.\nDeprecated: This beta feature is deprecated and will be removed in a future release.", "items": { "description": "PortRule is a list of Kafka protocol constraints. All fields are\noptional, if all fields are empty or missing, the rule will match all\nKafka messages.", "properties": { "apiKey": { "description": "APIKey is a case-insensitive string matched against the key of a\nrequest, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", et al\nReference: https://kafka.apache.org/protocol#protocol_api_keys\n\nIf omitted or empty, and if Role is not specified, then all keys are allowed.", "type": "string" }, "apiVersion": { "description": "APIVersion is the version matched against the api version of the\nKafka message. If set, it has to be a string representing a positive\ninteger.\n\nIf omitted or empty, all versions are allowed.", "type": "string" }, "clientID": { "description": "ClientID is the client identifier as provided in the request.\n\nFrom Kafka protocol documentation:\nThis is a user supplied identifier for the client application. The\nuser can use any identifier they like and it will be used when\nlogging errors, monitoring aggregates, etc. For example, one might\nwant to monitor not just the requests per second overall, but the\nnumber coming from each client application (each of which could\nreside on multiple servers). This id acts as a logical grouping\nacross all requests from a particular client.\n\nIf omitted or empty, all client identifiers are allowed.", "type": "string" }, "role": { "description": "Role is a case-insensitive string and describes a group of API keys\nnecessary to perform certain higher-level Kafka operations such as \"produce\"\nor \"consume\". A Role automatically expands into all APIKeys required\nto perform the specified higher-level operation.\n\nThe following values are supported:\n - \"produce\": Allow producing to the topics specified in the rule\n - \"consume\": Allow consuming from the topics specified in the rule\n\nThis field is incompatible with the APIKey field, i.e APIKey and Role\ncannot both be specified in the same rule.\n\nIf omitted or empty, and if APIKey is not specified, then all keys are\nallowed.", "enum": [ "produce", "consume" ], "type": "string" }, "topic": { "description": "Topic is the topic name contained in the message. If a Kafka request\ncontains multiple topics, then all topics must be allowed or the\nmessage will be rejected.\n\nThis constraint is ignored if the matched request message type\ndoesn't contain any topic. Maximum size of Topic can be 249\ncharacters as per recent Kafka spec and allowed characters are\na-z, A-Z, 0-9, -, . and _.\n\nOlder Kafka versions had longer topic lengths of 255, but in Kafka 0.10\nversion the length was changed from 255 to 249. For compatibility\nreasons we are using 255.\n\nIf omitted or empty, all topics are allowed.", "maxLength": 255, "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "l7": { "description": "Key-value pair rules.", "items": { "additionalProperties": { "type": "string" }, "description": "PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as\nprotocol constraints. All fields are optional, if all fields are empty or\nmissing, the rule does not have any effect.", "type": "object" }, "type": "array" }, "l7proto": { "description": "Name of the L7 protocol for which the Key-value pair rules apply.", "type": "string" } }, "type": "object", "additionalProperties": false }, "serverNames": { "description": "ServerNames is a list of allowed TLS SNI values. If not empty, then\nTLS must be present and one of the provided SNIs must be indicated in the\nTLS handshake.", "items": { "description": "ServerName allows using prefix only wildcards to match DNS names.\n\n- \"*\" matches 0 or more DNS valid characters, and may only occur at the\nbeginning of the pattern. As a special case a \"*\" as the leftmost character,\nwithout a following \".\" matches all subdomains as well as the name to the right.\n\nExamples:\n - `*.cilium.io` matches exactly one subdomain of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not.\n - `**.cilium.io` matches more than one subdomain of cilium, e.g. sub1.sub2.cilium.io and sub.cilium.io match, cilium.io do not.", "maxLength": 255, "pattern": "^(\\*?\\*\\.)?([-a-zA-Z0-9_]+\\.?)+$", "type": "string" }, "minItems": 1, "type": "array", "x-kubernetes-list-type": "set" }, "terminatingTLS": { "description": "TerminatingTLS is the TLS context for the connection terminated by\nthe L7 proxy. For egress policy this specifies the server-side TLS\nparameters to be applied on the connections originated from the local\nendpoint and terminated by the L7 proxy. For ingress policy this specifies\nthe server-side TLS parameters to be applied on the connections\noriginated from a remote source and terminated by the L7 proxy.", "properties": { "certificate": { "description": "Certificate is the file name or k8s secret item name for the certificate\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\nitem must exist.", "type": "string" }, "privateKey": { "description": "PrivateKey is the file name or k8s secret item name for the private key\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\nexists. If given, the item must exist.", "type": "string" }, "secret": { "description": "Secret is the secret that contains the certificates and private key for\nthe TLS context.\nBy default, Cilium will search in this secret for the following items:\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\n - 'tls.crt' - Which represents the public key certificate.\n - 'tls.key' - Which represents the private key matching the public key\n certificate.", "properties": { "name": { "description": "Name is the name of the secret.", "type": "string" }, "namespace": { "description": "Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\").", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "trustedCA": { "description": "TrustedCA is the file name or k8s secret item name for the trusted CA.\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\nexist.", "type": "string" } }, "required": [ "secret" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "ingressDeny": { "description": "IngressDeny is a list of IngressDenyRule which are enforced at ingress.\nAny rule inserted here will be denied regardless of the allowed ingress\nrules in the 'ingress' field.\nIf omitted or empty, this rule does not apply at ingress.", "items": { "description": "IngressDenyRule contains all rule types which can be applied at ingress,\ni.e. network traffic that originates outside of the endpoint and\nis entering the endpoint selected by the endpointSelector.\n\n - All members of this structure are optional. If omitted or empty, the\n member will have no effect on the rule.\n\n - If multiple members are set, all of them need to match in order for\n the rule to take effect.\n\n - FromEndpoints, FromCIDR, FromCIDRSet, FromGroups and FromEntities are mutually\n exclusive. Only one of these members may be present within an individual\n rule.", "properties": { "fromCIDR": { "description": "FromCIDR is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from. Only connections which\ndo *not* originate from the cluster or from the local host are subject\nto CIDR rules. In order to allow in-cluster connectivity, use the\nFromEndpoints field. This will match on the source IP address of\nincoming connections. Adding a prefix into FromCIDR or into\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\nallowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.3.9.1", "items": { "description": "CIDR specifies a block of IP addresses.\nExample: 192.0.2.1/32", "format": "cidr", "type": "string" }, "type": "array" }, "fromCIDRSet": { "description": "FromCIDRSet is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from in addition to FromEndpoints,\nalong with a list of subnets contained within their corresponding IP block\nfrom which traffic should not be allowed.\nThis will match on the source IP address of incoming connections. Adding\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.", "items": { "description": "CIDRRule is a rule that specifies a CIDR prefix to/from which outside\ncommunication is allowed, along with an optional list of subnets within that\nCIDR prefix to/from which outside communication is not allowed.", "oneOf": [ { "properties": { "cidr": {} }, "required": [ "cidr" ] }, { "properties": { "cidrGroupRef": {} }, "required": [ "cidrGroupRef" ] }, { "properties": { "cidrGroupSelector": {} }, "required": [ "cidrGroupSelector" ] } ], "properties": { "cidr": { "description": "CIDR is a CIDR prefix / IP Block.", "format": "cidr", "type": "string" }, "cidrGroupRef": { "description": "CIDRGroupRef is a reference to a CiliumCIDRGroup object.\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\nconnections from.", "maxLength": 253, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "cidrGroupSelector": { "description": "CIDRGroupSelector selects CiliumCIDRGroups by their labels,\nrather than by name.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "except": { "description": "ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules.", "items": { "description": "CIDR specifies a block of IP addresses.\nExample: 192.0.2.1/32", "format": "cidr", "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "fromEndpoints": { "description": "FromEndpoints is a list of endpoints identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.\n\nExample:\nAny endpoint with the label \"role=backend\" can be consumed by any\nendpoint carrying the label \"role=frontend\".\n\nNote that while an empty non-nil FromEndpoints does not select anything,\nnil FromEndpoints is implicitly treated as a wildcard selector if ToPorts\nare also specified.\nTo select everything, use one EndpointSelector without any match requirements.", "items": { "description": "EndpointSelector is a wrapper for k8s LabelSelector.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "type": "array" }, "fromEntities": { "description": "FromEntities is a list of special entities which the endpoint subject\nto the rule is allowed to receive connections from. Supported entities are\n`world`, `cluster`, `host`, `remote-node`, `kube-apiserver`, `ingress`, `init`,\n`health`, `unmanaged`, `none` and `all`.", "items": { "description": "Entity specifies the class of receiver/sender endpoints that do not have\nindividual identities. Entities are used to describe \"outside of cluster\",\n\"host\", etc.", "enum": [ "all", "world", "cluster", "host", "init", "ingress", "unmanaged", "remote-node", "health", "none", "kube-apiserver" ], "type": "string" }, "type": "array" }, "fromGroups": { "description": "FromGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\nFromGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'", "items": { "description": "Groups structure to store all kinds of new integrations that needs a new\nderivative policy.", "properties": { "aws": { "description": "AWSGroup is an structure that can be used to whitelisting information from AWS integration", "properties": { "labels": { "additionalProperties": { "type": "string" }, "type": "object" }, "region": { "type": "string" }, "securityGroupsIds": { "items": { "type": "string" }, "type": "array" }, "securityGroupsNames": { "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" }, "fromNodes": { "description": "FromNodes is a list of nodes identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.", "items": { "description": "EndpointSelector is a wrapper for k8s LabelSelector.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "type": "array" }, "fromRequires": { "description": "Deprecated.", "items": { "type": "string" }, "maxItems": 0, "type": "array" }, "icmps": { "description": "ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is not allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can not accept incoming\ntype 8 ICMP connections.", "items": { "description": "ICMPRule is a list of ICMP fields.", "properties": { "fields": { "description": "Fields is a list of ICMP fields.", "items": { "description": "ICMPField is a ICMP field.", "properties": { "family": { "default": "IPv4", "description": "Family is a IP address version.\nCurrently, we support `IPv4` and `IPv6`.\n`IPv4` is set as default.", "enum": [ "IPv4", "IPv6" ], "type": "string" }, "type": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "description": "Type is a ICMP-type.\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \"EchoReply\").\nAllowed ICMP types are:\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\n\t\t\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\n\t\t\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\n\t\t\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply", "pattern": "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$", "x-kubernetes-int-or-string": true } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "maxItems": 40, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toPorts": { "description": "ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is not allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can not accept incoming\nconnections on port 80/tcp.", "items": { "description": "PortDenyRule is a list of ports/protocol that should be used for deny\npolicies. This structure lacks the L7Rules since it's not supported in deny\npolicies.", "properties": { "ports": { "description": "Ports is a list of L4 port/protocol", "items": { "description": "PortProtocol specifies an L4 port with an optional transport protocol", "properties": { "endPort": { "description": "EndPort can only be an L4 port number.", "format": "int32", "maximum": 65535, "minimum": 0, "type": "integer" }, "port": { "description": "Port can be an L4 port number, or a name in the form of \"http\"\nor \"http-8080\".", "pattern": "^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$", "type": "string" }, "protocol": { "description": "Protocol is the L4 protocol. If \"ANY\", omitted or empty, any protocols\nwith transport ports (TCP, UDP, SCTP) match.\n\nAccepted values: \"TCP\", \"UDP\", \"SCTP\", \"VRRP\", \"IGMP\", \"ANY\"\n\nMatching on ICMP is not supported.\n\nNamed port specified for a container may narrow this down, but may not\ncontradict this.", "enum": [ "TCP", "UDP", "SCTP", "VRRP", "IGMP", "ANY" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "labels": { "description": "Labels is a list of optional strings which can be used to\nre-identify the rule or to store metadata. It is possible to lookup\nor delete strings based on labels. Labels are not required to be\nunique, multiple rules can have overlapping or identical labels.", "items": { "description": "Label is the Cilium's representation of a container label.", "properties": { "key": { "type": "string" }, "source": { "description": "Source can be one of the above values (e.g.: LabelSourceContainer).", "type": "string" }, "value": { "type": "string" } }, "required": [ "key" ], "type": "object", "additionalProperties": false }, "type": "array" }, "log": { "description": "Log specifies custom policy-specific Hubble logging configuration.", "properties": { "value": { "description": "Value is a free-form string that is included in Hubble flows\nthat match this policy. The string is limited to 32 printable characters.", "maxLength": 32, "pattern": "^\\PC*$", "type": "string" } }, "type": "object", "additionalProperties": false }, "nodeSelector": { "description": "NodeSelector selects all nodes which should be subject to this rule.\nEndpointSelector and NodeSelector cannot be both empty and are mutually\nexclusive. Can only be used in CiliumClusterwideNetworkPolicies.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "specs": { "description": "Specs is a list of desired Cilium specific rule specification.", "items": { "anyOf": [ { "properties": { "ingress": {} }, "required": [ "ingress" ] }, { "properties": { "ingressDeny": {} }, "required": [ "ingressDeny" ] }, { "properties": { "egress": {} }, "required": [ "egress" ] }, { "properties": { "egressDeny": {} }, "required": [ "egressDeny" ] } ], "description": "Rule is a policy rule which must be applied to all endpoints which match the\nlabels contained in the endpointSelector\n\nEach rule is split into an ingress section which contains all rules\napplicable at ingress, and an egress section applicable at egress. For rule\ntypes such as `L4Rule` and `CIDR` which can be applied at both ingress and\negress, both ingress and egress side have to either specifically allow the\nconnection or one side has to be omitted.\n\nEither ingress, egress, or both can be provided. If both ingress and egress\nare omitted, the rule has no effect.", "oneOf": [ { "properties": { "endpointSelector": {} }, "required": [ "endpointSelector" ] }, { "properties": { "nodeSelector": {} }, "required": [ "nodeSelector" ] } ], "properties": { "description": { "description": "Description is a free form string, it can be used by the creator of\nthe rule to store human readable explanation of the purpose of this\nrule. Rules cannot be identified by comment.", "type": "string" }, "egress": { "description": "Egress is a list of EgressRule which are enforced at egress.\nIf omitted or empty, this rule does not apply at egress.", "items": { "description": "EgressRule contains all rule types which can be applied at egress, i.e.\nnetwork traffic that originates inside the endpoint and exits the endpoint\nselected by the endpointSelector.\n\n - All members of this structure are optional. If omitted or empty, the\n member will have no effect on the rule.\n\n - If multiple members of the structure are specified, then all members\n must match in order for the rule to take effect.\n\n - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are\n mutually exclusive. Only one of these members may be present within an\n individual rule.", "properties": { "authentication": { "description": "Authentication is the required authentication type for the allowed traffic, if any.", "properties": { "mode": { "description": "Mode is the required authentication mode for the allowed traffic, if any.", "enum": [ "disabled", "required", "test-always-fail" ], "type": "string" } }, "required": [ "mode" ], "type": "object", "additionalProperties": false }, "icmps": { "description": "ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is allowed to connect to.\n\nExample:\nAny endpoint with the label \"app=httpd\" is allowed to initiate\ntype 8 ICMP connections.", "items": { "description": "ICMPRule is a list of ICMP fields.", "properties": { "fields": { "description": "Fields is a list of ICMP fields.", "items": { "description": "ICMPField is a ICMP field.", "properties": { "family": { "default": "IPv4", "description": "Family is a IP address version.\nCurrently, we support `IPv4` and `IPv6`.\n`IPv4` is set as default.", "enum": [ "IPv4", "IPv6" ], "type": "string" }, "type": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "description": "Type is a ICMP-type.\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \"EchoReply\").\nAllowed ICMP types are:\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\n\t\t\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\n\t\t\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\n\t\t\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply", "pattern": "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$", "x-kubernetes-int-or-string": true } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "maxItems": 40, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toCIDR": { "description": "ToCIDR is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections. Only connections destined for\noutside of the cluster and not targeting the host will be subject\nto CIDR rules. This will match on the destination IP address of\noutgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet\nwith no ExcludeCIDRs is equivalent. Overlaps are allowed between\nToCIDR and ToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24", "items": { "description": "CIDR specifies a block of IP addresses.\nExample: 192.0.2.1/32", "format": "cidr", "type": "string" }, "type": "array" }, "toCIDRSet": { "description": "ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections to in addition to connections\nwhich are allowed via ToEndpoints, along with a list of subnets contained\nwithin their corresponding IP block to which traffic should not be\nallowed. This will match on the destination IP address of outgoing\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\nToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.", "items": { "description": "CIDRRule is a rule that specifies a CIDR prefix to/from which outside\ncommunication is allowed, along with an optional list of subnets within that\nCIDR prefix to/from which outside communication is not allowed.", "oneOf": [ { "properties": { "cidr": {} }, "required": [ "cidr" ] }, { "properties": { "cidrGroupRef": {} }, "required": [ "cidrGroupRef" ] }, { "properties": { "cidrGroupSelector": {} }, "required": [ "cidrGroupSelector" ] } ], "properties": { "cidr": { "description": "CIDR is a CIDR prefix / IP Block.", "format": "cidr", "type": "string" }, "cidrGroupRef": { "description": "CIDRGroupRef is a reference to a CiliumCIDRGroup object.\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\nconnections from.", "maxLength": 253, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "cidrGroupSelector": { "description": "CIDRGroupSelector selects CiliumCIDRGroups by their labels,\nrather than by name.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "except": { "description": "ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules.", "items": { "description": "CIDR specifies a block of IP addresses.\nExample: 192.0.2.1/32", "format": "cidr", "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toEndpoints": { "description": "ToEndpoints is a list of endpoints identified by an EndpointSelector to\nwhich the endpoints subject to the rule are allowed to communicate.\n\nExample:\nAny endpoint with the label \"role=frontend\" can communicate with any\nendpoint carrying the label \"role=backend\".\n\nNote that while an empty non-nil ToEndpoints does not select anything,\nnil ToEndpoints is implicitly treated as a wildcard selector if ToPorts\nare also specified.\nTo select everything, use one EndpointSelector without any match requirements.", "items": { "description": "EndpointSelector is a wrapper for k8s LabelSelector.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "type": "array" }, "toEntities": { "description": "ToEntities is a list of special entities to which the endpoint subject\nto the rule is allowed to initiate connections. Supported entities are\n`world`, `cluster`, `host`, `remote-node`, `kube-apiserver`, `ingress`, `init`,\n`health`, `unmanaged`, `none` and `all`.", "items": { "description": "Entity specifies the class of receiver/sender endpoints that do not have\nindividual identities. Entities are used to describe \"outside of cluster\",\n\"host\", etc.", "enum": [ "all", "world", "cluster", "host", "init", "ingress", "unmanaged", "remote-node", "health", "none", "kube-apiserver" ], "type": "string" }, "type": "array" }, "toFQDNs": { "description": "ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result\nfrom DNS resolution of `ToFQDN.MatchName`s are added to the same\nEgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and\nL7 rules within this EgressRule will also apply to these IPs.\nThe DNS -> IP mapping is re-resolved periodically from within the\ncilium-agent, and the IPs in the DNS response are effected in the policy\nfor selected pods as-is (i.e. the list of IPs is not modified in any way).\nNote: An explicit rule to allow for DNS traffic is needed for the pods, as\nToFQDN counts as an egress rule and will enforce egress policy when\nPolicyEnforcment=default.\nNote: If the resolved IPs are IPs within the kubernetes cluster, the\nToFQDN rule will not apply to that IP.\nNote: ToFQDN cannot occur in the same policy as other To* rules.", "items": { "oneOf": [ { "properties": { "matchName": {} }, "required": [ "matchName" ] }, { "properties": { "matchPattern": {} }, "required": [ "matchPattern" ] } ], "properties": { "matchName": { "description": "MatchName matches literal DNS names. A trailing \".\" is automatically added\nwhen missing.", "maxLength": 255, "pattern": "^([-a-zA-Z0-9_]+[.]?)+$", "type": "string" }, "matchPattern": { "description": "MatchPattern allows using wildcards to match DNS names. All wildcards are\ncase insensitive. The wildcards are:\n- \"*\" matches 0 or more DNS valid characters, and may occur anywhere in\nthe pattern. As a special case a \"*\" as the leftmost character, without a\nfollowing \".\" matches all subdomains as well as the name to the right.\nA trailing \".\" is automatically added when missing.\n- \"**.\" is a special prefix which matches all multilevel subdomains in the prefix.\n\nExamples:\n1. `*.cilium.io` matches subdomains of cilium at that level\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\n2. `*cilium.io` matches cilium.io and all subdomains ends with \"cilium.io\"\n except those containing \".\" separator, subcilium.io and sub-cilium.io match,\n www.cilium.io and blog.cilium.io does not\n3. `sub*.cilium.io` matches subdomains of cilium where the subdomain component\n begins with \"sub\". sub.cilium.io and subdomain.cilium.io match while www.cilium.io,\n blog.cilium.io, cilium.io and google.com do not\n4. `**.cilium.io` matches all multilevel subdomains of cilium.io.\n \"app.cilium.io\" and \"test.app.cilium.io\" match but not \"cilium.io\"", "maxLength": 255, "pattern": "^([-a-zA-Z0-9_*]+[.]?)+$", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toGroups": { "description": "ToGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\ntoGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'", "items": { "description": "Groups structure to store all kinds of new integrations that needs a new\nderivative policy.", "properties": { "aws": { "description": "AWSGroup is an structure that can be used to whitelisting information from AWS integration", "properties": { "labels": { "additionalProperties": { "type": "string" }, "type": "object" }, "region": { "type": "string" }, "securityGroupsIds": { "items": { "type": "string" }, "type": "array" }, "securityGroupsNames": { "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toNodes": { "description": "ToNodes is a list of nodes identified by an\nEndpointSelector to which endpoints subject to the rule is allowed to communicate.", "items": { "description": "EndpointSelector is a wrapper for k8s LabelSelector.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "type": "array" }, "toPorts": { "description": "ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is allowed to\nconnect to.\n\nExample:\nAny endpoint with the label \"role=frontend\" is allowed to initiate\nconnections to destination port 8080/tcp", "items": { "description": "PortRule is a list of ports/protocol combinations with optional Layer 7\nrules which must be met.", "properties": { "listener": { "description": "listener specifies the name of a custom Envoy listener to which this traffic should be\nredirected to.", "properties": { "envoyConfig": { "description": "EnvoyConfig is a reference to the CEC or CCEC resource in which\nthe listener is defined.", "properties": { "kind": { "description": "Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or\nCiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy,\nrespectively. The only case this is currently explicitly needed is when referring to a\nCiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener\nfrom a cluster scoped policy is not allowed.", "enum": [ "CiliumEnvoyConfig", "CiliumClusterwideEnvoyConfig" ], "type": "string" }, "name": { "description": "Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where\nthe listener is defined in.", "minLength": 1, "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "name": { "description": "Name is the name of the listener.", "minLength": 1, "type": "string" }, "priority": { "description": "Priority for this Listener that is used when multiple rules would apply different\nlisteners to a policy map entry. Behavior of this is implementation dependent.", "maximum": 100, "minimum": 1, "type": "integer" } }, "required": [ "envoyConfig", "name" ], "type": "object", "additionalProperties": false }, "originatingTLS": { "description": "OriginatingTLS is the TLS context for the connections originated by\nthe L7 proxy. For egress policy this specifies the client-side TLS\nparameters for the upstream connection originating from the L7 proxy\nto the remote destination. For ingress policy this specifies the\nclient-side TLS parameters for the connection from the L7 proxy to\nthe local endpoint.", "properties": { "certificate": { "description": "Certificate is the file name or k8s secret item name for the certificate\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\nitem must exist.", "type": "string" }, "privateKey": { "description": "PrivateKey is the file name or k8s secret item name for the private key\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\nexists. If given, the item must exist.", "type": "string" }, "secret": { "description": "Secret is the secret that contains the certificates and private key for\nthe TLS context.\nBy default, Cilium will search in this secret for the following items:\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\n - 'tls.crt' - Which represents the public key certificate.\n - 'tls.key' - Which represents the private key matching the public key\n certificate.", "properties": { "name": { "description": "Name is the name of the secret.", "type": "string" }, "namespace": { "description": "Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\").", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "trustedCA": { "description": "TrustedCA is the file name or k8s secret item name for the trusted CA.\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\nexist.", "type": "string" } }, "required": [ "secret" ], "type": "object", "additionalProperties": false }, "ports": { "description": "Ports is a list of L4 port/protocol", "items": { "description": "PortProtocol specifies an L4 port with an optional transport protocol", "properties": { "endPort": { "description": "EndPort can only be an L4 port number.", "format": "int32", "maximum": 65535, "minimum": 0, "type": "integer" }, "port": { "description": "Port can be an L4 port number, or a name in the form of \"http\"\nor \"http-8080\".", "pattern": "^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$", "type": "string" }, "protocol": { "description": "Protocol is the L4 protocol. If \"ANY\", omitted or empty, any protocols\nwith transport ports (TCP, UDP, SCTP) match.\n\nAccepted values: \"TCP\", \"UDP\", \"SCTP\", \"VRRP\", \"IGMP\", \"ANY\"\n\nMatching on ICMP is not supported.\n\nNamed port specified for a container may narrow this down, but may not\ncontradict this.", "enum": [ "TCP", "UDP", "SCTP", "VRRP", "IGMP", "ANY" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "maxItems": 40, "type": "array" }, "rules": { "description": "Rules is a list of additional port level rules which must be met in\norder for the PortRule to allow the traffic. If omitted or empty,\nno layer 7 rules are enforced.", "oneOf": [ { "properties": { "http": {} }, "required": [ "http" ] }, { "properties": { "kafka": {} }, "required": [ "kafka" ] }, { "properties": { "dns": {} }, "required": [ "dns" ] }, { "properties": { "l7proto": {} }, "required": [ "l7proto" ] } ], "properties": { "dns": { "description": "DNS-specific rules.", "items": { "description": "PortRuleDNS is a list of allowed DNS lookups.", "oneOf": [ { "properties": { "matchName": {} }, "required": [ "matchName" ] }, { "properties": { "matchPattern": {} }, "required": [ "matchPattern" ] } ], "properties": { "matchName": { "description": "MatchName matches literal DNS names. A trailing \".\" is automatically added\nwhen missing.", "maxLength": 255, "pattern": "^([-a-zA-Z0-9_]+[.]?)+$", "type": "string" }, "matchPattern": { "description": "MatchPattern allows using wildcards to match DNS names. All wildcards are\ncase insensitive. The wildcards are:\n- \"*\" matches 0 or more DNS valid characters, and may occur anywhere in\nthe pattern. As a special case a \"*\" as the leftmost character, without a\nfollowing \".\" matches all subdomains as well as the name to the right.\nA trailing \".\" is automatically added when missing.\n- \"**.\" is a special prefix which matches all multilevel subdomains in the prefix.\n\nExamples:\n1. `*.cilium.io` matches subdomains of cilium at that level\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\n2. `*cilium.io` matches cilium.io and all subdomains ends with \"cilium.io\"\n except those containing \".\" separator, subcilium.io and sub-cilium.io match,\n www.cilium.io and blog.cilium.io does not\n3. `sub*.cilium.io` matches subdomains of cilium where the subdomain component\n begins with \"sub\". sub.cilium.io and subdomain.cilium.io match while www.cilium.io,\n blog.cilium.io, cilium.io and google.com do not\n4. `**.cilium.io` matches all multilevel subdomains of cilium.io.\n \"app.cilium.io\" and \"test.app.cilium.io\" match but not \"cilium.io\"", "maxLength": 255, "pattern": "^([-a-zA-Z0-9_*]+[.]?)+$", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "http": { "description": "HTTP specific rules.", "items": { "description": "PortRuleHTTP is a list of HTTP protocol constraints. All fields are\noptional, if all fields are empty or missing, the rule does not have any\neffect.\n\nAll fields of this type are extended POSIX regex as defined by IEEE Std\n1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax)\nmatched against the path of an incoming request. Currently it can contain\ncharacters disallowed from the conventional \"path\" part of a URL as defined\nby RFC 3986.", "properties": { "headerMatches": { "description": "HeaderMatches is a list of HTTP headers which must be\npresent and match against the given values. Mismatch field can be used\nto specify what to do when there is no match.", "items": { "description": "HeaderMatch extends the HeaderValue for matching requirement of a\nnamed header field against an immediate string or a secret value.\nIf none of the optional fields is present, then the\nheader value is not matched, only presence of the header is enough.", "properties": { "mismatch": { "description": "Mismatch identifies what to do in case there is no match. The default is\nto drop the request. Otherwise the overall rule is still considered as\nmatching, but the mismatches are logged in the access log.", "enum": [ "LOG", "ADD", "DELETE", "REPLACE" ], "type": "string" }, "name": { "description": "Name identifies the header.", "minLength": 1, "type": "string" }, "secret": { "description": "Secret refers to a secret that contains the value to be matched against.\nThe secret must only contain one entry. If the referred secret does not\nexist, and there is no \"Value\" specified, the match will fail.", "properties": { "name": { "description": "Name is the name of the secret.", "type": "string" }, "namespace": { "description": "Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\").", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "value": { "description": "Value matches the exact value of the header. Can be specified either\nalone or together with \"Secret\"; will be used as the header value if the\nsecret can not be found in the latter case.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array" }, "headers": { "description": "Headers is a list of HTTP headers which must be present in the\nrequest. If omitted or empty, requests are allowed regardless of\nheaders present.", "items": { "type": "string" }, "type": "array" }, "host": { "description": "Host is an extended POSIX regex matched against the host header of a\nrequest. Examples:\n\n- foo.bar.com will match the host fooXbar.com or foo-bar.com\n- foo\\.bar\\.com will only match the host foo.bar.com\n\nIf omitted or empty, the value of the host header is ignored.", "format": "idn-hostname", "type": "string" }, "method": { "description": "Method is an extended POSIX regex matched against the method of a\nrequest, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ...\n\nIf omitted or empty, all methods are allowed.", "type": "string" }, "path": { "description": "Path is an extended POSIX regex matched against the path of a\nrequest. Currently it can contain characters disallowed from the\nconventional \"path\" part of a URL as defined by RFC 3986.\n\nIf omitted or empty, all paths are all allowed.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "kafka": { "description": "Kafka-specific rules.\nDeprecated: This beta feature is deprecated and will be removed in a future release.", "items": { "description": "PortRule is a list of Kafka protocol constraints. All fields are\noptional, if all fields are empty or missing, the rule will match all\nKafka messages.", "properties": { "apiKey": { "description": "APIKey is a case-insensitive string matched against the key of a\nrequest, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", et al\nReference: https://kafka.apache.org/protocol#protocol_api_keys\n\nIf omitted or empty, and if Role is not specified, then all keys are allowed.", "type": "string" }, "apiVersion": { "description": "APIVersion is the version matched against the api version of the\nKafka message. If set, it has to be a string representing a positive\ninteger.\n\nIf omitted or empty, all versions are allowed.", "type": "string" }, "clientID": { "description": "ClientID is the client identifier as provided in the request.\n\nFrom Kafka protocol documentation:\nThis is a user supplied identifier for the client application. The\nuser can use any identifier they like and it will be used when\nlogging errors, monitoring aggregates, etc. For example, one might\nwant to monitor not just the requests per second overall, but the\nnumber coming from each client application (each of which could\nreside on multiple servers). This id acts as a logical grouping\nacross all requests from a particular client.\n\nIf omitted or empty, all client identifiers are allowed.", "type": "string" }, "role": { "description": "Role is a case-insensitive string and describes a group of API keys\nnecessary to perform certain higher-level Kafka operations such as \"produce\"\nor \"consume\". A Role automatically expands into all APIKeys required\nto perform the specified higher-level operation.\n\nThe following values are supported:\n - \"produce\": Allow producing to the topics specified in the rule\n - \"consume\": Allow consuming from the topics specified in the rule\n\nThis field is incompatible with the APIKey field, i.e APIKey and Role\ncannot both be specified in the same rule.\n\nIf omitted or empty, and if APIKey is not specified, then all keys are\nallowed.", "enum": [ "produce", "consume" ], "type": "string" }, "topic": { "description": "Topic is the topic name contained in the message. If a Kafka request\ncontains multiple topics, then all topics must be allowed or the\nmessage will be rejected.\n\nThis constraint is ignored if the matched request message type\ndoesn't contain any topic. Maximum size of Topic can be 249\ncharacters as per recent Kafka spec and allowed characters are\na-z, A-Z, 0-9, -, . and _.\n\nOlder Kafka versions had longer topic lengths of 255, but in Kafka 0.10\nversion the length was changed from 255 to 249. For compatibility\nreasons we are using 255.\n\nIf omitted or empty, all topics are allowed.", "maxLength": 255, "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "l7": { "description": "Key-value pair rules.", "items": { "additionalProperties": { "type": "string" }, "description": "PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as\nprotocol constraints. All fields are optional, if all fields are empty or\nmissing, the rule does not have any effect.", "type": "object" }, "type": "array" }, "l7proto": { "description": "Name of the L7 protocol for which the Key-value pair rules apply.", "type": "string" } }, "type": "object", "additionalProperties": false }, "serverNames": { "description": "ServerNames is a list of allowed TLS SNI values. If not empty, then\nTLS must be present and one of the provided SNIs must be indicated in the\nTLS handshake.", "items": { "description": "ServerName allows using prefix only wildcards to match DNS names.\n\n- \"*\" matches 0 or more DNS valid characters, and may only occur at the\nbeginning of the pattern. As a special case a \"*\" as the leftmost character,\nwithout a following \".\" matches all subdomains as well as the name to the right.\n\nExamples:\n - `*.cilium.io` matches exactly one subdomain of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not.\n - `**.cilium.io` matches more than one subdomain of cilium, e.g. sub1.sub2.cilium.io and sub.cilium.io match, cilium.io do not.", "maxLength": 255, "pattern": "^(\\*?\\*\\.)?([-a-zA-Z0-9_]+\\.?)+$", "type": "string" }, "minItems": 1, "type": "array", "x-kubernetes-list-type": "set" }, "terminatingTLS": { "description": "TerminatingTLS is the TLS context for the connection terminated by\nthe L7 proxy. For egress policy this specifies the server-side TLS\nparameters to be applied on the connections originated from the local\nendpoint and terminated by the L7 proxy. For ingress policy this specifies\nthe server-side TLS parameters to be applied on the connections\noriginated from a remote source and terminated by the L7 proxy.", "properties": { "certificate": { "description": "Certificate is the file name or k8s secret item name for the certificate\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\nitem must exist.", "type": "string" }, "privateKey": { "description": "PrivateKey is the file name or k8s secret item name for the private key\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\nexists. If given, the item must exist.", "type": "string" }, "secret": { "description": "Secret is the secret that contains the certificates and private key for\nthe TLS context.\nBy default, Cilium will search in this secret for the following items:\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\n - 'tls.crt' - Which represents the public key certificate.\n - 'tls.key' - Which represents the private key matching the public key\n certificate.", "properties": { "name": { "description": "Name is the name of the secret.", "type": "string" }, "namespace": { "description": "Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\").", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "trustedCA": { "description": "TrustedCA is the file name or k8s secret item name for the trusted CA.\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\nexist.", "type": "string" } }, "required": [ "secret" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toRequires": { "description": "Deprecated.", "items": { "type": "string" }, "maxItems": 0, "type": "array" }, "toServices": { "description": "ToServices is a list of services to which the endpoint subject\nto the rule is allowed to initiate connections.\nCurrently Cilium only supports toServices for K8s services.", "items": { "description": "Service selects policy targets that are bundled as part of a\nlogical load-balanced service.\n\nCurrently only Kubernetes-based Services are supported.", "properties": { "k8sService": { "description": "K8sService selects service by name and namespace pair", "properties": { "namespace": { "type": "string" }, "serviceName": { "type": "string" } }, "type": "object", "additionalProperties": false }, "k8sServiceSelector": { "description": "K8sServiceSelector selects services by k8s labels and namespace", "properties": { "namespace": { "type": "string" }, "selector": { "description": "ServiceSelector is a label selector for k8s services", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false } }, "required": [ "selector" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "egressDeny": { "description": "EgressDeny is a list of EgressDenyRule which are enforced at egress.\nAny rule inserted here will be denied regardless of the allowed egress\nrules in the 'egress' field.\nIf omitted or empty, this rule does not apply at egress.", "items": { "description": "EgressDenyRule contains all rule types which can be applied at egress, i.e.\nnetwork traffic that originates inside the endpoint and exits the endpoint\nselected by the endpointSelector.\n\n - All members of this structure are optional. If omitted or empty, the\n member will have no effect on the rule.\n\n - If multiple members of the structure are specified, then all members\n must match in order for the rule to take effect.\n\n - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are\n mutually exclusive. Only one of these members may be present within an\n individual rule.", "properties": { "icmps": { "description": "ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is not allowed to connect to.\n\nExample:\nAny endpoint with the label \"app=httpd\" is not allowed to initiate\ntype 8 ICMP connections.", "items": { "description": "ICMPRule is a list of ICMP fields.", "properties": { "fields": { "description": "Fields is a list of ICMP fields.", "items": { "description": "ICMPField is a ICMP field.", "properties": { "family": { "default": "IPv4", "description": "Family is a IP address version.\nCurrently, we support `IPv4` and `IPv6`.\n`IPv4` is set as default.", "enum": [ "IPv4", "IPv6" ], "type": "string" }, "type": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "description": "Type is a ICMP-type.\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \"EchoReply\").\nAllowed ICMP types are:\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\n\t\t\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\n\t\t\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\n\t\t\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply", "pattern": "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$", "x-kubernetes-int-or-string": true } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "maxItems": 40, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toCIDR": { "description": "ToCIDR is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections. Only connections destined for\noutside of the cluster and not targeting the host will be subject\nto CIDR rules. This will match on the destination IP address of\noutgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet\nwith no ExcludeCIDRs is equivalent. Overlaps are allowed between\nToCIDR and ToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24", "items": { "description": "CIDR specifies a block of IP addresses.\nExample: 192.0.2.1/32", "format": "cidr", "type": "string" }, "type": "array" }, "toCIDRSet": { "description": "ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections to in addition to connections\nwhich are allowed via ToEndpoints, along with a list of subnets contained\nwithin their corresponding IP block to which traffic should not be\nallowed. This will match on the destination IP address of outgoing\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\nToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.", "items": { "description": "CIDRRule is a rule that specifies a CIDR prefix to/from which outside\ncommunication is allowed, along with an optional list of subnets within that\nCIDR prefix to/from which outside communication is not allowed.", "oneOf": [ { "properties": { "cidr": {} }, "required": [ "cidr" ] }, { "properties": { "cidrGroupRef": {} }, "required": [ "cidrGroupRef" ] }, { "properties": { "cidrGroupSelector": {} }, "required": [ "cidrGroupSelector" ] } ], "properties": { "cidr": { "description": "CIDR is a CIDR prefix / IP Block.", "format": "cidr", "type": "string" }, "cidrGroupRef": { "description": "CIDRGroupRef is a reference to a CiliumCIDRGroup object.\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\nconnections from.", "maxLength": 253, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "cidrGroupSelector": { "description": "CIDRGroupSelector selects CiliumCIDRGroups by their labels,\nrather than by name.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "except": { "description": "ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules.", "items": { "description": "CIDR specifies a block of IP addresses.\nExample: 192.0.2.1/32", "format": "cidr", "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toEndpoints": { "description": "ToEndpoints is a list of endpoints identified by an EndpointSelector to\nwhich the endpoints subject to the rule are allowed to communicate.\n\nExample:\nAny endpoint with the label \"role=frontend\" can communicate with any\nendpoint carrying the label \"role=backend\".\n\nNote that while an empty non-nil ToEndpoints does not select anything,\nnil ToEndpoints is implicitly treated as a wildcard selector if ToPorts\nare also specified.\nTo select everything, use one EndpointSelector without any match requirements.", "items": { "description": "EndpointSelector is a wrapper for k8s LabelSelector.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "type": "array" }, "toEntities": { "description": "ToEntities is a list of special entities to which the endpoint subject\nto the rule is allowed to initiate connections. Supported entities are\n`world`, `cluster`, `host`, `remote-node`, `kube-apiserver`, `ingress`, `init`,\n`health`, `unmanaged`, `none` and `all`.", "items": { "description": "Entity specifies the class of receiver/sender endpoints that do not have\nindividual identities. Entities are used to describe \"outside of cluster\",\n\"host\", etc.", "enum": [ "all", "world", "cluster", "host", "init", "ingress", "unmanaged", "remote-node", "health", "none", "kube-apiserver" ], "type": "string" }, "type": "array" }, "toGroups": { "description": "ToGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\ntoGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'", "items": { "description": "Groups structure to store all kinds of new integrations that needs a new\nderivative policy.", "properties": { "aws": { "description": "AWSGroup is an structure that can be used to whitelisting information from AWS integration", "properties": { "labels": { "additionalProperties": { "type": "string" }, "type": "object" }, "region": { "type": "string" }, "securityGroupsIds": { "items": { "type": "string" }, "type": "array" }, "securityGroupsNames": { "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toNodes": { "description": "ToNodes is a list of nodes identified by an\nEndpointSelector to which endpoints subject to the rule is allowed to communicate.", "items": { "description": "EndpointSelector is a wrapper for k8s LabelSelector.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "type": "array" }, "toPorts": { "description": "ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is not allowed to connect\nto.\n\nExample:\nAny endpoint with the label \"role=frontend\" is not allowed to initiate\nconnections to destination port 8080/tcp", "items": { "description": "PortDenyRule is a list of ports/protocol that should be used for deny\npolicies. This structure lacks the L7Rules since it's not supported in deny\npolicies.", "properties": { "ports": { "description": "Ports is a list of L4 port/protocol", "items": { "description": "PortProtocol specifies an L4 port with an optional transport protocol", "properties": { "endPort": { "description": "EndPort can only be an L4 port number.", "format": "int32", "maximum": 65535, "minimum": 0, "type": "integer" }, "port": { "description": "Port can be an L4 port number, or a name in the form of \"http\"\nor \"http-8080\".", "pattern": "^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$", "type": "string" }, "protocol": { "description": "Protocol is the L4 protocol. If \"ANY\", omitted or empty, any protocols\nwith transport ports (TCP, UDP, SCTP) match.\n\nAccepted values: \"TCP\", \"UDP\", \"SCTP\", \"VRRP\", \"IGMP\", \"ANY\"\n\nMatching on ICMP is not supported.\n\nNamed port specified for a container may narrow this down, but may not\ncontradict this.", "enum": [ "TCP", "UDP", "SCTP", "VRRP", "IGMP", "ANY" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toRequires": { "description": "Deprecated.", "items": { "type": "string" }, "maxItems": 0, "type": "array" }, "toServices": { "description": "ToServices is a list of services to which the endpoint subject\nto the rule is allowed to initiate connections.\nCurrently Cilium only supports toServices for K8s services.", "items": { "description": "Service selects policy targets that are bundled as part of a\nlogical load-balanced service.\n\nCurrently only Kubernetes-based Services are supported.", "properties": { "k8sService": { "description": "K8sService selects service by name and namespace pair", "properties": { "namespace": { "type": "string" }, "serviceName": { "type": "string" } }, "type": "object", "additionalProperties": false }, "k8sServiceSelector": { "description": "K8sServiceSelector selects services by k8s labels and namespace", "properties": { "namespace": { "type": "string" }, "selector": { "description": "ServiceSelector is a label selector for k8s services", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false } }, "required": [ "selector" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "enableDefaultDeny": { "description": "EnableDefaultDeny determines whether this policy configures the\nsubject endpoint(s) to have a default deny mode. If enabled,\nthis causes all traffic not explicitly allowed by a network policy\nto be dropped.\n\nIf not specified, the default is true for each traffic direction\nthat has rules, and false otherwise. For example, if a policy\nonly has Ingress or IngressDeny rules, then the default for\ningress is true and egress is false.\n\nIf multiple policies apply to an endpoint, that endpoint's default deny\nwill be enabled if any policy requests it.\n\nThis is useful for creating broad-based network policies that will not\ncause endpoints to enter default-deny mode.", "properties": { "egress": { "description": "Whether or not the endpoint should have a default-deny rule applied\nto egress traffic.", "type": "boolean" }, "ingress": { "description": "Whether or not the endpoint should have a default-deny rule applied\nto ingress traffic.", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "endpointSelector": { "description": "EndpointSelector selects all endpoints which should be subject to\nthis rule. EndpointSelector and NodeSelector cannot be both empty and\nare mutually exclusive.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "ingress": { "description": "Ingress is a list of IngressRule which are enforced at ingress.\nIf omitted or empty, this rule does not apply at ingress.", "items": { "description": "IngressRule contains all rule types which can be applied at ingress,\ni.e. network traffic that originates outside of the endpoint and\nis entering the endpoint selected by the endpointSelector.\n\n - All members of this structure are optional. If omitted or empty, the\n member will have no effect on the rule.\n\n - If multiple members are set, all of them need to match in order for\n the rule to take effect.\n\n - FromEndpoints, FromCIDR, FromCIDRSet and FromEntities are mutually\n exclusive. Only one of these members may be present within an individual\n rule.", "properties": { "authentication": { "description": "Authentication is the required authentication type for the allowed traffic, if any.", "properties": { "mode": { "description": "Mode is the required authentication mode for the allowed traffic, if any.", "enum": [ "disabled", "required", "test-always-fail" ], "type": "string" } }, "required": [ "mode" ], "type": "object", "additionalProperties": false }, "fromCIDR": { "description": "FromCIDR is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from. Only connections which\ndo *not* originate from the cluster or from the local host are subject\nto CIDR rules. In order to allow in-cluster connectivity, use the\nFromEndpoints field. This will match on the source IP address of\nincoming connections. Adding a prefix into FromCIDR or into\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\nallowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.3.9.1", "items": { "description": "CIDR specifies a block of IP addresses.\nExample: 192.0.2.1/32", "format": "cidr", "type": "string" }, "type": "array" }, "fromCIDRSet": { "description": "FromCIDRSet is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from in addition to FromEndpoints,\nalong with a list of subnets contained within their corresponding IP block\nfrom which traffic should not be allowed.\nThis will match on the source IP address of incoming connections. Adding\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.", "items": { "description": "CIDRRule is a rule that specifies a CIDR prefix to/from which outside\ncommunication is allowed, along with an optional list of subnets within that\nCIDR prefix to/from which outside communication is not allowed.", "oneOf": [ { "properties": { "cidr": {} }, "required": [ "cidr" ] }, { "properties": { "cidrGroupRef": {} }, "required": [ "cidrGroupRef" ] }, { "properties": { "cidrGroupSelector": {} }, "required": [ "cidrGroupSelector" ] } ], "properties": { "cidr": { "description": "CIDR is a CIDR prefix / IP Block.", "format": "cidr", "type": "string" }, "cidrGroupRef": { "description": "CIDRGroupRef is a reference to a CiliumCIDRGroup object.\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\nconnections from.", "maxLength": 253, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "cidrGroupSelector": { "description": "CIDRGroupSelector selects CiliumCIDRGroups by their labels,\nrather than by name.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "except": { "description": "ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules.", "items": { "description": "CIDR specifies a block of IP addresses.\nExample: 192.0.2.1/32", "format": "cidr", "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "fromEndpoints": { "description": "FromEndpoints is a list of endpoints identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.\n\nExample:\nAny endpoint with the label \"role=backend\" can be consumed by any\nendpoint carrying the label \"role=frontend\".\n\nNote that while an empty non-nil FromEndpoints does not select anything,\nnil FromEndpoints is implicitly treated as a wildcard selector if ToPorts\nare also specified.\nTo select everything, use one EndpointSelector without any match requirements.", "items": { "description": "EndpointSelector is a wrapper for k8s LabelSelector.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "type": "array" }, "fromEntities": { "description": "FromEntities is a list of special entities which the endpoint subject\nto the rule is allowed to receive connections from. Supported entities are\n`world`, `cluster`, `host`, `remote-node`, `kube-apiserver`, `ingress`, `init`,\n`health`, `unmanaged`, `none` and `all`.", "items": { "description": "Entity specifies the class of receiver/sender endpoints that do not have\nindividual identities. Entities are used to describe \"outside of cluster\",\n\"host\", etc.", "enum": [ "all", "world", "cluster", "host", "init", "ingress", "unmanaged", "remote-node", "health", "none", "kube-apiserver" ], "type": "string" }, "type": "array" }, "fromGroups": { "description": "FromGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\nFromGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'", "items": { "description": "Groups structure to store all kinds of new integrations that needs a new\nderivative policy.", "properties": { "aws": { "description": "AWSGroup is an structure that can be used to whitelisting information from AWS integration", "properties": { "labels": { "additionalProperties": { "type": "string" }, "type": "object" }, "region": { "type": "string" }, "securityGroupsIds": { "items": { "type": "string" }, "type": "array" }, "securityGroupsNames": { "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" }, "fromNodes": { "description": "FromNodes is a list of nodes identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.", "items": { "description": "EndpointSelector is a wrapper for k8s LabelSelector.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "type": "array" }, "fromRequires": { "description": "Deprecated.", "items": { "type": "string" }, "maxItems": 0, "type": "array" }, "icmps": { "description": "ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can only accept incoming\ntype 8 ICMP connections.", "items": { "description": "ICMPRule is a list of ICMP fields.", "properties": { "fields": { "description": "Fields is a list of ICMP fields.", "items": { "description": "ICMPField is a ICMP field.", "properties": { "family": { "default": "IPv4", "description": "Family is a IP address version.\nCurrently, we support `IPv4` and `IPv6`.\n`IPv4` is set as default.", "enum": [ "IPv4", "IPv6" ], "type": "string" }, "type": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "description": "Type is a ICMP-type.\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \"EchoReply\").\nAllowed ICMP types are:\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\n\t\t\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\n\t\t\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\n\t\t\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply", "pattern": "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$", "x-kubernetes-int-or-string": true } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "maxItems": 40, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toPorts": { "description": "ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can only accept incoming\nconnections on port 80/tcp.", "items": { "description": "PortRule is a list of ports/protocol combinations with optional Layer 7\nrules which must be met.", "properties": { "listener": { "description": "listener specifies the name of a custom Envoy listener to which this traffic should be\nredirected to.", "properties": { "envoyConfig": { "description": "EnvoyConfig is a reference to the CEC or CCEC resource in which\nthe listener is defined.", "properties": { "kind": { "description": "Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or\nCiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy,\nrespectively. The only case this is currently explicitly needed is when referring to a\nCiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener\nfrom a cluster scoped policy is not allowed.", "enum": [ "CiliumEnvoyConfig", "CiliumClusterwideEnvoyConfig" ], "type": "string" }, "name": { "description": "Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where\nthe listener is defined in.", "minLength": 1, "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "name": { "description": "Name is the name of the listener.", "minLength": 1, "type": "string" }, "priority": { "description": "Priority for this Listener that is used when multiple rules would apply different\nlisteners to a policy map entry. Behavior of this is implementation dependent.", "maximum": 100, "minimum": 1, "type": "integer" } }, "required": [ "envoyConfig", "name" ], "type": "object", "additionalProperties": false }, "originatingTLS": { "description": "OriginatingTLS is the TLS context for the connections originated by\nthe L7 proxy. For egress policy this specifies the client-side TLS\nparameters for the upstream connection originating from the L7 proxy\nto the remote destination. For ingress policy this specifies the\nclient-side TLS parameters for the connection from the L7 proxy to\nthe local endpoint.", "properties": { "certificate": { "description": "Certificate is the file name or k8s secret item name for the certificate\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\nitem must exist.", "type": "string" }, "privateKey": { "description": "PrivateKey is the file name or k8s secret item name for the private key\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\nexists. If given, the item must exist.", "type": "string" }, "secret": { "description": "Secret is the secret that contains the certificates and private key for\nthe TLS context.\nBy default, Cilium will search in this secret for the following items:\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\n - 'tls.crt' - Which represents the public key certificate.\n - 'tls.key' - Which represents the private key matching the public key\n certificate.", "properties": { "name": { "description": "Name is the name of the secret.", "type": "string" }, "namespace": { "description": "Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\").", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "trustedCA": { "description": "TrustedCA is the file name or k8s secret item name for the trusted CA.\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\nexist.", "type": "string" } }, "required": [ "secret" ], "type": "object", "additionalProperties": false }, "ports": { "description": "Ports is a list of L4 port/protocol", "items": { "description": "PortProtocol specifies an L4 port with an optional transport protocol", "properties": { "endPort": { "description": "EndPort can only be an L4 port number.", "format": "int32", "maximum": 65535, "minimum": 0, "type": "integer" }, "port": { "description": "Port can be an L4 port number, or a name in the form of \"http\"\nor \"http-8080\".", "pattern": "^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$", "type": "string" }, "protocol": { "description": "Protocol is the L4 protocol. If \"ANY\", omitted or empty, any protocols\nwith transport ports (TCP, UDP, SCTP) match.\n\nAccepted values: \"TCP\", \"UDP\", \"SCTP\", \"VRRP\", \"IGMP\", \"ANY\"\n\nMatching on ICMP is not supported.\n\nNamed port specified for a container may narrow this down, but may not\ncontradict this.", "enum": [ "TCP", "UDP", "SCTP", "VRRP", "IGMP", "ANY" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "maxItems": 40, "type": "array" }, "rules": { "description": "Rules is a list of additional port level rules which must be met in\norder for the PortRule to allow the traffic. If omitted or empty,\nno layer 7 rules are enforced.", "oneOf": [ { "properties": { "http": {} }, "required": [ "http" ] }, { "properties": { "kafka": {} }, "required": [ "kafka" ] }, { "properties": { "dns": {} }, "required": [ "dns" ] }, { "properties": { "l7proto": {} }, "required": [ "l7proto" ] } ], "properties": { "dns": { "description": "DNS-specific rules.", "items": { "description": "PortRuleDNS is a list of allowed DNS lookups.", "oneOf": [ { "properties": { "matchName": {} }, "required": [ "matchName" ] }, { "properties": { "matchPattern": {} }, "required": [ "matchPattern" ] } ], "properties": { "matchName": { "description": "MatchName matches literal DNS names. A trailing \".\" is automatically added\nwhen missing.", "maxLength": 255, "pattern": "^([-a-zA-Z0-9_]+[.]?)+$", "type": "string" }, "matchPattern": { "description": "MatchPattern allows using wildcards to match DNS names. All wildcards are\ncase insensitive. The wildcards are:\n- \"*\" matches 0 or more DNS valid characters, and may occur anywhere in\nthe pattern. As a special case a \"*\" as the leftmost character, without a\nfollowing \".\" matches all subdomains as well as the name to the right.\nA trailing \".\" is automatically added when missing.\n- \"**.\" is a special prefix which matches all multilevel subdomains in the prefix.\n\nExamples:\n1. `*.cilium.io` matches subdomains of cilium at that level\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\n2. `*cilium.io` matches cilium.io and all subdomains ends with \"cilium.io\"\n except those containing \".\" separator, subcilium.io and sub-cilium.io match,\n www.cilium.io and blog.cilium.io does not\n3. `sub*.cilium.io` matches subdomains of cilium where the subdomain component\n begins with \"sub\". sub.cilium.io and subdomain.cilium.io match while www.cilium.io,\n blog.cilium.io, cilium.io and google.com do not\n4. `**.cilium.io` matches all multilevel subdomains of cilium.io.\n \"app.cilium.io\" and \"test.app.cilium.io\" match but not \"cilium.io\"", "maxLength": 255, "pattern": "^([-a-zA-Z0-9_*]+[.]?)+$", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "http": { "description": "HTTP specific rules.", "items": { "description": "PortRuleHTTP is a list of HTTP protocol constraints. All fields are\noptional, if all fields are empty or missing, the rule does not have any\neffect.\n\nAll fields of this type are extended POSIX regex as defined by IEEE Std\n1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax)\nmatched against the path of an incoming request. Currently it can contain\ncharacters disallowed from the conventional \"path\" part of a URL as defined\nby RFC 3986.", "properties": { "headerMatches": { "description": "HeaderMatches is a list of HTTP headers which must be\npresent and match against the given values. Mismatch field can be used\nto specify what to do when there is no match.", "items": { "description": "HeaderMatch extends the HeaderValue for matching requirement of a\nnamed header field against an immediate string or a secret value.\nIf none of the optional fields is present, then the\nheader value is not matched, only presence of the header is enough.", "properties": { "mismatch": { "description": "Mismatch identifies what to do in case there is no match. The default is\nto drop the request. Otherwise the overall rule is still considered as\nmatching, but the mismatches are logged in the access log.", "enum": [ "LOG", "ADD", "DELETE", "REPLACE" ], "type": "string" }, "name": { "description": "Name identifies the header.", "minLength": 1, "type": "string" }, "secret": { "description": "Secret refers to a secret that contains the value to be matched against.\nThe secret must only contain one entry. If the referred secret does not\nexist, and there is no \"Value\" specified, the match will fail.", "properties": { "name": { "description": "Name is the name of the secret.", "type": "string" }, "namespace": { "description": "Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\").", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "value": { "description": "Value matches the exact value of the header. Can be specified either\nalone or together with \"Secret\"; will be used as the header value if the\nsecret can not be found in the latter case.", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "type": "array" }, "headers": { "description": "Headers is a list of HTTP headers which must be present in the\nrequest. If omitted or empty, requests are allowed regardless of\nheaders present.", "items": { "type": "string" }, "type": "array" }, "host": { "description": "Host is an extended POSIX regex matched against the host header of a\nrequest. Examples:\n\n- foo.bar.com will match the host fooXbar.com or foo-bar.com\n- foo\\.bar\\.com will only match the host foo.bar.com\n\nIf omitted or empty, the value of the host header is ignored.", "format": "idn-hostname", "type": "string" }, "method": { "description": "Method is an extended POSIX regex matched against the method of a\nrequest, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ...\n\nIf omitted or empty, all methods are allowed.", "type": "string" }, "path": { "description": "Path is an extended POSIX regex matched against the path of a\nrequest. Currently it can contain characters disallowed from the\nconventional \"path\" part of a URL as defined by RFC 3986.\n\nIf omitted or empty, all paths are all allowed.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "kafka": { "description": "Kafka-specific rules.\nDeprecated: This beta feature is deprecated and will be removed in a future release.", "items": { "description": "PortRule is a list of Kafka protocol constraints. All fields are\noptional, if all fields are empty or missing, the rule will match all\nKafka messages.", "properties": { "apiKey": { "description": "APIKey is a case-insensitive string matched against the key of a\nrequest, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", et al\nReference: https://kafka.apache.org/protocol#protocol_api_keys\n\nIf omitted or empty, and if Role is not specified, then all keys are allowed.", "type": "string" }, "apiVersion": { "description": "APIVersion is the version matched against the api version of the\nKafka message. If set, it has to be a string representing a positive\ninteger.\n\nIf omitted or empty, all versions are allowed.", "type": "string" }, "clientID": { "description": "ClientID is the client identifier as provided in the request.\n\nFrom Kafka protocol documentation:\nThis is a user supplied identifier for the client application. The\nuser can use any identifier they like and it will be used when\nlogging errors, monitoring aggregates, etc. For example, one might\nwant to monitor not just the requests per second overall, but the\nnumber coming from each client application (each of which could\nreside on multiple servers). This id acts as a logical grouping\nacross all requests from a particular client.\n\nIf omitted or empty, all client identifiers are allowed.", "type": "string" }, "role": { "description": "Role is a case-insensitive string and describes a group of API keys\nnecessary to perform certain higher-level Kafka operations such as \"produce\"\nor \"consume\". A Role automatically expands into all APIKeys required\nto perform the specified higher-level operation.\n\nThe following values are supported:\n - \"produce\": Allow producing to the topics specified in the rule\n - \"consume\": Allow consuming from the topics specified in the rule\n\nThis field is incompatible with the APIKey field, i.e APIKey and Role\ncannot both be specified in the same rule.\n\nIf omitted or empty, and if APIKey is not specified, then all keys are\nallowed.", "enum": [ "produce", "consume" ], "type": "string" }, "topic": { "description": "Topic is the topic name contained in the message. If a Kafka request\ncontains multiple topics, then all topics must be allowed or the\nmessage will be rejected.\n\nThis constraint is ignored if the matched request message type\ndoesn't contain any topic. Maximum size of Topic can be 249\ncharacters as per recent Kafka spec and allowed characters are\na-z, A-Z, 0-9, -, . and _.\n\nOlder Kafka versions had longer topic lengths of 255, but in Kafka 0.10\nversion the length was changed from 255 to 249. For compatibility\nreasons we are using 255.\n\nIf omitted or empty, all topics are allowed.", "maxLength": 255, "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "l7": { "description": "Key-value pair rules.", "items": { "additionalProperties": { "type": "string" }, "description": "PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as\nprotocol constraints. All fields are optional, if all fields are empty or\nmissing, the rule does not have any effect.", "type": "object" }, "type": "array" }, "l7proto": { "description": "Name of the L7 protocol for which the Key-value pair rules apply.", "type": "string" } }, "type": "object", "additionalProperties": false }, "serverNames": { "description": "ServerNames is a list of allowed TLS SNI values. If not empty, then\nTLS must be present and one of the provided SNIs must be indicated in the\nTLS handshake.", "items": { "description": "ServerName allows using prefix only wildcards to match DNS names.\n\n- \"*\" matches 0 or more DNS valid characters, and may only occur at the\nbeginning of the pattern. As a special case a \"*\" as the leftmost character,\nwithout a following \".\" matches all subdomains as well as the name to the right.\n\nExamples:\n - `*.cilium.io` matches exactly one subdomain of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not.\n - `**.cilium.io` matches more than one subdomain of cilium, e.g. sub1.sub2.cilium.io and sub.cilium.io match, cilium.io do not.", "maxLength": 255, "pattern": "^(\\*?\\*\\.)?([-a-zA-Z0-9_]+\\.?)+$", "type": "string" }, "minItems": 1, "type": "array", "x-kubernetes-list-type": "set" }, "terminatingTLS": { "description": "TerminatingTLS is the TLS context for the connection terminated by\nthe L7 proxy. For egress policy this specifies the server-side TLS\nparameters to be applied on the connections originated from the local\nendpoint and terminated by the L7 proxy. For ingress policy this specifies\nthe server-side TLS parameters to be applied on the connections\noriginated from a remote source and terminated by the L7 proxy.", "properties": { "certificate": { "description": "Certificate is the file name or k8s secret item name for the certificate\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\nitem must exist.", "type": "string" }, "privateKey": { "description": "PrivateKey is the file name or k8s secret item name for the private key\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\nexists. If given, the item must exist.", "type": "string" }, "secret": { "description": "Secret is the secret that contains the certificates and private key for\nthe TLS context.\nBy default, Cilium will search in this secret for the following items:\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\n - 'tls.crt' - Which represents the public key certificate.\n - 'tls.key' - Which represents the private key matching the public key\n certificate.", "properties": { "name": { "description": "Name is the name of the secret.", "type": "string" }, "namespace": { "description": "Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\").", "type": "string" } }, "required": [ "name" ], "type": "object", "additionalProperties": false }, "trustedCA": { "description": "TrustedCA is the file name or k8s secret item name for the trusted CA.\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\nexist.", "type": "string" } }, "required": [ "secret" ], "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "ingressDeny": { "description": "IngressDeny is a list of IngressDenyRule which are enforced at ingress.\nAny rule inserted here will be denied regardless of the allowed ingress\nrules in the 'ingress' field.\nIf omitted or empty, this rule does not apply at ingress.", "items": { "description": "IngressDenyRule contains all rule types which can be applied at ingress,\ni.e. network traffic that originates outside of the endpoint and\nis entering the endpoint selected by the endpointSelector.\n\n - All members of this structure are optional. If omitted or empty, the\n member will have no effect on the rule.\n\n - If multiple members are set, all of them need to match in order for\n the rule to take effect.\n\n - FromEndpoints, FromCIDR, FromCIDRSet, FromGroups and FromEntities are mutually\n exclusive. Only one of these members may be present within an individual\n rule.", "properties": { "fromCIDR": { "description": "FromCIDR is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from. Only connections which\ndo *not* originate from the cluster or from the local host are subject\nto CIDR rules. In order to allow in-cluster connectivity, use the\nFromEndpoints field. This will match on the source IP address of\nincoming connections. Adding a prefix into FromCIDR or into\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\nallowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.3.9.1", "items": { "description": "CIDR specifies a block of IP addresses.\nExample: 192.0.2.1/32", "format": "cidr", "type": "string" }, "type": "array" }, "fromCIDRSet": { "description": "FromCIDRSet is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from in addition to FromEndpoints,\nalong with a list of subnets contained within their corresponding IP block\nfrom which traffic should not be allowed.\nThis will match on the source IP address of incoming connections. Adding\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.", "items": { "description": "CIDRRule is a rule that specifies a CIDR prefix to/from which outside\ncommunication is allowed, along with an optional list of subnets within that\nCIDR prefix to/from which outside communication is not allowed.", "oneOf": [ { "properties": { "cidr": {} }, "required": [ "cidr" ] }, { "properties": { "cidrGroupRef": {} }, "required": [ "cidrGroupRef" ] }, { "properties": { "cidrGroupSelector": {} }, "required": [ "cidrGroupSelector" ] } ], "properties": { "cidr": { "description": "CIDR is a CIDR prefix / IP Block.", "format": "cidr", "type": "string" }, "cidrGroupRef": { "description": "CIDRGroupRef is a reference to a CiliumCIDRGroup object.\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\nconnections from.", "maxLength": 253, "pattern": "^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$", "type": "string" }, "cidrGroupSelector": { "description": "CIDRGroupSelector selects CiliumCIDRGroups by their labels,\nrather than by name.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "except": { "description": "ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules.", "items": { "description": "CIDR specifies a block of IP addresses.\nExample: 192.0.2.1/32", "format": "cidr", "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "fromEndpoints": { "description": "FromEndpoints is a list of endpoints identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.\n\nExample:\nAny endpoint with the label \"role=backend\" can be consumed by any\nendpoint carrying the label \"role=frontend\".\n\nNote that while an empty non-nil FromEndpoints does not select anything,\nnil FromEndpoints is implicitly treated as a wildcard selector if ToPorts\nare also specified.\nTo select everything, use one EndpointSelector without any match requirements.", "items": { "description": "EndpointSelector is a wrapper for k8s LabelSelector.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "type": "array" }, "fromEntities": { "description": "FromEntities is a list of special entities which the endpoint subject\nto the rule is allowed to receive connections from. Supported entities are\n`world`, `cluster`, `host`, `remote-node`, `kube-apiserver`, `ingress`, `init`,\n`health`, `unmanaged`, `none` and `all`.", "items": { "description": "Entity specifies the class of receiver/sender endpoints that do not have\nindividual identities. Entities are used to describe \"outside of cluster\",\n\"host\", etc.", "enum": [ "all", "world", "cluster", "host", "init", "ingress", "unmanaged", "remote-node", "health", "none", "kube-apiserver" ], "type": "string" }, "type": "array" }, "fromGroups": { "description": "FromGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\nFromGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'", "items": { "description": "Groups structure to store all kinds of new integrations that needs a new\nderivative policy.", "properties": { "aws": { "description": "AWSGroup is an structure that can be used to whitelisting information from AWS integration", "properties": { "labels": { "additionalProperties": { "type": "string" }, "type": "object" }, "region": { "type": "string" }, "securityGroupsIds": { "items": { "type": "string" }, "type": "array" }, "securityGroupsNames": { "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" }, "fromNodes": { "description": "FromNodes is a list of nodes identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.", "items": { "description": "EndpointSelector is a wrapper for k8s LabelSelector.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false }, "type": "array" }, "fromRequires": { "description": "Deprecated.", "items": { "type": "string" }, "maxItems": 0, "type": "array" }, "icmps": { "description": "ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is not allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can not accept incoming\ntype 8 ICMP connections.", "items": { "description": "ICMPRule is a list of ICMP fields.", "properties": { "fields": { "description": "Fields is a list of ICMP fields.", "items": { "description": "ICMPField is a ICMP field.", "properties": { "family": { "default": "IPv4", "description": "Family is a IP address version.\nCurrently, we support `IPv4` and `IPv6`.\n`IPv4` is set as default.", "enum": [ "IPv4", "IPv6" ], "type": "string" }, "type": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "description": "Type is a ICMP-type.\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \"EchoReply\").\nAllowed ICMP types are:\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\n\t\t\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\n\t\t\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\n\t\t\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply", "pattern": "^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$", "x-kubernetes-int-or-string": true } }, "required": [ "type" ], "type": "object", "additionalProperties": false }, "maxItems": 40, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "toPorts": { "description": "ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is not allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can not accept incoming\nconnections on port 80/tcp.", "items": { "description": "PortDenyRule is a list of ports/protocol that should be used for deny\npolicies. This structure lacks the L7Rules since it's not supported in deny\npolicies.", "properties": { "ports": { "description": "Ports is a list of L4 port/protocol", "items": { "description": "PortProtocol specifies an L4 port with an optional transport protocol", "properties": { "endPort": { "description": "EndPort can only be an L4 port number.", "format": "int32", "maximum": 65535, "minimum": 0, "type": "integer" }, "port": { "description": "Port can be an L4 port number, or a name in the form of \"http\"\nor \"http-8080\".", "pattern": "^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$", "type": "string" }, "protocol": { "description": "Protocol is the L4 protocol. If \"ANY\", omitted or empty, any protocols\nwith transport ports (TCP, UDP, SCTP) match.\n\nAccepted values: \"TCP\", \"UDP\", \"SCTP\", \"VRRP\", \"IGMP\", \"ANY\"\n\nMatching on ICMP is not supported.\n\nNamed port specified for a container may narrow this down, but may not\ncontradict this.", "enum": [ "TCP", "UDP", "SCTP", "VRRP", "IGMP", "ANY" ], "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "labels": { "description": "Labels is a list of optional strings which can be used to\nre-identify the rule or to store metadata. It is possible to lookup\nor delete strings based on labels. Labels are not required to be\nunique, multiple rules can have overlapping or identical labels.", "items": { "description": "Label is the Cilium's representation of a container label.", "properties": { "key": { "type": "string" }, "source": { "description": "Source can be one of the above values (e.g.: LabelSourceContainer).", "type": "string" }, "value": { "type": "string" } }, "required": [ "key" ], "type": "object", "additionalProperties": false }, "type": "array" }, "log": { "description": "Log specifies custom policy-specific Hubble logging configuration.", "properties": { "value": { "description": "Value is a free-form string that is included in Hubble flows\nthat match this policy. The string is limited to 32 printable characters.", "maxLength": 32, "pattern": "^\\PC*$", "type": "string" } }, "type": "object", "additionalProperties": false }, "nodeSelector": { "description": "NodeSelector selects all nodes which should be subject to this rule.\nEndpointSelector and NodeSelector cannot be both empty and are mutually\nexclusive. Can only be used in CiliumClusterwideNetworkPolicies.", "properties": { "matchExpressions": { "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.", "items": { "description": "A label selector requirement is a selector that contains values, a key, and an operator that\nrelates the key and values.", "properties": { "key": { "description": "key is the label key that the selector applies to.", "type": "string" }, "operator": { "description": "operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist.", "enum": [ "In", "NotIn", "Exists", "DoesNotExist" ], "type": "string" }, "values": { "description": "values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch.", "items": { "type": "string" }, "type": "array", "x-kubernetes-list-type": "atomic" } }, "required": [ "key", "operator" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-type": "atomic" }, "matchLabels": { "additionalProperties": { "description": "MatchLabelsValue represents the value from the MatchLabels {key,value} pair.", "maxLength": 63, "pattern": "^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$", "type": "string" }, "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed.", "type": "object" } }, "type": "object", "x-kubernetes-map-type": "atomic", "additionalProperties": false } }, "type": "object", "additionalProperties": false }, "type": "array" }, "status": { "description": "Status is the status of the Cilium policy rule", "properties": { "conditions": { "items": { "properties": { "lastTransitionTime": { "description": "The last time the condition transitioned from one status to another.", "format": "date-time", "type": "string" }, "message": { "description": "A human readable message indicating details about the transition.", "type": "string" }, "reason": { "description": "The reason for the condition's last transition.", "type": "string" }, "status": { "description": "The status of the condition, one of True, False, or Unknown", "type": "string" }, "type": { "description": "The type of the policy condition", "type": "string" } }, "required": [ "status", "type" ], "type": "object", "additionalProperties": false }, "type": "array", "x-kubernetes-list-map-keys": [ "type" ], "x-kubernetes-list-type": "map" }, "derivativePolicies": { "additionalProperties": { "description": "CiliumNetworkPolicyNodeStatus is the status of a Cilium policy rule for a\nspecific node.", "properties": { "annotations": { "additionalProperties": { "type": "string" }, "description": "Annotations corresponds to the Annotations in the ObjectMeta of the CNP\nthat have been realized on the node for CNP. That is, if a CNP has been\nimported and has been assigned annotation X=Y by the user,\nAnnotations in CiliumNetworkPolicyNodeStatus will be X=Y once the\nCNP that was imported corresponding to Annotation X=Y has been realized on\nthe node.", "type": "object" }, "enforcing": { "description": "Enforcing is set to true once all endpoints present at the time the\npolicy has been imported are enforcing this policy.", "type": "boolean" }, "error": { "description": "Error describes any error that occurred when parsing or importing the\npolicy, or realizing the policy for the endpoints to which it applies\non the node.", "type": "string" }, "lastUpdated": { "description": "LastUpdated contains the last time this status was updated", "format": "date-time", "type": "string" }, "localPolicyRevision": { "description": "Revision is the policy revision of the repository which first implemented\nthis policy.", "format": "int64", "type": "integer" }, "ok": { "description": "OK is true when the policy has been parsed and imported successfully\ninto the in-memory policy repository on the node.", "type": "boolean" } }, "type": "object", "additionalProperties": false }, "description": "DerivativePolicies is the status of all policies derived from the Cilium\npolicy", "type": "object" } }, "type": "object", "additionalProperties": false } }, "required": [ "metadata" ], "type": "object" }