diff --git a/config/calico_versions.yml b/config/calico_versions.yml
index 239e4998e2..6879d3d53f 100644
--- a/config/calico_versions.yml
+++ b/config/calico_versions.yml
@@ -1,49 +1,49 @@
 # Components defined here are required to be kept in sync with hack/gen-versions/calico.go.tpl
-title: master
+title: v3.31.3
 components:
   libcalico-go:
-    version: master
+    version: v3.31.3
   typha:
-    version: master
+    version: v3.31.3
   node:
-    version: master
+    version: v3.31.3
   cni:
-    version: master
+    version: v3.31.3
   node-windows:
-    version: master
+    version: v3.31.3
   cni-windows:
-    version: master
+    version: v3.31.3
   kube-controllers:
-    version: master
+    version: v3.31.3
   goldmane:
-    version: master
+    version: v3.31.3
   flexvol:
-    version: master
+    version: v3.31.3
   apiserver:
-    version: master
+    version: v3.31.3
   csi:
-    version: master
+    version: v3.31.3
   csi-node-driver-registrar:
-    version: master
+    version: v3.31.3
   key-cert-provisioner:
-    version: master
+    version: v3.31.3
   whisker:
-    version: master
+    version: v3.31.3
   whisker-backend:
-    version: master
+    version: v3.31.3
   envoy-gateway:
-    version: master
+    version: v3.31.3
   envoy-proxy:
-    version: master
+    version: v3.31.3
   envoy-ratelimit:
-    version: master
+    version: v3.31.3
   guardian:
-    version: master
+    version: v3.31.3
   istio-pilot:
-    version: master
+    version: v3.31.3
   istio-install-cni:
-    version: master
+    version: v3.31.3
   istio-ztunnel:
-    version: master
+    version: v3.31.3
   istio-proxyv2:
-    version: master
+    version: v3.31.3
diff --git a/pkg/components/calico.go b/pkg/components/calico.go
index 597ebaadb3..c059a75959 100644
--- a/pkg/components/calico.go
+++ b/pkg/components/calico.go
@@ -18,10 +18,10 @@ package components
 var (
-	CalicoRelease string = "master"
+	CalicoRelease string = "v3.31.3"
 
 	ComponentCalicoCNI = Component{
-		Version:   "master",
+		Version:   "v3.31.3",
 		Image:     "cni",
 		Registry:  "",
 		imagePath: "",
@@ -29,7 +29,7 @@ var (
 	}
 
 	ComponentCalicoCNIFIPS = Component{
-		Version:   "master-fips",
+		Version:   "v3.31.3-fips",
 		Image:     "cni",
 		Registry:  "",
 		imagePath: "",
@@ -37,7 +37,7 @@ var (
 	}
 
 	ComponentCalicoCNIWindows = Component{
-		Version:   "master",
+		Version:   "v3.31.3",
 		Image:     "cni-windows",
 		Registry:  "",
 		imagePath: "",
@@ -45,7 +45,7 @@ var (
 	}
 
 	ComponentCalicoCSRInitContainer = Component{
-		Version:   "master",
+		Version:   "v3.31.3",
 		Image:     "key-cert-provisioner",
 		Registry:  "",
 		imagePath: "",
@@ -53,7 +53,7 @@ var (
 	}
 
 	ComponentCalicoKubeControllers = Component{
-		Version:   "master",
+		Version:   "v3.31.3",
 		Image:     "kube-controllers",
 		Registry:  "",
 		imagePath: "",
@@ -61,7 +61,7 @@ var (
 	}
 
 	ComponentCalicoKubeControllersFIPS = Component{
-		Version:   "master-fips",
+		Version:   "v3.31.3-fips",
 		Image:     "kube-controllers",
 		Registry:  "",
 		imagePath: "",
@@ -69,7 +69,7 @@ var (
 	}
 
 	ComponentCalicoNode = Component{
-		Version:   "master",
+		Version:   "v3.31.3",
 		Image:     "node",
 		Registry:  "",
 		imagePath: "",
@@ -77,7 +77,7 @@ var (
 	}
 
 	ComponentCalicoNodeFIPS = Component{
-		Version:   "master-fips",
+		Version:   "v3.31.3-fips",
 		Image:     "node",
 		Registry:  "",
 		imagePath: "",
@@ -85,7 +85,7 @@ var (
 	}
 
 	ComponentCalicoNodeWindows = Component{
-		Version:   "master",
+		Version:   "v3.31.3",
 		Image:     "node-windows",
 		Registry:  "",
 		imagePath: "",
@@ -93,7 +93,7 @@ var (
 	}
 
 	ComponentCalicoTypha = Component{
-		Version:   "master",
+		Version:   "v3.31.3",
 		Image:     "typha",
 		Registry:  "",
 		imagePath: "",
@@ -101,7 +101,7 @@ var (
 	}
 
 	ComponentCalicoTyphaFIPS = Component{
-		Version:   "master-fips",
+		Version:   "v3.31.3-fips",
 		Image:     "typha",
 		Registry:  "",
 		imagePath: "",
@@ -109,7 +109,7 @@ var (
 	}
 
 	ComponentCalicoFlexVolume = Component{
-		Version:   "master",
+		Version:   "v3.31.3",
 		Image:     "pod2daemon-flexvol",
 		Registry:  "",
 		imagePath: "",
@@ -117,7 +117,7 @@ var (
 	}
 
 	ComponentCalicoAPIServer = Component{
-		Version:   "master",
+		Version:   "v3.31.3",
 		Image:     "apiserver",
 		Registry:  "",
 		imagePath: "",
@@ -125,7 +125,7 @@ var (
 	}
 
 	ComponentCalicoAPIServerFIPS = Component{
-		Version:   "master-fips",
+		Version:   "v3.31.3-fips",
 		Image:     "apiserver",
 		Registry:  "",
 		imagePath: "",
@@ -133,7 +133,7 @@ var (
 	}
 
 	ComponentCalicoCSI = Component{
-		Version:   "master",
+		Version:   "v3.31.3",
 		Image:     "csi",
 		Registry:  "",
 		imagePath: "",
@@ -141,7 +141,7 @@ var (
 	}
 
 	ComponentCalicoCSIFIPS = Component{
-		Version:   "master-fips",
+		Version:   "v3.31.3-fips",
 		Image:     "csi",
 		Registry:  "",
 		imagePath: "",
@@ -149,7 +149,7 @@ var (
 	}
 
 	ComponentCalicoCSIRegistrar = Component{
-		Version:   "master",
+		Version:   "v3.31.3",
 		Image:     "node-driver-registrar",
 		Registry:  "",
 		imagePath: "",
@@ -157,7 +157,7 @@ var (
 	}
 
 	ComponentCalicoCSIRegistrarFIPS = Component{
-		Version:   "master-fips",
+		Version:   "v3.31.3-fips",
 		Image:     "node-driver-registrar",
 		Registry:  "",
 		imagePath: "",
@@ -165,7 +165,7 @@ var (
 	}
 
 	ComponentCalicoGoldmane = Component{
-		Version:   "master",
+		Version:   "v3.31.3",
 		Image:     "goldmane",
 		Registry:  "",
 		imagePath: "",
@@ -173,7 +173,7 @@ var (
 	}
 
 	ComponentCalicoWhisker = Component{
-		Version:   "master",
+		Version:   "v3.31.3",
 		Image:     "whisker",
 		Registry:  "",
 		imagePath: "",
@@ -181,7 +181,7 @@ var (
 	}
 
 	ComponentCalicoWhiskerBackend = Component{
-		Version:   "master",
+		Version:   "v3.31.3",
 		Image:     "whisker-backend",
 		Registry:  "",
 		imagePath: "",
@@ -189,7 +189,7 @@ var (
 	}
 
 	ComponentCalicoEnvoyGateway = Component{
-		Version:   "master",
+		Version:   "v3.31.3",
 		Image:     "envoy-gateway",
 		Registry:  "",
 		imagePath: "",
@@ -197,7 +197,7 @@ var (
 	}
 
 	ComponentCalicoEnvoyProxy = Component{
-		Version:   "master",
+		Version:   "v3.31.3",
 		Image:     "envoy-proxy",
 		Registry:  "",
 		imagePath: "",
@@ -205,7 +205,7 @@ var (
 	}
 
 	ComponentCalicoEnvoyRatelimit = Component{
-		Version:   "master",
+		Version:   "v3.31.3",
 		Image:     "envoy-ratelimit",
 		Registry:  "",
 		imagePath: "",
@@ -213,7 +213,7 @@ var (
 	}
 
 	ComponentCalicoGuardian = Component{
-		Version:   "master",
+		Version:   "v3.31.3",
 		Image:     "guardian",
 		Registry:  "",
 		imagePath: "",
diff --git a/pkg/controller/istio/istio_controller_test.go b/pkg/controller/istio/istio_controller_test.go index 0641efdb90..d738c5826a 100644 --- a/pkg/controller/istio/istio_controller_test.go +++ b/pkg/controller/istio/istio_controller_test.go @@ -700,7 +700,7 @@ var _ = Describe("Istio controller tests", func() { // Create ImageSet with all required Istio images imageSet := &operatorv1.ImageSet{ ObjectMeta: metav1.ObjectMeta{ - Name: "calico-master", + Name: "calico-v3.31.3", }, Spec: operatorv1.ImageSetSpec{ Images: []operatorv1.Image{ diff --git a/pkg/crds/calico/crd.projectcalico.org_bgpconfigurations.yaml b/pkg/crds/calico/crd.projectcalico.org_bgpconfigurations.yaml index b01b07be67..a4d3890d8c 100644 --- a/pkg/crds/calico/crd.projectcalico.org_bgpconfigurations.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_bgpconfigurations.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: bgpconfigurations.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -30,9 +30,6 @@ spec: format: int32 type: integer bindMode: - enum: - - None - - NodeIP type: string communities: items: @@ -43,14 +40,11 @@ spec: pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ type: string type: object - x-kubernetes-map-type: atomic type: array - x-kubernetes-list-type: set ignoredInterfaces: items: type: string type: array - x-kubernetes-list-type: set listenPort: maximum: 65535 minimum: 1 @@ -60,8 +54,6 @@ spec: localWorkloadPeeringIPV6: type: string logSeverityScreen: - default: Info - pattern: ^(?i)(Trace|Debug|Info|Warning|Error|Fatal)?$ type: string nodeMeshMaxRestartTime: type: string 
@@ -87,36 +79,27 @@ spec: items: properties: cidr: - format: cidr type: string communities: items: type: string type: array type: object - x-kubernetes-map-type: atomic type: array - x-kubernetes-list-type: set serviceClusterIPs: items: properties: cidr: - format: cidr type: string type: object - x-kubernetes-map-type: atomic type: array - x-kubernetes-list-type: set serviceExternalIPs: items: properties: cidr: - format: cidr type: string type: object - x-kubernetes-map-type: atomic type: array - x-kubernetes-list-type: set serviceLoadBalancerAggregation: default: Enabled enum: @@ -127,12 +110,9 @@ spec: items: properties: cidr: - format: cidr type: string type: object - x-kubernetes-map-type: atomic type: array - x-kubernetes-list-type: set type: object type: object served: true diff --git a/pkg/crds/calico/crd.projectcalico.org_bgpfilters.yaml b/pkg/crds/calico/crd.projectcalico.org_bgpfilters.yaml index 3eb7eb8796..17d5fe3c1a 100644 --- a/pkg/crds/calico/crd.projectcalico.org_bgpfilters.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_bgpfilters.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: bgpfilters.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -30,21 +30,12 @@ spec: items: properties: action: - enum: - - Accept - - Reject type: string cidr: - format: cidr type: string interface: type: string matchOperator: - enum: - - Equal - - NotEqual - - In - - NotIn type: string prefixLength: properties: 
@@ -59,35 +50,22 @@ spec: minimum: 0 type: integer type: object - x-kubernetes-map-type: atomic source: - enum: - - RemotePeers type: string required: - action type: object - x-kubernetes-map-type: atomic type: array exportV6: items: properties: action: - enum: - - Accept - - Reject type: string cidr: - format: cidr type: string interface: type: string matchOperator: - enum: - - Equal - - NotEqual - - In - - NotIn type: string prefixLength: properties: @@ -102,35 +80,22 @@ spec: minimum: 0 type: integer type: object - x-kubernetes-map-type: atomic source: - enum: - - RemotePeers type: string required: - action type: object - x-kubernetes-map-type: atomic type: array importV4: items: properties: action: - enum: - - Accept - - Reject type: string cidr: - format: cidr type: string interface: type: string matchOperator: - enum: - - Equal - - NotEqual - - In - - NotIn type: string prefixLength: properties: @@ -145,35 +110,22 @@ spec: minimum: 0 type: integer type: object - x-kubernetes-map-type: atomic source: - enum: - - RemotePeers type: string required: - action type: object - x-kubernetes-map-type: atomic type: array importV6: items: properties: action: - enum: - - Accept - - Reject type: string cidr: - format: cidr type: string interface: type: string matchOperator: - enum: - - Equal - - NotEqual - - In - - NotIn type: string prefixLength: properties: @@ -188,15 +140,11 @@ spec: minimum: 0 type: integer type: object - x-kubernetes-map-type: atomic source: - enum: - - RemotePeers type: string required: - action type: object - x-kubernetes-map-type: atomic type: array type: object type: object diff --git a/pkg/crds/calico/crd.projectcalico.org_bgppeers.yaml b/pkg/crds/calico/crd.projectcalico.org_bgppeers.yaml index ce6220f994..87969c7ad5 100644 --- a/pkg/crds/calico/crd.projectcalico.org_bgppeers.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_bgppeers.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: bgppeers.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -35,8 +35,6 @@ spec: type: array keepOriginalNextHop: type: boolean - keepaliveTime: - type: string localASNumber: format: int32 type: integer @@ -45,10 +43,15 @@ spec: maxRestartTime: type: string nextHopMode: - enum: - - Auto - - Self - - Keep + allOf: + - enum: + - Auto + - Self + - Keep + - enum: + - Auto + - Self + - Keep type: string node: type: string @@ -80,18 +83,11 @@ spec: reachableBy: type: string reversePeering: - allOf: - - enum: - - Auto - - Manual - - enum: - - Auto - - Manual + enum: + - Auto + - Manual type: string sourceAddress: - enum: - - UseNodeIP - - None type: string ttlSecurity: type: integer diff --git a/pkg/crds/calico/crd.projectcalico.org_blockaffinities.yaml b/pkg/crds/calico/crd.projectcalico.org_blockaffinities.yaml index c18b570977..635f6b6d69 100644 --- a/pkg/crds/calico/crd.projectcalico.org_blockaffinities.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_blockaffinities.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: blockaffinities.crd.projectcalico.org spec: group: crd.projectcalico.org diff --git a/pkg/crds/calico/crd.projectcalico.org_caliconodestatuses.yaml b/pkg/crds/calico/crd.projectcalico.org_caliconodestatuses.yaml index c9e04ba6e3..55ef1ef509 100644 --- a/pkg/crds/calico/crd.projectcalico.org_caliconodestatuses.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_caliconodestatuses.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: caliconodestatuses.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -28,10 +28,6 @@ spec: properties: classes: items: - enum: - - Agent - - BGP - - Routes type: string type: array node: @@ -53,9 +49,6 @@ spec: routerID: type: string state: - enum: - - Ready - - NotReady type: string version: type: string @@ -69,9 +62,6 @@ spec: routerID: type: string state: - enum: - - Ready - - NotReady type: string version: type: string @@ -95,20 +85,8 @@ spec: since: type: string state: - enum: - - Idle - - Connect - - Active - - OpenSent - - OpenConfirm - - Established - - Close type: string type: - enum: - - NodeMesh - - NodePeer - - GlobalPeer type: string type: object type: array @@ -120,20 +98,8 @@ spec: since: type: string state: - enum: - - Idle - - Connect - - Active - - OpenSent - - OpenConfirm - - Established - - Close type: string type: - enum: - - NodeMesh - - NodePeer - - GlobalPeer type: string type: object type: array @@ -163,18 +129,9 @@ spec: peerIP: type: string sourceType: - enum: - - Kernel - - Static - - Direct - - NodeMesh - - BGPPeer type: string type: object type: - enum: - - FIB - - RIB type: string type: object type: array @@ -192,18 +149,9 @@ spec: peerIP: type: string sourceType: - enum: - - Kernel - - Static - - Direct - - NodeMesh - - BGPPeer type: string type: object type: - enum: - - FIB - - RIB type: string type: object type: array diff --git a/pkg/crds/calico/crd.projectcalico.org_clusterinformations.yaml b/pkg/crds/calico/crd.projectcalico.org_clusterinformations.yaml index 9f802f1320..4a028495d2 100644 --- a/pkg/crds/calico/crd.projectcalico.org_clusterinformations.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_clusterinformations.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: clusterinformations.crd.projectcalico.org spec: group: crd.projectcalico.org diff --git a/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml b/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml index f6efec65c5..0807b9e42a 100644 --- a/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_felixconfigurations.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: felixconfigurations.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -297,6 +297,12 @@ spec: if it detects the current value is 2 (strict mode that hurts performance). When set to "Strict", Felix will not modify the JIT hardening setting. [Default: Auto] type: string + bpfKubeProxyEndpointSlicesEnabled: + description: |- + BPFKubeProxyEndpointSlicesEnabled is deprecated and has no effect. BPF + kube-proxy always accepts endpoint slices. This option will be removed in + the next release. + type: boolean bpfKubeProxyHealthzPort: description: |- BPFKubeProxyHealthzPort, in BPF mode, controls the port that Felix's embedded kube-proxy health check server binds to. 
@@ -340,23 +346,6 @@ spec: [Default: Off]. pattern: ^(?i)(Off|Info|Debug)?$ type: string - bpfMaglevMaxEndpointsPerService: - description: |- - BPFMaglevMaxEndpointsPerService is the maximum number of endpoints - expected to be part of a single Maglev-enabled service. - - Influences the size of the per-service Maglev lookup-tables generated by Felix - and thus the amount of memory reserved. - - [Default: 100] - type: integer - bpfMaglevMaxServices: - description: |- - BPFMaglevMaxServices is the maximum number of expected Maglev-enabled - services that Felix will allocate lookup-tables for. - - [Default: 100] - type: integer bpfMapSizeConntrack: description: |- BPFMapSizeConntrack sets the size for the conntrack map. This map must be large enough to hold 
@@ -445,14 +434,17 @@ spec: type: string bpfRedirectToPeer: description: |- - BPFRedirectToPeer controls whether traffic may be forwarded directly to the peer side of a workload’s device. - Note that the legacy "L2Only" option is now deprecated and if set it is treated like "Enabled. - Setting this option to "Enabled" allows direct redirection (including from L3 host devices such as IPIP tunnels or WireGuard), - which can improve redirection performance but causes the redirected packets to bypass the host‑side ingress path. - As a result, packet‑capture tools on the host side of the workload device (for example, tcpdump) will not see that traffic. [Default: Enabled] + BPFRedirectToPeer controls which whether it is allowed to forward straight to the + peer side of the workload devices. It is allowed for any host L2 devices by default + (L2Only), but it breaks TCP dump on the host side of workload device as it bypasses + it on ingress. Value of Enabled also allows redirection from L3 host devices like + IPIP tunnel or Wireguard directly to the peer side of the workload's device. This + makes redirection faster, however, it breaks tools like tcpdump on the peer side. + Use Enabled with caution. [Default: L2Only] enum: - Enabled - Disabled + - L2Only type: string cgroupV2Path: description: @@ -803,10 +795,6 @@ spec: Warning: changing this on a running system can leave "orphaned" rules in the "other" backend. These should be cleaned up to avoid confusing interactions. - enum: - - Legacy - - NFT - - Auto pattern: ^(?i)(Auto|Legacy|NFT)?$ type: string iptablesFilterAllowAction: 
@@ -822,10 +810,26 @@ spec: with an iptables "DROP" action. If you want to use "REJECT" action instead you can configure it in here. pattern: ^(?i)(Drop|Reject)?$ type: string + iptablesLockFilePath: + description: |- + IptablesLockFilePath is the location of the iptables lock file. You may need to change this + if the lock file is not in its standard location (for example if you have mapped it into Felix's + container at a different path). [Default: /run/xtables.lock] + type: string iptablesLockProbeInterval: description: |- - IptablesLockProbeInterval configures the interval between attempts to claim - the xtables lock. Shorter intervals are more responsive but use more CPU. [Default: 50ms] + IptablesLockProbeInterval when IptablesLockTimeout is enabled: the time that Felix will wait between + attempts to acquire the iptables lock if it is not available. Lower values make Felix more + responsive when the lock is contended, but use more CPU. [Default: 50ms] + pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ + type: string + iptablesLockTimeout: + description: |- + IptablesLockTimeout is the time that Felix itself will wait for the iptables lock (rather than delegating the + lock handling to the `iptables` command). + + Deprecated: `iptables-restore` v1.8+ always takes the lock, so enabling this feature results in deadlock. + [Default: 0s disabled] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string iptablesMangleAllowAction: 
@@ -885,19 +889,6 @@ spec: pattern: ^.* x-kubernetes-int-or-string: true type: array - logActionRateLimit: - description: |- - LogActionRateLimit sets the rate of hitting a Log action. The value must be in the format "N/unit", - where N is a number and unit is one of: second, minute, hour, or day. For example: "10/second" or "100/hour". - pattern: ^[1-9]\d{0,3}/(?:second|minute|hour|day)$ - type: string - logActionRateLimitBurst: - description: - LogActionRateLimitBurst sets the rate limit burst of - hitting a Log action when LogActionRateLimit is enabled. - maximum: 9999 - minimum: 0 - type: integer logDebugFilenameRegex: description: |- LogDebugFilenameRegex controls which source code files have their Debug log output included in the logs. @@ -910,17 +901,9 @@ spec: none to disable file logging. [Default: /var/log/calico/felix.log]" type: string logPrefix: - description: |- - LogPrefix is the log prefix that Felix uses when rendering LOG rules. It is possible to use the following specifiers - to include extra information in the log prefix. - - %t: Tier name. - - %k: Kind (short names). - - %n: Policy or profile name. - - %p: Policy or profile name (namespace/name for namespaced kinds or just name for non namespaced kinds). - Calico includes ": " characters at the end of the generated log prefix. - Note that iptables shows up to 29 characters for the log prefix and nftables up to 127 characters. Extra characters are truncated. - [Default: calico-packet] - pattern: "^([a-zA-Z0-9%: /_-])*$" + description: + "LogPrefix is the log prefix that Felix uses when rendering + LOG rules. [Default: calico-packet]" type: string logSeverityFile: description: @@ -1024,10 +1007,9 @@ spec: format: int32 type: integer nftablesMode: - default: Auto description: "NFTablesMode configures nftables support in Felix. [Default: - Auto]" + Disabled]" enum: - Disabled - Enabled 
@@ -1063,21 +1045,6 @@ spec: PrometheusGoMetricsEnabled disables Go runtime metrics collection, which the Prometheus client does by default, when set to false. This reduces the number of metrics reported, reducing Prometheus load. [Default: true] type: boolean - prometheusMetricsCAFile: - description: |- - PrometheusMetricsCAFile defines the absolute path to the TLS CA certificate file used for securing the /metrics endpoint. - This certificate must be valid and accessible by the calico-node process. - type: string - prometheusMetricsCertFile: - description: |- - PrometheusMetricsCertFile defines the absolute path to the TLS certificate file used for securing the /metrics endpoint. - This certificate must be valid and accessible by the calico-node process. - type: string - prometheusMetricsClientAuth: - description: |- - PrometheusMetricsClientAuth specifies the client authentication type for the /metrics endpoint. - This determines how the server validates client certificates. Default is "RequireAndVerifyClientCert". - type: string prometheusMetricsEnabled: description: "PrometheusMetricsEnabled enables the Prometheus metrics @@ -1088,11 +1055,6 @@ spec: "PrometheusMetricsHost is the host that the Prometheus metrics server should bind to. [Default: empty]" type: string - prometheusMetricsKeyFile: - description: |- - PrometheusMetricsKeyFile defines the absolute path to the private key file corresponding to the TLS certificate - used for securing the /metrics endpoint. The private key must be valid and accessible by the calico-node process. - type: string prometheusMetricsPort: description: "PrometheusMetricsPort is the TCP port that the Prometheus diff --git a/pkg/crds/calico/crd.projectcalico.org_globalnetworkpolicies.yaml b/pkg/crds/calico/crd.projectcalico.org_globalnetworkpolicies.yaml index 5b6335d920..c84f2b4ac6 100644 --- a/pkg/crds/calico/crd.projectcalico.org_globalnetworkpolicies.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_globalnetworkpolicies.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: globalnetworkpolicies.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -34,11 +34,6 @@ spec: items: properties: action: - enum: - - Allow - - Deny - - Log - - Pass type: string destination: properties: @@ -48,7 +43,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set notNets: items: type: string @@ -79,7 +73,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set selector: type: string type: object @@ -110,18 +103,11 @@ spec: icmp: properties: code: - maximum: 255 - minimum: 0 type: integer type: - maximum: 255 - minimum: 0 type: integer type: object ipVersion: - enum: - - 4 - - 6 type: integer metadata: properties: @@ -133,12 +119,8 @@ spec: notICMP: properties: code: - maximum: 255 - minimum: 0 type: integer type: - maximum: 255 - minimum: 0 type: integer type: object notProtocol: @@ -161,7 +143,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set notNets: items: type: string @@ -192,7 +173,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set selector: type: string type: object @@ -212,11 +192,6 @@ spec: items: properties: action: - enum: - - Allow - - Deny - - Log - - Pass type: string destination: properties: @@ -226,7 +201,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set notNets: items: type: string @@ -257,7 +231,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set selector: type: string type: object @@ -288,18 +261,11 @@ spec: icmp: properties: code: - maximum: 255 - minimum: 0 type: integer type: - maximum: 255 - minimum: 0 type: integer type: object ipVersion: - enum: - - 4 - - 6 type: integer metadata: properties: 
@@ -311,12 +277,8 @@ spec: notICMP: properties: code: - maximum: 255 - minimum: 0 type: integer type: - maximum: 255 - minimum: 0 type: integer type: object notProtocol: @@ -339,7 +301,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set notNets: items: type: string @@ -370,7 +331,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set selector: type: string type: object @@ -392,8 +352,6 @@ spec: type: number performanceHints: items: - enum: - - AssumeNeededOnEveryNode type: string type: array preDNAT: @@ -403,18 +361,11 @@ spec: serviceAccountSelector: type: string tier: - default: default type: string types: items: - enum: - - Ingress - - Egress type: string - maxItems: 2 - minItems: 1 type: array - x-kubernetes-list-type: set type: object type: object served: true diff --git a/pkg/crds/calico/crd.projectcalico.org_globalnetworksets.yaml b/pkg/crds/calico/crd.projectcalico.org_globalnetworksets.yaml index 615c08528b..c44ce162a1 100644 --- a/pkg/crds/calico/crd.projectcalico.org_globalnetworksets.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_globalnetworksets.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: globalnetworksets.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -30,7 +30,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set type: object type: object served: true diff --git a/pkg/crds/calico/crd.projectcalico.org_hostendpoints.yaml b/pkg/crds/calico/crd.projectcalico.org_hostendpoints.yaml index bd72742527..e2bd246fc6 100644 --- a/pkg/crds/calico/crd.projectcalico.org_hostendpoints.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_hostendpoints.yaml 
@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: hostendpoints.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -30,7 +30,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set interfaceName: type: string node: @@ -41,8 +40,6 @@ spec: name: type: string port: - maximum: 65535 - minimum: 0 type: integer protocol: anyOf: @@ -60,7 +57,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set type: object type: object served: true diff --git a/pkg/crds/calico/crd.projectcalico.org_ipamblocks.yaml b/pkg/crds/calico/crd.projectcalico.org_ipamblocks.yaml index 051bc67cfc..3c3a54b4a3 100644 --- a/pkg/crds/calico/crd.projectcalico.org_ipamblocks.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_ipamblocks.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: ipamblocks.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -28,9 +28,6 @@ spec: properties: affinity: type: string - affinityClaimTime: - format: date-time - type: string allocations: items: type: integer diff --git a/pkg/crds/calico/crd.projectcalico.org_ipamconfigs.yaml b/pkg/crds/calico/crd.projectcalico.org_ipamconfigs.yaml index b7e9260b9c..beabfe805a 100644 --- a/pkg/crds/calico/crd.projectcalico.org_ipamconfigs.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_ipamconfigs.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: ipamconfigs.crd.projectcalico.org spec: group: crd.projectcalico.org 
diff --git a/pkg/crds/calico/crd.projectcalico.org_ipamhandles.yaml b/pkg/crds/calico/crd.projectcalico.org_ipamhandles.yaml index d2305fe418..a1b7853a86 100644 --- a/pkg/crds/calico/crd.projectcalico.org_ipamhandles.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_ipamhandles.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: ipamhandles.crd.projectcalico.org spec: group: crd.projectcalico.org diff --git a/pkg/crds/calico/crd.projectcalico.org_ippools.yaml b/pkg/crds/calico/crd.projectcalico.org_ippools.yaml index afe3963be8..afa06e7a79 100644 --- a/pkg/crds/calico/crd.projectcalico.org_ippools.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_ippools.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: ippools.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -28,47 +28,39 @@ spec: properties: allowedUses: items: - enum: - - Workload - - Tunnel - - LoadBalancer type: string type: array - x-kubernetes-list-type: set assignmentMode: - default: Automatic enum: - Automatic - Manual type: string blockSize: - maximum: 128 - minimum: 0 type: integer cidr: - format: cidr type: string disableBGPExport: type: boolean disabled: type: boolean + ipip: + properties: + enabled: + type: boolean + mode: + type: string + type: object ipipMode: - enum: - - Never - - Always - - CrossSubnet type: string namespaceSelector: type: string + nat-outgoing: + type: boolean natOutgoing: type: boolean nodeSelector: type: string vxlanMode: - enum: - - Never - - Always - - CrossSubnet type: string required: - cidr 
diff --git a/pkg/crds/calico/crd.projectcalico.org_ipreservations.yaml b/pkg/crds/calico/crd.projectcalico.org_ipreservations.yaml index 251ba2b7be..213a92be5b 100644 --- a/pkg/crds/calico/crd.projectcalico.org_ipreservations.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_ipreservations.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: ipreservations.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -27,11 +27,9 @@ spec: spec: properties: reservedCIDRs: - format: cidr items: type: string type: array - x-kubernetes-list-type: set type: object type: object served: true diff --git a/pkg/crds/calico/crd.projectcalico.org_kubecontrollersconfigurations.yaml b/pkg/crds/calico/crd.projectcalico.org_kubecontrollersconfigurations.yaml index 17bb1b4133..fe014ddd3c 100644 --- a/pkg/crds/calico/crd.projectcalico.org_kubecontrollersconfigurations.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_kubecontrollersconfigurations.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: kubecontrollersconfigurations.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -32,9 +32,6 @@ spec: properties: assignIPs: default: AllServices - enum: - - AllServices - - RequestedServicesOnly type: string type: object namespace: @@ -47,9 +44,6 @@ spec: hostEndpoint: properties: autoCreate: - enum: - - Enabled - - Disabled type: string createDefaultHostEndpoint: type: string @@ -63,7 +57,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set interfacePattern: type: string labels: @@ -80,9 +73,6 @@ spec: reconcilerPeriod: type: string syncLabels: - enum: - - Enabled - - Disabled type: string type: object policy: 
@@ -90,15 +80,6 @@ spec: reconcilerPeriod: type: string type: object - policyMigration: - properties: - enabled: - default: Enabled - enum: - - Disabled - - Enabled - type: string - type: object serviceAccount: properties: reconcilerPeriod: @@ -112,30 +93,14 @@ spec: type: object debugProfilePort: format: int32 - maximum: 65535 - minimum: 0 type: integer etcdV3CompactionPeriod: type: string healthChecks: - default: Enabled - enum: - - Enabled - - Disabled type: string logSeverityScreen: - enum: - - None - - Debug - - Info - - Warning - - Error - - Fatal - - Panic type: string prometheusMetricsPort: - maximum: 65535 - minimum: 0 type: integer required: - controllers @@ -154,9 +119,6 @@ spec: properties: assignIPs: default: AllServices - enum: - - AllServices - - RequestedServicesOnly type: string type: object namespace: @@ -169,9 +131,6 @@ spec: hostEndpoint: properties: autoCreate: - enum: - - Enabled - - Disabled type: string createDefaultHostEndpoint: type: string @@ -185,7 +144,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set interfacePattern: type: string labels: @@ -202,9 +160,6 @@ spec: reconcilerPeriod: type: string syncLabels: - enum: - - Enabled - - Disabled type: string type: object policy: @@ -212,15 +167,6 @@ spec: reconcilerPeriod: type: string type: object - policyMigration: - properties: - enabled: - default: Enabled - enum: - - Disabled - - Enabled - type: string - type: object serviceAccount: properties: reconcilerPeriod: @@ -234,30 +180,14 @@ spec: type: object debugProfilePort: format: int32 - maximum: 65535 - minimum: 0 type: integer etcdV3CompactionPeriod: type: string healthChecks: - default: Enabled - enum: - - Enabled - - Disabled type: string logSeverityScreen: - enum: - - None - - Debug - - Info - - Warning - - Error - - Fatal - - Panic type: string prometheusMetricsPort: - maximum: 65535 - minimum: 0 type: integer required: - controllers 
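Review bot: `healthChecks` loses its `default: Enabled` together with its enum in the `@@ -112,30 +93,14` hunk (and again in the second copy at `@@ -234,30 +180,14`), so an object that omits the field is now stored with no value instead of `Enabled`; whether kube-controllers for v3.31.3 treats an empty string as enabled or as disabled should be confirmed, because a silent switch to disabled would make its health endpoint vacuous. `debugProfilePort` and `prometheusMetricsPort` also drop their 0–65535 bounds, so out-of-range values reach the controller unchecked. Removing the `policyMigration` object means any existing object carrying that field will have it pruned on the next write, which is acceptable only if no v3.31.x build ever persisted it — worth a line in the commit message.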
diff --git a/pkg/crds/calico/crd.projectcalico.org_networkpolicies.yaml b/pkg/crds/calico/crd.projectcalico.org_networkpolicies.yaml index 3b13ce4183..31ebbac74d 100644 --- a/pkg/crds/calico/crd.projectcalico.org_networkpolicies.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_networkpolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: networkpolicies.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -30,11 +30,6 @@ spec: items: properties: action: - enum: - - Allow - - Deny - - Log - - Pass type: string destination: properties: @@ -44,7 +39,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set notNets: items: type: string @@ -75,7 +69,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set selector: type: string type: object @@ -106,18 +99,11 @@ spec: icmp: properties: code: - maximum: 255 - minimum: 0 type: integer type: - maximum: 255 - minimum: 0 type: integer type: object ipVersion: - enum: - - 4 - - 6 type: integer metadata: properties: @@ -129,12 +115,8 @@ spec: notICMP: properties: code: - maximum: 255 - minimum: 0 type: integer type: - maximum: 255 - minimum: 0 type: integer type: object notProtocol: @@ -157,7 +139,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set notNets: items: type: string @@ -188,7 +169,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set selector: type: string type: object @@ -208,11 +188,6 @@ spec: items: properties: action: - enum: - - Allow - - Deny - - Log - - Pass type: string destination: properties: @@ -222,7 +197,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set notNets: items: type: string @@ -253,7 +227,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set selector: type: string type: object 
@@ -284,18 +257,11 @@ spec: icmp: properties: code: - maximum: 255 - minimum: 0 type: integer type: - maximum: 255 - minimum: 0 type: integer type: object ipVersion: - enum: - - 4 - - 6 type: integer metadata: properties: @@ -307,12 +273,8 @@ spec: notICMP: properties: code: - maximum: 255 - minimum: 0 type: integer type: - maximum: 255 - minimum: 0 type: integer type: object notProtocol: @@ -335,7 +297,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set notNets: items: type: string @@ -366,7 +327,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set selector: type: string type: object @@ -386,8 +346,6 @@ spec: type: number performanceHints: items: - enum: - - AssumeNeededOnEveryNode type: string type: array selector: @@ -395,18 +353,11 @@ spec: serviceAccountSelector: type: string tier: - default: default type: string types: items: - enum: - - Ingress - - Egress type: string - maxItems: 2 - minItems: 1 type: array - x-kubernetes-list-type: set type: object type: object served: true diff --git a/pkg/crds/calico/crd.projectcalico.org_networksets.yaml b/pkg/crds/calico/crd.projectcalico.org_networksets.yaml index 7e43fbd8f0..60553b9d42 100644 --- a/pkg/crds/calico/crd.projectcalico.org_networksets.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_networksets.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: networksets.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -30,7 +30,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set type: object type: object served: true diff --git a/pkg/crds/calico/crd.projectcalico.org_stagedglobalnetworkpolicies.yaml b/pkg/crds/calico/crd.projectcalico.org_stagedglobalnetworkpolicies.yaml index 8230107393..fc9e5a2503 100644 --- a/pkg/crds/calico/crd.projectcalico.org_stagedglobalnetworkpolicies.yaml 
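Review bot: `tier` loses `default: default` in the `@@ -395,18 +353,11` hunk, so a NetworkPolicy created without `spec.tier` is no longer defaulted by the API server; presumably the v3.31.3 apiserver or libcalico-go performs that defaulting, but it is worth verifying that a policy with an empty tier still lands in `default` rather than being treated as belonging to no tier. In the same hunk `types` drops its Ingress/Egress enum and the 1–2 item bounds, and at `@@ -30,11 +30,6` and `@@ -208,11 +188,6` `action` drops its Allow/Deny/Log/Pass enum, so a typo such as `Alow` is now stored and its effect depends on how the datastore parser handles an unknown action instead of being rejected at admission. The staged policy CRDs below repeat the same set of removals.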
+++ b/pkg/crds/calico/crd.projectcalico.org_stagedglobalnetworkpolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: stagedglobalnetworkpolicies.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -34,11 +34,6 @@ spec: items: properties: action: - enum: - - Allow - - Deny - - Log - - Pass type: string destination: properties: @@ -48,7 +43,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set notNets: items: type: string @@ -79,7 +73,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set selector: type: string type: object @@ -110,18 +103,11 @@ spec: icmp: properties: code: - maximum: 255 - minimum: 0 type: integer type: - maximum: 255 - minimum: 0 type: integer type: object ipVersion: - enum: - - 4 - - 6 type: integer metadata: properties: @@ -133,12 +119,8 @@ spec: notICMP: properties: code: - maximum: 255 - minimum: 0 type: integer type: - maximum: 255 - minimum: 0 type: integer type: object notProtocol: @@ -161,7 +143,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set notNets: items: type: string @@ -192,7 +173,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set selector: type: string type: object @@ -212,11 +192,6 @@ spec: items: properties: action: - enum: - - Allow - - Deny - - Log - - Pass type: string destination: properties: @@ -226,7 +201,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set notNets: items: type: string @@ -257,7 +231,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set selector: type: string type: object @@ -288,18 +261,11 @@ spec: icmp: properties: code: - maximum: 255 - minimum: 0 type: integer type: - maximum: 255 - minimum: 0 type: integer type: object ipVersion: - enum: - - 4 - - 6 type: integer metadata: properties: 
@@ -311,12 +277,8 @@ spec: notICMP: properties: code: - maximum: 255 - minimum: 0 type: integer type: - maximum: 255 - minimum: 0 type: integer type: object notProtocol: @@ -339,7 +301,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set notNets: items: type: string @@ -370,7 +331,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set selector: type: string type: object @@ -392,8 +352,6 @@ spec: type: number performanceHints: items: - enum: - - AssumeNeededOnEveryNode type: string type: array preDNAT: @@ -403,25 +361,13 @@ spec: serviceAccountSelector: type: string stagedAction: - enum: - - Set - - Delete - - Learn - - Ignore type: string tier: - default: default type: string types: items: - enum: - - Ingress - - Egress type: string - maxItems: 2 - minItems: 1 type: array - x-kubernetes-list-type: set type: object type: object served: true diff --git a/pkg/crds/calico/crd.projectcalico.org_stagedkubernetesnetworkpolicies.yaml b/pkg/crds/calico/crd.projectcalico.org_stagedkubernetesnetworkpolicies.yaml index 242e6cd2cb..d76c0b2c98 100644 --- a/pkg/crds/calico/crd.projectcalico.org_stagedkubernetesnetworkpolicies.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_stagedkubernetesnetworkpolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: stagedkubernetesnetworkpolicies.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -237,16 +237,8 @@ spec: policyTypes: items: type: string - maxItems: 2 - minItems: 1 type: array - x-kubernetes-list-type: set stagedAction: - enum: - - Set - - Delete - - Learn - - Ignore type: string type: object type: object diff --git a/pkg/crds/calico/crd.projectcalico.org_stagednetworkpolicies.yaml b/pkg/crds/calico/crd.projectcalico.org_stagednetworkpolicies.yaml index 99c60f94f6..5ea0b6dff7 100644 
--- a/pkg/crds/calico/crd.projectcalico.org_stagednetworkpolicies.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_stagednetworkpolicies.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: stagednetworkpolicies.crd.projectcalico.org spec: group: crd.projectcalico.org @@ -30,11 +30,6 @@ spec: items: properties: action: - enum: - - Allow - - Deny - - Log - - Pass type: string destination: properties: @@ -44,7 +39,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set notNets: items: type: string @@ -75,7 +69,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set selector: type: string type: object @@ -106,18 +99,11 @@ spec: icmp: properties: code: - maximum: 255 - minimum: 0 type: integer type: - maximum: 255 - minimum: 0 type: integer type: object ipVersion: - enum: - - 4 - - 6 type: integer metadata: properties: @@ -129,12 +115,8 @@ spec: notICMP: properties: code: - maximum: 255 - minimum: 0 type: integer type: - maximum: 255 - minimum: 0 type: integer type: object notProtocol: @@ -157,7 +139,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set notNets: items: type: string @@ -188,7 +169,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set selector: type: string type: object @@ -208,11 +188,6 @@ spec: items: properties: action: - enum: - - Allow - - Deny - - Log - - Pass type: string destination: properties: @@ -222,7 +197,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set notNets: items: type: string @@ -253,7 +227,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set selector: type: string type: object 
@@ -284,18 +257,11 @@ spec: icmp: properties: code: - maximum: 255 - minimum: 0 type: integer type: - maximum: 255 - minimum: 0 type: integer type: object ipVersion: - enum: - - 4 - - 6 type: integer metadata: properties: @@ -307,12 +273,8 @@ spec: notICMP: properties: code: - maximum: 255 - minimum: 0 type: integer type: - maximum: 255 - minimum: 0 type: integer type: object notProtocol: @@ -335,7 +297,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set notNets: items: type: string @@ -366,7 +327,6 @@ spec: items: type: string type: array - x-kubernetes-list-type: set selector: type: string type: object @@ -386,8 +346,6 @@ spec: type: number performanceHints: items: - enum: - - AssumeNeededOnEveryNode type: string type: array selector: @@ -395,25 +353,13 @@ spec: serviceAccountSelector: type: string stagedAction: - enum: - - Set - - Delete - - Learn - - Ignore type: string tier: - default: default type: string types: items: - enum: - - Ingress - - Egress type: string - maxItems: 2 - minItems: 1 type: array - x-kubernetes-list-type: set type: object type: object served: true diff --git a/pkg/crds/calico/crd.projectcalico.org_tiers.yaml b/pkg/crds/calico/crd.projectcalico.org_tiers.yaml index e74d9238a3..dfd5324798 100644 --- a/pkg/crds/calico/crd.projectcalico.org_tiers.yaml +++ b/pkg/crds/calico/crd.projectcalico.org_tiers.yaml @@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - controller-gen.kubebuilder.io/version: v0.18.0 + controller-gen.kubebuilder.io/version: v0.17.3 name: tiers.crd.projectcalico.org spec: group: crd.projectcalico.org 
@@ -27,35 +27,13 @@ spec: spec: properties: defaultAction: - allOf: - - enum: - - Allow - - Deny - - Log - - Pass - - enum: - - Pass - - Deny + enum: + - Pass + - Deny type: string order: type: number type: object - required: - - metadata - - spec type: object - x-kubernetes-validations: - - message: The 'kube-admin' tier must have default action 'Pass' - rule: - "self.metadata.name == 'kube-admin' ? self.spec.defaultAction == - 'Pass' : true" - - message: The 'kube-baseline' tier must have default action 'Pass' - rule: - "self.metadata.name == 'kube-baseline' ? self.spec.defaultAction - == 'Pass' : true" - - message: The 'default' tier must have default action 'Deny' - rule: - "self.metadata.name == 'default' ? self.spec.defaultAction == 'Deny' - : true" served: true storage: true
diff --git a/pkg/crds/calico/policy.networking.k8s.io_clusternetworkpolicies.yaml b/pkg/crds/calico/policy.networking.k8s.io_adminnetworkpolicies.yaml
similarity index 58%
rename from pkg/crds/calico/policy.networking.k8s.io_clusternetworkpolicies.yaml
rename to pkg/crds/calico/policy.networking.k8s.io_adminnetworkpolicies.yaml
index cced723679..3fd0b0f5a9 100644
--- a/pkg/crds/calico/policy.networking.k8s.io_clusternetworkpolicies.yaml
+++ b/pkg/crds/calico/policy.networking.k8s.io_adminnetworkpolicies.yaml
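Review bot: The tiers CRD loses the three `x-kubernetes-validations` rules that pin `kube-admin` and `kube-baseline` to `defaultAction: Pass` and `default` to `defaultAction: Deny`, together with `required: [metadata, spec]`, so after this hunk a Tier named `default` can be stored with `defaultAction: Pass` — which, as I read Calico's tier semantics, relaxes the end-of-tier deny for traffic that a policy in that tier selects but no rule matches. If the v3.31.3 apiserver enforces the same invariant in its own admission path this is fine, but that should be confirmed rather than assumed, since the CRD was the only enforcement point visible in this repository; a comment on `defaultAction` stating where the per-tier invariant is enforced would close the gap. The new `enum: [Pass, Deny]` is the intersection of the old `allOf` pair and so is equivalent in effect.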
@@ -2,35 +2,35 @@ apiVersion: apiextensions.k8s.io/v1 kind: CustomResourceDefinition metadata: annotations: - api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/300 - policy.networking.k8s.io/bundle-version: v0.1.7 - policy.networking.k8s.io/channel: standard - name: clusternetworkpolicies.policy.networking.k8s.io + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/30 + policy.networking.k8s.io/bundle-version: v0.1.1 + policy.networking.k8s.io/channel: experimental + creationTimestamp: null + name: adminnetworkpolicies.policy.networking.k8s.io spec: group: policy.networking.k8s.io names: - kind: ClusterNetworkPolicy - listKind: ClusterNetworkPolicyList - plural: clusternetworkpolicies + kind: AdminNetworkPolicy + listKind: AdminNetworkPolicyList + plural: adminnetworkpolicies shortNames: - - cnp - singular: clusternetworkpolicy + - anp + singular: adminnetworkpolicy scope: Cluster versions: - additionalPrinterColumns: - - jsonPath: .spec.tier - name: Tier - type: string - jsonPath: .spec.priority name: Priority type: string - jsonPath: .metadata.creationTimestamp name: Age type: date - name: v1alpha2 + name: v1alpha1 schema: openAPIV3Schema: - description: ClusterNetworkPolicy is a cluster-wide network policy resource. + description: |- + AdminNetworkPolicy is a cluster level resource that is part of the + AdminNetworkPolicy API. properties: apiVersion: description: |- 
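Review bot: This section swaps the ClusterNetworkPolicy CRD (v1alpha2, standard channel, bundle v0.1.7) for AdminNetworkPolicy (v1alpha1, experimental channel, bundle v0.1.1), but nothing in the diff removes an already-installed `clusternetworkpolicies.policy.networking.k8s.io` CRD, so a cluster upgraded from a build that carried the newer file would presumably keep both CRDs with only one of them reconciled. If the operator applies this directory verbatim, either the stale CRD's removal or an explicit note that no v3.31.x build ever shipped the CNP CRD (so the case cannot arise) belongs with this change. The `api-approved.kubernetes.io` annotation also changes from PR 300 to PR 30, which is consistent with the older bundle but worth a glance since the value is what the API server's approval check reads.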
@@ -50,233 +50,172 @@ spec: metadata: type: object spec: - description: Spec defines the desired behavior of ClusterNetworkPolicy. + description: Specification of the desired behavior of AdminNetworkPolicy. properties: egress: description: |- Egress is the list of Egress rules to be applied to the selected pods. + A total of 100 rules will be allowed in each ANP instance. + The relative precedence of egress rules within a single ANP object (all of + which share the priority) will be determined by the order in which the rule + is written. Thus, a rule that appears at the top of the egress rules + would take the highest precedence. + ANPs with no egress rules do not affect egress traffic. - A maximum of 25 rules is allowed in this block. - The relative precedence of egress rules within a single CNP object - (all of which share the priority) will be determined by the order - in which the rule is written. - Thus, a rule that appears at the top of the egress rules - would take the highest precedence. - CNPs with no egress rules do not affect egress traffic. + Support: Core items: description: |- - ClusterNetworkPolicyEgressRule describes an action to take on a particular - set of traffic originating from pods selected by a ClusterNetworkPolicy's + AdminNetworkPolicyEgressRule describes an action to take on a particular + set of traffic originating from pods selected by a AdminNetworkPolicy's Subject field. - properties: action: description: |- - Action specifies the effect this rule will have on matching - traffic. Currently the following actions are supported: - - - Accept: Accepts the selected traffic, allowing it to - egress. No further ClusterNetworkPolicy or NetworkPolicy - rules will be processed. + Action specifies the effect this rule will have on matching traffic. 
+ Currently the following actions are supported: + Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy) + Deny: denies the selected traffic + Pass: instructs the selected traffic to skip any remaining ANP rules, and + then pass execution to any NetworkPolicies that select the pod. + If the pod is not selected by any NetworkPolicies then execution + is passed to any BaselineAdminNetworkPolicies that select the pod. - - Deny: Drops the selected traffic. No further - ClusterNetworkPolicy or NetworkPolicy rules will be - processed. - - Pass: Skips all further ClusterNetworkPolicy rules in the - current tier for the selected traffic, and passes - evaluation to the next tier. + Support: Core enum: - - Accept + - Allow - Deny - Pass type: string name: description: |- - Name is an identifier for this rule, that may be no more than - 100 characters in length. This field should be used by the implementation - to help improve observability, readability and error-reporting - for any applied policies. + Name is an identifier for this rule, that may be no more than 100 characters + in length. This field should be used by the implementation to help + improve observability, readability and error-reporting for any applied + AdminNetworkPolicies. + + + Support: Core maxLength: 100 type: string - protocols: + ports: description: |- - Protocols allows for more fine-grain matching of traffic on - protocol-specific attributes such as the port. If - unspecified, protocol-specific attributes will not be used - to match traffic. + Ports allows for matching traffic based on port and protocols. + This field is a list of destination ports for the outgoing egress traffic. + If Ports is not set then the rule does not filter traffic via port. + + + Support: Core items: description: |- - ClusterNetworkPolicyProtocol describes additional protocol-specific match rules. + AdminNetworkPolicyPort describes how to select network ports on pod(s). 
Exactly one field must be set. maxProperties: 1 minProperties: 1 properties: - destinationNamedPort: + namedPort: description: |- - DestinationNamedPort selects a destination port on a pod based on the - ContainerPort name. You can't use this in a rule that targets resources - without named ports (e.g. Nodes or Networks). + NamedPort selects a port on a pod(s) based on name. + + + Support: Extended + + + type: string - sctp: - description: SCTP specific protocol matches. - minProperties: 1 - properties: - destinationPort: - description: DestinationPort for the match. - maxProperties: 1 - minProperties: 1 - properties: - number: - description: Number defines a network port value. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - range: - description: - Range defines a contiguous range - of ports. - properties: - end: - description: |- - end specifies the last port in the range. It must be - greater than start. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - start: - description: |- - start defines a network port that is the start of a port - range, the Start value must be less than End. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - x-kubernetes-validations: - - message: Start port must be less than End port - rule: self.start < self.end - type: object - type: object - tcp: - description: TCP specific protocol matches. - minProperties: 1 + portNumber: + description: |- + Port selects a port on a pod(s) based on number. + + + Support: Core properties: - destinationPort: - description: DestinationPort for the match. - maxProperties: 1 - minProperties: 1 - properties: - number: - description: Number defines a network port value. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - range: - description: - Range defines a contiguous range - of ports. - properties: - end: - description: |- - end specifies the last port in the range. It must be - greater than start. 
- format: int32 - maximum: 65535 - minimum: 1 - type: integer - start: - description: |- - start defines a network port that is the start of a port - range, the Start value must be less than End. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - x-kubernetes-validations: - - message: Start port must be less than End port - rule: self.start < self.end - type: object + port: + description: |- + Number defines a network port value. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core + type: string + required: + - port + - protocol type: object - udp: - description: UDP specific protocol matches. - minProperties: 1 + portRange: + description: |- + PortRange selects a port range on a pod(s) based on provided start and end + values. + + + Support: Core properties: - destinationPort: - description: DestinationPort for the match. - maxProperties: 1 - minProperties: 1 - properties: - number: - description: Number defines a network port value. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - range: - description: - Range defines a contiguous range - of ports. - properties: - end: - description: |- - end specifies the last port in the range. It must be - greater than start. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - start: - description: |- - start defines a network port that is the start of a port - range, the Start value must be less than End. 
- format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - x-kubernetes-validations: - - message: Start port must be less than End port - rule: self.start < self.end - type: object + end: + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core + type: string + start: + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start type: object type: object - maxItems: 25 - minItems: 1 + maxItems: 100 type: array to: description: |- - To is the list of destinations whose traffic this rule applies to. If any - element matches the destination of outgoing traffic then the specified - action is applied. This field must be defined and contain at least one - item. - items: - description: |- - ClusterNetworkPolicyEgressPeer defines a peer to allow traffic to. + To is the List of destinations whose traffic this rule applies to. + If any AdminNetworkPolicyEgressPeer matches the destination of outgoing + traffic then the specified action is applied. + This field must be defined and contain at least one item. - Exactly one of the fields must be set for a given peer and this is enforced - by the validation rules on the CRD. If an implementation sees no fields are - set then it can infer that the deployed CRD is of an incompatible version - with an unknown field. In that case it should fail closed. - For "Accept" rules, "fail closed" means: "treat the rule as matching no - traffic". 
For "Deny" and "Pass" rules, "fail closed" means: "treat the rule - as a 'Deny all' rule". + Support: Core + items: + description: |- + AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. + Exactly one of the selector pointers must be set for a given peer. If a + consumer observes none of its fields are set, they must assume an unknown + option has been specified and fail closed. maxProperties: 1 minProperties: 1 properties: @@ -284,6 +223,9 @@ spec: description: |- Namespaces defines a way to select all pods within a set of Namespaces. Note that host-networked pods are not included in this type of peer. + + + Support: Core properties: matchExpressions: description: @@ -313,13 +255,11 @@ spec: items: type: string type: array - x-kubernetes-list-type: atomic required: - key - operator type: object type: array - x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
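Review bot: The `portRange` object in the `@@ -50,233 +50,172` hunk (starting on an earlier line of this chunk) keeps `required: [end, start]` and the 1–65535 bounds but has no `x-kubernetes-validations` rule, whereas the removed CNP schema enforced `self.start < self.end`; a range with `start` greater than `end` is therefore accepted at admission and its effect is left to the implementation, which for a Deny rule can mean the rule silently matches nothing. Since this text is the upstream v0.1.1 bundle and cannot be edited here, the v3.31.3 ANP controller should be checked to reject inverted ranges with a status condition rather than ignore them, and the `portRange` description could say so explicitly. The egress peer description now says only "fail closed" without the per-action explanation the CNP text carried, which is a documentation regression worth noting in the commit message.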
@@ -336,37 +276,107 @@ spec: This is intended for representing entities that live outside the cluster, which can't be selected by pods, namespaces and nodes peers, but note that cluster-internal traffic will be checked against the rule as - well. So if you Accept or Deny traffic to `"0.0.0.0/0"`, that will allow + well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow or deny all IPv4 pod-to-pod traffic as well. If you don't want that, add a rule that Passes all pod traffic before the Networks rule. + Each item in Networks should be provided in the CIDR format and should be IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". - Networks can have up to 25 CIDRs specified. + + Networks can have upto 25 CIDRs specified. + + + Support: Extended + + + items: description: |- - CIDR is an IP address range in CIDR notation - (for example, "10.0.0.0/8" or "fd00::/8"). + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). + This string must be validated by implementations using net.ParseCIDR + TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available. maxLength: 43 type: string x-kubernetes-validations: - - message: Invalid CIDR format provided - rule: isCIDR(self) + - message: + CIDR must be either an IPv4 or IPv6 address. + IPv4 address embedded in IPv6 addresses are not + supported + rule: self.contains(':') != self.contains('.') maxItems: 25 minItems: 1 type: array x-kubernetes-list-type: set + nodes: + description: |- + Nodes defines a way to select a set of nodes in + the cluster. This field follows standard label selector + semantics; if present but empty, it selects all Nodes. + + + Support: Extended + + + + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic pods: description: |- Pods defines a way to select a set of pods in a set of namespaces. Note that host-networked pods are not included in this type of peer. + + + Support: Core properties: namespaceSelector: description: |- - NamespaceSelector follows standard label selector - semantics; if empty, it selects all Namespaces. + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. properties: matchExpressions: description: @@ -397,13 +407,11 @@ spec: items: type: string type: array - x-kubernetes-list-type: atomic required: - key - operator type: object type: array - x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
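Review bot: CIDR validation in the `networks` peer regresses from `isCIDR(self)` to `self.contains(':') != self.contains('.')` in the `@@ -336,37 +276,107` hunk, which only checks that the string contains exactly one of `:` or `.`; values such as `10.0.0.0`, `10.0.0.0/99` or `not.a.cidr` pass admission and reach the implementation's `net.ParseCIDR`, where the description itself says validation must happen. That is the upstream v0.1.1 bundle text and cannot be changed here, but the operator side should confirm that the v3.31.3 ANP controller rejects an unparsable entry rather than skipping it, because a skipped CIDR in a Deny rule fails open for that range. The `nodes` peer added in the same hunk is marked `Support: Extended`; if the implementation does not honour it, the `to` validation should say whether such a peer is rejected or ignored, for the same fail-closed reason.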
@@ -416,8 +424,8 @@ spec: x-kubernetes-map-type: atomic podSelector: description: |- - PodSelector is used to explicitly select pods within a namespace; - if empty, it selects all Pods. + PodSelector is used to explicitly select pods within a namespace; if empty, + it selects all Pods. properties: matchExpressions: description: @@ -448,13 +456,11 @@ spec: items: type: string type: array - x-kubernetes-list-type: atomic required: - key - operator type: object type: array - x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
@@ -466,80 +472,77 @@ spec: type: object x-kubernetes-map-type: atomic required: + - namespaceSelector - podSelector type: object type: object - maxItems: 25 + maxItems: 100 minItems: 1 type: array required: - action - to type: object - maxItems: 25 + x-kubernetes-validations: + - message: + networks/nodes peer cannot be set with namedPorts since + there are no namedPorts for networks/nodes + rule: + "!(self.to.exists(peer, has(peer.networks) || has(peer.nodes)) + && has(self.ports) && self.ports.exists(port, has(port.namedPort)))" + maxItems: 100 type: array ingress: description: |- Ingress is the list of Ingress rules to be applied to the selected pods. + A total of 100 rules will be allowed in each ANP instance. + The relative precedence of ingress rules within a single ANP object (all of + which share the priority) will be determined by the order in which the rule + is written. Thus, a rule that appears at the top of the ingress rules + would take the highest precedence. + ANPs with no ingress rules do not affect ingress traffic. - A maximum of 25 rules is allowed in this block. - The relative precedence of ingress rules within a single CNP object - (all of which share the priority) will be determined by the order - in which the rule is written. - Thus, a rule that appears at the top of the ingress rules - would take the highest precedence. - CNPs with no ingress rules do not affect ingress traffic. + Support: Core items: description: |- - ClusterNetworkPolicyIngressRule describes an action to take on a particular - set of traffic destined for pods selected by a ClusterNetworkPolicy's + AdminNetworkPolicyIngressRule describes an action to take on a particular + set of traffic destined for pods selected by an AdminNetworkPolicy's Subject field. properties: action: description: |- - Action specifies the effect this rule will have on matching - traffic. 
Currently the following actions are supported: - - - Accept: Accepts the selected traffic, allowing it into - the destination. No further ClusterNetworkPolicy or - NetworkPolicy rules will be processed. - - Note: while Accept ensures traffic is accepted by - Kubernetes network policy, it is still possible that the - packet is blocked in other ways: custom nftable rules, - high-layers e.g. service mesh. + Action specifies the effect this rule will have on matching traffic. + Currently the following actions are supported: + Allow: allows the selected traffic (even if it would otherwise have been denied by NetworkPolicy) + Deny: denies the selected traffic + Pass: instructs the selected traffic to skip any remaining ANP rules, and + then pass execution to any NetworkPolicies that select the pod. + If the pod is not selected by any NetworkPolicies then execution + is passed to any BaselineAdminNetworkPolicies that select the pod. - - Deny: Drops the selected traffic. No further - ClusterNetworkPolicy or NetworkPolicy rules will be - processed. - - Pass: Skips all further ClusterNetworkPolicy rules in the - current tier for the selected traffic, and passes - evaluation to the next tier. + Support: Core enum: - - Accept + - Allow - Deny - Pass type: string from: description: |- From is the list of sources whose traffic this rule applies to. - If any element matches the source of incoming + If any AdminNetworkPolicyIngressPeer matches the source of incoming traffic then the specified action is applied. This field must be defined and contain at least one item. - items: - description: |- - ClusterNetworkPolicyIngressPeer defines a peer to allow traffic from. - Exactly one of the fields must be set for a given peer and this is enforced - by the validation rules on the CRD. If an implementation sees no fields are - set then it can infer that the deployed CRD is of an incompatible version - with an unknown field. In that case it should fail closed. 
- For "Accept" rules, "fail closed" means: "treat the rule as matching no - traffic". For "Deny" and "Pass" rules, "fail closed" means: "treat the rule - as a 'Deny all' rule". + Support: Core + items: + description: |- + AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from. + Exactly one of the selector pointers must be set for a given peer. If a + consumer observes none of its fields are set, they must assume an unknown + option has been specified and fail closed. maxProperties: 1 minProperties: 1 properties: @@ -547,6 +550,9 @@ spec: description: |- Namespaces defines a way to select all pods within a set of Namespaces. Note that host-networked pods are not included in this type of peer. + + + Support: Core properties: matchExpressions: description: @@ -576,13 +582,11 @@ spec: items: type: string type: array - x-kubernetes-list-type: atomic required: - key - operator type: object type: array - x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -598,11 +602,14 @@ spec: Pods defines a way to select a set of pods in a set of namespaces. Note that host-networked pods are not included in this type of peer. + + + Support: Core properties: namespaceSelector: description: |- - NamespaceSelector follows standard label selector - semantics; if empty, it selects all Namespaces. + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. properties: matchExpressions: description: @@ -633,13 +640,11 @@ spec: items: type: string type: array - x-kubernetes-list-type: atomic required: - key - operator type: object type: array - x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
@@ -652,8 +657,8 @@ spec: x-kubernetes-map-type: atomic podSelector: description: |- - PodSelector is used to explicitly select pods within a namespace; - if empty, it selects all Pods. + PodSelector is used to explicitly select pods within a namespace; if empty, + it selects all Pods. properties: matchExpressions: description: @@ -684,13 +689,11 @@ spec: items: type: string type: array - x-kubernetes-list-type: atomic required: - key - operator type: object type: array - x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
@@ -702,206 +705,154 @@ spec: type: object x-kubernetes-map-type: atomic required: + - namespaceSelector - podSelector type: object type: object - maxItems: 25 + maxItems: 100 minItems: 1 type: array name: description: |- - Name is an identifier for this rule, that may be no more than - 100 characters in length. This field should be used by the implementation - to help improve observability, readability and error-reporting - for any applied policies. + Name is an identifier for this rule, that may be no more than 100 characters + in length. This field should be used by the implementation to help + improve observability, readability and error-reporting for any applied + AdminNetworkPolicies. + + + Support: Core maxLength: 100 type: string - protocols: + ports: description: |- - Protocols allows for more fine-grain matching of traffic on - protocol-specific attributes such as the port. If - unspecified, protocol-specific attributes will not be used - to match traffic. + Ports allows for matching traffic based on port and protocols. + This field is a list of ports which should be matched on + the pods selected for this policy i.e the subject of the policy. + So it matches on the destination port for the ingress traffic. + If Ports is not set then the rule does not filter traffic via port. + + + Support: Core items: description: |- - ClusterNetworkPolicyProtocol describes additional protocol-specific match rules. + AdminNetworkPolicyPort describes how to select network ports on pod(s). Exactly one field must be set. maxProperties: 1 minProperties: 1 properties: - destinationNamedPort: + namedPort: description: |- - DestinationNamedPort selects a destination port on a pod based on the - ContainerPort name. You can't use this in a rule that targets resources - without named ports (e.g. Nodes or Networks). + NamedPort selects a port on a pod(s) based on name. + + + Support: Extended + + + type: string - sctp: - description: SCTP specific protocol matches. 
- minProperties: 1 - properties: - destinationPort: - description: DestinationPort for the match. - maxProperties: 1 - minProperties: 1 - properties: - number: - description: Number defines a network port value. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - range: - description: - Range defines a contiguous range - of ports. - properties: - end: - description: |- - end specifies the last port in the range. It must be - greater than start. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - start: - description: |- - start defines a network port that is the start of a port - range, the Start value must be less than End. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - x-kubernetes-validations: - - message: Start port must be less than End port - rule: self.start < self.end - type: object - type: object - tcp: - description: TCP specific protocol matches. - minProperties: 1 + portNumber: + description: |- + Port selects a port on a pod(s) based on number. + + + Support: Core properties: - destinationPort: - description: DestinationPort for the match. - maxProperties: 1 - minProperties: 1 - properties: - number: - description: Number defines a network port value. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - range: - description: - Range defines a contiguous range - of ports. - properties: - end: - description: |- - end specifies the last port in the range. It must be - greater than start. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - start: - description: |- - start defines a network port that is the start of a port - range, the Start value must be less than End. 
- format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - x-kubernetes-validations: - - message: Start port must be less than End port - rule: self.start < self.end - type: object + port: + description: |- + Number defines a network port value. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core + type: string + required: + - port + - protocol type: object - udp: - description: UDP specific protocol matches. - minProperties: 1 + portRange: + description: |- + PortRange selects a port range on a pod(s) based on provided start and end + values. + + + Support: Core properties: - destinationPort: - description: DestinationPort for the match. - maxProperties: 1 - minProperties: 1 - properties: - number: - description: Number defines a network port value. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - range: - description: - Range defines a contiguous range - of ports. - properties: - end: - description: |- - end specifies the last port in the range. It must be - greater than start. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - start: - description: |- - start defines a network port that is the start of a port - range, the Start value must be less than End. - format: int32 - maximum: 65535 - minimum: 1 - type: integer - required: - - end - - start - type: object - x-kubernetes-validations: - - message: Start port must be less than End port - rule: self.start < self.end - type: object + end: + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. 
+ + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core + type: string + start: + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start type: object type: object - maxItems: 25 - minItems: 1 + maxItems: 100 type: array required: - action - from type: object - maxItems: 25 + maxItems: 100 type: array priority: description: |- - Priority is a value from 0 to 1000 indicating the precedence of - the policy within its tier. Policies with lower priority values have - higher precedence, and are checked before policies with higher priority - values in the same tier. All Admin tier rules have higher precedence than - NetworkPolicy or Baseline tier rules. - If two (or more) policies in the same tier with the same priority - could match a connection, then the implementation can apply any of the - matching policies to the connection, and there is no way for the user to - reliably determine which one it will choose. Administrators must be - careful about assigning the priorities for policies with rules that will - match many connections, and ensure that policies have unique priority - values in cases where ambiguity would be unacceptable. + Priority is a value from 0 to 1000. Rules with lower priority values have + higher precedence, and are checked before rules with higher priority values. + All AdminNetworkPolicy rules have higher precedence than NetworkPolicy or + BaselineAdminNetworkPolicy rules + The behavior is undefined if two ANP objects have same priority. 
+ + + Support: Core format: int32 maximum: 1000 minimum: 0 type: integer subject: - description: - Subject defines the pods to which this ClusterNetworkPolicy - applies. + description: |- + Subject defines the pods to which this AdminNetworkPolicy applies. + Note that host-networked pods are not included in subject selection. + + + Support: Core maxProperties: 1 minProperties: 1 properties: @@ -936,13 +887,11 @@ spec: items: type: string type: array - x-kubernetes-list-type: atomic required: - key - operator type: object type: array - x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -960,8 +909,8 @@ spec: properties: namespaceSelector: description: |- - NamespaceSelector follows standard label selector - semantics; if empty, it selects all Namespaces. + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. properties: matchExpressions: description: @@ -991,13 +940,11 @@ spec: items: type: string type: array - x-kubernetes-list-type: atomic required: - key - operator type: object type: array - x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string @@ -1010,8 +957,8 @@ spec: x-kubernetes-map-type: atomic podSelector: description: |- - PodSelector is used to explicitly select pods within a namespace; - if empty, it selects all Pods. + PodSelector is used to explicitly select pods within a namespace; if empty, + it selects all Pods. properties: matchExpressions: description: @@ -1041,13 +988,11 @@ spec: items: type: string type: array - x-kubernetes-list-type: atomic required: - key - operator type: object type: array - x-kubernetes-list-type: atomic matchLabels: additionalProperties: type: string 
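Review bot: The rewritten `portRange` object under the ingress rule's `ports` items no longer enforces `start < end`: the new side keeps only the `minimum`/`maximum` bounds and `required: [end, start]`, while its description still promises that End "must be greater than Start", so an inverted range is accepted at admission and every implementation has to detect it itself. Likewise the new `protocol` fields in both `portNumber` and `portRange` are `type: string` with `default: TCP` and no `enum`, so the "(TCP, UDP, or SCTP)" contract in the description is not validated by the API server either. If this file is a verbatim copy of the upstream network-policy-api bundle the gap should be covered by the implementation's own validation rather than a local edit; otherwise a CEL rule and an enum restore admission-time rejection, as below. The enclosing ingress-rule schema begins in an earlier hunk, and the same `ports` shape is repeated in the new BaselineAdminNetworkPolicy file later in the diff.
```yaml
portRange:
  # … unchanged: description, properties.end, properties.start …
  properties:
    protocol:
      default: TCP
      enum:
      - TCP
      - UDP
      - SCTP
      type: string
  required:
  - end
  - start
  type: object
  x-kubernetes-validations:
  - message: Start port must be less than End port
    rule: self.start < self.end
```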
@@ -1059,48 +1004,13 @@ spec: type: object x-kubernetes-map-type: atomic required: + - namespaceSelector - podSelector type: object type: object - tier: - description: |- - Tier is used as the top-level grouping for network policy prioritization. - - Policy tiers are evaluated in the following order: - * Admin tier - * NetworkPolicy tier - * Baseline tier - - ClusterNetworkPolicy can use 2 of these tiers: Admin and Baseline. - - The Admin tier takes precedence over all other policies. Policies - defined in this tier are used to set cluster-wide security rules - that cannot be overridden in the other tiers. If Admin tier has - made a final decision (Accept or Deny) on a connection, then no - further evaluation is done. - - NetworkPolicy tier is the tier for the namespaced v1.NetworkPolicy. - These policies are intended for the application developer to describe - the security policy associated with their deployments inside their - namespace. v1.NetworkPolicy always makes a final decision for selected - pods. Further evaluation only happens for Pods not selected by a - v1.NetworkPolicy. - - Baseline tier is a cluster-wide policy that can be overridden by the - v1.NetworkPolicy. If Baseline tier has made a final decision (Accept or - Deny) on a connection, then no further evaluation is done. - - If a given connection wasn't allowed or denied by any of the tiers, - the default kubernetes policy is applied, which says that - all pods can communicate with each other. - enum: - - Admin - - Baseline - type: string required: - priority - subject - - tier type: object status: description: Status is the status to be reported by the implementation. 
@@ -1108,8 +1018,16 @@ spec: conditions: items: description: - Condition contains details for one aspect of the current - state of this API Resource. + "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" properties: lastTransitionTime: description: |- @@ -1150,7 +1068,12 @@ spec: - Unknown type: string type: - description: type of condition in CamelCase or in foo.example.com/CamelCase. + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. + The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) maxLength: 316 pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ type: string diff --git a/pkg/crds/calico/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml b/pkg/crds/calico/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml new file mode 100644 index 0000000000..fddc29a85f --- /dev/null +++ b/pkg/crds/calico/policy.networking.k8s.io_baselineadminnetworkpolicies.yaml 
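Review bot: The new `Condition` description in `status.conditions.items` embeds what looks like the Go type's doc comment after `\n---\n`, including backtick struct tags and `+patchMergeKey`/`+listType` markers, and the `type` field's description in the second hunk carries the same `---` tail; this reads as generator output leaking into user-facing schema text rather than intended documentation. Regenerating with a generator version that strips everything after `---`, or trimming to the first sentence, e.g. `description: Condition contains details for one aspect of the current state of this API Resource.`, keeps `kubectl explain` output clean. The `pattern` and `maxLength` on `type` are unchanged and still validate the value, so the issue is cosmetic. The enclosing `status` schema starts before the first of these hunks.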
@@ -0,0 +1,1083 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + api-approved.kubernetes.io: https://github.com/kubernetes-sigs/network-policy-api/pull/30 + policy.networking.k8s.io/bundle-version: v0.1.1 + policy.networking.k8s.io/channel: experimental + creationTimestamp: null + name: baselineadminnetworkpolicies.policy.networking.k8s.io +spec: + group: policy.networking.k8s.io + names: + kind: BaselineAdminNetworkPolicy + listKind: BaselineAdminNetworkPolicyList + plural: baselineadminnetworkpolicies + shortNames: + - banp + singular: baselineadminnetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1alpha1 + schema: + openAPIV3Schema: + description: |- + BaselineAdminNetworkPolicy is a cluster level resource that is part of the + AdminNetworkPolicy API. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: Specification of the desired behavior of BaselineAdminNetworkPolicy. + properties: + egress: + description: |- + Egress is the list of Egress rules to be applied to the selected pods if + they are not matched by any AdminNetworkPolicy or NetworkPolicy rules. + A total of 100 Egress rules will be allowed in each BANP instance. 
+ The relative precedence of egress rules within a single BANP object + will be determined by the order in which the rule is written. + Thus, a rule that appears at the top of the egress rules + would take the highest precedence. + BANPs with no egress rules do not affect egress traffic. + + + Support: Core + items: + description: |- + BaselineAdminNetworkPolicyEgressRule describes an action to take on a particular + set of traffic originating from pods selected by a BaselineAdminNetworkPolicy's + Subject field. + + properties: + action: + description: |- + Action specifies the effect this rule will have on matching traffic. + Currently the following actions are supported: + Allow: allows the selected traffic + Deny: denies the selected traffic + + + Support: Core + enum: + - Allow + - Deny + type: string + name: + description: |- + Name is an identifier for this rule, that may be no more than 100 characters + in length. This field should be used by the implementation to help + improve observability, readability and error-reporting for any applied + BaselineAdminNetworkPolicies. + + + Support: Core + maxLength: 100 + type: string + ports: + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of destination ports for the outgoing egress traffic. + If Ports is not set then the rule does not filter traffic via port. + items: + description: |- + AdminNetworkPolicyPort describes how to select network ports on pod(s). + Exactly one field must be set. + maxProperties: 1 + minProperties: 1 + properties: + namedPort: + description: |- + NamedPort selects a port on a pod(s) based on name. + + + Support: Extended + + + + type: string + portNumber: + description: |- + Port selects a port on a pod(s) based on number. + + + Support: Core + properties: + port: + description: |- + Number defines a network port value. 
+ + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core + type: string + required: + - port + - protocol + type: object + portRange: + description: |- + PortRange selects a port range on a pod(s) based on provided start and end + values. + + + Support: Core + properties: + end: + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core + type: string + start: + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start + type: object + type: object + maxItems: 100 + type: array + to: + description: |- + To is the list of destinations whose traffic this rule applies to. + If any AdminNetworkPolicyEgressPeer matches the destination of outgoing + traffic then the specified action is applied. + This field must be defined and contain at least one item. + + + Support: Core + items: + description: |- + AdminNetworkPolicyEgressPeer defines a peer to allow traffic to. + Exactly one of the selector pointers must be set for a given peer. If a + consumer observes none of its fields are set, they must assume an unknown + option has been specified and fail closed. + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. 
+ Note that host-networked pods are not included in this type of peer. + + + Support: Core + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + networks: + description: |- + Networks defines a way to select peers via CIDR blocks. + This is intended for representing entities that live outside the cluster, + which can't be selected by pods, namespaces and nodes peers, but note + that cluster-internal traffic will be checked against the rule as + well. So if you Allow or Deny traffic to `"0.0.0.0/0"`, that will allow + or deny all IPv4 pod-to-pod traffic as well. If you don't want that, + add a rule that Passes all pod traffic before the Networks rule. 
+ + + Each item in Networks should be provided in the CIDR format and should be + IPv4 or IPv6, for example "10.0.0.0/8" or "fd00::/8". + + + Networks can have upto 25 CIDRs specified. + + + Support: Extended + + + + items: + description: |- + CIDR is an IP address range in CIDR notation (for example, "10.0.0.0/8" or "fd00::/8"). + This string must be validated by implementations using net.ParseCIDR + TODO: Introduce CEL CIDR validation regex isCIDR() in Kube 1.31 when it is available. + maxLength: 43 + type: string + x-kubernetes-validations: + - message: + CIDR must be either an IPv4 or IPv6 address. + IPv4 address embedded in IPv6 addresses are not + supported + rule: self.contains(':') != self.contains('.') + maxItems: 25 + minItems: 1 + type: array + x-kubernetes-list-type: set + nodes: + description: |- + Nodes defines a way to select a set of nodes in + the cluster. This field follows standard label selector + semantics; if present but empty, it selects all Nodes. + + + Support: Extended + + + + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + pods: + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + + + Support: Core + properties: + namespaceSelector: + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. + properties: + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; if empty, + it selects all Pods. + properties: + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + required: + - namespaceSelector + - podSelector + type: object + type: object + maxItems: 100 + minItems: 1 + type: array + required: + - action + - to + type: object + x-kubernetes-validations: + - message: + networks/nodes peer cannot be set with namedPorts since + there are no namedPorts for networks/nodes + rule: + "!(self.to.exists(peer, has(peer.networks) || has(peer.nodes)) + && has(self.ports) && self.ports.exists(port, has(port.namedPort)))" + maxItems: 100 + type: array + ingress: + description: |- + Ingress is the list of Ingress rules to be applied to the selected pods + if they are not matched by any AdminNetworkPolicy or NetworkPolicy rules. + A total of 100 Ingress rules will be allowed in each BANP instance. + The relative precedence of ingress rules within a single BANP object + will be determined by the order in which the rule is written. + Thus, a rule that appears at the top of the ingress rules + would take the highest precedence. + BANPs with no ingress rules do not affect ingress traffic. + + + Support: Core + items: + description: |- + BaselineAdminNetworkPolicyIngressRule describes an action to take on a particular + set of traffic destined for pods selected by a BaselineAdminNetworkPolicy's + Subject field. + properties: + action: + description: |- + Action specifies the effect this rule will have on matching traffic. + Currently the following actions are supported: + Allow: allows the selected traffic + Deny: denies the selected traffic + + + Support: Core + enum: + - Allow + - Deny + type: string + from: + description: |- + From is the list of sources whose traffic this rule applies to. + If any AdminNetworkPolicyIngressPeer matches the source of incoming + traffic then the specified action is applied. + This field must be defined and contain at least one item. 
+ + + Support: Core + items: + description: |- + AdminNetworkPolicyIngressPeer defines an in-cluster peer to allow traffic from. + Exactly one of the selector pointers must be set for a given peer. If a + consumer observes none of its fields are set, they must assume an unknown + option has been specified and fail closed. + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: |- + Namespaces defines a way to select all pods within a set of Namespaces. + Note that host-networked pods are not included in this type of peer. + + + Support: Core + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + pods: + description: |- + Pods defines a way to select a set of pods in + a set of namespaces. Note that host-networked pods + are not included in this type of peer. + + + Support: Core + properties: + namespaceSelector: + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. + properties: + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; if empty, + it selects all Pods. + properties: + matchExpressions: + description: + matchExpressions is a list of label + selector requirements. 
The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - namespaceSelector + - podSelector + type: object + type: object + maxItems: 100 + minItems: 1 + type: array + name: + description: |- + Name is an identifier for this rule, that may be no more than 100 characters + in length. This field should be used by the implementation to help + improve observability, readability and error-reporting for any applied + BaselineAdminNetworkPolicies. + + + Support: Core + maxLength: 100 + type: string + ports: + description: |- + Ports allows for matching traffic based on port and protocols. + This field is a list of ports which should be matched on + the pods selected for this policy i.e the subject of the policy. + So it matches on the destination port for the ingress traffic. 
+ If Ports is not set then the rule does not filter traffic via port. + + + Support: Core + items: + description: |- + AdminNetworkPolicyPort describes how to select network ports on pod(s). + Exactly one field must be set. + maxProperties: 1 + minProperties: 1 + properties: + namedPort: + description: |- + NamedPort selects a port on a pod(s) based on name. + + + Support: Extended + + + + type: string + portNumber: + description: |- + Port selects a port on a pod(s) based on number. + + + Support: Core + properties: + port: + description: |- + Number defines a network port value. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core + type: string + required: + - port + - protocol + type: object + portRange: + description: |- + PortRange selects a port range on a pod(s) based on provided start and end + values. + + + Support: Core + properties: + end: + description: |- + End defines a network port that is the end of a port range, the End value + must be greater than Start. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + protocol: + default: TCP + description: |- + Protocol is the network protocol (TCP, UDP, or SCTP) which traffic must + match. If not specified, this field defaults to TCP. + + + Support: Core + type: string + start: + description: |- + Start defines a network port that is the start of a port range, the Start + value must be less than End. + + + Support: Core + format: int32 + maximum: 65535 + minimum: 1 + type: integer + required: + - end + - start + type: object + type: object + maxItems: 100 + type: array + required: + - action + - from + type: object + maxItems: 100 + type: array + subject: + description: |- + Subject defines the pods to which this BaselineAdminNetworkPolicy applies. 
+ Note that host-networked pods are not included in subject selection. + + + Support: Core + maxProperties: 1 + minProperties: 1 + properties: + namespaces: + description: Namespaces is used to select pods via namespace selectors. + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + pods: + description: + Pods is used to select pods via namespace AND pod + selectors. + properties: + namespaceSelector: + description: |- + NamespaceSelector follows standard label selector semantics; if empty, + it selects all Namespaces. + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + podSelector: + description: |- + PodSelector is used to explicitly select pods within a namespace; if empty, + it selects all Pods. + properties: + matchExpressions: + description: + matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. 
If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + required: + - key + - operator + type: object + type: array + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - namespaceSelector + - podSelector + type: object + type: object + required: + - subject + type: object + status: + description: Status is the status to be reported by the implementation. + properties: + conditions: + items: + description: + "Condition contains details for one aspect of the current + state of this API Resource.\n---\nThis struct is intended for + direct use as an array at the field path .status.conditions. For + example,\n\n\n\ttype FooStatus struct{\n\t // Represents the + observations of a foo's current state.\n\t // Known .status.conditions.type + are: \"Available\", \"Progressing\", and \"Degraded\"\n\t // + +patchMergeKey=type\n\t // +patchStrategy=merge\n\t // +listType=map\n\t + \ // +listMapKey=type\n\t Conditions []metav1.Condition `json:\"conditions,omitempty\" + patchStrategy:\"merge\" patchMergeKey:\"type\" protobuf:\"bytes,1,rep,name=conditions\"`\n\n\n\t + \ // other fields\n\t}" + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: |- + type of condition in CamelCase or in foo.example.com/CamelCase. + --- + Many .condition.type values are consistent across resources like Available, but because arbitrary conditions can be + useful (see .node.status.conditions), the ability to deconflict is important. 
+ The regex it matches is (dns1123SubdomainFmt/)?(qualifiedNameFmt) + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + required: + - conditions + type: object + required: + - metadata + - spec + type: object + x-kubernetes-validations: + - message: + Only one baseline admin network policy with metadata.name="default" + can be created in the cluster + rule: self.metadata.name == 'default' + served: true + storage: true + subresources: + status: {} +status: + acceptedNames: + kind: "" + plural: "" + conditions: null + storedVersions: null