KRM API networking.gdc.goog/v1

networking.gdc.goog/v1

Package v1 contains API Schema definitions for the networking v1 API group.

AuthorizationPolicyRef

AuthorizationPolicyRef is a reference to the generated authorization policy.

Appears in: - OrganizationNetworkPolicyStatus

Field Description
name string Name of the referent.
namespace string Namespace of the referent.

ClusterNodeSelector

ClusterNodeSelector includes information used to locate node(s) inside the specified cluster. Either cluster or node or both must be specified.

Appears in: - FlowLogFilter

Field Description
cluster string Cluster is the cluster name. When not specified, all clusters will be searched for the wanted node(s).
node string Node is a wildcard pattern used to search node(s) by node name. E.g. "k8s", ".domain.com"

FlowLog

FlowLog provides a list of flow log filters to be used for finding relevant flows. Flow events matching any of the provided filter rules will be logged.

Appears in: - FlowLogList

Field Description
apiVersion string networking.gdc.goog/v1
kind string FlowLog
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec FlowLogSpec Spec contains the desired configuration for FlowLog.
status FlowLogStatus Status contains the observed state for FlowLog.

FlowLogFilter

FlowLogFilter defines a collection of filter criteria to be applied at the same time. Each FlowLogFilter contains several optional matching fields. The matching logic per filter follows the rules below:
- When a matching field is optional and not specified, no filtering is applied on that field of a flow. E.g. if no Sources is provided, all sources are matched.
- When multiple fields are specified in one filter, all must match the target flow. E.g. if Sources "srcNS/pod1" and Destinations "dstNS/pod2" are specified at the same time, the filter matches the flow from pod "srcNS/pod1" to destination "dstNS/pod2".
- When a field is a list, specifying it multiple times means matching any of the values.

Example:

  source:
  - namespacePodSelector:
      namespace: ns1
      pod: pod1
  - namespacePodSelector:
      namespace: ns2
      pod: pod2
  destination:
  - namespacePodSelector:
      namespace: ns1
      pod: pod1
  - namespacePodSelector:
      namespace: ns2
      pod: pod2
  l4Protocols:
  - tcp
  - udp

The above flow filter matches a flow with (source in ns1/pod1 or ns2/pod2) and (destination in ns1/pod1 or ns2/pod2) and L4 protocol TCP or UDP.

Appears in: - FlowLogSpec

Field Description
source NetworkEndpointFilter Source filters flow events by a list of source rules.
destination NetworkEndpointFilter Destination filters flow events by a list of destination rules.
endpoint NetworkEndpointFilter Endpoint filters flow events if the event source or destination matches any given endpoint in this list. If "Endpoint" is set, "Source" and "Destination" must not be specified. When specified, each endpoint corresponds to two filters: one with "Source" set to this endpoint and all other filter fields kept the same, and another with "Destination" set to this endpoint and all other filter fields kept the same. For example:

  endpoint:
  - namespacePodSelector:
      namespace: ns1
      pod: pod1
  - namespacePodSelector:
      namespace: ns2
      pod: pod2
  l4Protocols:
  - tcp
  - udp

is equivalent to two flow log filters:

  source:
  - namespacePodSelector:
      namespace: ns1
      pod: pod1
  - namespacePodSelector:
      namespace: ns2
      pod: pod2
  l4Protocols:
  - tcp
  - udp

and

  destination:
  - namespacePodSelector:
      namespace: ns1
      pod: pod1
  - namespacePodSelector:
      namespace: ns2
      pod: pod2
  l4Protocols:
  - tcp
  - udp
l4Protocols Protocol array L4Protocols filters flow events by L4 protocols defined in [v1.Protocol]. Each protocol must be specified at most once.
verdicts PolicyVerdict array Verdicts filters flow events by verdict classification.
clusterNodeSelectors ClusterNodeSelector array ClusterNodeSelectors is a list of clusters and/or nodes used to match flows.
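The matching rules above (absent field = no filtering, AND across the fields of one filter, OR within a list, and the expansion of "endpoint" into a source filter plus a destination filter), evaluated over a few constructed flow events. This is an added example, not code from this page or from GDC. It assumes a flow-event shape of its own (src/dst with namespace, pod, ip, port; proto; verdict), uses placeholder verdict strings rather than real PolicyVerdict values, spells the selector list as namespacePodSelectors as in the NetworkEndpointFilter table, and assumes the fields inside one NetworkEndpointFilter are ANDed, which the page does not state explicitly.

```python
"""Evaluate FlowLogSpec / FlowLogFilter matching over constructed flow events.

Added example, not GDC code. Flow events and verdict strings are constructed;
AND across the fields of one NetworkEndpointFilter is an assumption.
"""
import ipaddress


def _ip_matches(ip, blocks):
    """ipBlocks: exact IP or CIDR; an absent list matches any IP."""
    if not blocks:
        return True
    addr = ipaddress.ip_address(ip)
    for block in blocks:
        if "/" in block:
            if addr in ipaddress.ip_network(block, strict=False):
                return True
        elif addr == ipaddress.ip_address(block):
            return True
    return False


def _ns_pod_matches(endpoint, selectors):
    """namespacePodSelectors: namespace is an exact match, pod is a name prefix."""
    if not selectors:
        return True
    for sel in selectors:
        ns_ok = "namespace" not in sel or endpoint["namespace"] == sel["namespace"]
        pod_ok = "pod" not in sel or endpoint["pod"].startswith(sel["pod"])
        if ns_ok and pod_ok:
            return True
    return False


def endpoint_matches(endpoint, flt):
    """NetworkEndpointFilter: OR within each list, AND across fields (assumption)."""
    if flt is None:
        return True
    ports = [int(p) for p in flt.get("ports", [])]
    return (_ip_matches(endpoint["ip"], flt.get("ipBlocks"))
            and _ns_pod_matches(endpoint, flt.get("namespacePodSelectors"))
            and (not ports or endpoint["port"] in ports))


def expand_endpoint(flt):
    """'endpoint' is shorthand for two filters: one as source, one as destination."""
    if "endpoint" not in flt:
        return [flt]
    if "source" in flt or "destination" in flt:
        raise ValueError("endpoint must not be combined with source or destination")
    base = {k: v for k, v in flt.items() if k != "endpoint"}
    return [dict(base, source=flt["endpoint"]), dict(base, destination=flt["endpoint"])]


def filter_matches(flow, flt):
    """All specified FlowLogFilter fields must match; absent fields do not filter."""
    return (endpoint_matches(flow["src"], flt.get("source"))
            and endpoint_matches(flow["dst"], flt.get("destination"))
            and (not flt.get("l4Protocols") or flow["proto"] in flt["l4Protocols"])
            and (not flt.get("verdicts") or flow["verdict"] in flt["verdicts"]))


def should_log(flow, spec):
    """FlowLogSpec: a disabled log captures nothing; otherwise any matching filter logs."""
    if not spec.get("enable", True):
        return False
    filters = [f for raw in spec.get("filters", []) for f in expand_endpoint(raw)]
    return any(filter_matches(flow, f) for f in filters)


# Constructed FlowLogSpec: the page's pod-to-pod example, plus an endpoint filter
# that catches UDP/53 to or from 10.0.0.0/24 whichever side the resolver is on.
SPEC = {
    "enable": True,
    "filters": [
        {"source": {"namespacePodSelectors": [{"namespace": "ns1", "pod": "pod1"},
                                               {"namespace": "ns2", "pod": "pod2"}]},
         "destination": {"namespacePodSelectors": [{"namespace": "ns1", "pod": "pod1"},
                                                    {"namespace": "ns2", "pod": "pod2"}]},
         "l4Protocols": ["tcp", "udp"]},
        {"endpoint": {"ipBlocks": ["10.0.0.0/24"], "ports": ["53"]},
         "l4Protocols": ["udp"]},
    ],
}


def _ep(namespace, pod, ip, port):
    return {"namespace": namespace, "pod": pod, "ip": ip, "port": port}


# Constructed flow events; "forwarded" is a placeholder, not a GDC PolicyVerdict value.
POD_TO_POD_TCP = {"src": _ep("ns1", "pod1-7f9c", "10.1.0.5", 45000),
                  "dst": _ep("ns2", "pod2-b21a", "10.1.0.9", 8080),
                  "proto": "tcp", "verdict": "forwarded"}
POD_TO_POD_ICMP = dict(POD_TO_POD_TCP, proto="icmp")
DNS_QUERY_UDP = {"src": _ep("ns3", "web-0", "10.1.0.7", 5555),
                 "dst": _ep("kube-system", "coredns-1", "10.0.0.10", 53),
                 "proto": "udp", "verdict": "forwarded"}
DNS_QUERY_TCP = dict(DNS_QUERY_UDP, proto="tcp")

if __name__ == "__main__":
    for name, flow in [("pod->pod tcp", POD_TO_POD_TCP), ("pod->pod icmp", POD_TO_POD_ICMP),
                       ("dns udp", DNS_QUERY_UDP), ("dns tcp", DNS_QUERY_TCP)]:
        print(f"{name}: logged={should_log(flow, SPEC)}")
```

The ICMP flow between the two selected pods is not logged because l4Protocols, once set, is one more AND condition; the DNS query is logged only through the destination half of the expanded endpoint filter, which is exactly why a single endpoint entry saves writing two filters by hand.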

FlowLogList

FlowLogList contains a list of FlowLog.

Field Description
apiVersion string networking.gdc.goog/v1
kind string FlowLogList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items FlowLog array Items is a list of flow log entries.

FlowLogSpec

FlowLogSpec defines the flow log filters to be applied. When multiple filters are present, the flow will be logged if at least one filter matches the flow event.

Appears in: - FlowLog

Field Description
enable boolean Enable indicates if this flow log is enabled. When disabled, the backend flow filters will be disabled, and no corresponding logs will be collected. Defaults to true if not specified.
filters FlowLogFilter array Filters defines a list of filters used for matching flow events. Flow events matching any of the provided filter rules will be logged.
lifetime Lifetime Lifetime defines when this flow logging rule will be disabled. If nil, this flow logging rule will be enabled indefinitely.
logDetailLevel LogDetailLevel LogDetailLevel determines the fields to be logged for matching flow events. If nil, default to logging all fields.

FlowLogStatus

FlowLogStatus defines the observed state of flow logs.

Appears in: - FlowLog

Field Description
conditions Condition array Conditions indicate the current status of flow logs. Known condition types are: - "Reconciled": The flow log is reconciled and provisioned successfully. - "Logging": the flow log is currently reconciled and active (within lifetime).
clusters PropagationStatus array Clusters describes propagation status of this flow log in each cluster where the resource has been propagated. The Propagated condition is set to true in the Conditions if this resource is synced to the cluster, and its ObservedGeneration is set to the generation of the propagated resource in the target cluster. If this resource is successfully pruned from a cluster, the corresponding PropagationStatus should be removed from the list.
startTime Time StartTime indicates the time of the flow log becoming active. StartTime is set by reconciler when it first touches the object, or when the Spec is changed.
endTime Time EndTime indicates the time of the flow log becoming inactive. EndTime is set by the reconciler as follows:
- When the flow log has an infinite lifetime (FlowLogSpec.Lifetime is unspecified), EndTime may be empty.
- When FlowLogSpec.Lifetime.Expiration is set, its value will be copied to EndTime directly.
- When FlowLogSpec.Lifetime.Duration is set, EndTime will be set to (StartTime + FlowLogSpec.Lifetime.Duration).

Lifetime

Lifetime describes the lifetime of a flow log. One of "expiration" or "duration" must be specified, but not both.

Appears in: - FlowLogSpec

Field Description
expiration Time Expiration specifies the time when this filter rule will expire and become inactive. Expiration must be a time in the future. It includes the time required to propagate resources down to child clusters, so the value should account for an additional buffer of around 1 minute to ensure that all clusters can begin logging and capture the necessary traffic.
duration Duration Duration specifies how long the flow log will be active, starting from when it is reconciled. It includes the time required to propagate resources down to child clusters, so the value should account for an additional buffer of around 1 minute to ensure that all clusters can begin logging and capture the necessary traffic.
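The Lifetime constraints (exactly one of expiration or duration, expiration in the future) and the FlowLogStatus.endTime derivation, worked through in code. This is an added example, not code from this page or from GDC. It assumes Duration is written as a Go-style string such as "30m" or "1h30m", assumes Expiration is an RFC 3339 timestamp, and uses a constructed reconcile time in place of the real startTime; the one-minute propagation buffer check encodes the guidance above.

```python
"""Validate a FlowLog Lifetime and derive FlowLogStatus.endTime as the page describes.

Added example, not GDC code. Timestamps are constructed; parsing Duration as a
Go-style string ("30m", "1h30m") is an assumption.
"""
import re
from datetime import datetime, timedelta, timezone

PROPAGATION_BUFFER = timedelta(minutes=1)  # the ~1 minute the page says to budget
_UNIT_SECONDS = {"h": 3600, "m": 60, "s": 1, "ms": 0.001}
_DURATION_RE = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")


def parse_duration(text):
    """Go-style duration ("1h30m") to timedelta; rejects trailing garbage."""
    parts = _DURATION_RE.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad duration: {text!r}")
    return timedelta(seconds=sum(float(n) * _UNIT_SECONDS[u] for n, u in parts))


def parse_time(text):
    """RFC 3339 timestamp; 'Z' normalised for datetime.fromisoformat on older Pythons."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def validate_lifetime(lifetime, now):
    """Exactly one of expiration/duration; expiration must lie in the future."""
    if lifetime is None:
        return
    if ("expiration" in lifetime) == ("duration" in lifetime):
        raise ValueError("exactly one of expiration or duration must be set")
    if "expiration" in lifetime and parse_time(lifetime["expiration"]) <= now:
        raise ValueError("expiration must be in the future")


def compute_end_time(start_time, lifetime):
    """FlowLogStatus.endTime: None when unbounded, expiration copied, or start + duration."""
    if lifetime is None:
        return None
    if "expiration" in lifetime:
        return parse_time(lifetime["expiration"])
    return start_time + parse_duration(lifetime["duration"])


def effective_window(start_time, lifetime):
    """Logging time left once propagation to child clusters is budgeted; None if unbounded."""
    end = compute_end_time(start_time, lifetime)
    if end is None:
        return None
    return end - start_time - PROPAGATION_BUFFER


def lifetime_warnings(start_time, lifetime):
    """A lifetime shorter than the buffer may expire before any cluster starts logging."""
    window = effective_window(start_time, lifetime)
    if window is not None and window <= timedelta(0):
        return ["lifetime is shorter than the propagation buffer; child clusters may never log"]
    return []


# Constructed reconcile time standing in for FlowLogStatus.startTime.
START = datetime(2025, 1, 1, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for lt in [None, {"duration": "30m"}, {"expiration": "2025-01-01T13:00:00Z"}, {"duration": "30s"}]:
        validate_lifetime(lt, START)
        print(lt, "->", compute_end_time(START, lt), lifetime_warnings(START, lt))
```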

LogDetailLevel

Underlying type: string

LogDetailLevel is a list of predefined combinations of fields to be logged when filtered flow events are captured.

Appears in: - FlowLogSpec

ManagedServiceSubject

ManagedServiceSubject defines a managed service target.

Appears in: - OrganizationNetworkPolicySubject

Field Description
matchTypes string array MatchTypes specifies the org managed service types that the policy applies to.

NamespacePodSelector

NamespacePodSelector includes information used to locate pod(s) inside the specified namespace. Either namespace or pod or both must be specified.

Appears in: - NetworkEndpointFilter

Field Description
namespace string Namespace selects flow events that match the namespace name. e.g. "kube-system".
pod string Pod selects flow events that match the given pod name prefix, e.g. "xwing", "coredns-".

NetworkEndpointFilter

NetworkEndpointFilter selects a set of network endpoints based on the filter conditions specified.

Appears in: - FlowLogFilter

Field Description
ipBlocks string array IPBlocks selects flow events that match the IP or IP range. Each of the ips can be specified as an exact match (e.g. "1.1.1.1" or "1200:0000:AB00:1234:0000:2552:7777:1313") or as a CIDR range (e.g. "1.1.1.0/24" or "1200:0000:AB00:1234:0000:2552:7777:1313/120"). If not specified, any IP will be matched.
labels LabelSelector array Labels selects flow events that match the label selector. Selectors support the full Kubernetes label selector syntax.
namespacePodSelectors NamespacePodSelector array NamespacePodSelectors is a list of namespaces and/or pods used to match flows.
ports IntOrString array Ports filters flows by L4 port(s). If this field is not provided, all port numbers are matched. Example value: "80" (a single port). If present, only traffic on one of the specified ports will be matched; combine it with l4Protocols on the enclosing FlowLogFilter to restrict the protocol as well.

OrganizationNetworkPolicy

OrganizationNetworkPolicy is the Schema for the organizationnetworkpolicies API.

Appears in: - OrganizationNetworkPolicyList

Field Description
apiVersion string networking.gdc.goog/v1
kind string OrganizationNetworkPolicy
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec OrganizationNetworkPolicySpec Spec contains the desired configuration for OrganizationNetworkPolicy.
status OrganizationNetworkPolicyStatus Status contains the observed state for OrganizationNetworkPolicy.

OrganizationNetworkPolicyIngressRule

OrganizationNetworkPolicyIngressRule defines a single ingress rule for a OrganizationNetworkPolicy.

Appears in: - OrganizationNetworkPolicySpec

Field Description
from OrganizationNetworkPolicyPeer array List of sources which should be able to access the subject of the policy. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field contains at least one item, this rule allows traffic only if the traffic matches at least one item in the "from" list. At most one item can be specified.

OrganizationNetworkPolicyList

OrganizationNetworkPolicyList contains a list of OrganizationNetworkPolicy.

Field Description
apiVersion string networking.gdc.goog/v1
kind string OrganizationNetworkPolicyList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items OrganizationNetworkPolicy array Items is a list of OrganizationNetworkPolicy entries.

OrganizationNetworkPolicyPeer

OrganizationNetworkPolicyPeer describes a peer to allow traffic from.

Appears in: - OrganizationNetworkPolicyIngressRule

Field Description
ipBlock IPBlock IPBlock defines policy on a particular IPBlock. If empty, then allows all traffic (0.0.0.0/0).

OrganizationNetworkPolicySpec

OrganizationNetworkPolicySpec defines the desired state of OrganizationNetworkPolicy. The array of ingress rules for this policy applies to the specified subject/target. When multiple rules are present, or when multiple policies are present, the rules for each are combined additively. In other words, traffic is allowed if it matches at least one rule.

Appears in: - OrganizationNetworkPolicy

Field Description
subject OrganizationNetworkPolicySubject Subject specifies the managed services of the organization network policies.
ingress OrganizationNetworkPolicyIngressRule array Ingress defines the ingress rules for the traffic. If Ingress is empty or missing, the policy does not allow any traffic. If this field contains at least one item, the policy allows traffic only if the traffic matches at least one item in a rule's "from" list.

OrganizationNetworkPolicyStatus

OrganizationNetworkPolicyStatus defines the observed state of OrganizationNetworkPolicy.

Appears in: - OrganizationNetworkPolicy

Field Description
conditions Condition array If Ready is True, the OrganizationNetworkPolicy has been successfully propagated to the org admin cluster; if Ready is False, the OrganizationNetworkPolicy has failed to propagate.
generatedauthorizationpolicies AuthorizationPolicyRef array GeneratedAuthorizationPolicies is the list of authorization policies that are generated from the OrganizationNetworkPolicy.

OrganizationNetworkPolicySubject

OrganizationNetworkPolicySubject represents the organization service targets. Must choose exactly one of the properties for the target.

Appears in: - OrganizationNetworkPolicySpec

Field Description
subjectType OrganizationNetworkPolicySubjectType SubjectType specifies the type of entities the policy rules apply to. If not set, then it defaults to ManagedService.
services ManagedServiceSubject Services represents the managed services you want to select. Supported org multi-tenant services are:
- UIConsole
- APIServer
Support for MT managed services such as ODS is planned for the future.

OrganizationNetworkPolicySubjectType

Underlying type: string

OrganizationNetworkPolicySubjectType defines the target type of the policies.

Appears in: - OrganizationNetworkPolicySubject

PolicyManagedServiceSubject

PolicyManagedServiceSubject defines a managed service target.

Appears in: - ProjectNetworkPolicySubject

Field Description
matchTypes string array MatchTypes specifies the managed service types that the policy applies to. Exactly one item can be specified.

PolicyProjects

PolicyProjects is used to match a set of projects.

Appears in: - ProjectNetworkPolicyPeer

Field Description
matchNames string array MatchNames selects the projects within the organization by their name. The project namespace is derived from the project network policy's namespace. If this field is empty or missing, this rule matches all projects. At most one item can be specified.

PolicySubjectType

Underlying type: string

PolicySubjectType defines the target type of the network policies.

Appears in: - ProjectNetworkPolicySubject

PolicyType

Underlying type: string

PolicyType specifies the direction of traffic on which the policy rules are applied.

Appears in: - ProjectNetworkPolicySpec

PolicyVerdict

Underlying type: string

PolicyVerdict is a list of verdicts classifying flows.

Appears in: - FlowLogFilter

ProjectNetworkPolicy

ProjectNetworkPolicy is the Schema for the projectnetworkpolicies API.

Appears in: - ProjectNetworkPolicyList

Field Description
apiVersion string networking.gdc.goog/v1
kind string ProjectNetworkPolicy
metadata ObjectMeta Refer to Kubernetes API documentation for fields of metadata.
spec ProjectNetworkPolicySpec Spec contains the desired configuration for ProjectNetworkPolicy.
status ProjectNetworkPolicyStatus Status contains the observed state for ProjectNetworkPolicy.

ProjectNetworkPolicyEgressRule

ProjectNetworkPolicyEgressRule defines a single egress rule for a ProjectNetworkPolicy.

Appears in: - ProjectNetworkPolicySpec

Field Description
ports ProjectNetworkPolicyPort array List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
to ProjectNetworkPolicyPeer array List of destinations for outgoing traffic of the subject for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field contains at least one item, this rule allows traffic only if the traffic matches at least one item in the "to" list. At most one item can be specified.

ProjectNetworkPolicyIngressRule

ProjectNetworkPolicyIngressRule defines a single ingress rule for a ProjectNetworkPolicy.

Appears in: - ProjectNetworkPolicySpec

Field Description
ports ProjectNetworkPolicyPort array List of ports for incoming traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.
from ProjectNetworkPolicyPeer array List of sources which should be able to access the subject of the policy. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field contains at least one item, this rule allows traffic only if the traffic matches at least one item in the "from" list. At most one item can be specified.

ProjectNetworkPolicyList

ProjectNetworkPolicyList contains a list of ProjectNetworkPolicy.

Field Description
apiVersion string networking.gdc.goog/v1
kind string ProjectNetworkPolicyList
metadata ListMeta Refer to Kubernetes API documentation for fields of metadata.
items ProjectNetworkPolicy array Items is a list of ProjectNetworkPolicy entries.

ProjectNetworkPolicyPeer

ProjectNetworkPolicyPeer describes a peer to allow traffic from. Exactly one of the subfields must be specified.

Appears in: - ProjectNetworkPolicyEgressRule - ProjectNetworkPolicyIngressRule

Field Description
projects PolicyProjects Projects defines the projects to apply the network policy to.
ipBlock IPBlock IPBlock defines policy on a particular IPBlock. If empty, then all external IPs (excludes k8s nodes, workloads in the organization) are selected.

ProjectNetworkPolicyPort

ProjectNetworkPolicyPort describes a port to allow traffic on. If all subfields are empty, all TCP traffic is selected.

Appears in: - ProjectNetworkPolicyEgressRule - ProjectNetworkPolicyIngressRule

Field Description
protocol Protocol The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.
port IntOrString The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol AND port will be matched.

ProjectNetworkPolicySpec

ProjectNetworkPolicySpec defines the desired state of ProjectNetworkPolicy. The array of ingress or egress rules for this policy applies to the specified subject/target. When multiple rules are present, or when multiple policies are present, the rules for each are combined additively. In other words, traffic is allowed if it matches at least one rule.

Appears in: - ProjectNetworkPolicy

Field Description
subject ProjectNetworkPolicySubject Subject specifies the target of the project network policies. If not specified, all pods excluding the managed services in the project are selected.
policyType PolicyType PolicyType specifies the direction of traffic on which the policy rules are applied. This must be set to one of Ingress and Egress. If not set, then it defaults to Ingress.
ingress ProjectNetworkPolicyIngressRule array Ingress defines the list of ingress rules for this policy. If this field is empty or nil, the ProjectNetworkPolicy does not allow any traffic (and serves solely to ensure that subjects it selects are isolated by default).
egress ProjectNetworkPolicyEgressRule array Egress defines the list of egress rules for this policy. If this field is empty or nil, the ProjectNetworkPolicy does not allow any traffic (and serves solely to ensure that subjects it selects are isolated by default).
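The ProjectNetworkPolicy semantics described in the Peer, Port and Spec tables (exactly one of projects/ipBlock per peer, protocol defaulting to TCP, rules and policies combined additively, and an empty rule list isolating the subject), evaluated for a few constructed connections. This is an added example, not code from this page or from GDC. It assumes the IPBlock shape is the Kubernetes NetworkPolicy one (cidr plus an except list), which this page does not define; it assumes a connection record of its own (protocol, port, and a remote that is either an in-organization workload tagged with its project or an external IP); and it assumes that a subject with no policy at all in a direction is unrestricted, which the page does not state.

```python
"""Decide whether a connection is allowed under a set of ProjectNetworkPolicy specs.

Added example, not GDC code. The IPBlock shape (cidr + except) is borrowed from
Kubernetes NetworkPolicy; connections and policies below are constructed.
"""
import ipaddress


def validate_peer(peer):
    """ProjectNetworkPolicyPeer: exactly one of projects / ipBlock; matchNames at most one."""
    chosen = {"projects", "ipBlock"} & set(peer)
    if len(chosen) != 1:
        raise ValueError("peer must set exactly one of projects or ipBlock")
    if "projects" in peer and len(peer["projects"].get("matchNames", [])) > 1:
        raise ValueError("projects.matchNames: at most one item can be specified")


def peer_matches(remote, peer):
    validate_peer(peer)
    if "projects" in peer:
        # A projects peer only ever selects workloads inside the organization.
        if remote["kind"] != "workload":
            return False
        names = peer["projects"].get("matchNames", [])
        return not names or remote["project"] in names
    # An ipBlock peer only selects external IPs; an empty ipBlock means all of them.
    if remote["kind"] != "external":
        return False
    block = peer["ipBlock"] or {}
    if not block:
        return True
    addr = ipaddress.ip_address(remote["ip"])
    if addr not in ipaddress.ip_network(block["cidr"], strict=False):
        return False
    return not any(addr in ipaddress.ip_network(e, strict=False)
                   for e in block.get("except", []))


def port_matches(conn, rule_port):
    """ProjectNetworkPolicyPort: protocol defaults to TCP; no port means any port."""
    if conn["protocol"] != rule_port.get("protocol", "TCP"):
        return False
    return "port" not in rule_port or conn["port"] == rule_port["port"]


def rule_allows(conn, rule, peer_key):
    """Ports are OR'd, peers are OR'd, and both groups must match (empty group = unrestricted)."""
    peers = rule.get(peer_key) or []
    if len(peers) > 1:
        raise ValueError(f"{peer_key}: at most one item can be specified")
    ports_ok = not rule.get("ports") or any(port_matches(conn, p) for p in rule["ports"])
    peers_ok = not peers or any(peer_matches(conn["remote"], p) for p in peers)
    return ports_ok and peers_ok


def is_allowed(conn, specs, direction="Ingress"):
    """Rules across all policies of one direction are additive; a policy with no
    rules allows nothing but still isolates the subject."""
    rules_key, peer_key = ("ingress", "from") if direction == "Ingress" else ("egress", "to")
    selecting = [s for s in specs if s.get("policyType", "Ingress") == direction]
    if not selecting:
        return True  # assumption: no policy in this direction leaves traffic unrestricted
    return any(rule_allows(conn, rule, peer_key)
               for spec in selecting for rule in (spec.get(rules_key) or []))


# Constructed policies, as the spec: field of three ProjectNetworkPolicy objects.
ISOLATE_INGRESS = {"policyType": "Ingress"}  # empty ingress: deny all inbound
ALLOW_HTTPS_FROM_PROJ_B = {
    "policyType": "Ingress",
    "ingress": [{"ports": [{"port": 443}],  # protocol defaults to TCP
                 "from": [{"projects": {"matchNames": ["proj-b"]}}]}],
}
ALLOW_DNS_TO_RESOLVERS = {
    "policyType": "Egress",
    "egress": [{"ports": [{"protocol": "UDP", "port": 53}],
                "to": [{"ipBlock": {"cidr": "203.0.113.0/24", "except": ["203.0.113.7/32"]}}]}],
}


def conn(protocol, port, remote):
    return {"protocol": protocol, "port": port, "remote": remote}


WORKLOAD_B = {"kind": "workload", "project": "proj-b"}
WORKLOAD_C = {"kind": "workload", "project": "proj-c"}
RESOLVER = {"kind": "external", "ip": "203.0.113.5"}
EXCLUDED_RESOLVER = {"kind": "external", "ip": "203.0.113.7"}

if __name__ == "__main__":
    print(is_allowed(conn("TCP", 443, WORKLOAD_B), [ISOLATE_INGRESS]))                          # False
    print(is_allowed(conn("TCP", 443, WORKLOAD_B), [ISOLATE_INGRESS, ALLOW_HTTPS_FROM_PROJ_B]))  # True
    print(is_allowed(conn("UDP", 53, RESOLVER), [ALLOW_DNS_TO_RESOLVERS], "Egress"))            # True
```

The isolating policy and the allowing policy are additive, so adding ALLOW_HTTPS_FROM_PROJ_B next to ISOLATE_INGRESS opens exactly TCP/443 from proj-b and nothing else; an external source on the same port stays blocked because a projects peer never selects external IPs, just as an ipBlock peer never selects in-organization workloads.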

ProjectNetworkPolicyStatus

ProjectNetworkPolicyStatus defines the observed state of ProjectNetworkPolicy.

Appears in: - ProjectNetworkPolicy

Field Description
conditions Condition array If Ready is True, it means that all NetworkPolicies are successfully propagated to all user clusters; if Ready is False, it means that some (or all) NetworkPolicies have failed to propagate.
propagatedName string PropagatedName is the name of the propagated NetworkPolicy realized in all user clusters within the project. Expected to be set when SubjectType="UserWorkload".
clusters ClusterStatus array Clusters is the list of propagation status on the clusters. Expected to be set when SubjectType="UserWorkload".
propagatedManagedServiceNamespaces string array PropagatedManagedServiceNamespaces is the list of managed service namespaces that the policy is propagated to. Expected to be set when SubjectType="ManagedService".

ProjectNetworkPolicySubject

ProjectNetworkPolicySubject defines the target for project network policies.

Appears in: - ProjectNetworkPolicySpec

Field Description
subjectType PolicySubjectType SubjectType specifies the type of entities the policy rules apply to. This must be set to one of UserWorkload and ManagedService. If not set, then it defaults to UserWorkload. If set to UserWorkload, then all pods excluding the managed services in the project are selected. If set to ManagedService, then specified managed services are selected.
managedServices PolicyManagedServiceSubject ManagedServices selects the managed services that the policy rules apply to. Must be specified only with SubjectType=ManagedService.

PropagationStatus

PropagationStatus contains the propagation status for a specific cluster.

Appears in: - FlowLogStatus

Field Description
cluster string Cluster is the cluster name where this resource is propagated.
node string Node is the node name where this resource is propagated.
namespace string Namespace is the namespace where this resource is propagated.
name string Name is the name of the propagated resource.
conditions Condition array Conditions indicate the current status of the programmed resources.