Documentation
Overview
Package v1 contains API Schema definitions for the firewall v1 API group.
+kubebuilder:object:generate=true
+groupName=metal-stack.io
Index
- Constants
- Variables
- type ClusterwideNetworkPolicy
- type ClusterwideNetworkPolicyList
- func (in *ClusterwideNetworkPolicyList) DeepCopy() *ClusterwideNetworkPolicyList
- func (in *ClusterwideNetworkPolicyList) DeepCopyInto(out *ClusterwideNetworkPolicyList)
- func (in *ClusterwideNetworkPolicyList) DeepCopyObject() runtime.Object
- func (l *ClusterwideNetworkPolicyList) GetFQDNs() []FQDNSelector
- type EgressRule
- type FQDNSelector
- type FQDNState
- type IPSet
- type IPVersion
- type IngressRule
- type PolicyDeploymentState
- type PolicySpec
- type PolicyStatus
Constants
const (
	// PolicyDeploymentStateDeployed: the CWNP was deployed to a native nftables rule.
	PolicyDeploymentStateDeployed = PolicyDeploymentState("deployed")
	// PolicyDeploymentStateIgnored: the CWNP was not deployed to a native nftables rule because it is outside of the allowed networks.
	PolicyDeploymentStateIgnored = PolicyDeploymentState("ignored")
)
Variables
var (
	// GroupVersion is the group version used to register these objects.
	GroupVersion = schema.GroupVersion{Group: "metal-stack.io", Version: "v1"}
	// SchemeBuilder is used to add Go types to the GroupVersionKind scheme.
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Functions
This section is empty.
Types
type ClusterwideNetworkPolicy
type ClusterwideNetworkPolicy struct {
metav1.TypeMeta `json:",inline"`
metav1.ObjectMeta `json:"metadata,omitempty"`
Spec PolicySpec `json:"spec,omitempty"`
Status PolicyStatus `json:"status,omitempty"`
}
ClusterwideNetworkPolicy contains the desired state for a cluster-wide network policy to be applied.
+kubebuilder:object:root=true
+kubebuilder:resource:shortName=cwnp
+kubebuilder:subresource:status
+kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.state"
+kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.message"
func (*ClusterwideNetworkPolicy) DeepCopy
func (in *ClusterwideNetworkPolicy) DeepCopy() *ClusterwideNetworkPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterwideNetworkPolicy.
func (*ClusterwideNetworkPolicy) DeepCopyInto
func (in *ClusterwideNetworkPolicy) DeepCopyInto(out *ClusterwideNetworkPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterwideNetworkPolicy) DeepCopyObject
func (in *ClusterwideNetworkPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ClusterwideNetworkPolicyList
type ClusterwideNetworkPolicyList struct {
metav1.TypeMeta `json:",inline"`
metav1.ListMeta `json:"metadata,omitempty"`
Items []ClusterwideNetworkPolicy `json:"items"`
}
ClusterwideNetworkPolicyList contains a list of ClusterwideNetworkPolicy.
+kubebuilder:object:root=true
func (*ClusterwideNetworkPolicyList) DeepCopy
func (in *ClusterwideNetworkPolicyList) DeepCopy() *ClusterwideNetworkPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterwideNetworkPolicyList.
func (*ClusterwideNetworkPolicyList) DeepCopyInto
func (in *ClusterwideNetworkPolicyList) DeepCopyInto(out *ClusterwideNetworkPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterwideNetworkPolicyList) DeepCopyObject
func (in *ClusterwideNetworkPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*ClusterwideNetworkPolicyList) GetFQDNs
func (l *ClusterwideNetworkPolicyList) GetFQDNs() []FQDNSelector
type EgressRule
type EgressRule struct {
// List of destination ports for outgoing traffic.
// Each item in this list is combined using a logical OR. If this field is
// empty or missing, this rule matches all ports (traffic not restricted by port).
// If this field is present and contains at least one item, then this rule allows
// traffic only if the traffic matches at least one port in the list.
// +optional
Ports []networking.NetworkPolicyPort `json:"ports,omitempty"`
// List of destinations for outgoing traffic of a cluster for this rule.
// Items in this list are combined using a logical OR operation. If this field is
// empty or missing, this rule matches all destinations (traffic not restricted by
// destination). If this field is present and contains at least one item, this rule
// allows traffic only if the traffic matches at least one item in the to list.
// To rules can't contain ToFQDNs rules.
// +optional
To []networking.IPBlock `json:"to,omitempty"`
// List of FQDNs (fully qualified domain names) for outgoing traffic of a cluster for this rule.
// Items in this list are combined using a logical OR operation. This field is used as
// a whitelist for DNS names. If none is specified, no rule will be applied.
// ToFQDNs rules can't contain To rules.
// +optional
ToFQDNs []FQDNSelector `json:"toFQDNs,omitempty"`
}
EgressRule describes a particular set of traffic that is allowed out of the cluster. The traffic must match both ports and to.
func (*EgressRule) DeepCopy
func (in *EgressRule) DeepCopy() *EgressRule
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EgressRule.
func (*EgressRule) DeepCopyInto
func (in *EgressRule) DeepCopyInto(out *EgressRule)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FQDNSelector
type FQDNSelector struct {
// MatchName matches FQDN.
// +kubebuilder:validation:Pattern=`^([-a-zA-Z0-9_]+[.]?)+$`
MatchName string `json:"matchName,omitempty"`
// MatchPattern allows using "*" to match DNS names.
// "*" matches 0 or more valid characters.
// +kubebuilder:validation:Pattern=`^([-a-zA-Z0-9_*]+[.]?)+$`
MatchPattern string `json:"matchPattern,omitempty"`
}
FQDNSelector describes rules for matching DNS names.
func (*FQDNSelector) DeepCopy
func (in *FQDNSelector) DeepCopy() *FQDNSelector
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FQDNSelector.
func (*FQDNSelector) DeepCopyInto
func (in *FQDNSelector) DeepCopyInto(out *FQDNSelector)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*FQDNSelector) GetMatchName
func (s *FQDNSelector) GetMatchName() string
func (*FQDNSelector) GetName
func (s *FQDNSelector) GetName() string
func (*FQDNSelector) GetRegex
func (s *FQDNSelector) GetRegex() string
GetRegex converts a MatchPattern into a regexp string.
type FQDNState
func (FQDNState) DeepCopy
func (in FQDNState) DeepCopy() FQDNState
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FQDNState.
func (FQDNState) DeepCopyInto
func (in FQDNState) DeepCopyInto(out *FQDNState)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IPSet
type IPSet struct {
// FQDN which this IP set is for.
FQDN string `json:"fqdn,omitempty"`
// A hash value merely used for reference.
SetName string `json:"setName,omitempty"`
// Deprecated: use `IPExpirationTimes` instead.
IPs []string `json:"ips,omitempty"`
// Deprecated: use `IPExpirationTimes` instead.
ExpirationTime metav1.Time `json:"expirationTime,omitempty"`
// Maps IP addresses to their expiration times.
IPExpirationTimes map[string]metav1.Time `json:"ipExpirationTimes,omitempty"`
// Whether this is an IPv4 or an IPv6 set.
Version IPVersion `json:"version,omitempty"`
}
IPSet stores the association of a set name to IP addresses.
func (*IPSet) DeepCopy
func (in *IPSet) DeepCopy() *IPSet
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPSet.
func (*IPSet) DeepCopyInto
func (in *IPSet) DeepCopyInto(out *IPSet)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IngressRule
type IngressRule struct {
// List of ports which should be made accessible on the cluster for this
// rule. Each item in this list is combined using a logical OR. If this field is
// empty or missing, this rule matches all ports (traffic not restricted by port).
// If this field is present and contains at least one item, then this rule allows
// traffic only if the traffic matches at least one port in the list.
// +optional
Ports []networking.NetworkPolicyPort `json:"ports,omitempty"`
// List of sources which should be able to access the cluster for this rule.
// Items in this list are combined using a logical OR operation. If this field is
// empty or missing, this rule matches all sources (traffic not restricted by
// source). If this field is present and contains at least one item, this rule
// allows traffic only if the traffic matches at least one item in the from list.
// +optional
From []networking.IPBlock `json:"from,omitempty"`
}
IngressRule describes a particular set of traffic that is allowed to the cluster. The traffic must match both ports and from.
func (*IngressRule) DeepCopy
func (in *IngressRule) DeepCopy() *IngressRule
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressRule.
func (*IngressRule) DeepCopyInto
func (in *IngressRule) DeepCopyInto(out *IngressRule)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicyDeploymentState (added in v2.3.0)
type PolicyDeploymentState string
PolicyDeploymentState describes the state of a CWNP deployment.
type PolicySpec
type PolicySpec struct {
// Description is a free form string, it can be used by the creator of
// the rule to store human-readable explanation of the purpose of this
// rule. Rules cannot be identified by comment.
//
// +optional
Description string `json:"description,omitempty"`
// List of ingress rules to be applied. Traffic is allowed to
// a cluster if there is a ClusterwideNetworkPolicy that allows it, OR there is a service
// exposed with type LoadBalancer. Clusters are isolated by default.
// +optional
Ingress []IngressRule `json:"ingress,omitempty"`
// List of egress rules to be applied. Outgoing traffic is
// allowed if there is a ClusterwideNetworkPolicy that allows it.
// Clusters are isolated by default.
// +optional
Egress []EgressRule `json:"egress,omitempty"`
}
PolicySpec defines the rules to create for ingress and egress.
func (*PolicySpec) DeepCopy
func (in *PolicySpec) DeepCopy() *PolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicySpec.
func (*PolicySpec) DeepCopyInto
func (in *PolicySpec) DeepCopyInto(out *PolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicySpec) Validate
func (p *PolicySpec) Validate() error
Validate validates the spec of a ClusterwideNetworkPolicy.
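As an added example (not the firewall-controller's own code), the following Go program mirrors the constraints documented above for EgressRule, FQDNSelector and Validate: To and ToFQDNs are mutually exclusive, and a MatchPattern's "*" is turned into an anchored regular expression in the spirit of GetRegex. The FQDNSelector and EgressRule types are constructed stand-ins, and the within-label expansion of "*" as well as the case and trailing-dot normalisation are assumptions, not the project's implementation.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed stand-ins for the page's types; the real EgressRule carries
// networking.IPBlock and networking.NetworkPolicyPort values, omitted here.
type FQDNSelector struct{ MatchName, MatchPattern string }
type EgressRule struct {
	To      []string // CIDR strings standing in for networking.IPBlock
	ToFQDNs []FQDNSelector
}

// validateEgressRule enforces the documented rule that To and ToFQDNs are
// mutually exclusive; field syntax itself is enforced by the CRD patterns.
func validateEgressRule(r EgressRule) error {
	if len(r.To) > 0 && len(r.ToFQDNs) > 0 {
		return fmt.Errorf("egress rule must not set both to and toFQDNs")
	}
	return nil
}

// patternToRegex is an assumed reading of GetRegex: every rune is matched
// literally except "*", which expands to zero or more name characters within
// one label; the result is anchored so nothing can be appended to the name.
func patternToRegex(pattern string) string {
	// QuoteMeta escapes "*" to `\*` (and "." to `\.`); swap the star back in.
	return "^" + strings.ReplaceAll(regexp.QuoteMeta(pattern), `\*`, `[-a-zA-Z0-9_]*`) + "$"
}

// selectorMatches reports whether fqdn is allowed by s. DNS names compare
// case-insensitively, and a trailing dot (permitted by the CRD pattern) is ignored.
func selectorMatches(s FQDNSelector, fqdn string) bool {
	fqdn = strings.ToLower(strings.TrimSuffix(fqdn, "."))
	if s.MatchName != "" {
		return fqdn == strings.ToLower(strings.TrimSuffix(s.MatchName, "."))
	}
	re := regexp.MustCompile(patternToRegex(strings.ToLower(s.MatchPattern)))
	return re.MatchString(fqdn)
}

func main() {
	rule := EgressRule{ToFQDNs: []FQDNSelector{{MatchPattern: "*.example.com"}}}
	fmt.Println(validateEgressRule(rule), selectorMatches(rule.ToFQDNs[0], "API.example.com."))
}
```

Because the expression is anchored and "*" stays inside one label, "*.example.com" admits api.example.com but neither a.b.example.com nor api.example.com.other.net.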
type PolicyStatus
type PolicyStatus struct {
// FQDNState stores the mapping from FQDN rules to the nftables sets used for a firewall rule.
// The key is either MatchName or MatchPattern.
// +optional
FQDNState FQDNState `json:"fqdn_state,omitempty"`
// State of the CWNP; can be either deployed or ignored.
State PolicyDeploymentState `json:"state,omitempty"`
// Message describes why the state changed
Message string `json:"message,omitempty"`
}
PolicyStatus defines the observed state of a CWNP resource.
func (*PolicyStatus) DeepCopy
func (in *PolicyStatus) DeepCopy() *PolicyStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyStatus.
func (*PolicyStatus) DeepCopyInto
func (in *PolicyStatus) DeepCopyInto(out *PolicyStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.