Skip to content

Commit

Permalink
Update firewall crds (#181)
Browse files Browse the repository at this point in the history
  • Loading branch information
@majst01
majst01 authored May 12, 2021
1 parent d223748 commit b4627ad
Show file tree
Hide file tree
Showing 4 changed files with 193 additions and 232 deletions.
338 changes: 172 additions & 166 deletions charts/internal/crds-firewall/templates/metal-stack.io_clusterwidenetworkpolicies.yaml
View file
Original file line number Diff line number Diff line change
@@ -1,9 +1,10 @@

---
apiVersion: apiextensions.k8s.io/v1beta1
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.3.0
controller-gen.kubebuilder.io/version: v0.4.0
creationTimestamp: null
name: clusterwidenetworkpolicies.metal-stack.io
spec:
Expand All @@ -12,176 +13,181 @@ spec:
kind: ClusterwideNetworkPolicy
listKind: ClusterwideNetworkPolicyList
plural: clusterwidenetworkpolicies
shortNames:
- cwnp
singular: clusterwidenetworkpolicy
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
description: ClusterwideNetworkPolicy contains the desired state for a cluster
wide network policy to be applied.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: PolicySpec defines the rules to create for ingress and egress
properties:
description:
description: Description is a free form string, it can be used by the
creator of the rule to store human readable explanation of the purpose
of this rule. Rules cannot be identified by comment.
type: string
egress:
description: List of egress rules to be applied. Outgoing traffic is
allowed if there is a ClusterwideNetworkPolicy that allows it. Clusters
are isolated by default.
items:
description: EgressRule describes a particular set of traffic that
is allowed out of the cluster The traffic must match both ports
and to.
properties:
ports:
description: List of destination ports for outgoing traffic. Each
item in this list is combined using a logical OR. If this field
is empty or missing, this rule matches all ports (traffic not
restricted by port). If this field is present and contains at
least one item, then this rule allows traffic only if the traffic
matches at least one port in the list.
items:
description: NetworkPolicyPort describes a port to allow traffic
on
properties:
port:
anyOf:
- type: integer
- type: string
description: The port on the given protocol. This can either
be a numerical or named port on a pod. If this field is
not provided, this matches all port names and numbers.
x-kubernetes-int-or-string: true
protocol:
description: The protocol (TCP, UDP, or SCTP) which traffic
must match. If not specified, this field defaults to TCP.
type: string
type: object
type: array
to:
description: List of destinations for outgoing traffic of a cluster
for this rule. Items in this list are combined using a logical
OR operation. If this field is empty or missing, this rule matches
all destinations (traffic not restricted by destination). If
this field is present and contains at least one item, this rule
allows traffic only if the traffic matches at least one item
in the to list.
items:
description: IPBlock describes a particular CIDR (Ex. "192.168.1.1/24","2001:db9::/64")
that is allowed to the pods matched by a NetworkPolicySpec's
podSelector. The except entry describes CIDRs that should
not be included within this rule.
properties:
cidr:
description: CIDR is a string representing the IP Block
Valid examples are "192.168.1.1/24" or "2001:db9::/64"
type: string
except:
description: Except is a slice of CIDRs that should not
be included within an IP Block Valid examples are "192.168.1.1/24"
or "2001:db9::/64" Except values will be rejected if they
are outside the CIDR range
items:
type: string
type: array
required:
- cidr
type: object
type: array
type: object
type: array
ingress:
description: List of ingress rules to be applied. Traffic is allowed
to a cluster if there is a ClusterwideNetworkPolicy that allows it,
OR there is a service exposed with type Loadbalancer. Clusters are
isolated by default.
items:
description: IngressRule describes a particular set of traffic that
is allowed to the cluster. The traffic must match both ports and
from.
properties:
from:
description: List of sources which should be able to access the
cluster for this rule. Items in this list are combined using
a logical OR operation. If this field is empty or missing, this
rule matches all sources (traffic not restricted by source).
If this field is present and contains at least one item, this
rule allows traffic only if the traffic matches at least one
item in the from list.
items:
description: IPBlock describes a particular CIDR (Ex. "192.168.1.1/24","2001:db9::/64")
that is allowed to the pods matched by a NetworkPolicySpec's
podSelector. The except entry describes CIDRs that should
not be included within this rule.
properties:
cidr:
description: CIDR is a string representing the IP Block
Valid examples are "192.168.1.1/24" or "2001:db9::/64"
type: string
except:
description: Except is a slice of CIDRs that should not
be included within an IP Block Valid examples are "192.168.1.1/24"
or "2001:db9::/64" Except values will be rejected if they
are outside the CIDR range
items:
type: string
type: array
required:
- cidr
type: object
type: array
ports:
description: List of ports which should be made accessible on
the cluster for this rule. Each item in this list is combined
using a logical OR. If this field is empty or missing, this
rule matches all ports (traffic not restricted by port). If
this field is present and contains at least one item, then this
rule allows traffic only if the traffic matches at least one
port in the list.
items:
description: NetworkPolicyPort describes a port to allow traffic
on
properties:
port:
anyOf:
- type: integer
- type: string
description: The port on the given protocol. This can either
be a numerical or named port on a pod. If this field is
not provided, this matches all port names and numbers.
x-kubernetes-int-or-string: true
protocol:
description: The protocol (TCP, UDP, or SCTP) which traffic
must match. If not specified, this field defaults to TCP.
type: string
type: object
type: array
type: object
type: array
type: object
type: object
version: v1
versions:
- name: v1
schema:
openAPIV3Schema:
description: ClusterwideNetworkPolicy contains the desired state for a cluster
wide network policy to be applied.
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
description: PolicySpec defines the rules to create for ingress and egress
properties:
description:
description: Description is a free form string, it can be used by
the creator of the rule to store human readable explanation of the
purpose of this rule. Rules cannot be identified by comment.
type: string
egress:
description: List of egress rules to be applied. Outgoing traffic
is allowed if there is a ClusterwideNetworkPolicy that allows it.
Clusters are isolated by default.
items:
description: EgressRule describes a particular set of traffic that
is allowed out of the cluster The traffic must match both ports
and to.
properties:
ports:
description: List of destination ports for outgoing traffic.
Each item in this list is combined using a logical OR. If
this field is empty or missing, this rule matches all ports
(traffic not restricted by port). If this field is present
and contains at least one item, then this rule allows traffic
only if the traffic matches at least one port in the list.
items:
description: NetworkPolicyPort describes a port to allow traffic
on
properties:
port:
anyOf:
- type: integer
- type: string
description: The port on the given protocol. This can
either be a numerical or named port on a pod. If this
field is not provided, this matches all port names and
numbers.
x-kubernetes-int-or-string: true
protocol:
description: The protocol (TCP, UDP, or SCTP) which traffic
must match. If not specified, this field defaults to
TCP.
type: string
type: object
type: array
to:
description: List of destinations for outgoing traffic of a
cluster for this rule. Items in this list are combined using
a logical OR operation. If this field is empty or missing,
this rule matches all destinations (traffic not restricted
by destination). If this field is present and contains at
least one item, this rule allows traffic only if the traffic
matches at least one item in the to list.
items:
description: IPBlock describes a particular CIDR (Ex. "192.168.1.1/24","2001:db9::/64")
that is allowed to the pods matched by a NetworkPolicySpec's
podSelector. The except entry describes CIDRs that should
not be included within this rule.
properties:
cidr:
description: CIDR is a string representing the IP Block
Valid examples are "192.168.1.1/24" or "2001:db9::/64"
type: string
except:
description: Except is a slice of CIDRs that should not
be included within an IP Block Valid examples are "192.168.1.1/24"
or "2001:db9::/64" Except values will be rejected if
they are outside the CIDR range
items:
type: string
type: array
required:
- cidr
type: object
type: array
type: object
type: array
ingress:
description: List of ingress rules to be applied. Traffic is allowed
to a cluster if there is a ClusterwideNetworkPolicy that allows
it, OR there is a service exposed with type Loadbalancer. Clusters
are isolated by default.
items:
description: IngressRule describes a particular set of traffic that
is allowed to the cluster. The traffic must match both ports and
from.
properties:
from:
description: List of sources which should be able to access
the cluster for this rule. Items in this list are combined
using a logical OR operation. If this field is empty or missing,
this rule matches all sources (traffic not restricted by source).
If this field is present and contains at least one item, this
rule allows traffic only if the traffic matches at least one
item in the from list.
items:
description: IPBlock describes a particular CIDR (Ex. "192.168.1.1/24","2001:db9::/64")
that is allowed to the pods matched by a NetworkPolicySpec's
podSelector. The except entry describes CIDRs that should
not be included within this rule.
properties:
cidr:
description: CIDR is a string representing the IP Block
Valid examples are "192.168.1.1/24" or "2001:db9::/64"
type: string
except:
description: Except is a slice of CIDRs that should not
be included within an IP Block Valid examples are "192.168.1.1/24"
or "2001:db9::/64" Except values will be rejected if
they are outside the CIDR range
items:
type: string
type: array
required:
- cidr
type: object
type: array
ports:
description: List of ports which should be made accessible on
the cluster for this rule. Each item in this list is combined
using a logical OR. If this field is empty or missing, this
rule matches all ports (traffic not restricted by port). If
this field is present and contains at least one item, then
this rule allows traffic only if the traffic matches at least
one port in the list.
items:
description: NetworkPolicyPort describes a port to allow traffic
on
properties:
port:
anyOf:
- type: integer
- type: string
description: The port on the given protocol. This can
either be a numerical or named port on a pod. If this
field is not provided, this matches all port names and
numbers.
x-kubernetes-int-or-string: true
protocol:
description: The protocol (TCP, UDP, or SCTP) which traffic
must match. If not specified, this field defaults to
TCP.
type: string
type: object
type: array
type: object
type: array
type: object
type: object
served: true
storage: true
subresources:
status: {}
status:
acceptedNames:
kind: ""
Expand Down
2 changes: 2 additions & 0 deletions charts/internal/crds-firewall/templates/metal-stack.io_firewalls.yaml
View file
Original file line number Diff line number Diff line change
Expand Up @@ -13,6 +13,8 @@ spec:
kind: Firewall
listKind: FirewallList
plural: firewalls
shortNames:
- fw
singular: firewall
scope: Namespaced
versions:
Expand Down
Loading

0 comments on commit b4627ad

Please sign in to comment.