mirror of
https://github.com/ceph/ceph-csi.git
synced 2024-10-19 05:39:51 +00:00
e46099a504
Signed-off-by: Huamin Chen <hchen@redhat.com>
204 lines
10 KiB
Go
204 lines
10 KiB
Go
/*
|
|
Copyright 2017 The Kubernetes Authors.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
you may not use this file except in compliance with the License.
|
|
You may obtain a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
See the License for the specific language governing permissions and
|
|
limitations under the License.
|
|
*/
|
|
|
|
package v1
|
|
|
|
import (
|
|
"k8s.io/api/core/v1"
|
|
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
|
|
"k8s.io/apimachinery/pkg/util/intstr"
|
|
)
|
|
|
|
// +genclient
|
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
|
|
|
// NetworkPolicy describes what network traffic is allowed for a set of Pods
|
|
type NetworkPolicy struct {
|
|
metav1.TypeMeta `json:",inline"`
|
|
// Standard object's metadata.
|
|
// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
|
|
// +optional
|
|
metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
|
|
|
|
// Specification of the desired behavior for this NetworkPolicy.
|
|
// +optional
|
|
Spec NetworkPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
|
|
}
|
|
|
|
// Policy Type string describes the NetworkPolicy type
|
|
// This type is beta-level in 1.8
|
|
type PolicyType string
|
|
|
|
const (
|
|
// PolicyTypeIngress is a NetworkPolicy that affects ingress traffic on selected pods
|
|
PolicyTypeIngress PolicyType = "Ingress"
|
|
// PolicyTypeEgress is a NetworkPolicy that affects egress traffic on selected pods
|
|
PolicyTypeEgress PolicyType = "Egress"
|
|
)
|
|
|
|
// NetworkPolicySpec provides the specification of a NetworkPolicy
|
|
type NetworkPolicySpec struct {
|
|
// Selects the pods to which this NetworkPolicy object applies. The array of
|
|
// ingress rules is applied to any pods selected by this field. Multiple network
|
|
// policies can select the same set of pods. In this case, the ingress rules for
|
|
// each are combined additively. This field is NOT optional and follows standard
|
|
// label selector semantics. An empty podSelector matches all pods in this
|
|
// namespace.
|
|
PodSelector metav1.LabelSelector `json:"podSelector" protobuf:"bytes,1,opt,name=podSelector"`
|
|
|
|
// List of ingress rules to be applied to the selected pods. Traffic is allowed to
|
|
// a pod if there are no NetworkPolicies selecting the pod
|
|
// (and cluster policy otherwise allows the traffic), OR if the traffic source is
|
|
// the pod's local node, OR if the traffic matches at least one ingress rule
|
|
// across all of the NetworkPolicy objects whose podSelector matches the pod. If
|
|
// this field is empty then this NetworkPolicy does not allow any traffic (and serves
|
|
// solely to ensure that the pods it selects are isolated by default)
|
|
// +optional
|
|
Ingress []NetworkPolicyIngressRule `json:"ingress,omitempty" protobuf:"bytes,2,rep,name=ingress"`
|
|
|
|
// List of egress rules to be applied to the selected pods. Outgoing traffic is
|
|
// allowed if there are no NetworkPolicies selecting the pod (and cluster policy
|
|
// otherwise allows the traffic), OR if the traffic matches at least one egress rule
|
|
// across all of the NetworkPolicy objects whose podSelector matches the pod. If
|
|
// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
|
|
// solely to ensure that the pods it selects are isolated by default).
|
|
// This field is beta-level in 1.8
|
|
// +optional
|
|
Egress []NetworkPolicyEgressRule `json:"egress,omitempty" protobuf:"bytes,3,rep,name=egress"`
|
|
|
|
// List of rule types that the NetworkPolicy relates to.
|
|
// Valid options are Ingress, Egress, or Ingress,Egress.
|
|
// If this field is not specified, it will default based on the existence of Ingress or Egress rules;
|
|
// policies that contain an Egress section are assumed to affect Egress, and all policies
|
|
// (whether or not they contain an Ingress section) are assumed to affect Ingress.
|
|
// If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
|
|
// Likewise, if you want to write a policy that specifies that no egress is allowed,
|
|
// you must specify a policyTypes value that include "Egress" (since such a policy would not include
|
|
// an Egress section and would otherwise default to just [ "Ingress" ]).
|
|
// This field is beta-level in 1.8
|
|
// +optional
|
|
PolicyTypes []PolicyType `json:"policyTypes,omitempty" protobuf:"bytes,4,rep,name=policyTypes,casttype=PolicyType"`
|
|
}
|
|
|
|
// NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
|
|
// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
|
|
type NetworkPolicyIngressRule struct {
|
|
// List of ports which should be made accessible on the pods selected for this
|
|
// rule. Each item in this list is combined using a logical OR. If this field is
|
|
// empty or missing, this rule matches all ports (traffic not restricted by port).
|
|
// If this field is present and contains at least one item, then this rule allows
|
|
// traffic only if the traffic matches at least one port in the list.
|
|
// +optional
|
|
Ports []NetworkPolicyPort `json:"ports,omitempty" protobuf:"bytes,1,rep,name=ports"`
|
|
|
|
// List of sources which should be able to access the pods selected for this rule.
|
|
// Items in this list are combined using a logical OR operation. If this field is
|
|
// empty or missing, this rule matches all sources (traffic not restricted by
|
|
// source). If this field is present and contains at least on item, this rule
|
|
// allows traffic only if the traffic matches at least one item in the from list.
|
|
// +optional
|
|
From []NetworkPolicyPeer `json:"from,omitempty" protobuf:"bytes,2,rep,name=from"`
|
|
}
|
|
|
|
// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
|
|
// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
|
|
// This type is beta-level in 1.8
|
|
type NetworkPolicyEgressRule struct {
|
|
// List of destination ports for outgoing traffic.
|
|
// Each item in this list is combined using a logical OR. If this field is
|
|
// empty or missing, this rule matches all ports (traffic not restricted by port).
|
|
// If this field is present and contains at least one item, then this rule allows
|
|
// traffic only if the traffic matches at least one port in the list.
|
|
// +optional
|
|
Ports []NetworkPolicyPort `json:"ports,omitempty" protobuf:"bytes,1,rep,name=ports"`
|
|
|
|
// List of destinations for outgoing traffic of pods selected for this rule.
|
|
// Items in this list are combined using a logical OR operation. If this field is
|
|
// empty or missing, this rule matches all destinations (traffic not restricted by
|
|
// destination). If this field is present and contains at least one item, this rule
|
|
// allows traffic only if the traffic matches at least one item in the to list.
|
|
// +optional
|
|
To []NetworkPolicyPeer `json:"to,omitempty" protobuf:"bytes,2,rep,name=to"`
|
|
}
|
|
|
|
// NetworkPolicyPort describes a port to allow traffic on
|
|
type NetworkPolicyPort struct {
|
|
// The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this
|
|
// field defaults to TCP.
|
|
// +optional
|
|
Protocol *v1.Protocol `json:"protocol,omitempty" protobuf:"bytes,1,opt,name=protocol,casttype=k8s.io/api/core/v1.Protocol"`
|
|
|
|
// The port on the given protocol. This can either be a numerical or named port on
|
|
// a pod. If this field is not provided, this matches all port names and numbers.
|
|
// +optional
|
|
Port *intstr.IntOrString `json:"port,omitempty" protobuf:"bytes,2,opt,name=port"`
|
|
}
|
|
|
|
// IPBlock describes a particular CIDR (Ex. "192.168.1.1/24") that is allowed to the pods
|
|
// matched by a NetworkPolicySpec's podSelector. The except entry describes CIDRs that should
|
|
// not be included within this rule.
|
|
type IPBlock struct {
|
|
// CIDR is a string representing the IP Block
|
|
// Valid examples are "192.168.1.1/24"
|
|
CIDR string `json:"cidr" protobuf:"bytes,1,name=cidr"`
|
|
// Except is a slice of CIDRs that should not be included within an IP Block
|
|
// Valid examples are "192.168.1.1/24"
|
|
// Except values will be rejected if they are outside the CIDR range
|
|
// +optional
|
|
Except []string `json:"except,omitempty" protobuf:"bytes,2,rep,name=except"`
|
|
}
|
|
|
|
// NetworkPolicyPeer describes a peer to allow traffic from. Only certain combinations of
|
|
// fields are allowed
|
|
type NetworkPolicyPeer struct {
|
|
// This is a label selector which selects Pods. This field follows standard label
|
|
// selector semantics; if present but empty, it selects all pods.
|
|
//
|
|
// If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
|
|
// the Pods matching PodSelector in the Namespaces selected by NamespaceSelector.
|
|
// Otherwise it selects the Pods matching PodSelector in the policy's own Namespace.
|
|
// +optional
|
|
PodSelector *metav1.LabelSelector `json:"podSelector,omitempty" protobuf:"bytes,1,opt,name=podSelector"`
|
|
|
|
// Selects Namespaces using cluster-scoped labels. This field follows standard label
|
|
// selector semantics; if present but empty, it selects all namespaces.
|
|
//
|
|
// If PodSelector is also set, then the NetworkPolicyPeer as a whole selects
|
|
// the Pods matching PodSelector in the Namespaces selected by NamespaceSelector.
|
|
// Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector.
|
|
// +optional
|
|
NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty" protobuf:"bytes,2,opt,name=namespaceSelector"`
|
|
|
|
// IPBlock defines policy on a particular IPBlock. If this field is set then
|
|
// neither of the other fields can be.
|
|
// +optional
|
|
IPBlock *IPBlock `json:"ipBlock,omitempty" protobuf:"bytes,3,rep,name=ipBlock"`
|
|
}
|
|
|
|
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
|
|
|
|
// NetworkPolicyList is a list of NetworkPolicy objects.
|
|
type NetworkPolicyList struct {
|
|
metav1.TypeMeta `json:",inline"`
|
|
// Standard list metadata.
|
|
// More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#metadata
|
|
// +optional
|
|
metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
|
|
|
|
// Items is a list of schema objects.
|
|
Items []NetworkPolicy `json:"items" protobuf:"bytes,2,rep,name=items"`
|
|
}
|