diff --git a/.pipelines/pipeline.yaml b/.pipelines/pipeline.yaml
index b0c72e08b3..4bf015e1f0 100644
--- a/.pipelines/pipeline.yaml
+++ b/.pipelines/pipeline.yaml
@@ -278,8 +278,18 @@ stages:
 vmSize: Standard_B2ms
 k8sVersion: ""
 dependsOn: ["test"]
+
+ # Cilium EBPF Podsubnet E2E tests
+ - template: singletenancy/cilium-ebpf/cilium-e2e-job-template.yaml
+ parameters:
+ name: "cilium_ebpf_podsubnet_e2e"
+ displayName: Cilium EBPF Podsubnet Ubuntu 24
+ clusterType: swift-byocni-nokubeproxy-up
+ clusterName: "cilbpfpode2e"
+ vmSize: Standard_B2ms
+ k8sVersion: ""
+ dependsOn: ["test"]
- # Cilium Nodesubnet E2E tests
 - template: singletenancy/cilium-nodesubnet/cilium-nodesubnet-e2e-job-template.yaml
 parameters:
@@ -313,8 +323,19 @@ stages:
 vmSize: Standard_B2ms
 k8sVersion: ""
 dependsOn: ["test"]
+
+ # Cilium EBPF Overlay E2E tests
+ - template: singletenancy/cilium-overlay-ebpf/cilium-overlay-e2e-job-template.yaml
+ parameters:
+ name: "cilium_ebpf_overlay_e2e"
+ displayName: Cilium EBPF on AKS Overlay Azure Linux
+ clusterType: overlay-byocni-nokubeproxy-up
+ clusterName: "cilbpfovere2e"
+ vmSize: Standard_B2ms
+ k8sVersion: ""
+ dependsOn: ["test"]
- # Cilium Overlay with hubble E2E tests
+ # Cilium Overlay with hubble E2E tests
 - template: singletenancy/cilium-overlay-withhubble/cilium-overlay-e2e-job-template.yaml
 parameters:
 name: "cilium_h_overlay_e2e"
@@ -447,8 +468,10 @@ stages:
 - aks_swift_e2e
 - cilium_e2e
 - cilium_vnetscale_e2e
+ - cilium_ebpf_podsubnet_e2e
 - cilium_nodesubnet_e2e
 - cilium_overlay_e2e
+ - cilium_ebpf_overlay_e2e
 - cilium_h_overlay_e2e
 - aks_ubuntu_22_linux_e2e
 - aks_swift_vnetscale_e2e
@@ -473,6 +496,10 @@ stages:
 name: cilium_vnetscale_e2e
 clusterName: "ciliumvscalee2e"
 region: $(REGION_AKS_CLUSTER_TEST)
+ cilium_ebpf_podsubnet_e2e:
+ name: cilium_ebpf_podsubnet_e2e
+ clusterName: "cilbpfpode2e"
+ region: $(REGION_AKS_CLUSTER_TEST)
 cilium_nodesubnet_e2e:
 name: cilium_nodesubnet_e2e
 clusterName: "cilndsubnete2e"
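Review bot: As rendered here the first hunk removes the `# Cilium Nodesubnet E2E tests` comment above the nodesubnet template entry without re-adding it, while the second hunk removes and re-adds the hubble comment (presumably a whitespace fix). If dropping the nodesubnet label was not intended, restore `# Cilium Nodesubnet E2E tests` above that `- template:` line so every stage entry in the list stays labelled the same way.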
@@ -481,6 +508,10 @@ stages:
 name: cilium_overlay_e2e
 clusterName: "cilovere2e"
 region: $(REGION_AKS_CLUSTER_TEST)
+ cilium_ebpf_overlay_e2e:
+ name: cilium_ebpf_overlay_e2e
+ clusterName: "cilbpfovere2e"
+ region: $(REGION_AKS_CLUSTER_TEST)
 cilium_h_overlay_e2e:
 name: cilium_h_overlay_e2e
 clusterName: "cilwhleovere2e"
diff --git a/.pipelines/singletenancy/cilium-ebpf/cilium-e2e-job-template.yaml b/.pipelines/singletenancy/cilium-ebpf/cilium-e2e-job-template.yaml
new file mode 100644
index 0000000000..6b9a200d17
--- /dev/null
+++ b/.pipelines/singletenancy/cilium-ebpf/cilium-e2e-job-template.yaml
@@ -0,0 +1,89 @@
+parameters:
+ name: ""
+ displayName: ""
+ clusterType: ""
+ clusterName: ""
+ vmSize: ""
+ k8sVersion: ""
+ dependsOn: ""
+ os: "linux"
+
+stages:
+ - stage: ${{ parameters.clusterName }}
+ displayName: Create Cluster - ${{ parameters.displayName }}
+ dependsOn:
+ - ${{ parameters.dependsOn }}
+ - setup
+ pool:
+ name: $(BUILD_POOL_NAME_DEFAULT)
+ variables:
+ commitID: $[ stagedependencies.setup.env.outputs['EnvironmentalVariables.commitID'] ]
+ jobs:
+ - template: ../../templates/create-cluster.yaml
+ parameters:
+ name: ${{ parameters.name }}
+ displayName: ${{ parameters.displayName }}
+ clusterType: ${{ parameters.clusterType }}
+ clusterName: ${{ parameters.clusterName }}-$(commitID)
+ vmSize: ${{ parameters.vmSize }}
+ k8sVersion: ${{ parameters.k8sVersion }}
+ dependsOn: ${{ parameters.dependsOn }}
+ osSKU: "Ubuntu2404"
+ region: $(REGION_AKS_CLUSTER_TEST)
+
+ - stage: ${{ parameters.name }}
+ displayName: E2E - ${{ parameters.displayName }}
+ dependsOn:
+ - setup
+ - publish
+ - ${{ parameters.clusterName }}
+ variables:
+ TAG: $[ stagedependencies.setup.env.outputs['EnvironmentalVariables.Tag'] ]
+ CURRENT_VERSION: $[ stagedependencies.containerize.check_tag.outputs['CurrentTagManifests.currentTagManifests'] ]
+ commitID: $[ stagedependencies.setup.env.outputs['EnvironmentalVariables.commitID'] ]
+ GOPATH: "$(Agent.TempDirectory)/go" # Go workspace path
+ GOBIN: "$(GOPATH)/bin" # Go binaries path
+ modulePath: "$(GOPATH)/src/github.com/Azure/azure-container-networking"
+ condition: and(succeeded(), eq(variables.TAG, variables.CURRENT_VERSION))
+ pool:
+ name: $(BUILD_POOL_NAME_DEFAULT)
+ jobs:
+ - job: ${{ parameters.name }}
+ displayName: Cilium Test Suite - (${{ parameters.name }})
+ timeoutInMinutes: 120
+ pool:
+ name: $(BUILD_POOL_NAME_DEFAULT)
+ demands:
+ - agent.os -equals Linux
+ - Role -equals $(CUSTOM_E2E_ROLE)
+ steps:
+ - template: cilium-e2e-step-template.yaml
+ parameters:
+ name: ${{ parameters.name }}
+ clusterName: ${{
parameters.clusterName }}-$(commitID)
+ scaleup: 50
+
+ - template: ../../cni/k8s-e2e/k8s-e2e-job-template.yaml
+ parameters:
+ sub: $(BUILD_VALIDATIONS_SERVICE_CONNECTION)
+ clusterName: ${{ parameters.clusterName }}-$(commitID)
+ os: ${{ parameters.os }}
+ cni: cilium
+ dependsOn: ${{ parameters.name }}
+ datapath: true
+ dns: true
+ portforward: true
+ service: true
+
+ - job: failedE2ELogs
+ displayName: "Failure Logs"
+ dependsOn:
+ - ${{ parameters.name }}
+ - cni_${{ parameters.os }}
+ condition: failed()
+ steps:
+ - template: ../../templates/log-template.yaml
+ parameters:
+ clusterName: ${{ parameters.clusterName }}-$(commitID)
+ os: ${{ parameters.os }}
+ cni: cilium
diff --git a/.pipelines/singletenancy/cilium-ebpf/cilium-e2e-step-template.yaml b/.pipelines/singletenancy/cilium-ebpf/cilium-e2e-step-template.yaml
new file mode 100644
index 0000000000..ff825116f9
--- /dev/null
+++ b/.pipelines/singletenancy/cilium-ebpf/cilium-e2e-step-template.yaml
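Review bot: `osSKU: "Ubuntu2404"` is the only create-cluster input in this template that is hard-coded rather than taken from `parameters`, and the cilium-overlay-ebpf job template added in the same commit is an otherwise near-identical copy whose main difference is that value (`"AzureLinux"`) and the displayName strings. Declaring `osSKU: "Ubuntu2404"` under `parameters:` and passing `osSKU: ${{ parameters.osSKU }}` would let one template serve both jobs now that create-cluster.yaml accepts it. The E2E stage's `CURRENT_VERSION` reads `stagedependencies.containerize.check_tag` although `containerize` is not listed in that stage's `dependsOn`; if this is satisfied transitively through `publish` a one-line comment should say so, because an unresolved output makes the `condition` quietly false rather than failing loudly.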
@@ -0,0 +1,45 @@
+parameters:
+ name: ""
+ clusterName: ""
+ scaleup: ""
+
+steps:
+ - template: ../../templates/setup-environment.yaml
+
+ - task: AzureCLI@2
+ inputs:
+ azureSubscription: $(BUILD_VALIDATIONS_SERVICE_CONNECTION)
+ scriptLocation: "inlineScript"
+ scriptType: "bash"
+ addSpnToEnvironment: true
+ inlineScript: |
+ set -e
+ make -C ./hack/aks set-kubeconf AZCLI=az CLUSTER=${{ parameters.clusterName }}
+ ls -lah
+ pwd
+ kubectl cluster-info
+ kubectl get pods -Aowide
+
+ # see makefile
+ export AZURE_IPTABLES_MONITOR_IMAGE_REGISTRY=acnpublic.azurecr.io
+ export AZURE_IPTABLES_MONITOR_TAG=$(make azure-iptables-monitor-version)
+ make -C ./hack/aks deploy-ebpf-podsubnet-cilium
+
+ kubectl get pods -Aowide
+ name: "installCilium"
+ displayName: "Install EBPF Podsubnet Cilium"
+
+ - template: ../../templates/cilium-cli.yaml
+
+ - script: |
+ echo "Start Azilium E2E Tests"
+ kubectl get po -owide -A
+ sudo -E env "PATH=$PATH" make test-load SCALE_UP=32 OS_TYPE=linux VALIDATE_STATEFILE=true INSTALL_CNS=true INSTALL_AZILIUM=true AZURE_IPAM_VERSION=$(make azure-ipam-version) CNS_VERSION=$(make cns-version) CLEANUP=true
+ retryCountOnTaskFailure: 3
+ name: "aziliumTest"
+ displayName: "Run Azilium E2E"
+
+ - template: ../../templates/cilium-tests.yaml
+ parameters:
+ clusterName: ${{ parameters.clusterName }}
+ scaleup: ${{ parameters.scaleup }}
diff --git a/.pipelines/singletenancy/cilium-overlay-ebpf/cilium-overlay-e2e-job-template.yaml b/.pipelines/singletenancy/cilium-overlay-ebpf/cilium-overlay-e2e-job-template.yaml
new file mode 100644
index 0000000000..cf15021dc8
--- /dev/null
+++ b/.pipelines/singletenancy/cilium-overlay-ebpf/cilium-overlay-e2e-job-template.yaml
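Review bot: `addSpnToEnvironment: true` on the AzureCLI@2 task materialises the service connection's principal id, secret and tenant as environment variables for the inline script, but nothing in the visible script reads them — it runs `make ... set-kubeconf AZCLI=az`, kubectl and the deploy target, all of which work off the task's own az login. Unless a Makefile target consumes those variables (not visible here), drop the line so the credential never enters the job environment; the same setting appears in the cilium-overlay-ebpf step template. The `# see makefile` comment before the two `export` lines would be more useful as `# override deploy.mk's mcr.microsoft.com defaults with the acnpublic.azurecr.io image at the tag pinned by this checkout`, which is what the lines do relative to the defaults in hack/aks/deploy.mk.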
@@ -0,0 +1,86 @@
+parameters:
+ name: ""
+ displayName: ""
+ clusterType: ""
+ clusterName: ""
+ vmSize: ""
+ k8sVersion: ""
+ dependsOn: ""
+ os: "linux"
+
+stages:
+ - stage: ${{ parameters.clusterName }}
+ displayName: Create Cluster - ${{ parameters.displayName }}
+ dependsOn:
+ - ${{ parameters.dependsOn }}
+ - setup
+ pool:
+ name: $(BUILD_POOL_NAME_DEFAULT)
+ variables:
+ commitID: $[ stagedependencies.setup.env.outputs['EnvironmentalVariables.commitID'] ]
+ jobs:
+ - template: ../../templates/create-cluster.yaml
+ parameters:
+ name: ${{ parameters.name }}
+ displayName: ${{ parameters.displayName }}
+ clusterType: ${{ parameters.clusterType }}
+ clusterName: ${{ parameters.clusterName }}-$(commitID)
+ vmSize: ${{ parameters.vmSize }}
+ k8sVersion: ${{ parameters.k8sVersion }}
+ dependsOn: ${{ parameters.dependsOn }}
+ osSKU: "AzureLinux"
+ region: $(REGION_AKS_CLUSTER_TEST)
+
+ - stage: ${{ parameters.name }}
+ displayName: E2E - ${{ parameters.displayName }}
+ dependsOn:
+ - setup
+ - publish
+ - ${{ parameters.clusterName }}
+ variables:
+ commitID: $[ stagedependencies.setup.env.outputs['EnvironmentalVariables.commitID'] ]
+ GOPATH: "$(Agent.TempDirectory)/go" # Go workspace path
+ GOBIN: "$(GOPATH)/bin" # Go binaries path
+ modulePath: "$(GOPATH)/src/github.com/Azure/azure-container-networking"
+ pool:
+ name: $(BUILD_POOL_NAME_DEFAULT)
+ jobs:
+ - job: ${{ parameters.name }}
+ displayName: Cilium EBPF Overlay Test Suite - (${{ parameters.name }})
+ timeoutInMinutes: 120
+ pool:
+ name: $(BUILD_POOL_NAME_DEFAULT)
+ demands:
+ - agent.os -equals Linux
+ - Role -equals $(CUSTOM_E2E_ROLE)
+ steps:
+ - template: cilium-overlay-e2e-step-template.yaml
+ parameters:
+ name: ${{ parameters.name }}
+ clusterName: ${{ parameters.clusterName }}-$(commitID)
+ scaleup: 50
+
+ - template: ../../cni/k8s-e2e/k8s-e2e-job-template.yaml
+ parameters:
+ sub: $(BUILD_VALIDATIONS_SERVICE_CONNECTION)
+ clusterName: ${{ parameters.clusterName }}-$(commitID)
+ os: ${{
parameters.os }}
+ cni: cilium
+ dependsOn: ${{ parameters.name }}
+ datapath: true
+ dns: true
+ portforward: true
+ service: true
+
+ - job: failedE2ELogs
+ displayName: "Failure Logs"
+ dependsOn:
+ - ${{ parameters.name }}
+ - cni_${{ parameters.os }}
+ condition: failed()
+ steps:
+ - template: ../../templates/log-template.yaml
+ parameters:
+ clusterName: ${{ parameters.clusterName }}-$(commitID)
+ os: ${{ parameters.os }}
+ cni: cilium
diff --git a/.pipelines/singletenancy/cilium-overlay-ebpf/cilium-overlay-e2e-step-template.yaml b/.pipelines/singletenancy/cilium-overlay-ebpf/cilium-overlay-e2e-step-template.yaml
new file mode 100644
index 0000000000..8a223af1aa
--- /dev/null
+++ b/.pipelines/singletenancy/cilium-overlay-ebpf/cilium-overlay-e2e-step-template.yaml
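Review bot: The E2E stage in this template has no `condition:` and no `TAG`/`CURRENT_VERSION` variables, whereas the cilium-ebpf job template added in the same commit gates its E2E stage with `condition: and(succeeded(), eq(variables.TAG, variables.CURRENT_VERSION))`, so this suite runs against whatever images are present even when the published tag does not match. If that is deliberate, a comment on the stage such as `# intentionally not gated on TAG == CURRENT_VERSION` would stop the next reader from "fixing" it; otherwise copy the two variables and the condition across. The `failedE2ELogs` job's dependency `cni_${{ parameters.os }}` relies on the job name produced by k8s-e2e-job-template.yaml, which is outside this diff.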
@@ -0,0 +1,48 @@
+parameters:
+ name: ""
+ clusterName: ""
+ scaleup: ""
+
+
+steps:
+ - template: ../../templates/setup-environment.yaml
+
+ - task: AzureCLI@2
+ inputs:
+ azureSubscription: $(BUILD_VALIDATIONS_SERVICE_CONNECTION)
+ scriptLocation: "inlineScript"
+ scriptType: "bash"
+ addSpnToEnvironment: true
+ inlineScript: |
+ set -e
+ make -C ./hack/aks set-kubeconf AZCLI=az CLUSTER=${{ parameters.clusterName }}
+ ls -lah
+ pwd
+ kubectl cluster-info
+ kubectl get pods -Aowide
+
+ # see makefile
+ export AZURE_IPTABLES_MONITOR_IMAGE_REGISTRY=acnpublic.azurecr.io
+ export AZURE_IPTABLES_MONITOR_TAG=$(make azure-iptables-monitor-version)
+ export AZURE_IP_MASQ_MERGER_IMAGE_REGISTRY=acnpublic.azurecr.io
+ export AZURE_IP_MASQ_MERGER_TAG=$(make azure-ip-masq-merger-version)
+ make -C ./hack/aks deploy-ebpf-overlay-cilium
+
+ kubectl get pods -Aowide
+ name: "installCilium"
+ displayName: "Install Cilium EBPF on AKS Overlay"
+
+ - template: ../../templates/cilium-cli.yaml
+
+ - script: |
+ CNS=$(make cns-version) IPAM=$(make azure-ipam-version)
+ kubectl get pods -Aowide
+ sudo -E env "PATH=$PATH" make test-load SCALE_UP=32 OS_TYPE=linux VALIDATE_STATEFILE=true INSTALL_CNS=true INSTALL_OVERLAY=true AZURE_IPAM_VERSION=${IPAM} CNS_VERSION=${CNS} CLEANUP=true
+ retryCountOnTaskFailure: 3
+ name: "aziliumTest"
+ displayName: "Deploy CNS and Run Azilium E2E on AKS Overlay"
+
+ - template: ../../templates/cilium-tests.yaml
+ parameters:
+ clusterName: ${{ parameters.clusterName }}
+ scaleup: ${{ parameters.scaleup }}
diff --git a/.pipelines/templates/create-cluster.yaml b/.pipelines/templates/create-cluster.yaml
index 60573922a3..3b34c16553 100644
--- a/.pipelines/templates/create-cluster.yaml
+++ b/.pipelines/templates/create-cluster.yaml
@@ -7,6 +7,7 @@ parameters:
 vmSizeWin: ""
 k8sVersion: ""
 osSkuWin: "Windows2022" # Currently we only support Windows2022
+ osSKU: "Ubuntu"
 dependsOn: ""
 region: ""
 os: linux
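Review bot: The `- script:` step that runs `make test-load` has no `set -e`, and `CNS=$(make cns-version) IPAM=$(make azure-ipam-version)` is a single assignment-only command whose exit status is that of the last substitution, so a failing `make cns-version` leaves `CNS` empty and the suite is launched with `CNS_VERSION=` unset and then retried three times with the same result. Start the script with `set -euo pipefail` and follow the assignment with `: "${CNS:?}" "${IPAM:?}"` so the step fails at version resolution instead. The `addSpnToEnvironment: true` point raised on cilium-ebpf/cilium-e2e-step-template.yaml applies to the AzureCLI@2 task here too, and `scaleup: ""` is followed by two blank lines where the sibling template uses one.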
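Review bot: The new parameter is spelled `osSKU` while the existing one directly above it is `osSkuWin`; `osSku` would follow the file's camelCase convention (the Makefile variable it feeds is `OS_SKU` either way). Its default `"Ubuntu"` now reaches every caller of this template through the `OS_SKU=${{ parameters.osSKU }}` added in the next hunk, so it must equal whatever default the hack/aks Makefile previously used for `OS_SKU` (not visible here) or existing jobs silently change node image; a comment such as `# default must match the hack/aks Makefile OS_SKU default; Ubuntu2404 and AzureLinux are the values the new eBPF jobs pass` would make that coupling explicit.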
@@ -44,7 +45,7 @@ jobs:
 AZCLI=az REGION=${{ parameters.region }} SUB=$(SUB_AZURE_NETWORK_AGENT_BUILD_VALIDATIONS) \
 CLUSTER=${{ parameters.clusterName }} \
 VM_SIZE=${{ parameters.vmSize }} VM_SIZE_WIN=${{ parameters.vmSizeWin }} \
- OS_SKU_WIN=${{ parameters.osSkuWin }} OS=${{ parameters.os }}
+ OS_SKU_WIN=${{ parameters.osSkuWin }} OS=${{ parameters.os }} OS_SKU=${{ parameters.osSKU }}
 echo "Cluster successfully created"
 displayName: Cluster - ${{ parameters.clusterType }}
diff --git a/.pipelines/templates/setup-environment.yaml b/.pipelines/templates/setup-environment.yaml
new file mode 100644
index 0000000000..1bc235e00b
--- /dev/null
+++ b/.pipelines/templates/setup-environment.yaml
@@ -0,0 +1,22 @@
+steps:
+ - bash: |
+ echo $UID
+ sudo rm -rf $(System.DefaultWorkingDirectory)/*
+ displayName: "Set up OS environment"
+
+ - checkout: self
+
+ - bash: |
+ go version
+ go env
+ mkdir -p '$(GOBIN)'
+ mkdir -p '$(GOPATH)/pkg'
+ mkdir -p '$(modulePath)'
+ echo '##vso[task.prependpath]$(GOBIN)'
+ echo '##vso[task.prependpath]$(GOROOT)/bin'
+ name: "GoEnv"
+ displayName: "Set up the Go environment"
+
+ - task: KubectlInstaller@0
+ inputs:
+ kubectlVersion: latest
diff --git a/hack/aks/Makefile b/hack/aks/Makefile
index d0ce352528..a5011611f9 100644
--- a/hack/aks/Makefile
+++ b/hack/aks/Makefile
@@ -1,3 +1,5 @@
+include deploy.mk
+
 .DEFAULT_GOAL: help
 # construct containerized azcli command
@@ -50,6 +52,7 @@ COMMON_AKS_FIELDS = $(AZCLI) aks create -n $(CLUSTER) -g $(GROUP) -l $(REGION) \
 --no-ssh-key \
 --os-sku $(OS_SKU) \
 $(LTS_ARGS)
+POD_CIDR = 192.168.0.0/16
 ##@ Help
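Review bot: `sudo rm -rf $(System.DefaultWorkingDirectory)/*` in the first bash step is a root-level recursive delete whose path comes from a pipeline macro; should the macro ever be left unexpanded, bash would treat `$(System.DefaultWorkingDirectory)` as a command substitution yielding nothing and run `rm -rf /*`. The environment form with a guard, `sudo rm -rf "${SYSTEM_DEFAULTWORKINGDIRECTORY:?}"/*`, fails instead of expanding to the root. The template also assumes `GOBIN`, `GOPATH` and `modulePath` are defined by the calling stage and installs `kubectlVersion: latest`; a header comment `# requires GOPATH, GOBIN and modulePath variables on the calling stage` documents the first, and pinning the kubectl version keeps e2e runs reproducible.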
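Review bot: `include deploy.mk` is placed above `.DEFAULT_GOAL: help`, and that line is a rule (target `.DEFAULT_GOAL`, prerequisite `help`), not the `.DEFAULT_GOAL := help` assignment, so make still picks the first non-dot target in the file as its default — which after this include is `deploy-common-ebpf-cilium`, the first rule in deploy.mk. A bare `make` in hack/aks would then run `kubectl apply` against the current kubeconfig context instead of showing help, unless something outside this hunk assigns `.DEFAULT_GOAL` with `:=`. Either change the line to `.DEFAULT_GOAL := help` or move the include below the first target of this Makefile.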
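Review bot: `POD_CIDR = 192.168.0.0/16` uses `=` while every variable in the new deploy.mk uses `?=`; `POD_CIDR ?= 192.168.0.0/16` would let the pod CIDR be overridden from the environment for ad-hoc clusters without editing the file, consistent with that convention.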
@@ -147,6 +150,7 @@ nodesubnet-byocni-nokubeproxy-up: rg-up ipv4 overlay-net-up ## Brings up an Node
 --network-plugin none \
 --vnet-subnet-id /subscriptions/$(SUB)/resourceGroups/$(GROUP)/providers/Microsoft.Network/virtualNetworks/$(VNET)/subnets/nodenet \
 --kube-proxy-config $(KUBE_PROXY_JSON_PATH) \
+ --aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/Ubuntu2404Preview \
 --yes
 @$(MAKE) set-kubeconf
@@ -155,7 +159,7 @@ overlay-byocni-up: rg-up ipv4 overlay-net-up ## Brings up an Overlay BYO CNI clu
 --load-balancer-outbound-ips $(PUBLIC_IPv4) \
 --network-plugin none \
 --network-plugin-mode overlay \
- --pod-cidr 192.168.0.0/16 \
+ --pod-cidr $(POD_CIDR) \
 --vnet-subnet-id /subscriptions/$(SUB)/resourceGroups/$(GROUP)/providers/Microsoft.Network/virtualNetworks/$(VNET)/subnets/nodenet \
 --yes
 @$(MAKE) set-kubeconf
@@ -168,9 +172,10 @@ overlay-byocni-nokubeproxy-up: rg-up ipv4 overlay-net-up ## Brings up an Overlay
 --load-balancer-outbound-ips $(PUBLIC_IPv4) \
 --network-plugin none \
 --network-plugin-mode overlay \
- --pod-cidr 192.168.0.0/16 \
+ --pod-cidr $(POD_CIDR) \
 --vnet-subnet-id /subscriptions/$(SUB)/resourceGroups/$(GROUP)/providers/Microsoft.Network/virtualNetworks/$(VNET)/subnets/nodenet \
 --kube-proxy-config $(KUBE_PROXY_JSON_PATH) \
+ --aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/Ubuntu2404Preview \
 --yes
 @$(MAKE) set-kubeconf
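Review bot: `--aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/Ubuntu2404Preview` is added unconditionally to `nodesubnet-byocni-nokubeproxy-up`, and the same flag lands in `overlay-byocni-nokubeproxy-up` (third hunk on this line), `swift-byocni-nokubeproxy-up`, `vnetscale-swift-byocni-nokubeproxy-up` and, comma-joined, `dualstack-byocni-nokubeproxy-up` in the following hunks, so every existing pipeline job that creates clusters through these targets now opts into a preview feature, not just the new Ubuntu 24.04 job. Since create-cluster.yaml now passes `OS_SKU` explicitly, the header could be emitted only when it is needed — e.g. a variable set to the flag when `OS_SKU` is `Ubuntu2404` and empty otherwise, spliced into the recipes the way `$(LTS_ARGS)` already is in `COMMON_AKS_FIELDS`. At minimum a comment on the first occurrence should record which SKU the header exists for and when it can be removed.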
@@ -180,17 +185,31 @@ overlay-cilium-up: rg-up ipv4 overlay-net-up ## Brings up an Overlay Cilium clus
 --network-plugin azure \
 --network-dataplane cilium \
 --network-plugin-mode overlay \
- --pod-cidr 192.168.0.0/16 \
+ --pod-cidr $(POD_CIDR) \
 --vnet-subnet-id /subscriptions/$(SUB)/resourceGroups/$(GROUP)/providers/Microsoft.Network/virtualNetworks/$(VNET)/subnets/nodenet \
 --yes
 @$(MAKE) set-kubeconf
+ebpf-overlay-cilium-up: rg-up ipv4 overlay-net-up ## Brings up an EBPF Overlay Cilium cluster
+ $(COMMON_AKS_FIELDS) \
+ --load-balancer-outbound-ips $(PUBLIC_IPv4) \
+ --network-plugin azure \
+ --network-dataplane cilium \
+ --network-plugin-mode overlay \
+ --pod-cidr $(POD_CIDR) \
+ --vnet-subnet-id /subscriptions/$(SUB)/resourceGroups/$(GROUP)/providers/Microsoft.Network/virtualNetworks/$(VNET)/subnets/nodenet \
+ --aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AdvancedNetworkingPerformancePreview \
+ --enable-acns \
+ --acns-datapath-acceleration-mode BpfVeth \
+ --yes
+ @$(MAKE) set-kubeconf
+
 overlay-up: rg-up ipv4 overlay-net-up ## Brings up an Overlay AzCNI cluster
 $(COMMON_AKS_FIELDS) \
 --load-balancer-outbound-ips $(PUBLIC_IPv4) \
 --network-plugin azure \
 --network-plugin-mode overlay \
- --pod-cidr 192.168.0.0/16 \
+ --pod-cidr $(POD_CIDR) \
 --vnet-subnet-id /subscriptions/$(SUB)/resourceGroups/$(GROUP)/providers/Microsoft.Network/virtualNetworks/$(VNET)/subnets/nodenet \
 --yes
 @$(MAKE) set-kubeconf
@@ -217,6 +236,7 @@ swift-byocni-nokubeproxy-up: rg-up ipv4 swift-net-up ## Bring up a SWIFT BYO CNI
 --vnet-subnet-id /subscriptions/$(SUB)/resourceGroups/$(GROUP)/providers/Microsoft.Network/virtualNetworks/$(VNET)/subnets/nodenet \
 --pod-subnet-id /subscriptions/$(SUB)/resourceGroups/$(GROUP)/providers/Microsoft.Network/virtualNetworks/$(VNET)/subnets/podnet \
 --kube-proxy-config $(KUBE_PROXY_JSON_PATH) \
+ --aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/Ubuntu2404Preview \
 --yes
 @$(MAKE) set-kubeconf
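Review bot: The new `ebpf-overlay-cilium-up` target is not referenced by either new pipeline job — pipeline.yaml passes `clusterType: overlay-byocni-nokubeproxy-up` for the eBPF overlay job — so it is only reachable by hand; if that is intended, the `##` help text should say so (e.g. `## Brings up an EBPF Overlay Cilium cluster (manual use; the e2e jobs use overlay-byocni-nokubeproxy-up)`). The recipe duplicates `overlay-cilium-up` except for the `AdvancedNetworkingPerformancePreview` header and the two `--enable-acns`/`--acns-datapath-acceleration-mode BpfVeth` flags; a variable holding those extra flags appended to the shared recipe would keep the two targets from drifting. Whether these targets are declared `.PHONY` is not visible in this hunk.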
@@ -286,6 +306,7 @@ vnetscale-swift-byocni-nokubeproxy-up: rg-up ipv4 vnetscale-swift-net-up ## Brin
 --pod-subnet-id /subscriptions/$(SUB)/resourceGroups/$(GROUP)/providers/Microsoft.Network/virtualNetworks/$(VNET)/subnets/podnet \
 --kube-proxy-config $(KUBE_PROXY_JSON_PATH) \
 --pod-ip-allocation-mode StaticBlock \
+ --aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/Ubuntu2404Preview \
 --yes
 @$(MAKE) set-kubeconf
@@ -376,7 +397,7 @@ dualstack-byocni-nokubeproxy-up: rg-up ipv4 ipv6 overlay-net-up ## Brings up a D
 --network-plugin-mode overlay \
 --subscription $(SUB) \
 --ip-families ipv4,ipv6 \
- --aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureOverlayDualStackPreview \
+ --aks-custom-headers AKSHTTPCustomFeatures=Microsoft.ContainerService/AzureOverlayDualStackPreview,AKSHTTPCustomFeatures=Microsoft.ContainerService/Ubuntu2404Preview \
 --kube-proxy-config $(KUBE_PROXY_JSON_PATH) \
 --yes
 @$(MAKE) set-kubeconf
diff --git a/hack/aks/deploy.mk b/hack/aks/deploy.mk
new file mode 100644
index 0000000000..3b02fad9ee
--- /dev/null
+++ b/hack/aks/deploy.mk
@@ -0,0 +1,49 @@
+EBPF_CILIUM_DIR ?= 1.17
+# we don't use CILIUM_VERSION_TAG or CILIUM_IMAGE_REGISTRY because we want to use the version supported by ebpf
+EBPF_CILIUM_VERSION_TAG ?= v1.17.7-250927
+EBPF_CILIUM_IMAGE_REGISTRY ?= mcr.microsoft.com/containernetworking
+IPV6_HP_BPF_VERSION ?= v0.0.1
+AZURE_IPTABLES_MONITOR_IMAGE_REGISTRY ?= mcr.microsoft.com/containernetworking
+AZURE_IPTABLES_MONITOR_TAG ?= v0.0.3
+AZURE_IP_MASQ_MERGER_IMAGE_REGISTRY ?= mcr.microsoft.com/containernetworking
+AZURE_IP_MASQ_MERGER_TAG ?= v0.0.1-0
+# so we can use in envsubst
+export IPV6_HP_BPF_VERSION
+export AZURE_IPTABLES_MONITOR_IMAGE_REGISTRY
+export AZURE_IPTABLES_MONITOR_TAG
+export AZURE_IP_MASQ_MERGER_IMAGE_REGISTRY
+export AZURE_IP_MASQ_MERGER_TAG
+
+deploy-common-ebpf-cilium:
+ @kubectl apply -f ../../test/integration/manifests/cilium/v$(EBPF_CILIUM_DIR)/cilium-agent/files/
+ @kubectl apply -f ../../test/integration/manifests/cilium/v$(EBPF_CILIUM_DIR)/cilium-operator/files/
+# set cilium version tag and registry here so they are visible as env vars to envsubst
+ CILIUM_VERSION_TAG=$(EBPF_CILIUM_VERSION_TAG) CILIUM_IMAGE_REGISTRY=$(EBPF_CILIUM_IMAGE_REGISTRY) \
+ envsubst '$${CILIUM_VERSION_TAG},$${CILIUM_IMAGE_REGISTRY},$${IPV6_HP_BPF_VERSION}' < \
+ ../../test/integration/manifests/cilium/v$(EBPF_CILIUM_DIR)/cilium-operator/templates/deployment.yaml \
+ | kubectl apply -f -
+ @kubectl apply -f ../../test/integration/manifests/cilium/v$(EBPF_CILIUM_DIR)/ebpf/common/ciliumclusterwidenetworkpolicies.yaml
+ @kubectl wait --for=condition=Established crd/ciliumclusterwidenetworkpolicies.cilium.io
+ @kubectl apply -f ../../test/integration/manifests/cilium/v$(EBPF_CILIUM_DIR)/ebpf/common/
+
+deploy-ebpf-overlay-cilium: deploy-common-ebpf-cilium
+ @kubectl apply -f ../../test/integration/manifests/cilium/v$(EBPF_CILIUM_DIR)/ebpf/overlay/static/
+ CILIUM_VERSION_TAG=$(EBPF_CILIUM_VERSION_TAG) CILIUM_IMAGE_REGISTRY=$(EBPF_CILIUM_IMAGE_REGISTRY) \
+ envsubst
'$${CILIUM_VERSION_TAG},$${CILIUM_IMAGE_REGISTRY},$${IPV6_HP_BPF_VERSION},$${AZURE_IPTABLES_MONITOR_IMAGE_REGISTRY},$${AZURE_IPTABLES_MONITOR_TAG},$${AZURE_IP_MASQ_MERGER_IMAGE_REGISTRY},$${AZURE_IP_MASQ_MERGER_TAG}' < \
+ ../../test/integration/manifests/cilium/v$(EBPF_CILIUM_DIR)/ebpf/overlay/cilium.yaml \
+ | kubectl apply -f -
+ @$(MAKE) wait-for-cilium
+
+deploy-ebpf-podsubnet-cilium: deploy-common-ebpf-cilium
+ @kubectl apply -f ../../test/integration/manifests/cilium/v$(EBPF_CILIUM_DIR)/ebpf/podsubnet/static/
+# ebpf podsubnet does not have ip masq merger
+ CILIUM_VERSION_TAG=$(EBPF_CILIUM_VERSION_TAG) CILIUM_IMAGE_REGISTRY=$(EBPF_CILIUM_IMAGE_REGISTRY) \
+ envsubst '$${CILIUM_VERSION_TAG},$${CILIUM_IMAGE_REGISTRY},$${IPV6_HP_BPF_VERSION},$${AZURE_IPTABLES_MONITOR_IMAGE_REGISTRY},$${AZURE_IPTABLES_MONITOR_TAG}' < \
+ ../../test/integration/manifests/cilium/v$(EBPF_CILIUM_DIR)/ebpf/podsubnet/cilium.yaml \
+ | kubectl apply -f -
+ @$(MAKE) wait-for-cilium
+
+wait-for-cilium:
+ @kubectl rollout status deployment/cilium-operator -n kube-system --timeout=1200s
+ @kubectl rollout status daemonset/cilium -n kube-system --timeout=1200s
+
diff --git a/test/integration/manifests/cilium/v1.17/ebpf/common/allowed-iptables-patterns.yaml b/test/integration/manifests/cilium/v1.17/ebpf/common/allowed-iptables-patterns.yaml
new file mode 100644
index 0000000000..cd8b1ca589
--- /dev/null
+++ b/test/integration/manifests/cilium/v1.17/ebpf/common/allowed-iptables-patterns.yaml
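Review bot: None of `deploy-common-ebpf-cilium`, `deploy-ebpf-overlay-cilium`, `deploy-ebpf-podsubnet-cilium` or `wait-for-cilium` is declared `.PHONY` in this file, so a stray file with one of those names in hack/aks would make make consider the target up to date and skip the deploy or the rollout wait; add `.PHONY: deploy-common-ebpf-cilium deploy-ebpf-overlay-cilium deploy-ebpf-podsubnet-cilium wait-for-cilium` unless the including Makefile already lists them. The images are pinned by mutable tags (`EBPF_CILIUM_VERSION_TAG ?= v1.17.7-250927`, `AZURE_IPTABLES_MONITOR_TAG ?= v0.0.3`, …) that the pipeline additionally overrides together with the registry, so what a run actually deploys depends on the caller's environment; a comment such as `# tags are intentionally overridable for e2e; bump deliberately, and prefer a digest where reproducibility matters` next to the block would record that trade-off. Passing an explicit variable list to `envsubst` is the right call here — it keeps unrelated `$` in the manifests intact.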
@@ -0,0 +1,61 @@
+apiVersion: v1
+data:
+ filter: |
+ ^.*--comment.*kubernetes load balancer firewall
+ ^.*--comment.*kubernetes health check service ports
+ ^.*--comment.*kubernetes externally visible service portals
+ ^.*--comment.*kubernetes forwarding rules
+ ^.*--comment.*kubernetes forwarding conntrack rule
+ ^.*--comment.*kubernetes service portals
+ ^.*--comment.*kubernetes externally-visible service portals
+
+ -A INPUT -j KUBE-FIREWALL
+ -A FORWARD -d 168.63.129.16/32 -p tcp -m tcp --dport 32526 -j DROP
+ -A FORWARD -d 168.63.129.16/32 -p tcp -m tcp --dport 80 -j DROP
+ -A OUTPUT -j KUBE-FIREWALL
+ -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP
+ -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP
+ -A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN
+ global: |
+ ^-N .*
+ ^-P .*
+ ^.*--comment.*cilium:
+ ^.*--comment.*cilium-feeder:
+ ^.*--comment.*AKS managed: added by AgentBaker
+ mangle: |
+ -A FORWARD -d 168.63.129.16/32 -p tcp -m tcp --dport 80 -j DROP
+ -A FORWARD -d 168.63.129.16/32 -p tcp -m tcp --dport 32526 -j DROP
+ nat: |
+ ^.*--comment.*metrics-server
+ ^.*--comment.*kube-dns
+ ^.*--comment.*gatekeeper-webhook-service
+ ^.*--comment.*azure-policy-webhook-service
+ ^.*--comment.*kubernetes:https cluster IP
+ ^.*--comment.*kubernetes forwarding rules
+ ^.*--comment.*kubernetes service traffic requiring SNAT
+ ^.*--comment.*kubernetes postrouting rules
+ ^.*--set-xmark 0x4000
+ ^.*--comment.*kubernetes service portals
+ ^.*--comment.*kubernetes service nodeports
+ ^.*--comment.*kubernetes:https
+ ^.*--comment.*ip-masq-agent
+ ^.*0x4000/0x4000
+ -A POSTROUTING -j SWIFT
+ -A SWIFT -s
+ -A POSTROUTING -j SWIFT-POSTROUTING
+ -A SWIFT-POSTROUTING -s
+ raw: ""
+ security: |
+ -A OUTPUT -d 168.63.129.16/32 -p tcp -m tcp --dport 53 -j ACCEPT
+ -A OUTPUT -d 168.63.129.16/32 -p tcp -m owner --uid-owner 0 -j ACCEPT
+ -A OUTPUT
-d 168.63.129.16/32 -p tcp -m conntrack --ctstate INVALID,NEW -j DROP
+kind: ConfigMap
+metadata:
+ annotations:
+ meta.helm.sh/release-name: cilium
+ meta.helm.sh/release-namespace: kube-system
+ labels:
+ app.kubernetes.io/actually-managed-by: Eno
+ app.kubernetes.io/managed-by: Helm
+ name: allowed-iptables-patterns
+ namespace: kube-system
diff --git a/test/integration/manifests/cilium/v1.17/ebpf/common/ccnps.yaml b/test/integration/manifests/cilium/v1.17/ebpf/common/ccnps.yaml
new file mode 100644
index 0000000000..cc0b65e95b
--- /dev/null
+++ b/test/integration/manifests/cilium/v1.17/ebpf/common/ccnps.yaml
@@ -0,0 +1,19 @@
+apiVersion: "cilium.io/v2"
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ name: block-azure-destinations
+spec:
+ description: "Block TCP access to Azure destinations from all pods"
+ endpointSelector: {} # Applies to all pods in all namespaces
+ enableDefaultDeny:
+ egress: false
+ ingress: false
+ egressDeny:
+ - toCIDR:
+ - 168.63.129.16/32 # Azure DNS
+ toPorts:
+ - ports:
+ - port: "80"
+ protocol: TCP
+ - port: "32526"
+ protocol: TCP
diff --git a/test/integration/manifests/cilium/v1.17/ebpf/common/cilium-agent-clusterrole.yaml b/test/integration/manifests/cilium/v1.17/ebpf/common/cilium-agent-clusterrole.yaml
new file mode 100644
index 0000000000..30a5fecb72
--- /dev/null
+++ b/test/integration/manifests/cilium/v1.17/ebpf/common/cilium-agent-clusterrole.yaml
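Review bot: Several allow-list entries are bare prefixes or very broad regexes — `-A SWIFT -s`, `-A SWIFT-POSTROUTING -s`, `^.*0x4000/0x4000`, `^.*--comment.*cilium:` — so if the consumer matches by regex or prefix, any rule that merely starts with or contains those tokens is accepted, which weakens an allow-list whose purpose is to flag unexpected iptables rules. The consumer is presumably the azure-iptables-monitor image referenced from deploy.mk, but its matching semantics (anchored vs. substring, regex vs. literal) are not visible here; a comment at the top of `data` should state them and say why the two SWIFT prefixes cannot be narrowed (e.g. `# SWIFT source CIDR is per-cluster, hence prefix-only`). The two `168.63.129.16/32` DROP rules appear in both `filter` and `mangle`, which looks intentional but deserves a one-line comment, and the `meta.helm.sh/*` annotations plus `app.kubernetes.io/managed-by: Helm` on a manifest applied with kubectl are misleading and could be dropped.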
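Review bot: The comment `# Azure DNS` on `168.63.129.16/32` misdescribes the rule: that address is Azure's virtual public IP that also serves the wireserver, and the two blocked ports 80 and 32526 are the wireserver endpoints, not DNS — port 53 to the same address is left alone, consistent with the `security` table in allowed-iptables-patterns.yaml which accepts it. Suggest `# Azure wireserver (168.63.129.16): deny pod access to its 80/32526 endpoints; DNS on 53 is unaffected` so a later reader does not loosen the policy believing it blocks name resolution. Keeping `enableDefaultDeny` explicitly `false` for both directions is correct for a deny-only policy and worth leaving as is.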
@@ -0,0 +1,125 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ annotations:
+ meta.helm.sh/release-name: cilium
+ meta.helm.sh/release-namespace: kube-system
+ labels:
+ app.kubernetes.io/actually-managed-by: Eno
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/part-of: cilium
+ name: cilium
+rules:
+- apiGroups:
+ - networking.k8s.io
+ resources:
+ - networkpolicies
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - discovery.k8s.io
+ resources:
+ - endpointslices
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - ""
+ resources:
+ - namespaces
+ - services
+ - pods
+ - endpoints
+ - nodes
+ verbs:
+ - get
+ - list
+ - watch
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - list
+ - watch
+ - get
+- apiGroups:
+ - cilium.io
+ resources:
+ - ciliumbgppeeringpolicies
+ - ciliumclusterwideenvoyconfigs
+ - ciliumclusterwidenetworkpolicies
+ - ciliumegressgatewaypolicies
+ - ciliumendpoints
+ - ciliumendpointslices
+ - ciliumenvoyconfigs
+ - ciliumidentities
+ - ciliumlocalredirectpolicies
+ - ciliumnetworkpolicies
+ - ciliumnodes
+ - ciliumnodeconfigs
+ - ciliumloadbalancerippools
+ - ciliumcidrgroups
+ - ciliuml2announcementpolicies
+ - ciliumpodippools
+ - ciliumbgpnodeconfigs
+ - ciliumbgpadvertisements
+ - ciliumbgppeerconfigs
+ verbs:
+ - list
+ - watch
+- apiGroups:
+ - cilium.io
+ resources:
+ - ciliumidentities
+ - ciliumendpoints
+ - ciliumnodes
+ verbs:
+ - create
+- apiGroups:
+ - cilium.io
+ resources:
+ - ciliumidentities
+ verbs:
+ - update
+- apiGroups:
+ - cilium.io
+ resources:
+ - ciliumendpoints
+ verbs:
+ - delete
+ - get
+- apiGroups:
+ - cilium.io
+ resources:
+ - ciliumnodes
+ - ciliumnodes/status
+ verbs:
+ - get
+ - update
+- apiGroups:
+ - cilium.io
+ resources:
+ - ciliumnetworkpolicies/status
+ - ciliumclusterwidenetworkpolicies/status
+ - ciliumendpoints/status
+ - ciliumendpoints
+ - ciliuml2announcementpolicies/status
+ - ciliumbgpnodeconfigs/status
+
verbs:
+ - patch
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+- apiGroups:
+ - cilium.io
+ resources:
+ - ciliumnodes
+ verbs:
+ - patch
diff --git a/test/integration/manifests/cilium/v1.17/ebpf/common/ciliumclusterwidenetworkpolicies.yaml b/test/integration/manifests/cilium/v1.17/ebpf/common/ciliumclusterwidenetworkpolicies.yaml
new file mode 100644
index 0000000000..1027fc52ed
--- /dev/null
+++ b/test/integration/manifests/cilium/v1.17/ebpf/common/ciliumclusterwidenetworkpolicies.yaml
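Review bot: This ClusterRole is named `cilium`, and `deploy-common-ebpf-cilium` applies `cilium-agent/files/` first and `ebpf/common/` afterwards, so if that first directory also ships a `cilium` ClusterRole (not visible here) this file silently replaces it and the effective agent permissions become whatever is listed here. A header comment stating where this copy was exported from and which rules differ from the base agent role would make the override reviewable for least privilege, e.g. `# Agent ClusterRole for the eBPF datapath; overrides cilium-agent/files/ — diff against it when bumping EBPF_CILIUM_DIR`. The `meta.helm.sh/*` annotations and `app.kubernetes.io/managed-by: Helm` label suggest the object was copied from a Helm/Eno-managed cluster; on a kubectl-applied manifest they carry no meaning and could be dropped. `ciliumendpoints` appears in both the `patch` rule and the `delete`/`get` rule, which is harmless but worth knowing when trimming.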
@@ -0,0 +1,7054 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.5 + eno.azure.io/disable-updates: "true" + name: ciliumclusterwidenetworkpolicies.cilium.io +spec: + group: cilium.io + names: + categories: + - cilium + - ciliumpolicy + kind: CiliumClusterwideNetworkPolicy + listKind: CiliumClusterwideNetworkPolicyList + plural: ciliumclusterwidenetworkpolicies + shortNames: + - ccnp + singular: ciliumclusterwidenetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Valid')].status + name: Valid + type: string + name: v2 + schema: + openAPIV3Schema: + description: |- + CiliumClusterwideNetworkPolicy is a Kubernetes third-party resource with an + modified version of CiliumNetworkPolicy which is cluster scoped rather than + namespace scoped. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + anyOf: + - properties: + ingress: {} + required: + - ingress + - properties: + ingressDeny: {} + required: + - ingressDeny + - properties: + egress: {} + required: + - egress + - properties: + egressDeny: {} + required: + - egressDeny + description: Spec is the desired Cilium specific rule specification. 
+ oneOf: + - properties: + endpointSelector: {} + required: + - endpointSelector + - properties: + nodeSelector: {} + required: + - nodeSelector + properties: + description: + description: |- + Description is a free form string, it can be used by the creator of + the rule to store human readable explanation of the purpose of this + rule. Rules cannot be identified by comment. + type: string + egress: + description: |- + Egress is a list of EgressRule which are enforced at egress. + If omitted or empty, this rule does not apply at egress. + items: + description: |- + EgressRule contains all rule types which can be applied at egress, i.e. + network traffic that originates inside the endpoint and exits the endpoint + selected by the endpointSelector. + + - All members of this structure are optional. If omitted or empty, the + member will have no effect on the rule. + + - If multiple members of the structure are specified, then all members + must match in order for the rule to take effect. The exception to this + rule is the ToRequires member; the effects of any Requires field in any + rule will apply to all other rules as well. + + - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are + mutually exclusive. Only one of these members may be present within an + individual rule. + properties: + authentication: + description: Authentication is the required authentication type + for the allowed traffic, if any. + properties: + mode: + description: Mode is the required authentication mode for + the allowed traffic, if any. + enum: + - disabled + - required + - test-always-fail + type: string + required: + - mode + type: object + icmps: + description: |- + ICMPs is a list of ICMP rule identified by type number + which the endpoint subject to the rule is allowed to connect to. + + Example: + Any endpoint with the label "app=httpd" is allowed to initiate + type 8 ICMP connections. + items: + description: ICMPRule is a list of ICMP fields. 
+ properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: |- + Family is a IP address version. + Currently, we support `IPv4` and `IPv6`. + `IPv4` is set as default. + enum: + - IPv4 + - IPv6 + type: string + type: + anyOf: + - type: integer + - type: string + description: "Type is a ICMP-type.\nIt should be + an 8bit code (0-255), or it's CamelCase name (for + example, \"EchoReply\").\nAllowed ICMP types are:\n + \ Ipv4: EchoReply | DestinationUnreachable | + Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + |\n\t\t\t Timestamp | TimestampReply | Photuris + | ExtendedEcho Request | ExtendedEcho Reply\n + \ Ipv6: DestinationUnreachable | PacketTooBig + | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest + | EchoReply | MulticastListenerQuery| MulticastListenerReport + |\n\t\t\t MulticastListenerDone | RouterSolicitation + | RouterAdvertisement | NeighborSolicitation |\n\t\t\t + NeighborAdvertisement | RedirectMessage | RouterRenumbering + | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse + | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement + |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply" + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true + required: + - type + type: object + maxItems: 40 + type: array + type: object + type: array + toCIDR: + description: |- + ToCIDR is a list of IP blocks which the endpoint subject to the rule + is allowed to initiate connections. Only connections destined for + outside of the cluster and not targeting the host will be subject + to CIDR rules. This will match on the destination IP address of + outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet + with no ExcludeCIDRs is equivalent. Overlaps are allowed between + ToCIDR and ToCIDRSet. + + Example: + Any endpoint with the label "app=database-proxy" is allowed to + initiate connections to 10.2.3.0/24 + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + toCIDRSet: + description: |- + ToCIDRSet is a list of IP blocks which the endpoint subject to the rule + is allowed to initiate connections to in addition to connections + which are allowed via ToEndpoints, along with a list of subnets contained + within their corresponding IP block to which traffic should not be + allowed. This will match on the destination IP address of outgoing + connections. Adding a prefix into ToCIDR or into ToCIDRSet with no + ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and + ToCIDRSet. 
+ + Example: + Any endpoint with the label "app=database-proxy" is allowed to + initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28. + items: + description: |- + CIDRRule is a rule that specifies a CIDR prefix to/from which outside + communication is allowed, along with an optional list of subnets within that + CIDR prefix to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + - properties: + cidrGroupSelector: {} + required: + - cidrGroupSelector + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + format: cidr + type: string + cidrGroupRef: + description: |- + CIDRGroupRef is a reference to a CiliumCIDRGroup object. + A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to + the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive + connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + cidrGroupSelector: + description: |- + CIDRGroupSelector selects CiliumCIDRGroups by their labels, + rather than by name. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + except: + description: |- + ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule + is not allowed to initiate connections to. These CIDR prefixes should be + contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not + supported yet. + These exceptions are only applied to the Cidr in this CIDRRule, and do not + apply to any other CIDR prefixes in any other CIDRRules. + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + type: object + type: array + toEndpoints: + description: |- + ToEndpoints is a list of endpoints identified by an EndpointSelector to + which the endpoints subject to the rule are allowed to communicate. + + Example: + Any endpoint with the label "role=frontend" can communicate with any + endpoint carrying the label "role=backend". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toEntities: + description: |- + ToEntities is a list of special entities to which the endpoint subject + to the rule is allowed to initiate connections. Supported entities are + `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`, + `health`,`unmanaged` and `all`. + items: + description: |- + Entity specifies the class of receiver/sender endpoints that do not have + individual identities. Entities are used to describe "outside of cluster", + "host", etc. 
+ enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + toFQDNs: + description: |- + ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result + from DNS resolution of `ToFQDN.MatchName`s are added to the same + EgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and + L7 rules within this EgressRule will also apply to these IPs. + The DNS -> IP mapping is re-resolved periodically from within the + cilium-agent, and the IPs in the DNS response are effected in the policy + for selected pods as-is (i.e. the list of IPs is not modified in any way). + Note: An explicit rule to allow for DNS traffic is needed for the pods, as + ToFQDN counts as an egress rule and will enforce egress policy when + PolicyEnforcment=default. + Note: If the resolved IPs are IPs within the kubernetes cluster, the + ToFQDN rule will not apply to that IP. + Note: ToFQDN cannot occur in the same policy as other To* rules. + items: + oneOf: + - properties: + matchName: {} + required: + - matchName + - properties: + matchPattern: {} + required: + - matchPattern + properties: + matchName: + description: |- + MatchName matches literal DNS names. A trailing "." is automatically added + when missing. + maxLength: 255 + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: |- + MatchPattern allows using wildcards to match DNS names. All wildcards are + case insensitive. The wildcards are: + - "*" matches 0 or more DNS valid characters, and may occur anywhere in + the pattern. As a special case a "*" as the leftmost character, without a + following "." matches all subdomains as well as the name to the right. + A trailing "." is automatically added when missing. 
+ + Examples: + `*.cilium.io` matches subomains of cilium at that level + www.cilium.io and blog.cilium.io match, cilium.io and google.com do not + `*cilium.io` matches cilium.io and all subdomains ends with "cilium.io" + except those containing "." separator, subcilium.io and sub-cilium.io match, + www.cilium.io and blog.cilium.io does not + sub*.cilium.io matches subdomains of cilium where the subdomain component + begins with "sub" + sub.cilium.io and subdomain.cilium.io match, www.cilium.io, + blog.cilium.io, cilium.io and google.com do not + maxLength: 255 + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + toGroups: + description: |- + ToGroups is a directive that allows the integration with multiple outside + providers. Currently, only AWS is supported, and the rule can select by + multiple sub directives: + + Example: + toGroups: + - aws: + securityGroupsIds: + - 'sg-XXXXXXXXXXXXX' + items: + description: |- + Groups structure to store all kinds of new integrations that needs a new + derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + toNodes: + description: |- + ToNodes is a list of nodes identified by an + EndpointSelector to which endpoints subject to the rule is allowed to communicate. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toPorts: + description: |- + ToPorts is a list of destination ports identified by port number and + protocol which the endpoint subject to the rule is allowed to + connect to. + + Example: + Any endpoint with the label "role=frontend" is allowed to initiate + connections to destination port 8080/tcp + items: + description: |- + PortRule is a list of ports/protocol combinations with optional Layer 7 + rules which must be met. + properties: + listener: + description: |- + listener specifies the name of a custom Envoy listener to which this traffic should be + redirected to. 
+ properties: + envoyConfig: + description: |- + EnvoyConfig is a reference to the CEC or CCEC resource in which + the listener is defined. + properties: + kind: + description: |- + Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or + CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, + respectively. The only case this is currently explicitly needed is when referring to a + CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener + from a cluster scoped policy is not allowed. + enum: + - CiliumEnvoyConfig + - CiliumClusterwideEnvoyConfig + type: string + name: + description: |- + Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where + the listener is defined in. + minLength: 1 + type: string + required: + - name + type: object + name: + description: Name is the name of the listener. + minLength: 1 + type: string + priority: + description: |- + Priority for this Listener that is used when multiple rules would apply different + listeners to a policy map entry. Behavior of this is implementation dependent. + maximum: 100 + minimum: 1 + type: integer + required: + - envoyConfig + - name + type: object + originatingTLS: + description: |- + OriginatingTLS is the TLS context for the connections originated by + the L7 proxy. For egress policy this specifies the client-side TLS + parameters for the upstream connection originating from the L7 proxy + to the remote destination. For ingress policy this specifies the + client-side TLS parameters for the connection from the L7 proxy to + the local endpoint. + properties: + certificate: + description: |- + Certificate is the file name or k8s secret item name for the certificate + chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the + item must exist. 
+ type: string + privateKey: + description: |- + PrivateKey is the file name or k8s secret item name for the private key + matching the certificate chain. If omitted, 'tls.key' is assumed, if it + exists. If given, the item must exist. + type: string + secret: + description: |- + Secret is the secret that contains the certificates and private key for + the TLS context. + By default, Cilium will search in this secret for the following items: + - 'ca.crt' - Which represents the trusted CA to verify remote source. + - 'tls.crt' - Which represents the public key certificate. + - 'tls.key' - Which represents the private key matching the public key + certificate. + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: |- + TrustedCA is the file name or k8s secret item name for the trusted CA. + If omitted, 'ca.crt' is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + endPort: + description: EndPort can only be an L4 port number. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + port: + description: |- + Port can be an L4 port number, or a name in the form of "http" + or "http-8080". + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: |- + Protocol is the L4 protocol. If omitted or empty, any protocol + matches. Accepted values: "TCP", "UDP", "SCTP", "ANY" + + Matching on ICMP is not supported. 
+ + Named port specified for a container may narrow this down, but may not + contradict this. + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + maxItems: 40 + type: array + rules: + description: |- + Rules is a list of additional port level rules which must be met in + order for the PortRule to allow the traffic. If omitted or empty, + no layer 7 rules are enforced. + oneOf: + - properties: + http: {} + required: + - http + - properties: + kafka: {} + required: + - kafka + - properties: + dns: {} + required: + - dns + - properties: + l7proto: {} + required: + - l7proto + properties: + dns: + description: DNS-specific rules. + items: + description: PortRuleDNS is a list of allowed DNS + lookups. + oneOf: + - properties: + matchName: {} + required: + - matchName + - properties: + matchPattern: {} + required: + - matchPattern + properties: + matchName: + description: |- + MatchName matches literal DNS names. A trailing "." is automatically added + when missing. + maxLength: 255 + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: |- + MatchPattern allows using wildcards to match DNS names. All wildcards are + case insensitive. The wildcards are: + - "*" matches 0 or more DNS valid characters, and may occur anywhere in + the pattern. As a special case a "*" as the leftmost character, without a + following "." matches all subdomains as well as the name to the right. + A trailing "." is automatically added when missing. + + Examples: + `*.cilium.io` matches subomains of cilium at that level + www.cilium.io and blog.cilium.io match, cilium.io and google.com do not + `*cilium.io` matches cilium.io and all subdomains ends with "cilium.io" + except those containing "." 
separator, subcilium.io and sub-cilium.io match, + www.cilium.io and blog.cilium.io does not + sub*.cilium.io matches subdomains of cilium where the subdomain component + begins with "sub" + sub.cilium.io and subdomain.cilium.io match, www.cilium.io, + blog.cilium.io, cilium.io and google.com do not + maxLength: 255 + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + http: + description: HTTP specific rules. + items: + description: |- + PortRuleHTTP is a list of HTTP protocol constraints. All fields are + optional, if all fields are empty or missing, the rule does not have any + effect. + + All fields of this type are extended POSIX regex as defined by IEEE Std + 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) + matched against the path of an incoming request. Currently it can contain + characters disallowed from the conventional "path" part of a URL as defined + by RFC 3986. + properties: + headerMatches: + description: |- + HeaderMatches is a list of HTTP headers which must be + present and match against the given values. Mismatch field can be used + to specify what to do when there is no match. + items: + description: |- + HeaderMatch extends the HeaderValue for matching requirement of a + named header field against an immediate string, a secret value, or + a regex. If none of the optional fields is present, then the + header value is not matched, only presence of the header is enough. + properties: + mismatch: + description: |- + Mismatch identifies what to do in case there is no match. The default is + to drop the request. Otherwise the overall rule is still considered as + matching, but the mismatches are logged in the access log. + enum: + - LOG + - ADD + - DELETE + - REPLACE + type: string + name: + description: Name identifies the header. + minLength: 1 + type: string + secret: + description: |- + Secret refers to a secret that contains the value to be matched against. 
+ The secret must only contain one entry. If the referred secret does not + exist, and there is no "Value" specified, the match will fail. + properties: + name: + description: Name is the name of the + secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + value: + description: |- + Value matches the exact value of the header. Can be specified either + alone or together with "Secret"; will be used as the header value if the + secret can not be found in the latter case. + type: string + required: + - name + type: object + type: array + headers: + description: |- + Headers is a list of HTTP headers which must be present in the + request. If omitted or empty, requests are allowed regardless of + headers present. + items: + type: string + type: array + host: + description: |- + Host is an extended POSIX regex matched against the host header of a + request. Examples: + + - foo.bar.com will match the host fooXbar.com or foo-bar.com + - foo\.bar\.com will only match the host foo.bar.com + + If omitted or empty, the value of the host header is ignored. + format: idn-hostname + type: string + method: + description: |- + Method is an extended POSIX regex matched against the method of a + request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ... + + If omitted or empty, all methods are allowed. + type: string + path: + description: |- + Path is an extended POSIX regex matched against the path of a + request. Currently it can contain characters disallowed from the + conventional "path" part of a URL as defined by RFC 3986. + + If omitted or empty, all paths are all allowed. + type: string + type: object + type: array + kafka: + description: Kafka-specific rules. + items: + description: |- + PortRule is a list of Kafka protocol constraints. 
All fields are + optional, if all fields are empty or missing, the rule will match all + Kafka messages. + properties: + apiKey: + description: |- + APIKey is a case-insensitive string matched against the key of a + request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al + Reference: https://kafka.apache.org/protocol#protocol_api_keys + + If omitted or empty, and if Role is not specified, then all keys are allowed. + type: string + apiVersion: + description: |- + APIVersion is the version matched against the api version of the + Kafka message. If set, it has to be a string representing a positive + integer. + + If omitted or empty, all versions are allowed. + type: string + clientID: + description: |- + ClientID is the client identifier as provided in the request. + + From Kafka protocol documentation: + This is a user supplied identifier for the client application. The + user can use any identifier they like and it will be used when + logging errors, monitoring aggregates, etc. For example, one might + want to monitor not just the requests per second overall, but the + number coming from each client application (each of which could + reside on multiple servers). This id acts as a logical grouping + across all requests from a particular client. + + If omitted or empty, all client identifiers are allowed. + type: string + role: + description: |- + Role is a case-insensitive string and describes a group of API keys + necessary to perform certain higher-level Kafka operations such as "produce" + or "consume". A Role automatically expands into all APIKeys required + to perform the specified higher-level operation. + + The following values are supported: + - "produce": Allow producing to the topics specified in the rule + - "consume": Allow consuming from the topics specified in the rule + + This field is incompatible with the APIKey field, i.e APIKey and Role + cannot both be specified in the same rule. 
+ + If omitted or empty, and if APIKey is not specified, then all keys are + allowed. + enum: + - produce + - consume + type: string + topic: + description: |- + Topic is the topic name contained in the message. If a Kafka request + contains multiple topics, then all topics must be allowed or the + message will be rejected. + + This constraint is ignored if the matched request message type + doesn't contain any topic. Maximum size of Topic can be 249 + characters as per recent Kafka spec and allowed characters are + a-z, A-Z, 0-9, -, . and _. + + Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 + version the length was changed from 255 to 249. For compatibility + reasons we are using 255. + + If omitted or empty, all topics are allowed. + maxLength: 255 + type: string + type: object + type: array + l7: + description: Key-value pair rules. + items: + additionalProperties: + type: string + description: |- + PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as + protocol constraints. All fields are optional, if all fields are empty or + missing, the rule does not have any effect. + type: object + type: array + l7proto: + description: Name of the L7 protocol for which the + Key-value pair rules apply. + type: string + type: object + serverNames: + description: |- + ServerNames is a list of allowed TLS SNI values. If not empty, then + TLS must be present and one of the provided SNIs must be indicated in the + TLS handshake. + items: + type: string + type: array + terminatingTLS: + description: |- + TerminatingTLS is the TLS context for the connection terminated by + the L7 proxy. For egress policy this specifies the server-side TLS + parameters to be applied on the connections originated from the local + endpoint and terminated by the L7 proxy. For ingress policy this specifies + the server-side TLS parameters to be applied on the connections + originated from a remote source and terminated by the L7 proxy. 
+ properties: + certificate: + description: |- + Certificate is the file name or k8s secret item name for the certificate + chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the + item must exist. + type: string + privateKey: + description: |- + PrivateKey is the file name or k8s secret item name for the private key + matching the certificate chain. If omitted, 'tls.key' is assumed, if it + exists. If given, the item must exist. + type: string + secret: + description: |- + Secret is the secret that contains the certificates and private key for + the TLS context. + By default, Cilium will search in this secret for the following items: + - 'ca.crt' - Which represents the trusted CA to verify remote source. + - 'tls.crt' - Which represents the public key certificate. + - 'tls.key' - Which represents the private key matching the public key + certificate. + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: |- + TrustedCA is the file name or k8s secret item name for the trusted CA. + If omitted, 'ca.crt' is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + type: object + type: array + toRequires: + description: |- + ToRequires is a list of additional constraints which must be met + in order for the selected endpoints to be able to connect to other + endpoints. These additional constraints do no by itself grant access + privileges and must always be accompanied with at least one matching + ToEndpoints. + + Example: + Any Endpoint with the label "team=A" requires any endpoint to which it + communicates to also carry the label "team=A". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toServices: + description: |- + ToServices is a list of services to which the endpoint subject + to the rule is allowed to initiate connections. + Currently Cilium only supports toServices for K8s services. + items: + description: |- + Service selects policy targets that are bundled as part of a + logical load-balanced service. 
+ + Currently only Kubernetes-based Services are supported. + properties: + k8sService: + description: K8sService selects service by name and namespace + pair + properties: + namespace: + type: string + serviceName: + type: string + type: object + k8sServiceSelector: + description: K8sServiceSelector selects services by k8s + labels and namespace + properties: + namespace: + type: string + selector: + description: ServiceSelector is a label selector for + k8s services + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - selector + type: object + type: object + type: array + type: object + type: array + egressDeny: + description: |- + EgressDeny is a list of EgressDenyRule which are enforced at egress. + Any rule inserted here will be denied regardless of the allowed egress + rules in the 'egress' field. + If omitted or empty, this rule does not apply at egress. + items: + description: |- + EgressDenyRule contains all rule types which can be applied at egress, i.e. + network traffic that originates inside the endpoint and exits the endpoint + selected by the endpointSelector. + + - All members of this structure are optional. If omitted or empty, the + member will have no effect on the rule. + + - If multiple members of the structure are specified, then all members + must match in order for the rule to take effect. The exception to this + rule is the ToRequires member; the effects of any Requires field in any + rule will apply to all other rules as well. + + - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are + mutually exclusive. Only one of these members may be present within an + individual rule. + properties: + icmps: + description: |- + ICMPs is a list of ICMP rule identified by type number + which the endpoint subject to the rule is not allowed to connect to. + + Example: + Any endpoint with the label "app=httpd" is not allowed to initiate + type 8 ICMP connections. + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: |- + Family is a IP address version. + Currently, we support `IPv4` and `IPv6`. + `IPv4` is set as default. 
+ enum: + - IPv4 + - IPv6 + type: string + type: + anyOf: + - type: integer + - type: string + description: "Type is a ICMP-type.\nIt should be + an 8bit code (0-255), or it's CamelCase name (for + example, \"EchoReply\").\nAllowed ICMP types are:\n + \ Ipv4: EchoReply | DestinationUnreachable | + Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + |\n\t\t\t Timestamp | TimestampReply | Photuris + | ExtendedEcho Request | ExtendedEcho Reply\n + \ Ipv6: DestinationUnreachable | PacketTooBig + | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest + | EchoReply | MulticastListenerQuery| MulticastListenerReport + |\n\t\t\t MulticastListenerDone | RouterSolicitation + | RouterAdvertisement | NeighborSolicitation |\n\t\t\t + NeighborAdvertisement | RedirectMessage | RouterRenumbering + | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse + | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement + |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply" + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true + required: + - type + type: object + maxItems: 40 + type: array + type: object + type: array + toCIDR: + description: |- + ToCIDR is a list of IP blocks which the endpoint subject to the rule + is allowed to initiate connections. Only connections destined for + outside of the cluster and not targeting the host will be subject + to CIDR rules. This will match on the destination IP address of + outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet + with no ExcludeCIDRs is equivalent. Overlaps are allowed between + ToCIDR and ToCIDRSet. + + Example: + Any endpoint with the label "app=database-proxy" is allowed to + initiate connections to 10.2.3.0/24 + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + toCIDRSet: + description: |- + ToCIDRSet is a list of IP blocks which the endpoint subject to the rule + is allowed to initiate connections to in addition to connections + which are allowed via ToEndpoints, along with a list of subnets contained + within their corresponding IP block to which traffic should not be + allowed. This will match on the destination IP address of outgoing + connections. Adding a prefix into ToCIDR or into ToCIDRSet with no + ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and + ToCIDRSet. 
+ + Example: + Any endpoint with the label "app=database-proxy" is allowed to + initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28. + items: + description: |- + CIDRRule is a rule that specifies a CIDR prefix to/from which outside + communication is allowed, along with an optional list of subnets within that + CIDR prefix to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + - properties: + cidrGroupSelector: {} + required: + - cidrGroupSelector + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + format: cidr + type: string + cidrGroupRef: + description: |- + CIDRGroupRef is a reference to a CiliumCIDRGroup object. + A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to + the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive + connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + cidrGroupSelector: + description: |- + CIDRGroupSelector selects CiliumCIDRGroups by their labels, + rather than by name. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + except: + description: |- + ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule + is not allowed to initiate connections to. These CIDR prefixes should be + contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not + supported yet. + These exceptions are only applied to the Cidr in this CIDRRule, and do not + apply to any other CIDR prefixes in any other CIDRRules. + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + type: object + type: array + toEndpoints: + description: |- + ToEndpoints is a list of endpoints identified by an EndpointSelector to + which the endpoints subject to the rule are allowed to communicate. + + Example: + Any endpoint with the label "role=frontend" can communicate with any + endpoint carrying the label "role=backend". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toEntities: + description: |- + ToEntities is a list of special entities to which the endpoint subject + to the rule is allowed to initiate connections. Supported entities are + `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`, + `health`,`unmanaged` and `all`. + items: + description: |- + Entity specifies the class of receiver/sender endpoints that do not have + individual identities. Entities are used to describe "outside of cluster", + "host", etc. 
+ enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + toGroups: + description: |- + ToGroups is a directive that allows the integration with multiple outside + providers. Currently, only AWS is supported, and the rule can select by + multiple sub directives: + + Example: + toGroups: + - aws: + securityGroupsIds: + - 'sg-XXXXXXXXXXXXX' + items: + description: |- + Groups structure to store all kinds of new integrations that needs a new + derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + toNodes: + description: |- + ToNodes is a list of nodes identified by an + EndpointSelector to which endpoints subject to the rule is allowed to communicate. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toPorts: + description: |- + ToPorts is a list of destination ports identified by port number and + protocol which the endpoint subject to the rule is not allowed to connect + to. + + Example: + Any endpoint with the label "role=frontend" is not allowed to initiate + connections to destination port 8080/tcp + items: + description: |- + PortDenyRule is a list of ports/protocol that should be used for deny + policies. This structure lacks the L7Rules since it's not supported in deny + policies. + properties: + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + endPort: + description: EndPort can only be an L4 port number. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + port: + description: |- + Port can be an L4 port number, or a name in the form of "http" + or "http-8080". 
+ pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: |- + Protocol is the L4 protocol. If omitted or empty, any protocol + matches. Accepted values: "TCP", "UDP", "SCTP", "ANY" + + Matching on ICMP is not supported. + + Named port specified for a container may narrow this down, but may not + contradict this. + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + type: array + type: object + type: array + toRequires: + description: |- + ToRequires is a list of additional constraints which must be met + in order for the selected endpoints to be able to connect to other + endpoints. These additional constraints do no by itself grant access + privileges and must always be accompanied with at least one matching + ToEndpoints. + + Example: + Any Endpoint with the label "team=A" requires any endpoint to which it + communicates to also carry the label "team=A". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toServices: + description: |- + ToServices is a list of services to which the endpoint subject + to the rule is allowed to initiate connections. + Currently Cilium only supports toServices for K8s services. + items: + description: |- + Service selects policy targets that are bundled as part of a + logical load-balanced service. + + Currently only Kubernetes-based Services are supported. + properties: + k8sService: + description: K8sService selects service by name and namespace + pair + properties: + namespace: + type: string + serviceName: + type: string + type: object + k8sServiceSelector: + description: K8sServiceSelector selects services by k8s + labels and namespace + properties: + namespace: + type: string + selector: + description: ServiceSelector is a label selector for + k8s services + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - selector + type: object + type: object + type: array + type: object + type: array + enableDefaultDeny: + description: |- + EnableDefaultDeny determines whether this policy configures the + subject endpoint(s) to have a default deny mode. If enabled, + this causes all traffic not explicitly allowed by a network policy + to be dropped. + + If not specified, the default is true for each traffic direction + that has rules, and false otherwise. For example, if a policy + only has Ingress or IngressDeny rules, then the default for + ingress is true and egress is false. + + If multiple policies apply to an endpoint, that endpoint's default deny + will be enabled if any policy requests it. 
+ + This is useful for creating broad-based network policies that will not + cause endpoints to enter default-deny mode. + properties: + egress: + description: |- + Whether or not the endpoint should have a default-deny rule applied + to egress traffic. + type: boolean + ingress: + description: |- + Whether or not the endpoint should have a default-deny rule applied + to ingress traffic. + type: boolean + type: object + endpointSelector: + description: |- + EndpointSelector selects all endpoints which should be subject to + this rule. EndpointSelector and NodeSelector cannot be both empty and + are mutually exclusive. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from the + MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + ingress: + description: |- + Ingress is a list of IngressRule which are enforced at ingress. + If omitted or empty, this rule does not apply at ingress. + items: + description: |- + IngressRule contains all rule types which can be applied at ingress, + i.e. network traffic that originates outside of the endpoint and + is entering the endpoint selected by the endpointSelector. + + - All members of this structure are optional. If omitted or empty, the + member will have no effect on the rule. + + - If multiple members are set, all of them need to match in order for + the rule to take effect. The exception to this rule is FromRequires field; + the effects of any Requires field in any rule will apply to all other + rules as well. + + - FromEndpoints, FromCIDR, FromCIDRSet and FromEntities are mutually + exclusive. Only one of these members may be present within an individual + rule. + properties: + authentication: + description: Authentication is the required authentication type + for the allowed traffic, if any. + properties: + mode: + description: Mode is the required authentication mode for + the allowed traffic, if any. + enum: + - disabled + - required + - test-always-fail + type: string + required: + - mode + type: object + fromCIDR: + description: |- + FromCIDR is a list of IP blocks which the endpoint subject to the + rule is allowed to receive connections from. Only connections which + do *not* originate from the cluster or from the local host are subject + to CIDR rules. In order to allow in-cluster connectivity, use the + FromEndpoints field. This will match on the source IP address of + incoming connections. 
Adding a prefix into FromCIDR or into + FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are + allowed between FromCIDR and FromCIDRSet. + + Example: + Any endpoint with the label "app=my-legacy-pet" is allowed to receive + connections from 10.3.9.1 + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + fromCIDRSet: + description: |- + FromCIDRSet is a list of IP blocks which the endpoint subject to the + rule is allowed to receive connections from in addition to FromEndpoints, + along with a list of subnets contained within their corresponding IP block + from which traffic should not be allowed. + This will match on the source IP address of incoming connections. Adding + a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is + equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. + + Example: + Any endpoint with the label "app=my-legacy-pet" is allowed to receive + connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12. + items: + description: |- + CIDRRule is a rule that specifies a CIDR prefix to/from which outside + communication is allowed, along with an optional list of subnets within that + CIDR prefix to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + - properties: + cidrGroupSelector: {} + required: + - cidrGroupSelector + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + format: cidr + type: string + cidrGroupRef: + description: |- + CIDRGroupRef is a reference to a CiliumCIDRGroup object. + A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to + the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive + connections from. 
+ maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + cidrGroupSelector: + description: |- + CIDRGroupSelector selects CiliumCIDRGroups by their labels, + rather than by name. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + except: + description: |- + ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule + is not allowed to initiate connections to. 
These CIDR prefixes should be + contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not + supported yet. + These exceptions are only applied to the Cidr in this CIDRRule, and do not + apply to any other CIDR prefixes in any other CIDRRules. + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + type: object + type: array + fromEndpoints: + description: |- + FromEndpoints is a list of endpoints identified by an + EndpointSelector which are allowed to communicate with the endpoint + subject to the rule. + + Example: + Any endpoint with the label "role=backend" can be consumed by any + endpoint carrying the label "role=frontend". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. 
+ maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + fromEntities: + description: |- + FromEntities is a list of special entities which the endpoint subject + to the rule is allowed to receive connections from. Supported entities are + `world`, `cluster` and `host` + items: + description: |- + Entity specifies the class of receiver/sender endpoints that do not have + individual identities. Entities are used to describe "outside of cluster", + "host", etc. + enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + fromGroups: + description: |- + FromGroups is a directive that allows the integration with multiple outside + providers. Currently, only AWS is supported, and the rule can select by + multiple sub directives: + + Example: + FromGroups: + - aws: + securityGroupsIds: + - 'sg-XXXXXXXXXXXXX' + items: + description: |- + Groups structure to store all kinds of new integrations that needs a new + derivative policy. 
+ properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + fromNodes: + description: |- + FromNodes is a list of nodes identified by an + EndpointSelector which are allowed to communicate with the endpoint + subject to the rule. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + fromRequires: + description: |- + FromRequires is a list of additional constraints which must be met + in order for the selected endpoints to be reachable. These + additional constraints do no by itself grant access privileges and + must always be accompanied with at least one matching FromEndpoints. + + Example: + Any Endpoint with the label "team=A" requires consuming endpoint + to also carry the label "team=A". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. 
+ maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + icmps: + description: |- + ICMPs is a list of ICMP rule identified by type number + which the endpoint subject to the rule is allowed to + receive connections on. + + Example: + Any endpoint with the label "app=httpd" can only accept incoming + type 8 ICMP connections. + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: |- + Family is a IP address version. + Currently, we support `IPv4` and `IPv6`. + `IPv4` is set as default. 
+ enum: + - IPv4 + - IPv6 + type: string + type: + anyOf: + - type: integer + - type: string + description: "Type is a ICMP-type.\nIt should be + an 8bit code (0-255), or it's CamelCase name (for + example, \"EchoReply\").\nAllowed ICMP types are:\n + \ Ipv4: EchoReply | DestinationUnreachable | + Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + |\n\t\t\t Timestamp | TimestampReply | Photuris + | ExtendedEcho Request | ExtendedEcho Reply\n + \ Ipv6: DestinationUnreachable | PacketTooBig + | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest + | EchoReply | MulticastListenerQuery| MulticastListenerReport + |\n\t\t\t MulticastListenerDone | RouterSolicitation + | RouterAdvertisement | NeighborSolicitation |\n\t\t\t + NeighborAdvertisement | RedirectMessage | RouterRenumbering + | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse + | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement + |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply" + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true + required: + - type + type: object + maxItems: 40 + type: array + type: object + type: array + toPorts: + description: |- + ToPorts is a list of destination ports identified by port number and + protocol which the endpoint subject to the rule is allowed to + receive connections on. + + Example: + Any endpoint with the label "app=httpd" can only accept incoming + connections on port 80/tcp. + items: + description: |- + PortRule is a list of ports/protocol combinations with optional Layer 7 + rules which must be met. + properties: + listener: + description: |- + listener specifies the name of a custom Envoy listener to which this traffic should be + redirected to. + properties: + envoyConfig: + description: |- + EnvoyConfig is a reference to the CEC or CCEC resource in which + the listener is defined. + properties: + kind: + description: |- + Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or + CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, + respectively. The only case this is currently explicitly needed is when referring to a + CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener + from a cluster scoped policy is not allowed. 
+ enum: + - CiliumEnvoyConfig + - CiliumClusterwideEnvoyConfig + type: string + name: + description: |- + Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where + the listener is defined in. + minLength: 1 + type: string + required: + - name + type: object + name: + description: Name is the name of the listener. + minLength: 1 + type: string + priority: + description: |- + Priority for this Listener that is used when multiple rules would apply different + listeners to a policy map entry. Behavior of this is implementation dependent. + maximum: 100 + minimum: 1 + type: integer + required: + - envoyConfig + - name + type: object + originatingTLS: + description: |- + OriginatingTLS is the TLS context for the connections originated by + the L7 proxy. For egress policy this specifies the client-side TLS + parameters for the upstream connection originating from the L7 proxy + to the remote destination. For ingress policy this specifies the + client-side TLS parameters for the connection from the L7 proxy to + the local endpoint. + properties: + certificate: + description: |- + Certificate is the file name or k8s secret item name for the certificate + chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the + item must exist. + type: string + privateKey: + description: |- + PrivateKey is the file name or k8s secret item name for the private key + matching the certificate chain. If omitted, 'tls.key' is assumed, if it + exists. If given, the item must exist. + type: string + secret: + description: |- + Secret is the secret that contains the certificates and private key for + the TLS context. + By default, Cilium will search in this secret for the following items: + - 'ca.crt' - Which represents the trusted CA to verify remote source. + - 'tls.crt' - Which represents the public key certificate. + - 'tls.key' - Which represents the private key matching the public key + certificate. 
+ properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: |- + TrustedCA is the file name or k8s secret item name for the trusted CA. + If omitted, 'ca.crt' is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + endPort: + description: EndPort can only be an L4 port number. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + port: + description: |- + Port can be an L4 port number, or a name in the form of "http" + or "http-8080". + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: |- + Protocol is the L4 protocol. If omitted or empty, any protocol + matches. Accepted values: "TCP", "UDP", "SCTP", "ANY" + + Matching on ICMP is not supported. + + Named port specified for a container may narrow this down, but may not + contradict this. + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + maxItems: 40 + type: array + rules: + description: |- + Rules is a list of additional port level rules which must be met in + order for the PortRule to allow the traffic. If omitted or empty, + no layer 7 rules are enforced. + oneOf: + - properties: + http: {} + required: + - http + - properties: + kafka: {} + required: + - kafka + - properties: + dns: {} + required: + - dns + - properties: + l7proto: {} + required: + - l7proto + properties: + dns: + description: DNS-specific rules. 
+ items: + description: PortRuleDNS is a list of allowed DNS + lookups. + oneOf: + - properties: + matchName: {} + required: + - matchName + - properties: + matchPattern: {} + required: + - matchPattern + properties: + matchName: + description: |- + MatchName matches literal DNS names. A trailing "." is automatically added + when missing. + maxLength: 255 + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: |- + MatchPattern allows using wildcards to match DNS names. All wildcards are + case insensitive. The wildcards are: + - "*" matches 0 or more DNS valid characters, and may occur anywhere in + the pattern. As a special case a "*" as the leftmost character, without a + following "." matches all subdomains as well as the name to the right. + A trailing "." is automatically added when missing. + + Examples: + `*.cilium.io` matches subomains of cilium at that level + www.cilium.io and blog.cilium.io match, cilium.io and google.com do not + `*cilium.io` matches cilium.io and all subdomains ends with "cilium.io" + except those containing "." separator, subcilium.io and sub-cilium.io match, + www.cilium.io and blog.cilium.io does not + sub*.cilium.io matches subdomains of cilium where the subdomain component + begins with "sub" + sub.cilium.io and subdomain.cilium.io match, www.cilium.io, + blog.cilium.io, cilium.io and google.com do not + maxLength: 255 + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + http: + description: HTTP specific rules. + items: + description: |- + PortRuleHTTP is a list of HTTP protocol constraints. All fields are + optional, if all fields are empty or missing, the rule does not have any + effect. + + All fields of this type are extended POSIX regex as defined by IEEE Std + 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) + matched against the path of an incoming request. 
Currently it can contain + characters disallowed from the conventional "path" part of a URL as defined + by RFC 3986. + properties: + headerMatches: + description: |- + HeaderMatches is a list of HTTP headers which must be + present and match against the given values. Mismatch field can be used + to specify what to do when there is no match. + items: + description: |- + HeaderMatch extends the HeaderValue for matching requirement of a + named header field against an immediate string, a secret value, or + a regex. If none of the optional fields is present, then the + header value is not matched, only presence of the header is enough. + properties: + mismatch: + description: |- + Mismatch identifies what to do in case there is no match. The default is + to drop the request. Otherwise the overall rule is still considered as + matching, but the mismatches are logged in the access log. + enum: + - LOG + - ADD + - DELETE + - REPLACE + type: string + name: + description: Name identifies the header. + minLength: 1 + type: string + secret: + description: |- + Secret refers to a secret that contains the value to be matched against. + The secret must only contain one entry. If the referred secret does not + exist, and there is no "Value" specified, the match will fail. + properties: + name: + description: Name is the name of the + secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + value: + description: |- + Value matches the exact value of the header. Can be specified either + alone or together with "Secret"; will be used as the header value if the + secret can not be found in the latter case. + type: string + required: + - name + type: object + type: array + headers: + description: |- + Headers is a list of HTTP headers which must be present in the + request. 
If omitted or empty, requests are allowed regardless of + headers present. + items: + type: string + type: array + host: + description: |- + Host is an extended POSIX regex matched against the host header of a + request. Examples: + + - foo.bar.com will match the host fooXbar.com or foo-bar.com + - foo\.bar\.com will only match the host foo.bar.com + + If omitted or empty, the value of the host header is ignored. + format: idn-hostname + type: string + method: + description: |- + Method is an extended POSIX regex matched against the method of a + request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ... + + If omitted or empty, all methods are allowed. + type: string + path: + description: |- + Path is an extended POSIX regex matched against the path of a + request. Currently it can contain characters disallowed from the + conventional "path" part of a URL as defined by RFC 3986. + + If omitted or empty, all paths are all allowed. + type: string + type: object + type: array + kafka: + description: Kafka-specific rules. + items: + description: |- + PortRule is a list of Kafka protocol constraints. All fields are + optional, if all fields are empty or missing, the rule will match all + Kafka messages. + properties: + apiKey: + description: |- + APIKey is a case-insensitive string matched against the key of a + request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al + Reference: https://kafka.apache.org/protocol#protocol_api_keys + + If omitted or empty, and if Role is not specified, then all keys are allowed. + type: string + apiVersion: + description: |- + APIVersion is the version matched against the api version of the + Kafka message. If set, it has to be a string representing a positive + integer. + + If omitted or empty, all versions are allowed. + type: string + clientID: + description: |- + ClientID is the client identifier as provided in the request. 
+ + From Kafka protocol documentation: + This is a user supplied identifier for the client application. The + user can use any identifier they like and it will be used when + logging errors, monitoring aggregates, etc. For example, one might + want to monitor not just the requests per second overall, but the + number coming from each client application (each of which could + reside on multiple servers). This id acts as a logical grouping + across all requests from a particular client. + + If omitted or empty, all client identifiers are allowed. + type: string + role: + description: |- + Role is a case-insensitive string and describes a group of API keys + necessary to perform certain higher-level Kafka operations such as "produce" + or "consume". A Role automatically expands into all APIKeys required + to perform the specified higher-level operation. + + The following values are supported: + - "produce": Allow producing to the topics specified in the rule + - "consume": Allow consuming from the topics specified in the rule + + This field is incompatible with the APIKey field, i.e APIKey and Role + cannot both be specified in the same rule. + + If omitted or empty, and if APIKey is not specified, then all keys are + allowed. + enum: + - produce + - consume + type: string + topic: + description: |- + Topic is the topic name contained in the message. If a Kafka request + contains multiple topics, then all topics must be allowed or the + message will be rejected. + + This constraint is ignored if the matched request message type + doesn't contain any topic. Maximum size of Topic can be 249 + characters as per recent Kafka spec and allowed characters are + a-z, A-Z, 0-9, -, . and _. + + Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 + version the length was changed from 255 to 249. For compatibility + reasons we are using 255. + + If omitted or empty, all topics are allowed. 
+ maxLength: 255 + type: string + type: object + type: array + l7: + description: Key-value pair rules. + items: + additionalProperties: + type: string + description: |- + PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as + protocol constraints. All fields are optional, if all fields are empty or + missing, the rule does not have any effect. + type: object + type: array + l7proto: + description: Name of the L7 protocol for which the + Key-value pair rules apply. + type: string + type: object + serverNames: + description: |- + ServerNames is a list of allowed TLS SNI values. If not empty, then + TLS must be present and one of the provided SNIs must be indicated in the + TLS handshake. + items: + type: string + type: array + terminatingTLS: + description: |- + TerminatingTLS is the TLS context for the connection terminated by + the L7 proxy. For egress policy this specifies the server-side TLS + parameters to be applied on the connections originated from the local + endpoint and terminated by the L7 proxy. For ingress policy this specifies + the server-side TLS parameters to be applied on the connections + originated from a remote source and terminated by the L7 proxy. + properties: + certificate: + description: |- + Certificate is the file name or k8s secret item name for the certificate + chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the + item must exist. + type: string + privateKey: + description: |- + PrivateKey is the file name or k8s secret item name for the private key + matching the certificate chain. If omitted, 'tls.key' is assumed, if it + exists. If given, the item must exist. + type: string + secret: + description: |- + Secret is the secret that contains the certificates and private key for + the TLS context. + By default, Cilium will search in this secret for the following items: + - 'ca.crt' - Which represents the trusted CA to verify remote source. + - 'tls.crt' - Which represents the public key certificate. 
+ - 'tls.key' - Which represents the private key matching the public key + certificate. + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: |- + TrustedCA is the file name or k8s secret item name for the trusted CA. + If omitted, 'ca.crt' is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + type: object + type: array + type: object + type: array + ingressDeny: + description: |- + IngressDeny is a list of IngressDenyRule which are enforced at ingress. + Any rule inserted here will be denied regardless of the allowed ingress + rules in the 'ingress' field. + If omitted or empty, this rule does not apply at ingress. + items: + description: |- + IngressDenyRule contains all rule types which can be applied at ingress, + i.e. network traffic that originates outside of the endpoint and + is entering the endpoint selected by the endpointSelector. + + - All members of this structure are optional. If omitted or empty, the + member will have no effect on the rule. + + - If multiple members are set, all of them need to match in order for + the rule to take effect. The exception to this rule is FromRequires field; + the effects of any Requires field in any rule will apply to all other + rules as well. + + - FromEndpoints, FromCIDR, FromCIDRSet, FromGroups and FromEntities are mutually + exclusive. Only one of these members may be present within an individual + rule. + properties: + fromCIDR: + description: |- + FromCIDR is a list of IP blocks which the endpoint subject to the + rule is allowed to receive connections from. Only connections which + do *not* originate from the cluster or from the local host are subject + to CIDR rules. 
In order to allow in-cluster connectivity, use the + FromEndpoints field. This will match on the source IP address of + incoming connections. Adding a prefix into FromCIDR or into + FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are + allowed between FromCIDR and FromCIDRSet. + + Example: + Any endpoint with the label "app=my-legacy-pet" is allowed to receive + connections from 10.3.9.1 + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + fromCIDRSet: + description: |- + FromCIDRSet is a list of IP blocks which the endpoint subject to the + rule is allowed to receive connections from in addition to FromEndpoints, + along with a list of subnets contained within their corresponding IP block + from which traffic should not be allowed. + This will match on the source IP address of incoming connections. Adding + a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is + equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. + + Example: + Any endpoint with the label "app=my-legacy-pet" is allowed to receive + connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12. + items: + description: |- + CIDRRule is a rule that specifies a CIDR prefix to/from which outside + communication is allowed, along with an optional list of subnets within that + CIDR prefix to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + - properties: + cidrGroupSelector: {} + required: + - cidrGroupSelector + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + format: cidr + type: string + cidrGroupRef: + description: |- + CIDRGroupRef is a reference to a CiliumCIDRGroup object. 
+ A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to + the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive + connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + cidrGroupSelector: + description: |- + CIDRGroupSelector selects CiliumCIDRGroups by their labels, + rather than by name. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + except: + description: |- + ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule + is not allowed to initiate connections to. These CIDR prefixes should be + contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not + supported yet. + These exceptions are only applied to the Cidr in this CIDRRule, and do not + apply to any other CIDR prefixes in any other CIDRRules. + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + type: object + type: array + fromEndpoints: + description: |- + FromEndpoints is a list of endpoints identified by an + EndpointSelector which are allowed to communicate with the endpoint + subject to the rule. + + Example: + Any endpoint with the label "role=backend" can be consumed by any + endpoint carrying the label "role=frontend". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + fromEntities: + description: |- + FromEntities is a list of special entities which the endpoint subject + to the rule is allowed to receive connections from. Supported entities are + `world`, `cluster` and `host` + items: + description: |- + Entity specifies the class of receiver/sender endpoints that do not have + individual identities. Entities are used to describe "outside of cluster", + "host", etc. + enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + fromGroups: + description: |- + FromGroups is a directive that allows the integration with multiple outside + providers. Currently, only AWS is supported, and the rule can select by + multiple sub directives: + + Example: + FromGroups: + - aws: + securityGroupsIds: + - 'sg-XXXXXXXXXXXXX' + items: + description: |- + Groups structure to store all kinds of new integrations that needs a new + derivative policy. 
+ properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + fromNodes: + description: |- + FromNodes is a list of nodes identified by an + EndpointSelector which are allowed to communicate with the endpoint + subject to the rule. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + fromRequires: + description: |- + FromRequires is a list of additional constraints which must be met + in order for the selected endpoints to be reachable. These + additional constraints do no by itself grant access privileges and + must always be accompanied with at least one matching FromEndpoints. + + Example: + Any Endpoint with the label "team=A" requires consuming endpoint + to also carry the label "team=A". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. 
+ maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + icmps: + description: |- + ICMPs is a list of ICMP rule identified by type number + which the endpoint subject to the rule is not allowed to + receive connections on. + + Example: + Any endpoint with the label "app=httpd" can not accept incoming + type 8 ICMP connections. + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: |- + Family is a IP address version. + Currently, we support `IPv4` and `IPv6`. + `IPv4` is set as default. 
+ enum: + - IPv4 + - IPv6 + type: string + type: + anyOf: + - type: integer + - type: string + description: "Type is a ICMP-type.\nIt should be + an 8bit code (0-255), or it's CamelCase name (for + example, \"EchoReply\").\nAllowed ICMP types are:\n + \ Ipv4: EchoReply | DestinationUnreachable | + Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + |\n\t\t\t Timestamp | TimestampReply | Photuris + | ExtendedEcho Request | ExtendedEcho Reply\n + \ Ipv6: DestinationUnreachable | PacketTooBig + | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest + | EchoReply | MulticastListenerQuery| MulticastListenerReport + |\n\t\t\t MulticastListenerDone | RouterSolicitation + | RouterAdvertisement | NeighborSolicitation |\n\t\t\t + NeighborAdvertisement | RedirectMessage | RouterRenumbering + | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse + | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement + |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply" + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true + required: + - type + type: object + maxItems: 40 + type: array + type: object + type: array + toPorts: + description: |- + ToPorts is a list of destination ports identified by port number and + protocol which the endpoint subject to the rule is not allowed to + receive connections on. + + Example: + Any endpoint with the label "app=httpd" can not accept incoming + connections on port 80/tcp. + items: + description: |- + PortDenyRule is a list of ports/protocol that should be used for deny + policies. This structure lacks the L7Rules since it's not supported in deny + policies. + properties: + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + endPort: + description: EndPort can only be an L4 port number. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + port: + description: |- + Port can be an L4 port number, or a name in the form of "http" + or "http-8080". + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: |- + Protocol is the L4 protocol. If omitted or empty, any protocol + matches. Accepted values: "TCP", "UDP", "SCTP", "ANY" + + Matching on ICMP is not supported. 
+ + Named port specified for a container may narrow this down, but may not + contradict this. + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + type: array + type: object + type: array + type: object + type: array + labels: + description: |- + Labels is a list of optional strings which can be used to + re-identify the rule or to store metadata. It is possible to lookup + or delete strings based on labels. Labels are not required to be + unique, multiple rules can have overlapping or identical labels. + items: + description: Label is the Cilium's representation of a container + label. + properties: + key: + type: string + source: + description: 'Source can be one of the above values (e.g.: LabelSourceContainer).' + type: string + value: + type: string + required: + - key + type: object + type: array + nodeSelector: + description: |- + NodeSelector selects all nodes which should be subject to this rule. + EndpointSelector and NodeSelector cannot be both empty and are mutually + exclusive. Can only be used in CiliumClusterwideNetworkPolicies. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from the + MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + specs: + description: Specs is a list of desired Cilium specific rule specification. + items: + anyOf: + - properties: + ingress: {} + required: + - ingress + - properties: + ingressDeny: {} + required: + - ingressDeny + - properties: + egress: {} + required: + - egress + - properties: + egressDeny: {} + required: + - egressDeny + description: |- + Rule is a policy rule which must be applied to all endpoints which match the + labels contained in the endpointSelector + + Each rule is split into an ingress section which contains all rules + applicable at ingress, and an egress section applicable at egress. For rule + types such as `L4Rule` and `CIDR` which can be applied at both ingress and + egress, both ingress and egress side have to either specifically allow the + connection or one side has to be omitted. + + Either ingress, egress, or both can be provided. If both ingress and egress + are omitted, the rule has no effect. 
+ oneOf: + - properties: + endpointSelector: {} + required: + - endpointSelector + - properties: + nodeSelector: {} + required: + - nodeSelector + properties: + description: + description: |- + Description is a free form string, it can be used by the creator of + the rule to store human readable explanation of the purpose of this + rule. Rules cannot be identified by comment. + type: string + egress: + description: |- + Egress is a list of EgressRule which are enforced at egress. + If omitted or empty, this rule does not apply at egress. + items: + description: |- + EgressRule contains all rule types which can be applied at egress, i.e. + network traffic that originates inside the endpoint and exits the endpoint + selected by the endpointSelector. + + - All members of this structure are optional. If omitted or empty, the + member will have no effect on the rule. + + - If multiple members of the structure are specified, then all members + must match in order for the rule to take effect. The exception to this + rule is the ToRequires member; the effects of any Requires field in any + rule will apply to all other rules as well. + + - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are + mutually exclusive. Only one of these members may be present within an + individual rule. + properties: + authentication: + description: Authentication is the required authentication + type for the allowed traffic, if any. + properties: + mode: + description: Mode is the required authentication mode + for the allowed traffic, if any. + enum: + - disabled + - required + - test-always-fail + type: string + required: + - mode + type: object + icmps: + description: |- + ICMPs is a list of ICMP rule identified by type number + which the endpoint subject to the rule is allowed to connect to. + + Example: + Any endpoint with the label "app=httpd" is allowed to initiate + type 8 ICMP connections. + items: + description: ICMPRule is a list of ICMP fields. 
+ properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: |- + Family is a IP address version. + Currently, we support `IPv4` and `IPv6`. + `IPv4` is set as default. + enum: + - IPv4 + - IPv6 + type: string + type: + anyOf: + - type: integer + - type: string + description: "Type is a ICMP-type.\nIt should + be an 8bit code (0-255), or it's CamelCase name + (for example, \"EchoReply\").\nAllowed ICMP + types are:\n Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + |\n\t\t\t Timestamp | TimestampReply | Photuris + | ExtendedEcho Request | ExtendedEcho Reply\n + \ Ipv6: DestinationUnreachable | PacketTooBig + | TimeExceeded | ParameterProblem |\n\t\t\t + EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport |\n\t\t\t MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | + NeighborSolicitation |\n\t\t\t NeighborAdvertisement + | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery + |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation + | InverseNeighborDiscoveryAdvertisement |\n\t\t\t + HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply" + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true + required: + - type + type: object + maxItems: 40 + type: array + type: object + type: array + toCIDR: + description: |- + ToCIDR is a list of IP blocks which the endpoint subject to the rule + is allowed to initiate connections. Only connections destined for + outside of the cluster and not targeting the host will be subject + to CIDR rules. This will match on the destination IP address of + outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet + with no ExcludeCIDRs is equivalent. Overlaps are allowed between + ToCIDR and ToCIDRSet. + + Example: + Any endpoint with the label "app=database-proxy" is allowed to + initiate connections to 10.2.3.0/24 + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + toCIDRSet: + description: |- + ToCIDRSet is a list of IP blocks which the endpoint subject to the rule + is allowed to initiate connections to in addition to connections + which are allowed via ToEndpoints, along with a list of subnets contained + within their corresponding IP block to which traffic should not be + allowed. This will match on the destination IP address of outgoing + connections. Adding a prefix into ToCIDR or into ToCIDRSet with no + ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and + ToCIDRSet. 
+ + Example: + Any endpoint with the label "app=database-proxy" is allowed to + initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28. + items: + description: |- + CIDRRule is a rule that specifies a CIDR prefix to/from which outside + communication is allowed, along with an optional list of subnets within that + CIDR prefix to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + - properties: + cidrGroupSelector: {} + required: + - cidrGroupSelector + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + format: cidr + type: string + cidrGroupRef: + description: |- + CIDRGroupRef is a reference to a CiliumCIDRGroup object. + A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to + the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive + connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + cidrGroupSelector: + description: |- + CIDRGroupSelector selects CiliumCIDRGroups by their labels, + rather than by name. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + except: + description: |- + ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule + is not allowed to initiate connections to. These CIDR prefixes should be + contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not + supported yet. + These exceptions are only applied to the Cidr in this CIDRRule, and do not + apply to any other CIDR prefixes in any other CIDRRules. + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + type: object + type: array + toEndpoints: + description: |- + ToEndpoints is a list of endpoints identified by an EndpointSelector to + which the endpoints subject to the rule are allowed to communicate. + + Example: + Any endpoint with the label "role=frontend" can communicate with any + endpoint carrying the label "role=backend". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toEntities: + description: |- + ToEntities is a list of special entities to which the endpoint subject + to the rule is allowed to initiate connections. Supported entities are + `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`, + `health`,`unmanaged` and `all`. + items: + description: |- + Entity specifies the class of receiver/sender endpoints that do not have + individual identities. Entities are used to describe "outside of cluster", + "host", etc. 
+ enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + toFQDNs: + description: |- + ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result + from DNS resolution of `ToFQDN.MatchName`s are added to the same + EgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and + L7 rules within this EgressRule will also apply to these IPs. + The DNS -> IP mapping is re-resolved periodically from within the + cilium-agent, and the IPs in the DNS response are effected in the policy + for selected pods as-is (i.e. the list of IPs is not modified in any way). + Note: An explicit rule to allow for DNS traffic is needed for the pods, as + ToFQDN counts as an egress rule and will enforce egress policy when + PolicyEnforcment=default. + Note: If the resolved IPs are IPs within the kubernetes cluster, the + ToFQDN rule will not apply to that IP. + Note: ToFQDN cannot occur in the same policy as other To* rules. + items: + oneOf: + - properties: + matchName: {} + required: + - matchName + - properties: + matchPattern: {} + required: + - matchPattern + properties: + matchName: + description: |- + MatchName matches literal DNS names. A trailing "." is automatically added + when missing. + maxLength: 255 + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: |- + MatchPattern allows using wildcards to match DNS names. All wildcards are + case insensitive. The wildcards are: + - "*" matches 0 or more DNS valid characters, and may occur anywhere in + the pattern. As a special case a "*" as the leftmost character, without a + following "." matches all subdomains as well as the name to the right. + A trailing "." is automatically added when missing. 
+ + Examples: + `*.cilium.io` matches subomains of cilium at that level + www.cilium.io and blog.cilium.io match, cilium.io and google.com do not + `*cilium.io` matches cilium.io and all subdomains ends with "cilium.io" + except those containing "." separator, subcilium.io and sub-cilium.io match, + www.cilium.io and blog.cilium.io does not + sub*.cilium.io matches subdomains of cilium where the subdomain component + begins with "sub" + sub.cilium.io and subdomain.cilium.io match, www.cilium.io, + blog.cilium.io, cilium.io and google.com do not + maxLength: 255 + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + toGroups: + description: |- + ToGroups is a directive that allows the integration with multiple outside + providers. Currently, only AWS is supported, and the rule can select by + multiple sub directives: + + Example: + toGroups: + - aws: + securityGroupsIds: + - 'sg-XXXXXXXXXXXXX' + items: + description: |- + Groups structure to store all kinds of new integrations that needs a new + derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + toNodes: + description: |- + ToNodes is a list of nodes identified by an + EndpointSelector to which endpoints subject to the rule is allowed to communicate. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toPorts: + description: |- + ToPorts is a list of destination ports identified by port number and + protocol which the endpoint subject to the rule is allowed to + connect to. + + Example: + Any endpoint with the label "role=frontend" is allowed to initiate + connections to destination port 8080/tcp + items: + description: |- + PortRule is a list of ports/protocol combinations with optional Layer 7 + rules which must be met. + properties: + listener: + description: |- + listener specifies the name of a custom Envoy listener to which this traffic should be + redirected to. 
+ properties: + envoyConfig: + description: |- + EnvoyConfig is a reference to the CEC or CCEC resource in which + the listener is defined. + properties: + kind: + description: |- + Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or + CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, + respectively. The only case this is currently explicitly needed is when referring to a + CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener + from a cluster scoped policy is not allowed. + enum: + - CiliumEnvoyConfig + - CiliumClusterwideEnvoyConfig + type: string + name: + description: |- + Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where + the listener is defined in. + minLength: 1 + type: string + required: + - name + type: object + name: + description: Name is the name of the listener. + minLength: 1 + type: string + priority: + description: |- + Priority for this Listener that is used when multiple rules would apply different + listeners to a policy map entry. Behavior of this is implementation dependent. + maximum: 100 + minimum: 1 + type: integer + required: + - envoyConfig + - name + type: object + originatingTLS: + description: |- + OriginatingTLS is the TLS context for the connections originated by + the L7 proxy. For egress policy this specifies the client-side TLS + parameters for the upstream connection originating from the L7 proxy + to the remote destination. For ingress policy this specifies the + client-side TLS parameters for the connection from the L7 proxy to + the local endpoint. + properties: + certificate: + description: |- + Certificate is the file name or k8s secret item name for the certificate + chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the + item must exist. 
+ type: string + privateKey: + description: |- + PrivateKey is the file name or k8s secret item name for the private key + matching the certificate chain. If omitted, 'tls.key' is assumed, if it + exists. If given, the item must exist. + type: string + secret: + description: |- + Secret is the secret that contains the certificates and private key for + the TLS context. + By default, Cilium will search in this secret for the following items: + - 'ca.crt' - Which represents the trusted CA to verify remote source. + - 'tls.crt' - Which represents the public key certificate. + - 'tls.key' - Which represents the private key matching the public key + certificate. + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: |- + TrustedCA is the file name or k8s secret item name for the trusted CA. + If omitted, 'ca.crt' is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + endPort: + description: EndPort can only be an L4 port number. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + port: + description: |- + Port can be an L4 port number, or a name in the form of "http" + or "http-8080". + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: |- + Protocol is the L4 protocol. If omitted or empty, any protocol + matches. Accepted values: "TCP", "UDP", "SCTP", "ANY" + + Matching on ICMP is not supported. 
+ + Named port specified for a container may narrow this down, but may not + contradict this. + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + maxItems: 40 + type: array + rules: + description: |- + Rules is a list of additional port level rules which must be met in + order for the PortRule to allow the traffic. If omitted or empty, + no layer 7 rules are enforced. + oneOf: + - properties: + http: {} + required: + - http + - properties: + kafka: {} + required: + - kafka + - properties: + dns: {} + required: + - dns + - properties: + l7proto: {} + required: + - l7proto + properties: + dns: + description: DNS-specific rules. + items: + description: PortRuleDNS is a list of allowed + DNS lookups. + oneOf: + - properties: + matchName: {} + required: + - matchName + - properties: + matchPattern: {} + required: + - matchPattern + properties: + matchName: + description: |- + MatchName matches literal DNS names. A trailing "." is automatically added + when missing. + maxLength: 255 + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: |- + MatchPattern allows using wildcards to match DNS names. All wildcards are + case insensitive. The wildcards are: + - "*" matches 0 or more DNS valid characters, and may occur anywhere in + the pattern. As a special case a "*" as the leftmost character, without a + following "." matches all subdomains as well as the name to the right. + A trailing "." is automatically added when missing. + + Examples: + `*.cilium.io` matches subomains of cilium at that level + www.cilium.io and blog.cilium.io match, cilium.io and google.com do not + `*cilium.io` matches cilium.io and all subdomains ends with "cilium.io" + except those containing "." 
separator, subcilium.io and sub-cilium.io match, + www.cilium.io and blog.cilium.io does not + sub*.cilium.io matches subdomains of cilium where the subdomain component + begins with "sub" + sub.cilium.io and subdomain.cilium.io match, www.cilium.io, + blog.cilium.io, cilium.io and google.com do not + maxLength: 255 + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + http: + description: HTTP specific rules. + items: + description: |- + PortRuleHTTP is a list of HTTP protocol constraints. All fields are + optional, if all fields are empty or missing, the rule does not have any + effect. + + All fields of this type are extended POSIX regex as defined by IEEE Std + 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) + matched against the path of an incoming request. Currently it can contain + characters disallowed from the conventional "path" part of a URL as defined + by RFC 3986. + properties: + headerMatches: + description: |- + HeaderMatches is a list of HTTP headers which must be + present and match against the given values. Mismatch field can be used + to specify what to do when there is no match. + items: + description: |- + HeaderMatch extends the HeaderValue for matching requirement of a + named header field against an immediate string, a secret value, or + a regex. If none of the optional fields is present, then the + header value is not matched, only presence of the header is enough. + properties: + mismatch: + description: |- + Mismatch identifies what to do in case there is no match. The default is + to drop the request. Otherwise the overall rule is still considered as + matching, but the mismatches are logged in the access log. + enum: + - LOG + - ADD + - DELETE + - REPLACE + type: string + name: + description: Name identifies the header. + minLength: 1 + type: string + secret: + description: |- + Secret refers to a secret that contains the value to be matched against. 
+ The secret must only contain one entry. If the referred secret does not + exist, and there is no "Value" specified, the match will fail. + properties: + name: + description: Name is the name of + the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + value: + description: |- + Value matches the exact value of the header. Can be specified either + alone or together with "Secret"; will be used as the header value if the + secret can not be found in the latter case. + type: string + required: + - name + type: object + type: array + headers: + description: |- + Headers is a list of HTTP headers which must be present in the + request. If omitted or empty, requests are allowed regardless of + headers present. + items: + type: string + type: array + host: + description: |- + Host is an extended POSIX regex matched against the host header of a + request. Examples: + + - foo.bar.com will match the host fooXbar.com or foo-bar.com + - foo\.bar\.com will only match the host foo.bar.com + + If omitted or empty, the value of the host header is ignored. + format: idn-hostname + type: string + method: + description: |- + Method is an extended POSIX regex matched against the method of a + request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ... + + If omitted or empty, all methods are allowed. + type: string + path: + description: |- + Path is an extended POSIX regex matched against the path of a + request. Currently it can contain characters disallowed from the + conventional "path" part of a URL as defined by RFC 3986. + + If omitted or empty, all paths are all allowed. + type: string + type: object + type: array + kafka: + description: Kafka-specific rules. + items: + description: |- + PortRule is a list of Kafka protocol constraints. 
All fields are + optional, if all fields are empty or missing, the rule will match all + Kafka messages. + properties: + apiKey: + description: |- + APIKey is a case-insensitive string matched against the key of a + request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al + Reference: https://kafka.apache.org/protocol#protocol_api_keys + + If omitted or empty, and if Role is not specified, then all keys are allowed. + type: string + apiVersion: + description: |- + APIVersion is the version matched against the api version of the + Kafka message. If set, it has to be a string representing a positive + integer. + + If omitted or empty, all versions are allowed. + type: string + clientID: + description: |- + ClientID is the client identifier as provided in the request. + + From Kafka protocol documentation: + This is a user supplied identifier for the client application. The + user can use any identifier they like and it will be used when + logging errors, monitoring aggregates, etc. For example, one might + want to monitor not just the requests per second overall, but the + number coming from each client application (each of which could + reside on multiple servers). This id acts as a logical grouping + across all requests from a particular client. + + If omitted or empty, all client identifiers are allowed. + type: string + role: + description: |- + Role is a case-insensitive string and describes a group of API keys + necessary to perform certain higher-level Kafka operations such as "produce" + or "consume". A Role automatically expands into all APIKeys required + to perform the specified higher-level operation. + + The following values are supported: + - "produce": Allow producing to the topics specified in the rule + - "consume": Allow consuming from the topics specified in the rule + + This field is incompatible with the APIKey field, i.e APIKey and Role + cannot both be specified in the same rule. 
+ + If omitted or empty, and if APIKey is not specified, then all keys are + allowed. + enum: + - produce + - consume + type: string + topic: + description: |- + Topic is the topic name contained in the message. If a Kafka request + contains multiple topics, then all topics must be allowed or the + message will be rejected. + + This constraint is ignored if the matched request message type + doesn't contain any topic. Maximum size of Topic can be 249 + characters as per recent Kafka spec and allowed characters are + a-z, A-Z, 0-9, -, . and _. + + Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 + version the length was changed from 255 to 249. For compatibility + reasons we are using 255. + + If omitted or empty, all topics are allowed. + maxLength: 255 + type: string + type: object + type: array + l7: + description: Key-value pair rules. + items: + additionalProperties: + type: string + description: |- + PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as + protocol constraints. All fields are optional, if all fields are empty or + missing, the rule does not have any effect. + type: object + type: array + l7proto: + description: Name of the L7 protocol for which the + Key-value pair rules apply. + type: string + type: object + serverNames: + description: |- + ServerNames is a list of allowed TLS SNI values. If not empty, then + TLS must be present and one of the provided SNIs must be indicated in the + TLS handshake. + items: + type: string + type: array + terminatingTLS: + description: |- + TerminatingTLS is the TLS context for the connection terminated by + the L7 proxy. For egress policy this specifies the server-side TLS + parameters to be applied on the connections originated from the local + endpoint and terminated by the L7 proxy. For ingress policy this specifies + the server-side TLS parameters to be applied on the connections + originated from a remote source and terminated by the L7 proxy. 
+ properties: + certificate: + description: |- + Certificate is the file name or k8s secret item name for the certificate + chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the + item must exist. + type: string + privateKey: + description: |- + PrivateKey is the file name or k8s secret item name for the private key + matching the certificate chain. If omitted, 'tls.key' is assumed, if it + exists. If given, the item must exist. + type: string + secret: + description: |- + Secret is the secret that contains the certificates and private key for + the TLS context. + By default, Cilium will search in this secret for the following items: + - 'ca.crt' - Which represents the trusted CA to verify remote source. + - 'tls.crt' - Which represents the public key certificate. + - 'tls.key' - Which represents the private key matching the public key + certificate. + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: |- + TrustedCA is the file name or k8s secret item name for the trusted CA. + If omitted, 'ca.crt' is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + type: object + type: array + toRequires: + description: |- + ToRequires is a list of additional constraints which must be met + in order for the selected endpoints to be able to connect to other + endpoints. These additional constraints do no by itself grant access + privileges and must always be accompanied with at least one matching + ToEndpoints. + + Example: + Any Endpoint with the label "team=A" requires any endpoint to which it + communicates to also carry the label "team=A". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toServices: + description: |- + ToServices is a list of services to which the endpoint subject + to the rule is allowed to initiate connections. + Currently Cilium only supports toServices for K8s services. + items: + description: |- + Service selects policy targets that are bundled as part of a + logical load-balanced service. 
+ + Currently only Kubernetes-based Services are supported. + properties: + k8sService: + description: K8sService selects service by name and + namespace pair + properties: + namespace: + type: string + serviceName: + type: string + type: object + k8sServiceSelector: + description: K8sServiceSelector selects services by + k8s labels and namespace + properties: + namespace: + type: string + selector: + description: ServiceSelector is a label selector + for k8s services + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - selector + type: object + type: object + type: array + type: object + type: array + egressDeny: + description: |- + EgressDeny is a list of EgressDenyRule which are enforced at egress. + Any rule inserted here will be denied regardless of the allowed egress + rules in the 'egress' field. + If omitted or empty, this rule does not apply at egress. + items: + description: |- + EgressDenyRule contains all rule types which can be applied at egress, i.e. + network traffic that originates inside the endpoint and exits the endpoint + selected by the endpointSelector. + + - All members of this structure are optional. If omitted or empty, the + member will have no effect on the rule. + + - If multiple members of the structure are specified, then all members + must match in order for the rule to take effect. The exception to this + rule is the ToRequires member; the effects of any Requires field in any + rule will apply to all other rules as well. + + - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are + mutually exclusive. Only one of these members may be present within an + individual rule. + properties: + icmps: + description: |- + ICMPs is a list of ICMP rule identified by type number + which the endpoint subject to the rule is not allowed to connect to. + + Example: + Any endpoint with the label "app=httpd" is not allowed to initiate + type 8 ICMP connections. + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: |- + Family is a IP address version. + Currently, we support `IPv4` and `IPv6`. + `IPv4` is set as default. 
+ enum: + - IPv4 + - IPv6 + type: string + type: + anyOf: + - type: integer + - type: string + description: "Type is a ICMP-type.\nIt should + be an 8bit code (0-255), or it's CamelCase name + (for example, \"EchoReply\").\nAllowed ICMP + types are:\n Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + |\n\t\t\t Timestamp | TimestampReply | Photuris + | ExtendedEcho Request | ExtendedEcho Reply\n + \ Ipv6: DestinationUnreachable | PacketTooBig + | TimeExceeded | ParameterProblem |\n\t\t\t + EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport |\n\t\t\t MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | + NeighborSolicitation |\n\t\t\t NeighborAdvertisement + | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery + |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation + | InverseNeighborDiscoveryAdvertisement |\n\t\t\t + HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply" + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true + required: + - type + type: object + maxItems: 40 + type: array + type: object + type: array + toCIDR: + description: |- + ToCIDR is a list of IP blocks which the endpoint subject to the rule + is allowed to initiate connections. Only connections destined for + outside of the cluster and not targeting the host will be subject + to CIDR rules. This will match on the destination IP address of + outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet + with no ExcludeCIDRs is equivalent. Overlaps are allowed between + ToCIDR and ToCIDRSet. + + Example: + Any endpoint with the label "app=database-proxy" is allowed to + initiate connections to 10.2.3.0/24 + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + toCIDRSet: + description: |- + ToCIDRSet is a list of IP blocks which the endpoint subject to the rule + is allowed to initiate connections to in addition to connections + which are allowed via ToEndpoints, along with a list of subnets contained + within their corresponding IP block to which traffic should not be + allowed. This will match on the destination IP address of outgoing + connections. Adding a prefix into ToCIDR or into ToCIDRSet with no + ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and + ToCIDRSet. 
+ + Example: + Any endpoint with the label "app=database-proxy" is allowed to + initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28. + items: + description: |- + CIDRRule is a rule that specifies a CIDR prefix to/from which outside + communication is allowed, along with an optional list of subnets within that + CIDR prefix to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + - properties: + cidrGroupSelector: {} + required: + - cidrGroupSelector + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + format: cidr + type: string + cidrGroupRef: + description: |- + CIDRGroupRef is a reference to a CiliumCIDRGroup object. + A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to + the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive + connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + cidrGroupSelector: + description: |- + CIDRGroupSelector selects CiliumCIDRGroups by their labels, + rather than by name. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + except: + description: |- + ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule + is not allowed to initiate connections to. These CIDR prefixes should be + contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not + supported yet. + These exceptions are only applied to the Cidr in this CIDRRule, and do not + apply to any other CIDR prefixes in any other CIDRRules. + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + type: object + type: array + toEndpoints: + description: |- + ToEndpoints is a list of endpoints identified by an EndpointSelector to + which the endpoints subject to the rule are allowed to communicate. + + Example: + Any endpoint with the label "role=frontend" can communicate with any + endpoint carrying the label "role=backend". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toEntities: + description: |- + ToEntities is a list of special entities to which the endpoint subject + to the rule is allowed to initiate connections. Supported entities are + `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`, + `health`,`unmanaged` and `all`. + items: + description: |- + Entity specifies the class of receiver/sender endpoints that do not have + individual identities. Entities are used to describe "outside of cluster", + "host", etc. 
+ enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + toGroups: + description: |- + ToGroups is a directive that allows the integration with multiple outside + providers. Currently, only AWS is supported, and the rule can select by + multiple sub directives: + + Example: + toGroups: + - aws: + securityGroupsIds: + - 'sg-XXXXXXXXXXXXX' + items: + description: |- + Groups structure to store all kinds of new integrations that needs a new + derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + toNodes: + description: |- + ToNodes is a list of nodes identified by an + EndpointSelector to which endpoints subject to the rule is allowed to communicate. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toPorts: + description: |- + ToPorts is a list of destination ports identified by port number and + protocol which the endpoint subject to the rule is not allowed to connect + to. + + Example: + Any endpoint with the label "role=frontend" is not allowed to initiate + connections to destination port 8080/tcp + items: + description: |- + PortDenyRule is a list of ports/protocol that should be used for deny + policies. This structure lacks the L7Rules since it's not supported in deny + policies. + properties: + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + endPort: + description: EndPort can only be an L4 port number. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + port: + description: |- + Port can be an L4 port number, or a name in the form of "http" + or "http-8080". 
+ pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: |- + Protocol is the L4 protocol. If omitted or empty, any protocol + matches. Accepted values: "TCP", "UDP", "SCTP", "ANY" + + Matching on ICMP is not supported. + + Named port specified for a container may narrow this down, but may not + contradict this. + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + type: array + type: object + type: array + toRequires: + description: |- + ToRequires is a list of additional constraints which must be met + in order for the selected endpoints to be able to connect to other + endpoints. These additional constraints do no by itself grant access + privileges and must always be accompanied with at least one matching + ToEndpoints. + + Example: + Any Endpoint with the label "team=A" requires any endpoint to which it + communicates to also carry the label "team=A". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toServices: + description: |- + ToServices is a list of services to which the endpoint subject + to the rule is allowed to initiate connections. + Currently Cilium only supports toServices for K8s services. + items: + description: |- + Service selects policy targets that are bundled as part of a + logical load-balanced service. + + Currently only Kubernetes-based Services are supported. + properties: + k8sService: + description: K8sService selects service by name and + namespace pair + properties: + namespace: + type: string + serviceName: + type: string + type: object + k8sServiceSelector: + description: K8sServiceSelector selects services by + k8s labels and namespace + properties: + namespace: + type: string + selector: + description: ServiceSelector is a label selector + for k8s services + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - selector + type: object + type: object + type: array + type: object + type: array + enableDefaultDeny: + description: |- + EnableDefaultDeny determines whether this policy configures the + subject endpoint(s) to have a default deny mode. If enabled, + this causes all traffic not explicitly allowed by a network policy + to be dropped. + + If not specified, the default is true for each traffic direction + that has rules, and false otherwise. For example, if a policy + only has Ingress or IngressDeny rules, then the default for + ingress is true and egress is false. + + If multiple policies apply to an endpoint, that endpoint's default deny + will be enabled if any policy requests it. 
+ + This is useful for creating broad-based network policies that will not + cause endpoints to enter default-deny mode. + properties: + egress: + description: |- + Whether or not the endpoint should have a default-deny rule applied + to egress traffic. + type: boolean + ingress: + description: |- + Whether or not the endpoint should have a default-deny rule applied + to ingress traffic. + type: boolean + type: object + endpointSelector: + description: |- + EndpointSelector selects all endpoints which should be subject to + this rule. EndpointSelector and NodeSelector cannot be both empty and + are mutually exclusive. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from the + MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + ingress: + description: |- + Ingress is a list of IngressRule which are enforced at ingress. + If omitted or empty, this rule does not apply at ingress. + items: + description: |- + IngressRule contains all rule types which can be applied at ingress, + i.e. network traffic that originates outside of the endpoint and + is entering the endpoint selected by the endpointSelector. + + - All members of this structure are optional. If omitted or empty, the + member will have no effect on the rule. + + - If multiple members are set, all of them need to match in order for + the rule to take effect. The exception to this rule is FromRequires field; + the effects of any Requires field in any rule will apply to all other + rules as well. + + - FromEndpoints, FromCIDR, FromCIDRSet and FromEntities are mutually + exclusive. Only one of these members may be present within an individual + rule. + properties: + authentication: + description: Authentication is the required authentication + type for the allowed traffic, if any. + properties: + mode: + description: Mode is the required authentication mode + for the allowed traffic, if any. + enum: + - disabled + - required + - test-always-fail + type: string + required: + - mode + type: object + fromCIDR: + description: |- + FromCIDR is a list of IP blocks which the endpoint subject to the + rule is allowed to receive connections from. Only connections which + do *not* originate from the cluster or from the local host are subject + to CIDR rules. In order to allow in-cluster connectivity, use the + FromEndpoints field. This will match on the source IP address of + incoming connections. 
Adding a prefix into FromCIDR or into + FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are + allowed between FromCIDR and FromCIDRSet. + + Example: + Any endpoint with the label "app=my-legacy-pet" is allowed to receive + connections from 10.3.9.1 + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + fromCIDRSet: + description: |- + FromCIDRSet is a list of IP blocks which the endpoint subject to the + rule is allowed to receive connections from in addition to FromEndpoints, + along with a list of subnets contained within their corresponding IP block + from which traffic should not be allowed. + This will match on the source IP address of incoming connections. Adding + a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is + equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. + + Example: + Any endpoint with the label "app=my-legacy-pet" is allowed to receive + connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12. + items: + description: |- + CIDRRule is a rule that specifies a CIDR prefix to/from which outside + communication is allowed, along with an optional list of subnets within that + CIDR prefix to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + - properties: + cidrGroupSelector: {} + required: + - cidrGroupSelector + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + format: cidr + type: string + cidrGroupRef: + description: |- + CIDRGroupRef is a reference to a CiliumCIDRGroup object. + A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to + the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive + connections from. 
+ maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + cidrGroupSelector: + description: |- + CIDRGroupSelector selects CiliumCIDRGroups by their labels, + rather than by name. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + except: + description: |- + ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule + is not allowed to initiate connections to. 
These CIDR prefixes should be + contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not + supported yet. + These exceptions are only applied to the Cidr in this CIDRRule, and do not + apply to any other CIDR prefixes in any other CIDRRules. + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + type: object + type: array + fromEndpoints: + description: |- + FromEndpoints is a list of endpoints identified by an + EndpointSelector which are allowed to communicate with the endpoint + subject to the rule. + + Example: + Any endpoint with the label "role=backend" can be consumed by any + endpoint carrying the label "role=frontend". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. 
+ maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + fromEntities: + description: |- + FromEntities is a list of special entities which the endpoint subject + to the rule is allowed to receive connections from. Supported entities are + `world`, `cluster` and `host` + items: + description: |- + Entity specifies the class of receiver/sender endpoints that do not have + individual identities. Entities are used to describe "outside of cluster", + "host", etc. + enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + fromGroups: + description: |- + FromGroups is a directive that allows the integration with multiple outside + providers. Currently, only AWS is supported, and the rule can select by + multiple sub directives: + + Example: + FromGroups: + - aws: + securityGroupsIds: + - 'sg-XXXXXXXXXXXXX' + items: + description: |- + Groups structure to store all kinds of new integrations that needs a new + derivative policy. 
+ properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + fromNodes: + description: |- + FromNodes is a list of nodes identified by an + EndpointSelector which are allowed to communicate with the endpoint + subject to the rule. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + fromRequires: + description: |- + FromRequires is a list of additional constraints which must be met + in order for the selected endpoints to be reachable. These + additional constraints do no by itself grant access privileges and + must always be accompanied with at least one matching FromEndpoints. + + Example: + Any Endpoint with the label "team=A" requires consuming endpoint + to also carry the label "team=A". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. 
+ maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + icmps: + description: |- + ICMPs is a list of ICMP rule identified by type number + which the endpoint subject to the rule is allowed to + receive connections on. + + Example: + Any endpoint with the label "app=httpd" can only accept incoming + type 8 ICMP connections. + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: |- + Family is a IP address version. + Currently, we support `IPv4` and `IPv6`. + `IPv4` is set as default. 
+ enum: + - IPv4 + - IPv6 + type: string + type: + anyOf: + - type: integer + - type: string + description: "Type is a ICMP-type.\nIt should + be an 8bit code (0-255), or it's CamelCase name + (for example, \"EchoReply\").\nAllowed ICMP + types are:\n Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + |\n\t\t\t Timestamp | TimestampReply | Photuris + | ExtendedEcho Request | ExtendedEcho Reply\n + \ Ipv6: DestinationUnreachable | PacketTooBig + | TimeExceeded | ParameterProblem |\n\t\t\t + EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport |\n\t\t\t MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | + NeighborSolicitation |\n\t\t\t NeighborAdvertisement + | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery + |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation + | InverseNeighborDiscoveryAdvertisement |\n\t\t\t + HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply" + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true + required: + - type + type: object + maxItems: 40 + type: array + type: object + type: array + toPorts: + description: |- + ToPorts is a list of destination ports identified by port number and + protocol which the endpoint subject to the rule is allowed to + receive connections on. + + Example: + Any endpoint with the label "app=httpd" can only accept incoming + connections on port 80/tcp. + items: + description: |- + PortRule is a list of ports/protocol combinations with optional Layer 7 + rules which must be met. + properties: + listener: + description: |- + listener specifies the name of a custom Envoy listener to which this traffic should be + redirected to. + properties: + envoyConfig: + description: |- + EnvoyConfig is a reference to the CEC or CCEC resource in which + the listener is defined. + properties: + kind: + description: |- + Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or + CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, + respectively. The only case this is currently explicitly needed is when referring to a + CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener + from a cluster scoped policy is not allowed. 
+ enum: + - CiliumEnvoyConfig + - CiliumClusterwideEnvoyConfig + type: string + name: + description: |- + Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where + the listener is defined in. + minLength: 1 + type: string + required: + - name + type: object + name: + description: Name is the name of the listener. + minLength: 1 + type: string + priority: + description: |- + Priority for this Listener that is used when multiple rules would apply different + listeners to a policy map entry. Behavior of this is implementation dependent. + maximum: 100 + minimum: 1 + type: integer + required: + - envoyConfig + - name + type: object + originatingTLS: + description: |- + OriginatingTLS is the TLS context for the connections originated by + the L7 proxy. For egress policy this specifies the client-side TLS + parameters for the upstream connection originating from the L7 proxy + to the remote destination. For ingress policy this specifies the + client-side TLS parameters for the connection from the L7 proxy to + the local endpoint. + properties: + certificate: + description: |- + Certificate is the file name or k8s secret item name for the certificate + chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the + item must exist. + type: string + privateKey: + description: |- + PrivateKey is the file name or k8s secret item name for the private key + matching the certificate chain. If omitted, 'tls.key' is assumed, if it + exists. If given, the item must exist. + type: string + secret: + description: |- + Secret is the secret that contains the certificates and private key for + the TLS context. + By default, Cilium will search in this secret for the following items: + - 'ca.crt' - Which represents the trusted CA to verify remote source. + - 'tls.crt' - Which represents the public key certificate. + - 'tls.key' - Which represents the private key matching the public key + certificate. 
+ properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: |- + TrustedCA is the file name or k8s secret item name for the trusted CA. + If omitted, 'ca.crt' is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + endPort: + description: EndPort can only be an L4 port number. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + port: + description: |- + Port can be an L4 port number, or a name in the form of "http" + or "http-8080". + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: |- + Protocol is the L4 protocol. If omitted or empty, any protocol + matches. Accepted values: "TCP", "UDP", "SCTP", "ANY" + + Matching on ICMP is not supported. + + Named port specified for a container may narrow this down, but may not + contradict this. + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + maxItems: 40 + type: array + rules: + description: |- + Rules is a list of additional port level rules which must be met in + order for the PortRule to allow the traffic. If omitted or empty, + no layer 7 rules are enforced. + oneOf: + - properties: + http: {} + required: + - http + - properties: + kafka: {} + required: + - kafka + - properties: + dns: {} + required: + - dns + - properties: + l7proto: {} + required: + - l7proto + properties: + dns: + description: DNS-specific rules. 
+ items: + description: PortRuleDNS is a list of allowed + DNS lookups. + oneOf: + - properties: + matchName: {} + required: + - matchName + - properties: + matchPattern: {} + required: + - matchPattern + properties: + matchName: + description: |- + MatchName matches literal DNS names. A trailing "." is automatically added + when missing. + maxLength: 255 + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: |- + MatchPattern allows using wildcards to match DNS names. All wildcards are + case insensitive. The wildcards are: + - "*" matches 0 or more DNS valid characters, and may occur anywhere in + the pattern. As a special case a "*" as the leftmost character, without a + following "." matches all subdomains as well as the name to the right. + A trailing "." is automatically added when missing. + + Examples: + `*.cilium.io` matches subomains of cilium at that level + www.cilium.io and blog.cilium.io match, cilium.io and google.com do not + `*cilium.io` matches cilium.io and all subdomains ends with "cilium.io" + except those containing "." separator, subcilium.io and sub-cilium.io match, + www.cilium.io and blog.cilium.io does not + sub*.cilium.io matches subdomains of cilium where the subdomain component + begins with "sub" + sub.cilium.io and subdomain.cilium.io match, www.cilium.io, + blog.cilium.io, cilium.io and google.com do not + maxLength: 255 + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + http: + description: HTTP specific rules. + items: + description: |- + PortRuleHTTP is a list of HTTP protocol constraints. All fields are + optional, if all fields are empty or missing, the rule does not have any + effect. + + All fields of this type are extended POSIX regex as defined by IEEE Std + 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) + matched against the path of an incoming request. 
Currently it can contain + characters disallowed from the conventional "path" part of a URL as defined + by RFC 3986. + properties: + headerMatches: + description: |- + HeaderMatches is a list of HTTP headers which must be + present and match against the given values. Mismatch field can be used + to specify what to do when there is no match. + items: + description: |- + HeaderMatch extends the HeaderValue for matching requirement of a + named header field against an immediate string, a secret value, or + a regex. If none of the optional fields is present, then the + header value is not matched, only presence of the header is enough. + properties: + mismatch: + description: |- + Mismatch identifies what to do in case there is no match. The default is + to drop the request. Otherwise the overall rule is still considered as + matching, but the mismatches are logged in the access log. + enum: + - LOG + - ADD + - DELETE + - REPLACE + type: string + name: + description: Name identifies the header. + minLength: 1 + type: string + secret: + description: |- + Secret refers to a secret that contains the value to be matched against. + The secret must only contain one entry. If the referred secret does not + exist, and there is no "Value" specified, the match will fail. + properties: + name: + description: Name is the name of + the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + value: + description: |- + Value matches the exact value of the header. Can be specified either + alone or together with "Secret"; will be used as the header value if the + secret can not be found in the latter case. + type: string + required: + - name + type: object + type: array + headers: + description: |- + Headers is a list of HTTP headers which must be present in the + request. 
If omitted or empty, requests are allowed regardless of + headers present. + items: + type: string + type: array + host: + description: |- + Host is an extended POSIX regex matched against the host header of a + request. Examples: + + - foo.bar.com will match the host fooXbar.com or foo-bar.com + - foo\.bar\.com will only match the host foo.bar.com + + If omitted or empty, the value of the host header is ignored. + format: idn-hostname + type: string + method: + description: |- + Method is an extended POSIX regex matched against the method of a + request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ... + + If omitted or empty, all methods are allowed. + type: string + path: + description: |- + Path is an extended POSIX regex matched against the path of a + request. Currently it can contain characters disallowed from the + conventional "path" part of a URL as defined by RFC 3986. + + If omitted or empty, all paths are all allowed. + type: string + type: object + type: array + kafka: + description: Kafka-specific rules. + items: + description: |- + PortRule is a list of Kafka protocol constraints. All fields are + optional, if all fields are empty or missing, the rule will match all + Kafka messages. + properties: + apiKey: + description: |- + APIKey is a case-insensitive string matched against the key of a + request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al + Reference: https://kafka.apache.org/protocol#protocol_api_keys + + If omitted or empty, and if Role is not specified, then all keys are allowed. + type: string + apiVersion: + description: |- + APIVersion is the version matched against the api version of the + Kafka message. If set, it has to be a string representing a positive + integer. + + If omitted or empty, all versions are allowed. + type: string + clientID: + description: |- + ClientID is the client identifier as provided in the request. 
+ + From Kafka protocol documentation: + This is a user supplied identifier for the client application. The + user can use any identifier they like and it will be used when + logging errors, monitoring aggregates, etc. For example, one might + want to monitor not just the requests per second overall, but the + number coming from each client application (each of which could + reside on multiple servers). This id acts as a logical grouping + across all requests from a particular client. + + If omitted or empty, all client identifiers are allowed. + type: string + role: + description: |- + Role is a case-insensitive string and describes a group of API keys + necessary to perform certain higher-level Kafka operations such as "produce" + or "consume". A Role automatically expands into all APIKeys required + to perform the specified higher-level operation. + + The following values are supported: + - "produce": Allow producing to the topics specified in the rule + - "consume": Allow consuming from the topics specified in the rule + + This field is incompatible with the APIKey field, i.e APIKey and Role + cannot both be specified in the same rule. + + If omitted or empty, and if APIKey is not specified, then all keys are + allowed. + enum: + - produce + - consume + type: string + topic: + description: |- + Topic is the topic name contained in the message. If a Kafka request + contains multiple topics, then all topics must be allowed or the + message will be rejected. + + This constraint is ignored if the matched request message type + doesn't contain any topic. Maximum size of Topic can be 249 + characters as per recent Kafka spec and allowed characters are + a-z, A-Z, 0-9, -, . and _. + + Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 + version the length was changed from 255 to 249. For compatibility + reasons we are using 255. + + If omitted or empty, all topics are allowed. 
+ maxLength: 255 + type: string + type: object + type: array + l7: + description: Key-value pair rules. + items: + additionalProperties: + type: string + description: |- + PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as + protocol constraints. All fields are optional, if all fields are empty or + missing, the rule does not have any effect. + type: object + type: array + l7proto: + description: Name of the L7 protocol for which the + Key-value pair rules apply. + type: string + type: object + serverNames: + description: |- + ServerNames is a list of allowed TLS SNI values. If not empty, then + TLS must be present and one of the provided SNIs must be indicated in the + TLS handshake. + items: + type: string + type: array + terminatingTLS: + description: |- + TerminatingTLS is the TLS context for the connection terminated by + the L7 proxy. For egress policy this specifies the server-side TLS + parameters to be applied on the connections originated from the local + endpoint and terminated by the L7 proxy. For ingress policy this specifies + the server-side TLS parameters to be applied on the connections + originated from a remote source and terminated by the L7 proxy. + properties: + certificate: + description: |- + Certificate is the file name or k8s secret item name for the certificate + chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the + item must exist. + type: string + privateKey: + description: |- + PrivateKey is the file name or k8s secret item name for the private key + matching the certificate chain. If omitted, 'tls.key' is assumed, if it + exists. If given, the item must exist. + type: string + secret: + description: |- + Secret is the secret that contains the certificates and private key for + the TLS context. + By default, Cilium will search in this secret for the following items: + - 'ca.crt' - Which represents the trusted CA to verify remote source. + - 'tls.crt' - Which represents the public key certificate. 
+ - 'tls.key' - Which represents the private key matching the public key + certificate. + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: |- + TrustedCA is the file name or k8s secret item name for the trusted CA. + If omitted, 'ca.crt' is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + type: object + type: array + type: object + type: array + ingressDeny: + description: |- + IngressDeny is a list of IngressDenyRule which are enforced at ingress. + Any rule inserted here will be denied regardless of the allowed ingress + rules in the 'ingress' field. + If omitted or empty, this rule does not apply at ingress. + items: + description: |- + IngressDenyRule contains all rule types which can be applied at ingress, + i.e. network traffic that originates outside of the endpoint and + is entering the endpoint selected by the endpointSelector. + + - All members of this structure are optional. If omitted or empty, the + member will have no effect on the rule. + + - If multiple members are set, all of them need to match in order for + the rule to take effect. The exception to this rule is FromRequires field; + the effects of any Requires field in any rule will apply to all other + rules as well. + + - FromEndpoints, FromCIDR, FromCIDRSet, FromGroups and FromEntities are mutually + exclusive. Only one of these members may be present within an individual + rule. + properties: + fromCIDR: + description: |- + FromCIDR is a list of IP blocks which the endpoint subject to the + rule is allowed to receive connections from. Only connections which + do *not* originate from the cluster or from the local host are subject + to CIDR rules. 
In order to allow in-cluster connectivity, use the + FromEndpoints field. This will match on the source IP address of + incoming connections. Adding a prefix into FromCIDR or into + FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are + allowed between FromCIDR and FromCIDRSet. + + Example: + Any endpoint with the label "app=my-legacy-pet" is allowed to receive + connections from 10.3.9.1 + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + fromCIDRSet: + description: |- + FromCIDRSet is a list of IP blocks which the endpoint subject to the + rule is allowed to receive connections from in addition to FromEndpoints, + along with a list of subnets contained within their corresponding IP block + from which traffic should not be allowed. + This will match on the source IP address of incoming connections. Adding + a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is + equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. + + Example: + Any endpoint with the label "app=my-legacy-pet" is allowed to receive + connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12. + items: + description: |- + CIDRRule is a rule that specifies a CIDR prefix to/from which outside + communication is allowed, along with an optional list of subnets within that + CIDR prefix to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + - properties: + cidrGroupSelector: {} + required: + - cidrGroupSelector + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + format: cidr + type: string + cidrGroupRef: + description: |- + CIDRGroupRef is a reference to a CiliumCIDRGroup object. 
+ A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to + the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive + connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + cidrGroupSelector: + description: |- + CIDRGroupSelector selects CiliumCIDRGroups by their labels, + rather than by name. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + except: + description: |- + ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule + is not allowed to initiate connections to. These CIDR prefixes should be + contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not + supported yet. + These exceptions are only applied to the Cidr in this CIDRRule, and do not + apply to any other CIDR prefixes in any other CIDRRules. + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + type: object + type: array + fromEndpoints: + description: |- + FromEndpoints is a list of endpoints identified by an + EndpointSelector which are allowed to communicate with the endpoint + subject to the rule. + + Example: + Any endpoint with the label "role=backend" can be consumed by any + endpoint carrying the label "role=frontend". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + fromEntities: + description: |- + FromEntities is a list of special entities which the endpoint subject + to the rule is allowed to receive connections from. Supported entities are + `world`, `cluster` and `host` + items: + description: |- + Entity specifies the class of receiver/sender endpoints that do not have + individual identities. Entities are used to describe "outside of cluster", + "host", etc. + enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + fromGroups: + description: |- + FromGroups is a directive that allows the integration with multiple outside + providers. Currently, only AWS is supported, and the rule can select by + multiple sub directives: + + Example: + FromGroups: + - aws: + securityGroupsIds: + - 'sg-XXXXXXXXXXXXX' + items: + description: |- + Groups structure to store all kinds of new integrations that needs a new + derivative policy. 
+ properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + fromNodes: + description: |- + FromNodes is a list of nodes identified by an + EndpointSelector which are allowed to communicate with the endpoint + subject to the rule. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + fromRequires: + description: |- + FromRequires is a list of additional constraints which must be met + in order for the selected endpoints to be reachable. These + additional constraints do no by itself grant access privileges and + must always be accompanied with at least one matching FromEndpoints. + + Example: + Any Endpoint with the label "team=A" requires consuming endpoint + to also carry the label "team=A". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. 
+ maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + icmps: + description: |- + ICMPs is a list of ICMP rule identified by type number + which the endpoint subject to the rule is not allowed to + receive connections on. + + Example: + Any endpoint with the label "app=httpd" can not accept incoming + type 8 ICMP connections. + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: |- + Family is a IP address version. + Currently, we support `IPv4` and `IPv6`. + `IPv4` is set as default. 
+ enum: + - IPv4 + - IPv6 + type: string + type: + anyOf: + - type: integer + - type: string + description: "Type is a ICMP-type.\nIt should + be an 8bit code (0-255), or it's CamelCase name + (for example, \"EchoReply\").\nAllowed ICMP + types are:\n Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + |\n\t\t\t Timestamp | TimestampReply | Photuris + | ExtendedEcho Request | ExtendedEcho Reply\n + \ Ipv6: DestinationUnreachable | PacketTooBig + | TimeExceeded | ParameterProblem |\n\t\t\t + EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport |\n\t\t\t MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | + NeighborSolicitation |\n\t\t\t NeighborAdvertisement + | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery + |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation + | InverseNeighborDiscoveryAdvertisement |\n\t\t\t + HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply" + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true + required: + - type + type: object + maxItems: 40 + type: array + type: object + type: array + toPorts: + description: |- + ToPorts is a list of destination ports identified by port number and + protocol which the endpoint subject to the rule is not allowed to + receive connections on. + + Example: + Any endpoint with the label "app=httpd" can not accept incoming + connections on port 80/tcp. + items: + description: |- + PortDenyRule is a list of ports/protocol that should be used for deny + policies. This structure lacks the L7Rules since it's not supported in deny + policies. + properties: + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + endPort: + description: EndPort can only be an L4 port number. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + port: + description: |- + Port can be an L4 port number, or a name in the form of "http" + or "http-8080". + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: |- + Protocol is the L4 protocol. If omitted or empty, any protocol + matches. Accepted values: "TCP", "UDP", "SCTP", "ANY" + + Matching on ICMP is not supported. 
+ + Named port specified for a container may narrow this down, but may not + contradict this. + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + type: array + type: object + type: array + type: object + type: array + labels: + description: |- + Labels is a list of optional strings which can be used to + re-identify the rule or to store metadata. It is possible to lookup + or delete strings based on labels. Labels are not required to be + unique, multiple rules can have overlapping or identical labels. + items: + description: Label is the Cilium's representation of a container + label. + properties: + key: + type: string + source: + description: 'Source can be one of the above values (e.g.: + LabelSourceContainer).' + type: string + value: + type: string + required: + - key + type: object + type: array + nodeSelector: + description: |- + NodeSelector selects all nodes which should be subject to this rule. + EndpointSelector and NodeSelector cannot be both empty and are mutually + exclusive. Can only be used in CiliumClusterwideNetworkPolicies. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from the + MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array + status: + description: |- + Status is the status of the Cilium policy rule. + + The reason this field exists in this structure is due a bug in the k8s + code-generator that doesn't create a `UpdateStatus` method because the + field does not exist in the structure. + properties: + conditions: + items: + properties: + lastTransitionTime: + description: The last time the condition transitioned from one + status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: The status of the condition, one of True, False, + or Unknown + type: string + type: + description: The type of the policy condition + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + derivativePolicies: + additionalProperties: + description: |- + CiliumNetworkPolicyNodeStatus is the status of a Cilium policy rule for a + specific node. 
+ properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations corresponds to the Annotations in the ObjectMeta of the CNP + that have been realized on the node for CNP. That is, if a CNP has been + imported and has been assigned annotation X=Y by the user, + Annotations in CiliumNetworkPolicyNodeStatus will be X=Y once the + CNP that was imported corresponding to Annotation X=Y has been realized on + the node. + type: object + enforcing: + description: |- + Enforcing is set to true once all endpoints present at the time the + policy has been imported are enforcing this policy. + type: boolean + error: + description: |- + Error describes any error that occurred when parsing or importing the + policy, or realizing the policy for the endpoints to which it applies + on the node. + type: string + lastUpdated: + description: LastUpdated contains the last time this status + was updated + format: date-time + type: string + localPolicyRevision: + description: |- + Revision is the policy revision of the repository which first implemented + this policy. + format: int64 + type: integer + ok: + description: |- + OK is true when the policy has been parsed and imported successfully + into the in-memory policy repository on the node. + type: boolean + type: object + description: |- + DerivativePolicies is the status of all policies derived from the Cilium + policy + type: object + type: object + required: + - metadata + type: object + served: true + storage: true + subresources: + status: {} diff --git a/test/integration/manifests/cilium/v1.17/ebpf/overlay/cilium.yaml b/test/integration/manifests/cilium/v1.17/ebpf/overlay/cilium.yaml new file mode 100644 index 0000000000..2d80205e3d --- /dev/null +++ b/test/integration/manifests/cilium/v1.17/ebpf/overlay/cilium.yaml 
@@ -0,0 +1,538 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/actually-managed-by: Eno + app.kubernetes.io/managed-by: Helm + k8s-app: cilium + kubernetes.azure.com/managedby: aks + name: cilium + namespace: kube-system +spec: + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: cilium + template: + metadata: + annotations: + prometheus.io/port: "9962" + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/managed-by: Eno + k8s-app: cilium + kubernetes.azure.com/ebpf-dataplane: cilium + kubernetes.azure.com/managedby: aks + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.azure.com/cluster + operator: Exists + - key: type + operator: NotIn + values: + - virtual-kubelet + - key: kubernetes.io/os + operator: In + values: + - linux + automountServiceAccountToken: true + containers: + - args: + - --config-dir=/tmp/cilium/config-map + command: + - cilium-agent + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CILIUM_CLUSTERMESH_CONFIG + value: /var/lib/cilium/clustermesh/ + - name: KUBE_CLIENT_BACKOFF_BASE + value: "1" + - name: KUBE_CLIENT_BACKOFF_DURATION + value: "120" + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 10 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + - name: require-k8s-connectivity + value: "false" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + name: cilium-agent + ports: + - containerPort: 9962 + hostPort: 9962 + name: prometheus + protocol: TCP + readinessProbe: + 
failureThreshold: 3 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - CHOWN + - KILL + - NET_ADMIN + - NET_RAW + - IPC_LOCK + - SYS_MODULE + - SYS_ADMIN + - SYS_RESOURCE + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + startupProbe: + failureThreshold: 105 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /host/proc/sys/net + name: host-proc-sys-net + - mountPath: /host/proc/sys/kernel + name: host-proc-sys-kernel + - mountPath: /sys/fs/bpf + mountPropagation: HostToContainer + name: bpf-maps + - mountPath: /var/run/cilium + name: cilium-run + - mountPath: /host/etc/cni/net.d + name: etc-cni-netd + - mountPath: /var/lib/cilium/clustermesh + name: clustermesh-secrets + readOnly: true + - mountPath: /tmp/cilium/config-map + name: cilium-config-path + readOnly: true + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns + - mountPath: /flowlog-config + name: hubble-flowlog-config + readOnly: true + - mountPath: /var/log/acns/hubble + name: networkflowlogs + - mountPath: /etc/config + name: azure-ip-masq-dir + readOnly: true + - command: + - /azure-iptables-monitor + - -v + - "3" + - -events=true + - -checkMap=true + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + image: 
$AZURE_IPTABLES_MONITOR_IMAGE_REGISTRY/azure-iptables-monitor:$AZURE_IPTABLES_MONITOR_TAG + imagePullPolicy: IfNotPresent + name: azure-iptables-monitor + resources: {} + securityContext: + capabilities: + add: + - NET_ADMIN + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/config + name: iptables-config + - mountPath: /azure-block-iptables-bpf-map + name: iptables-block-bpf-map + readOnly: true + - command: + - ./azure-ip-masq-merger + - -v + - "2" + image: $AZURE_IP_MASQ_MERGER_IMAGE_REGISTRY/azure-ip-masq-merger:$AZURE_IP_MASQ_MERGER_TAG + imagePullPolicy: IfNotPresent + name: azure-ip-masq-merger + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/config/ + name: azure-ip-masq-agent-config-volume + - mountPath: /etc/merged-config/ + name: azure-ip-masq-dir + dnsPolicy: ClusterFirst + hostNetwork: true + initContainers: + - command: + - /azure-block-iptables + - -mode=attach + - -overwrite=true + image: $AZURE_IPTABLES_MONITOR_IMAGE_REGISTRY/azure-iptables-monitor:$AZURE_IPTABLES_MONITOR_TAG + imagePullPolicy: IfNotPresent + name: iptables-blocker-init + resources: {} + securityContext: + privileged: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /sys/fs/bpf + name: bpf-maps + - mountPath: /proc + name: hostproc + - command: + - /azure-iptables-monitor + - -v + - "3" + - -events=true + - -terminateOnSuccess=true + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + image: $AZURE_IPTABLES_MONITOR_IMAGE_REGISTRY/azure-iptables-monitor:$AZURE_IPTABLES_MONITOR_TAG + imagePullPolicy: IfNotPresent + name: azure-iptables-monitor-init + resources: {} + securityContext: + capabilities: + add: + - NET_ADMIN + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: 
/etc/config + name: iptables-config + - command: + - /install-plugin.sh + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: install-cni-binaries + resources: {} + securityContext: + capabilities: + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-path + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-mount /hostbin/cilium-mount; + nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; + rm /hostbin/cilium-mount + env: + - name: CGROUP_ROOT + value: /run/cilium/cgroupv2 + - name: BIN_PATH + value: /opt/cni/bin + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: mount-cgroup + resources: {} + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; + nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; + rm /hostbin/cilium-sysctlfix + env: + - name: BIN_PATH + value: /opt/cni/bin + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: apply-sysctl-overwrites + resources: {} + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - 
mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - args: + - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf + command: + - /bin/bash + - -c + - -- + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: mount-bpf-fs + resources: {} + securityContext: + privileged: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /sys/fs/bpf + mountPropagation: Bidirectional + name: bpf-maps + - command: + - /init-container.sh + env: + - name: CILIUM_ALL_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-state + name: cilium-config + optional: true + - name: CILIUM_BPF_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-bpf-state + name: cilium-config + optional: true + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: clean-cilium-state + resources: + requests: + cpu: 100m + memory: 100Mi + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - NET_ADMIN + - SYS_MODULE + - SYS_ADMIN + - SYS_RESOURCE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /sys/fs/bpf + name: bpf-maps + - mountPath: /run/cilium/cgroupv2 + mountPropagation: HostToContainer + name: cilium-cgroup + - mountPath: /var/run/cilium + name: cilium-run + priorityClassName: system-node-critical + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: cilium + serviceAccountName: cilium + terminationGracePeriodSeconds: 1 + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + - effect: NoSchedule + operator: Exists + volumes: + - hostPath: + path: /etc/systemd + type: DirectoryOrCreate + name: host-etc-systemd + - hostPath: + path: 
/lib/systemd + type: DirectoryOrCreate + name: host-lib-systemd + - hostPath: + path: /usr/lib + type: DirectoryOrCreate + name: host-usr-lib + - hostPath: + path: /var/run/cilium + type: DirectoryOrCreate + name: cilium-run + - hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + name: bpf-maps + - hostPath: + path: /proc + type: Directory + name: hostproc + - hostPath: + path: /run/cilium/cgroupv2 + type: DirectoryOrCreate + name: cilium-cgroup + - hostPath: + path: /opt/cni/bin + type: DirectoryOrCreate + name: cni-path + - hostPath: + path: /etc/cni/net.d + type: DirectoryOrCreate + name: etc-cni-netd + - hostPath: + path: /lib/modules + type: "" + name: lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + - name: clustermesh-secrets + secret: + defaultMode: 256 + optional: true + secretName: cilium-clustermesh + - configMap: + defaultMode: 420 + name: cilium-config + name: cilium-config-path + - hostPath: + path: /proc/sys/net + type: Directory + name: host-proc-sys-net + - hostPath: + path: /proc/sys/kernel + type: Directory + name: host-proc-sys-kernel + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns + - configMap: + defaultMode: 420 + name: acns-flowlog-config + optional: true + name: hubble-flowlog-config + - hostPath: + path: /var/log/acns/hubble + type: DirectoryOrCreate + name: networkflowlogs + - configMap: + defaultMode: 420 + name: allowed-iptables-patterns + optional: true + name: iptables-config + - hostPath: + path: /sys/fs/bpf/azure-block-iptables + type: DirectoryOrCreate + name: iptables-block-bpf-map + - emptyDir: {} + name: azure-ip-masq-dir + - name: azure-ip-masq-agent-config-volume + projected: + defaultMode: 420 + sources: + - configMap: + items: + - key: ip-masq-agent + mode: 444 + path: ip-masq-agent + name: azure-ip-masq-agent-config + optional: true + - configMap: + items: + - key: ip-masq-agent-reconciled + mode: 444 + path: ip-masq-agent-reconciled + 
name: azure-ip-masq-agent-config-reconciled + optional: true + updateStrategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 5% + type: RollingUpdate diff --git a/test/integration/manifests/cilium/v1.17/ebpf/overlay/static/azure-ip-masq-agent-config-reconciled.yaml b/test/integration/manifests/cilium/v1.17/ebpf/overlay/static/azure-ip-masq-agent-config-reconciled.yaml new file mode 100644 index 0000000000..e6d8edca6a --- /dev/null +++ b/test/integration/manifests/cilium/v1.17/ebpf/overlay/static/azure-ip-masq-agent-config-reconciled.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +data: + ip-masq-agent-reconciled: | + MasqLinkLocal: true + NonMasqueradeCIDRs: + - 192.168.0.0/16 +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/managed-by: Eno + component: ip-masq-agent + name: azure-ip-masq-agent-config-reconciled + namespace: kube-system diff --git a/test/integration/manifests/cilium/v1.17/ebpf/overlay/static/cilium-config.yaml b/test/integration/manifests/cilium/v1.17/ebpf/overlay/static/cilium-config.yaml new file mode 100644 index 0000000000..c0d38cc82d --- /dev/null +++ b/test/integration/manifests/cilium/v1.17/ebpf/overlay/static/cilium-config.yaml 
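Review bot: Three hostPath volumes in the `volumes:` list — `host-etc-systemd` (/etc/systemd), `host-lib-systemd` (/lib/systemd) and `host-usr-lib` (/usr/lib), all `DirectoryOrCreate` — are not referenced by any `volumeMounts` in this DaemonSet, so they widen the host-filesystem surface the pod spec declares (and what a hostPath admission policy has to permit) without serving a container; drop them, or add a comment naming the consumer if one is expected later. Separately, the `azure-iptables-monitor` sidecar and the `azure-iptables-monitor-init` init container add `NET_ADMIN` without the `drop: [ALL]` that `cilium-agent` and the other init containers carry, and `azure-ip-masq-merger` has no securityContext at all; on a `hostNetwork: true` pod I would bring them in line with `capabilities: {add: [NET_ADMIN], drop: [ALL]}` and `capabilities: {drop: [ALL]}` respectively. The podsubnet `cilium.yaml` in this change carries the same three unused volumes and the same sidecar securityContext gaps.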
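Review bot: The reconciled ip-masq config uses capitalised keys, `MasqLinkLocal` and `NonMasqueradeCIDRs`, while the podsubnet fixture's `azure-dns-imds-ip-masq-agent-config` spells them `nonMasqueradeCIDRs` and `masqLinkLocal`; if the merger or Cilium's ip-masq-agent matches keys case-sensitively, this file's single entry would be silently ignored and the overlay cluster would run on the other source alone. I cannot see the merger's parser from here, so this is a check rather than a definite defect; if the lower-case spelling is the accepted one, `nonMasqueradeCIDRs:` and `masqLinkLocal: true` is the fix.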
@@ -0,0 +1,166 @@ +apiVersion: v1 +data: + agent-not-ready-taint-key: node.cilium.io/agent-not-ready + arping-refresh-period: 30s + auto-direct-node-routes: "false" + bpf-algorithm-annotation: "false" + bpf-events-drop-enabled: "true" + bpf-events-policy-verdict-enabled: "true" + bpf-events-trace-enabled: "true" + bpf-lb-acceleration: disabled + bpf-lb-external-clusterip: "false" + bpf-lb-map-max: "65536" + bpf-lb-mode: snat + bpf-lb-mode-annotation: "false" + bpf-lb-sock: "false" + bpf-lb-sock-hostns-only: "true" + bpf-lb-sock-terminate-pod-connections: "false" + bpf-lb-source-range-all-types: "false" + bpf-map-dynamic-size-ratio: "0.0025" + bpf-policy-map-max: "16384" + bpf-root: /sys/fs/bpf + ces-slice-mode: fcfs + cgroup-root: /run/cilium/cgroupv2 + cilium-endpoint-gc-interval: 5m0s + cluster-id: "0" + cluster-name: alewoverebpfcilcanary + cni-exclusive: "false" + cni-log-file: /var/run/cilium/cilium-cni.log + datapath-mode: veth + debug: "false" + direct-routing-skip-unreachable: "false" + disable-cnp-status-updates: "true" + disable-embedded-dns-proxy: "false" + disable-endpoint-crd: "false" + dnsproxy-enable-transparent-mode: "false" + egress-gateway-reconciliation-trigger-interval: 1s + enable-auto-protect-node-port-range: "true" + enable-bgp-control-plane: "false" + enable-bpf-clock-probe: "true" + enable-bpf-masquerade: "true" + enable-cilium-endpoint-slice: "true" + enable-endpoint-health-checking: "false" + enable-endpoint-lockdown-on-policy-overflow: "false" + enable-endpoint-routes: "true" + enable-experimental-lb: "false" + enable-health-check-loadbalancer-ip: "false" + enable-health-check-nodeport: "true" + enable-health-checking: "true" + enable-host-legacy-routing: "false" + enable-hubble: "true" + enable-hubble-open-metrics: "false" + enable-internal-traffic-policy: "true" + enable-ip-masq-agent: "true" + enable-ipv4: "true" + enable-ipv4-big-tcp: "false" + enable-ipv4-masquerade: "true" + enable-ipv6: "false" + enable-ipv6-big-tcp: "false" + 
enable-ipv6-masquerade: "false" + enable-k8s-networkpolicy: "true" + enable-k8s-terminating-endpoint: "true" + enable-l2-neigh-discovery: "true" + enable-l7-proxy: "true" + enable-lb-ipam: "false" + enable-local-node-route: "false" + enable-local-redirect-policy: "true" + enable-masquerade-to-route-source: "false" + enable-metrics: "true" + enable-node-selector-labels: "false" + enable-non-default-deny-policies: "true" + enable-policy: default + enable-remote-node-identity: "true" + enable-remote-node-masquerade: "true" + enable-runtime-device-detection: "false" + enable-sctp: "false" + enable-session-affinity: "true" + enable-source-ip-verification: "false" + enable-standalone-dns-proxy: "true" + enable-svc-source-range-check: "true" + enable-tcx: "false" + enable-vtep: "false" + enable-well-known-identities: "false" + enable-wireguard: "false" + enable-xt-socket-fallback: "true" + external-envoy-proxy: "false" + health-check-icmp-failure-threshold: "3" + hubble-disable-tls: "false" + hubble-event-buffer-capacity: "4095" + hubble-export-file-max-backups: "5" + hubble-export-file-max-size-mb: "10" + hubble-flowlogs-config-path: /flowlog-config/flowlogs.yaml + hubble-listen-address: :4244 + hubble-metrics: flow:sourceEgressContext=pod;destinationIngressContext=pod tcp:sourceEgressContext=pod;destinationIngressContext=pod + drop:sourceEgressContext=pod;destinationIngressContext=pod dns:sourceEgressContext=pod;destinationIngressContext=pod + hubble-metrics-server: :9965 + hubble-socket-path: /var/run/cilium/hubble.sock + hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt + hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt + hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key + identity-allocation-mode: crd + install-iptables-rules: "true" + install-no-conntrack-iptables-rules: "false" + ipam: delegated-plugin + ipam-cilium-node-update-rate: 15s + ipv4-native-routing-cidr: 192.168.0.0/16 + k8s-client-burst: "20" + k8s-client-qps: "10" 
+ k8s-require-ipv4-pod-cidr: "false" + k8s-require-ipv6-pod-cidr: "false" + kube-proxy-replacement: "true" + kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256 + local-router-ipv4: 169.254.23.0 + mesh-auth-enabled: "false" + mesh-auth-gc-interval: 5m0s + mesh-auth-queue-size: "1024" + mesh-auth-rotated-identities-queue-size: "1024" + metrics: +cilium_bpf_map_pressure +cilium_proxy_datapath_update_timeout_total + monitor-aggregation: medium + monitor-aggregation-flags: all + monitor-aggregation-interval: 5s + nat-map-stats-entries: "32" + nat-map-stats-interval: 30s + node-port-bind-protection: "true" + nodeport-addresses: "" + nodes-gc-interval: 5m0s + operator-api-serve-addr: 127.0.0.1:9234 + operator-prometheus-serve-addr: :9963 + preallocate-bpf-maps: "false" + procfs: /host/proc + prometheus-serve-addr: :9962 + proxy-connect-timeout: "2" + proxy-idle-timeout-seconds: "60" + proxy-max-connection-duration-seconds: "0" + proxy-max-requests-per-connection: "0" + proxy-xff-num-trusted-hops-egress: "0" + proxy-xff-num-trusted-hops-ingress: "0" + remove-cilium-node-taints: "true" + routing-mode: native + set-cilium-is-up-condition: "true" + set-cilium-node-taints: "true" + sidecar-istio-proxy-image: cilium/istio_proxy + synchronize-k8s-nodes: "true" + tofqdns-dns-reject-response-code: refused + tofqdns-enable-dns-compression: "true" + tofqdns-endpoint-max-ip-per-hostname: "1000" + tofqdns-idle-connection-grace-period: 0s + tofqdns-max-deferred-connection-deletes: "10000" + tofqdns-min-ttl: "3600" + tofqdns-proxy-port: "40046" + tofqdns-proxy-response-max-delay: 100ms + tofqdns-server-port: "40045" + unmanaged-pod-watcher-interval: "0" + vtep-cidr: "" + vtep-endpoint: "" + vtep-mac: "" + vtep-mask: "" +kind: ConfigMap +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/actually-managed-by: Eno + app.kubernetes.io/managed-by: Helm + name: cilium-config + namespace: kube-system 
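Review bot: `cluster-name: alewoverebpfcilcanary` is a hard-coded value that appears copied from a canary cluster's rendered config rather than the e2e cluster this fixture is meant for, and the podsubnet `cilium-config.yaml` in this change has the same pattern with `alewpodsubebpfcilcanary`; both should either name the e2e cluster or be templated the way the image fields are, since Cilium bakes the cluster name into node and identity metadata. Also, `hubble-disable-tls: "false"` together with `hubble-tls-cert-file`, `hubble-tls-key-file` and `hubble-tls-client-ca-files` under `/var/lib/cilium/tls/hubble/` requires certificate material at that path, but the overlay DaemonSet in this change mounts nothing there; unless the files arrive by another route I cannot see, the Hubble listener on `:4244` has no certificate to serve, so either mount the Hubble TLS secret or make the two settings consistent for the test.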
diff --git a/test/integration/manifests/cilium/v1.17/ebpf/podsubnet/cilium.yaml b/test/integration/manifests/cilium/v1.17/ebpf/podsubnet/cilium.yaml new file mode 100644 index 0000000000..3e3054f41e --- /dev/null +++ b/test/integration/manifests/cilium/v1.17/ebpf/podsubnet/cilium.yaml 
@@ -0,0 +1,508 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/actually-managed-by: Eno + app.kubernetes.io/managed-by: Helm + k8s-app: cilium + kubernetes.azure.com/managedby: aks + name: cilium + namespace: kube-system +spec: + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: cilium + template: + metadata: + annotations: + prometheus.io/port: "9962" + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/managed-by: Eno + k8s-app: cilium + kubernetes.azure.com/ebpf-dataplane: cilium + kubernetes.azure.com/managedby: aks + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.azure.com/cluster + operator: Exists + - key: type + operator: NotIn + values: + - virtual-kubelet + - key: kubernetes.io/os + operator: In + values: + - linux + automountServiceAccountToken: true + containers: + - args: + - --config-dir=/tmp/cilium/config-map + command: + - cilium-agent + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CILIUM_CLUSTERMESH_CONFIG + value: /var/lib/cilium/clustermesh/ + - name: KUBE_CLIENT_BACKOFF_BASE + value: "1" + - name: KUBE_CLIENT_BACKOFF_DURATION + value: "120" + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 10 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + - name: require-k8s-connectivity + value: "false" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + name: cilium-agent + ports: + - containerPort: 9962 + hostPort: 9962 + name: prometheus + protocol: TCP + readinessProbe: + 
failureThreshold: 3 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - CHOWN + - KILL + - NET_ADMIN + - NET_RAW + - IPC_LOCK + - SYS_MODULE + - SYS_ADMIN + - SYS_RESOURCE + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + startupProbe: + failureThreshold: 105 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /host/proc/sys/net + name: host-proc-sys-net + - mountPath: /host/proc/sys/kernel + name: host-proc-sys-kernel + - mountPath: /sys/fs/bpf + mountPropagation: HostToContainer + name: bpf-maps + - mountPath: /var/run/cilium + name: cilium-run + - mountPath: /host/etc/cni/net.d + name: etc-cni-netd + - mountPath: /var/lib/cilium/clustermesh + name: clustermesh-secrets + readOnly: true + - mountPath: /tmp/cilium/config-map + name: cilium-config-path + readOnly: true + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns + - mountPath: /flowlog-config + name: hubble-flowlog-config + readOnly: true + - mountPath: /var/log/acns/hubble + name: networkflowlogs + - mountPath: /etc/config + name: azure-ip-masq-dir + readOnly: true + - command: + - /azure-iptables-monitor + - -v + - "3" + - -events=true + - -checkMap=true + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + image: 
$AZURE_IPTABLES_MONITOR_IMAGE_REGISTRY/azure-iptables-monitor:$AZURE_IPTABLES_MONITOR_TAG + imagePullPolicy: IfNotPresent + name: azure-iptables-monitor + resources: {} + securityContext: + capabilities: + add: + - NET_ADMIN + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/config + name: iptables-config + - mountPath: /azure-block-iptables-bpf-map + name: iptables-block-bpf-map + readOnly: true + dnsPolicy: ClusterFirst + hostNetwork: true + initContainers: + - command: + - /azure-block-iptables + - -mode=attach + - -overwrite=true + image: $AZURE_IPTABLES_MONITOR_IMAGE_REGISTRY/azure-iptables-monitor:$AZURE_IPTABLES_MONITOR_TAG + imagePullPolicy: IfNotPresent + name: iptables-blocker-init + resources: {} + securityContext: + privileged: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /sys/fs/bpf + name: bpf-maps + - mountPath: /proc + name: hostproc + - command: + - /azure-iptables-monitor + - -v + - "3" + - -events=true + - -terminateOnSuccess=true + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + image: $AZURE_IPTABLES_MONITOR_IMAGE_REGISTRY/azure-iptables-monitor:$AZURE_IPTABLES_MONITOR_TAG + imagePullPolicy: IfNotPresent + name: azure-iptables-monitor-init + resources: {} + securityContext: + capabilities: + add: + - NET_ADMIN + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/config + name: iptables-config + - command: + - /install-plugin.sh + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: install-cni-binaries + resources: {} + securityContext: + capabilities: + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: 
/host/opt/cni/bin + name: cni-path + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-mount /hostbin/cilium-mount; + nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; + rm /hostbin/cilium-mount + env: + - name: CGROUP_ROOT + value: /run/cilium/cgroupv2 + - name: BIN_PATH + value: /opt/cni/bin + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: mount-cgroup + resources: {} + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; + nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; + rm /hostbin/cilium-sysctlfix + env: + - name: BIN_PATH + value: /opt/cni/bin + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: apply-sysctl-overwrites + resources: {} + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - args: + - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf + command: + - /bin/bash + - -c + - -- + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: mount-bpf-fs + resources: {} + securityContext: + privileged: true + terminationMessagePath: /dev/termination-log + 
terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /sys/fs/bpf + mountPropagation: Bidirectional + name: bpf-maps + - command: + - /init-container.sh + env: + - name: CILIUM_ALL_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-state + name: cilium-config + optional: true + - name: CILIUM_BPF_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-bpf-state + name: cilium-config + optional: true + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: clean-cilium-state + resources: + requests: + cpu: 100m + memory: 100Mi + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - NET_ADMIN + - SYS_MODULE + - SYS_ADMIN + - SYS_RESOURCE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /sys/fs/bpf + name: bpf-maps + - mountPath: /run/cilium/cgroupv2 + mountPropagation: HostToContainer + name: cilium-cgroup + - mountPath: /var/run/cilium + name: cilium-run + priorityClassName: system-node-critical + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: cilium + serviceAccountName: cilium + terminationGracePeriodSeconds: 1 + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + - effect: NoSchedule + operator: Exists + volumes: + - hostPath: + path: /etc/systemd + type: DirectoryOrCreate + name: host-etc-systemd + - hostPath: + path: /lib/systemd + type: DirectoryOrCreate + name: host-lib-systemd + - hostPath: + path: /usr/lib + type: DirectoryOrCreate + name: host-usr-lib + - hostPath: + path: /var/run/cilium + type: DirectoryOrCreate + name: cilium-run + - hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + name: bpf-maps + - hostPath: + path: /proc + type: Directory + name: hostproc + - hostPath: + path: /run/cilium/cgroupv2 + type: 
DirectoryOrCreate + name: cilium-cgroup + - hostPath: + path: /opt/cni/bin + type: DirectoryOrCreate + name: cni-path + - hostPath: + path: /etc/cni/net.d + type: DirectoryOrCreate + name: etc-cni-netd + - hostPath: + path: /lib/modules + type: "" + name: lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + - name: clustermesh-secrets + secret: + defaultMode: 256 + optional: true + secretName: cilium-clustermesh + - configMap: + defaultMode: 420 + name: cilium-config + name: cilium-config-path + - hostPath: + path: /proc/sys/net + type: Directory + name: host-proc-sys-net + - hostPath: + path: /proc/sys/kernel + type: Directory + name: host-proc-sys-kernel + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns + - configMap: + defaultMode: 420 + name: acns-flowlog-config + optional: true + name: hubble-flowlog-config + - hostPath: + path: /var/log/acns/hubble + type: DirectoryOrCreate + name: networkflowlogs + - configMap: + defaultMode: 420 + name: allowed-iptables-patterns + optional: true + name: iptables-config + - hostPath: + path: /sys/fs/bpf/azure-block-iptables + type: DirectoryOrCreate + name: iptables-block-bpf-map + - configMap: + defaultMode: 420 + name: azure-dns-imds-ip-masq-agent-config + optional: true + name: azure-ip-masq-dir + updateStrategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 5% + type: RollingUpdate diff --git a/test/integration/manifests/cilium/v1.17/ebpf/podsubnet/static/azure-dns-imds-ip-masq-agent-config.yaml b/test/integration/manifests/cilium/v1.17/ebpf/podsubnet/static/azure-dns-imds-ip-masq-agent-config.yaml new file mode 100644 index 0000000000..2613c3b265 --- /dev/null +++ b/test/integration/manifests/cilium/v1.17/ebpf/podsubnet/static/azure-dns-imds-ip-masq-agent-config.yaml 
@@ -0,0 +1,26 @@ +apiVersion: v1 +data: + ip-masq-agent: "nonMasqueradeCIDRs:\n- 0.0.0.0/1\n- 128.0.0.0/3\n- 160.0.0.0/5\n- + 168.0.0.0/11\n- 168.32.0.0/12\n- 168.48.0.0/13\n- 168.56.0.0/14\n- 168.60.0.0/15\n- + 168.62.0.0/16\n- 168.63.0.0/17\n- 168.63.128.0/24\n- 168.63.129.0/29\n- 168.63.129.8/30\n- + 168.63.129.12/30\n- 168.63.129.17/32\n- 168.63.129.18/31\n- 168.63.129.20/30\n- + 168.63.129.24/29\n- 168.63.129.32/27\n- 168.63.129.64/26\n- 168.63.129.128/25\n- + 168.63.130.0/23\n- 168.63.132.0/22\n- 168.63.136.0/21\n- 168.63.144.0/20\n- 168.63.160.0/19\n- + 168.63.192.0/18\n- 168.64.0.0/10\n- 168.128.0.0/9\n- 169.0.0.0/9\n- 169.128.0.0/10\n- + 169.192.0.0/11\n- 169.224.0.0/12\n- 169.240.0.0/13\n- 169.248.0.0/14\n- 169.252.0.0/15\n- + 169.254.0.0/17\n- 169.254.128.0/19\n- 169.254.160.0/21\n- 169.254.168.0/24\n- + 169.254.169.0/25\n- 169.254.169.128/26\n- 169.254.169.192/27\n- 169.254.169.224/28\n- + 169.254.169.240/29\n- 169.254.169.248/30\n- 169.254.169.252/31\n- 169.254.169.255/32\n- + 169.254.170.0/23\n- 169.254.172.0/22\n- 169.254.176.0/20\n- 169.254.192.0/18\n- + 169.255.0.0/16\n- 170.0.0.0/7\n- 172.0.0.0/6\n- 176.0.0.0/4\n- 192.0.0.0/3\n- + 224.0.0.0/3\n \nmasqLinkLocal: true\nmasqLinkLocalIPv6: true\n" +kind: ConfigMap +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/actually-managed-by: Eno + app.kubernetes.io/managed-by: Helm + name: azure-dns-imds-ip-masq-agent-config + namespace: kube-system diff --git a/test/integration/manifests/cilium/v1.17/ebpf/podsubnet/static/cilium-config.yaml b/test/integration/manifests/cilium/v1.17/ebpf/podsubnet/static/cilium-config.yaml new file mode 100644 index 0000000000..14cb5d0105 --- /dev/null +++ b/test/integration/manifests/cilium/v1.17/ebpf/podsubnet/static/cilium-config.yaml 
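Review bot: The `ip-masq-agent` value is one folded double-quoted string of roughly sixty CIDRs, and a reader has to reassemble it to see that the list covers all of IPv4 except `168.63.129.16/32` and `169.254.169.254/32`, i.e. only traffic to the Azure host agent and IMDS addresses leaves the node masqueraded; since the exactness of those two carve-outs is the point of this fixture, the intent should be stated where the file is read. I would add a YAML comment above `data:` such as `# nonMasqueradeCIDRs = 0.0.0.0/0 minus 168.63.129.16/32 (Azure host agent) and 169.254.169.254/32 (IMDS)`, and consider writing the value as a `|` block scalar so each CIDR sits on its own line and diffs cleanly. The ` \n` before `masqLinkLocal` looks like a stray whitespace-only line in the embedded document and can be dropped.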
@@ -0,0 +1,166 @@
+apiVersion: v1
+data:
+ agent-not-ready-taint-key: node.cilium.io/agent-not-ready
+ arping-refresh-period: 30s
+ auto-direct-node-routes: "false"
+ bpf-algorithm-annotation: "false"
+ bpf-events-drop-enabled: "true"
+ bpf-events-policy-verdict-enabled: "true"
+ bpf-events-trace-enabled: "true"
+ bpf-lb-acceleration: disabled
+ bpf-lb-external-clusterip: "false"
+ bpf-lb-map-max: "65536"
+ bpf-lb-mode: snat
+ bpf-lb-mode-annotation: "false"
+ bpf-lb-sock: "false"
+ bpf-lb-sock-hostns-only: "true"
+ bpf-lb-sock-terminate-pod-connections: "false"
+ bpf-lb-source-range-all-types: "false"
+ bpf-map-dynamic-size-ratio: "0.0025"
+ bpf-policy-map-max: "16384"
+ bpf-root: /sys/fs/bpf
+ ces-slice-mode: fcfs
+ cgroup-root: /run/cilium/cgroupv2
+ cilium-endpoint-gc-interval: 5m0s
+ cluster-id: "0"
+ cluster-name: alewpodsubebpfcilcanary
+ cni-exclusive: "false"
+ cni-log-file: /var/run/cilium/cilium-cni.log
+ datapath-mode: veth
+ debug: "false"
+ direct-routing-skip-unreachable: "false"
+ disable-cnp-status-updates: "true"
+ disable-embedded-dns-proxy: "false"
+ disable-endpoint-crd: "false"
+ dnsproxy-enable-transparent-mode: "false"
+ egress-gateway-reconciliation-trigger-interval: 1s
+ enable-auto-protect-node-port-range: "true"
+ enable-bgp-control-plane: "false"
+ enable-bpf-clock-probe: "true"
+ enable-bpf-masquerade: "true"
+ enable-cilium-endpoint-slice: "true"
+ enable-endpoint-health-checking: "false"
+ enable-endpoint-lockdown-on-policy-overflow: "false"
+ enable-endpoint-routes: "true"
+ enable-experimental-lb: "false"
+ enable-health-check-loadbalancer-ip: "false"
+ enable-health-check-nodeport: "true"
+ enable-health-checking: "true"
+ enable-host-legacy-routing: "false"
+ enable-hubble: "true"
+ enable-hubble-open-metrics: "false"
+ enable-internal-traffic-policy: "true"
+ enable-ip-masq-agent: "true"
+ enable-ipv4: "true"
+ enable-ipv4-big-tcp: "false"
+ enable-ipv4-masquerade: "true"
+ enable-ipv6: "false"
+ enable-ipv6-big-tcp: "false"
+
enable-ipv6-masquerade: "false" + enable-k8s-networkpolicy: "true" + enable-k8s-terminating-endpoint: "true" + enable-l2-neigh-discovery: "true" + enable-l7-proxy: "true" + enable-lb-ipam: "false" + enable-local-node-route: "false" + enable-local-redirect-policy: "true" + enable-masquerade-to-route-source: "false" + enable-metrics: "true" + enable-node-selector-labels: "false" + enable-non-default-deny-policies: "true" + enable-policy: default + enable-remote-node-identity: "true" + enable-remote-node-masquerade: "false" + enable-runtime-device-detection: "false" + enable-sctp: "false" + enable-session-affinity: "true" + enable-source-ip-verification: "false" + enable-standalone-dns-proxy: "true" + enable-svc-source-range-check: "true" + enable-tcx: "false" + enable-vtep: "false" + enable-well-known-identities: "false" + enable-wireguard: "false" + enable-xt-socket-fallback: "true" + external-envoy-proxy: "false" + health-check-icmp-failure-threshold: "3" + hubble-disable-tls: "false" + hubble-event-buffer-capacity: "4095" + hubble-export-file-max-backups: "5" + hubble-export-file-max-size-mb: "10" + hubble-flowlogs-config-path: /flowlog-config/flowlogs.yaml + hubble-listen-address: :4244 + hubble-metrics: flow:sourceEgressContext=pod;destinationIngressContext=pod tcp:sourceEgressContext=pod;destinationIngressContext=pod + drop:sourceEgressContext=pod;destinationIngressContext=pod dns:sourceEgressContext=pod;destinationIngressContext=pod + hubble-metrics-server: :9965 + hubble-socket-path: /var/run/cilium/hubble.sock + hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt + hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt + hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key + identity-allocation-mode: crd + install-iptables-rules: "true" + install-no-conntrack-iptables-rules: "false" + ipam: delegated-plugin + ipam-cilium-node-update-rate: 15s + ipv4-native-routing-cidr: 10.241.0.0/16 + k8s-client-burst: "20" + k8s-client-qps: "10" 
+ k8s-require-ipv4-pod-cidr: "false" + k8s-require-ipv6-pod-cidr: "false" + kube-proxy-replacement: "true" + kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256 + local-router-ipv4: 169.254.23.0 + mesh-auth-enabled: "false" + mesh-auth-gc-interval: 5m0s + mesh-auth-queue-size: "1024" + mesh-auth-rotated-identities-queue-size: "1024" + metrics: +cilium_bpf_map_pressure +cilium_proxy_datapath_update_timeout_total + monitor-aggregation: medium + monitor-aggregation-flags: all + monitor-aggregation-interval: 5s + nat-map-stats-entries: "32" + nat-map-stats-interval: 30s + node-port-bind-protection: "true" + nodeport-addresses: "" + nodes-gc-interval: 5m0s + operator-api-serve-addr: 127.0.0.1:9234 + operator-prometheus-serve-addr: :9963 + preallocate-bpf-maps: "false" + procfs: /host/proc + prometheus-serve-addr: :9962 + proxy-connect-timeout: "2" + proxy-idle-timeout-seconds: "60" + proxy-max-connection-duration-seconds: "0" + proxy-max-requests-per-connection: "0" + proxy-xff-num-trusted-hops-egress: "0" + proxy-xff-num-trusted-hops-ingress: "0" + remove-cilium-node-taints: "true" + routing-mode: native + set-cilium-is-up-condition: "true" + set-cilium-node-taints: "true" + sidecar-istio-proxy-image: cilium/istio_proxy + synchronize-k8s-nodes: "true" + tofqdns-dns-reject-response-code: refused + tofqdns-enable-dns-compression: "true" + tofqdns-endpoint-max-ip-per-hostname: "1000" + tofqdns-idle-connection-grace-period: 0s + tofqdns-max-deferred-connection-deletes: "10000" + tofqdns-min-ttl: "3600" + tofqdns-proxy-port: "40046" + tofqdns-proxy-response-max-delay: 100ms + tofqdns-server-port: "40045" + unmanaged-pod-watcher-interval: "0" + vtep-cidr: "" + vtep-endpoint: "" + vtep-mac: "" + vtep-mask: "" +kind: ConfigMap +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/actually-managed-by: Eno + app.kubernetes.io/managed-by: Helm + name: cilium-config + namespace: kube-system 
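Review bot: `enable-source-ip-verification: "false"` switches off the datapath check that drops packets leaving an endpoint with a source address other than the one assigned to it, so under this config a compromised pod can emit traffic spoofing another pod's or the node's IP on the pod subnet; if the delegated IPAM mode genuinely needs this, record why in a comment next to the key, otherwise set it to `"true"`. `kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256` exposes the healthz listener on every node interface including the VNet side, and binding it to the node's primary address or `127.0.0.1` would be tighter unless an external prober depends on it. `cluster-name: alewpodsubebpfcilcanary` and `ipv4-native-routing-cidr: 10.241.0.0/16` read as copied from a canary cluster rather than the e2e one; if the native routing CIDR does not match the test cluster's pod subnet, `enable-ipv4-masquerade` will SNAT pod-to-pod traffic and the test will not exercise the path it claims to, so these should be derived from the cluster under test or explicitly marked as test-only constants.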
diff --git a/test/validate/linux_validate.go b/test/validate/linux_validate.go
index 0f38a4c718..dccae9cff7 100644
--- a/test/validate/linux_validate.go
+++ b/test/validate/linux_validate.go
@@ -44,6 +44,7 @@ var linuxChecksMap = map[string][]check{
 podLabelSelector: ciliumLabelSelector,
 podNamespace: privilegedNamespace,
 cmd: ciliumStateFileCmd,
+ containerName: "cilium-agent",
 },
 {
 name: "cns cache",
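Review bot: `containerName: "cilium-agent"` is added to this one check only, but any other `linuxChecksMap` entry that execs into the cilium pod via `ciliumLabelSelector` (the map literal starts before and continues after this hunk, so I cannot see them all) needs the same field, otherwise those execs land in whichever container the API server picks first and will break the same way now that the pod carries more than one container. Consider hoisting the name into a constant beside `ciliumLabelSelector`, e.g. `ciliumAgentContainer = "cilium-agent"`, so the string is spelled once and the daemonset rename shows up as a single diff. The `check` struct and the code that consumes `containerName` are outside the hunk; if the field is new, the exec path should treat an empty value as "pod default" so the existing entries keep working.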