From de8db0fed7da9a93f9d03ddc7945b7706d4f4cbd Mon Sep 17 00:00:00 2001
From: Vipul Singh
Date: Thu, 23 Oct 2025 23:15:31 +0000
Subject: [PATCH] ci: Add manifest for cilium v1.18
Signed-off-by: Vipul Singh
---
 cni/Dockerfile | 2 +-
 cns/Dockerfile | 2 +-
 .../v1.18/cilium-agent/files/clusterrole.yaml | 121 +
 .../files/clusterrolebinding.yaml | 14 +
 .../cilium-agent/files/serviceaccount.yaml | 5 +
 .../templates/daemonset-dualstack.yaml | 436 +
 .../cilium-agent/templates/daemonset.yaml | 431 +
 .../cilium-config-dualstack.yaml | 147 +
 .../cilium-config/cilium-config-hubble.yaml | 149 +
 .../v1.18/cilium-config/cilium-config.yaml | 145 +
 .../cilium-operator/files/clusterrole.yaml | 282 +
 .../files/clusterrolebinding.yaml | 12 +
 .../cilium-operator/files/serviceaccount.yaml | 5 +
 .../cilium-operator/templates/deployment.yaml | 171 +
 .../common/allowed-iptables-patterns.yaml | 61 +
 .../cilium/v1.18/ebpf/common/ccnps.yaml | 19 +
 .../ebpf/common/cilium-agent-clusterrole.yaml | 125 +
 .../ciliumclusterwidenetworkpolicies.yaml | 7054 +++++++++++++++++
 .../cilium/v1.18/ebpf/overlay/cilium.yaml | 538 ++
 ...azure-ip-masq-agent-config-reconciled.yaml | 13 +
 .../ebpf/overlay/static/cilium-config.yaml | 173 +
 .../cilium/v1.18/ebpf/podsubnet/cilium.yaml | 508 ++
 .../azure-dns-imds-ip-masq-agent-config.yaml | 26 +
 .../ebpf/podsubnet/static/cilium-config.yaml | 173 +
 .../cilium/v1.18/hubble/hubble-peer-svc.yaml | 18 +
 25 files changed, 10628 insertions(+), 2 deletions(-)
 create mode 100644 test/integration/manifests/cilium/v1.18/cilium-agent/files/clusterrole.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/cilium-agent/files/clusterrolebinding.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/cilium-agent/files/serviceaccount.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/cilium-agent/templates/daemonset-dualstack.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/cilium-agent/templates/daemonset.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/cilium-config/cilium-config-dualstack.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/cilium-config/cilium-config-hubble.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/cilium-config/cilium-config.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/cilium-operator/files/clusterrole.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/cilium-operator/files/clusterrolebinding.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/cilium-operator/files/serviceaccount.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/cilium-operator/templates/deployment.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/ebpf/common/allowed-iptables-patterns.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/ebpf/common/ccnps.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/ebpf/common/cilium-agent-clusterrole.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/ebpf/common/ciliumclusterwidenetworkpolicies.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/ebpf/overlay/cilium.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/ebpf/overlay/static/azure-ip-masq-agent-config-reconciled.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/ebpf/overlay/static/cilium-config.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/ebpf/podsubnet/cilium.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/ebpf/podsubnet/static/azure-dns-imds-ip-masq-agent-config.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/ebpf/podsubnet/static/cilium-config.yaml
 create mode 100644 test/integration/manifests/cilium/v1.18/hubble/hubble-peer-svc.yaml

diff --git a/cni/Dockerfile b/cni/Dockerfile
index 5867fd09b2..90bbcf8f85 100644
--- a/cni/Dockerfile
+++ b/cni/Dockerfile
@@ -6,7 +6,7 @@ ARG OS_VERSION ARG OS # mcr.microsoft.com/oss/go/microsoft/golang:1.24-azurelinux3.0 -FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:7bbbda682ce4a462855bd8a61c5efdc1e79ab89d9e32c2610f41e6f9502e1cf4 AS go +FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:0284639670083833db35474c4248318b7d21e565428b66ddaadf97f8fe5e1696 AS go # mcr.microsoft.com/azurelinux/base/core:3.0 FROM --platform=linux/${ARCH} mcr.microsoft.com/azurelinux/base/core@sha256:833693619d523c23b1fe4d9c1f64a6c697e2a82f7a6ee26e1564897c3fe3fa02 AS mariner-core diff --git a/cns/Dockerfile b/cns/Dockerfile index 7908371aea..09efba5c3a 100644 --- a/cns/Dockerfile +++ b/cns/Dockerfile @@ -5,7 +5,7 @@ ARG OS_VERSION ARG OS # mcr.microsoft.com/oss/go/microsoft/golang:1.24-azurelinux3.0 -FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:7bbbda682ce4a462855bd8a61c5efdc1e79ab89d9e32c2610f41e6f9502e1cf4 AS go +FROM --platform=linux/${ARCH} mcr.microsoft.com/oss/go/microsoft/golang@sha256:0284639670083833db35474c4248318b7d21e565428b66ddaadf97f8fe5e1696 AS go # mcr.microsoft.com/azurelinux/base/core:3.0 FROM mcr.microsoft.com/azurelinux/base/core@sha256:833693619d523c23b1fe4d9c1f64a6c697e2a82f7a6ee26e1564897c3fe3fa02 AS mariner-core diff --git a/test/integration/manifests/cilium/v1.18/cilium-agent/files/clusterrole.yaml b/test/integration/manifests/cilium/v1.18/cilium-agent/files/clusterrole.yaml new file mode 100644 index 0000000000..b718138c9e --- /dev/null +++ b/test/integration/manifests/cilium/v1.18/cilium-agent/files/clusterrole.yaml 
@@ -0,0 +1,121 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cilium + labels: + app.kubernetes.io/part-of: cilium +rules: +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + - services + - pods + - endpoints + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + # This is used when validating policies in preflight. This will need to stay + # until we figure out how to avoid "get" inside the preflight, and then + # should be removed ideally. + - get +- apiGroups: + - cilium.io + resources: + - ciliumbgppeeringpolicies + - ciliumclusterwideenvoyconfigs + - ciliumclusterwidenetworkpolicies + - ciliumegressgatewaypolicies + - ciliumendpoints + - ciliumendpointslices + - ciliumenvoyconfigs + - ciliumidentities + - ciliumlocalredirectpolicies + - ciliumnetworkpolicies + - ciliumnodes + - ciliumnodeconfigs + - ciliumloadbalancerippools + - ciliumcidrgroups + - ciliuml2announcementpolicies + - ciliumpodippools + - ciliumbgpnodeconfigs + - ciliumbgpadvertisements + - ciliumbgppeerconfigs + verbs: + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumidentities + - ciliumendpoints + - ciliumnodes + verbs: + - create +- apiGroups: + - cilium.io + # To synchronize garbage collection of such resources + resources: + - ciliumidentities + verbs: + - update +- apiGroups: + - cilium.io + resources: + - ciliumendpoints + verbs: + - delete + - get +- apiGroups: + - cilium.io + resources: + - ciliumnodes + - ciliumnodes/status + verbs: + - get + - update +- apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies/status + - ciliumendpoints/status + - ciliumendpoints + - 
ciliuml2announcementpolicies/status + - ciliumbgpnodeconfigs/status + verbs: + - patch +- apiGroups: + - "" + resourceNames: + - cilium-config + resources: + - configmaps + verbs: + - list + - watch diff --git a/test/integration/manifests/cilium/v1.18/cilium-agent/files/clusterrolebinding.yaml b/test/integration/manifests/cilium/v1.18/cilium-agent/files/clusterrolebinding.yaml new file mode 100644 index 0000000000..93a6e06cdc --- /dev/null +++ b/test/integration/manifests/cilium/v1.18/cilium-agent/files/clusterrolebinding.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cilium + labels: + app.kubernetes.io/part-of: cilium +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cilium +subjects: +- kind: ServiceAccount + name: "cilium" + namespace: kube-system diff --git a/test/integration/manifests/cilium/v1.18/cilium-agent/files/serviceaccount.yaml b/test/integration/manifests/cilium/v1.18/cilium-agent/files/serviceaccount.yaml new file mode 100644 index 0000000000..f7097b1616 --- /dev/null +++ b/test/integration/manifests/cilium/v1.18/cilium-agent/files/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "cilium" + namespace: kube-system diff --git a/test/integration/manifests/cilium/v1.18/cilium-agent/templates/daemonset-dualstack.yaml b/test/integration/manifests/cilium/v1.18/cilium-agent/templates/daemonset-dualstack.yaml new file mode 100644 index 0000000000..e025348dbc --- /dev/null +++ b/test/integration/manifests/cilium/v1.18/cilium-agent/templates/daemonset-dualstack.yaml 
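Review bot: This agent ClusterRole lands next to a second, 125-line copy at ebpf/common/cilium-agent-clusterrole.yaml (see the diffstat), and neither file says which test path consumes it, so the two are likely to drift; a header comment such as `# Agent RBAC used by the v1.18 cilium-agent templates; keep in sync with ebpf/common/cilium-agent-clusterrole.yaml` on each would make the duplication deliberate. The last rule limits `configmaps` to `resourceNames: [cilium-config]` with only `list`/`watch`; Kubernetes authorizes such a request only when the client sends a matching `metadata.name` field selector, which is presumably what the agent does, so the rule works as written but a one-line comment saying so would stop a later reviewer from "fixing" it into an unscoped list on all ConfigMaps.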
@@ -0,0 +1,436 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/managed-by: Helm + k8s-app: cilium + app.kubernetes.io/part-of: cilium + name: cilium + namespace: kube-system +spec: + selector: + matchLabels: + k8s-app: cilium + template: + metadata: + annotations: + prometheus.io/port: "9962" + prometheus.io/scrape: "true" + labels: + k8s-app: cilium + kubernetes.azure.com/ebpf-dataplane: cilium + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.azure.com/cluster + operator: Exists + - key: type + operator: NotIn + values: + - virtual-kubelet + - key: kubernetes.io/os + operator: In + values: + - linux + containers: + - args: + - --config-dir=/tmp/cilium/config-map + command: + - cilium-agent + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CILIUM_CLUSTERMESH_CONFIG + value: /var/lib/cilium/clustermesh/ + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 10 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + name: cilium-agent + ports: + - containerPort: 9962 + hostPort: 9962 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - CHOWN + - KILL + - NET_ADMIN 
+ - NET_RAW + - IPC_LOCK + - SYS_MODULE + - SYS_ADMIN + - SYS_RESOURCE + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + - BPF + - PERFMON + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + startupProbe: + failureThreshold: 105 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /host/proc/sys/net + name: host-proc-sys-net + - mountPath: /host/proc/sys/kernel + name: host-proc-sys-kernel + - mountPath: /sys/fs/bpf + mountPropagation: HostToContainer + name: bpf-maps + - mountPath: /var/run/cilium + name: cilium-run + - mountPath: /host/etc/cni/net.d + name: etc-cni-netd + - mountPath: /var/lib/cilium/clustermesh + name: clustermesh-secrets + readOnly: true + - mountPath: /tmp/cilium/config-map + name: cilium-config-path + readOnly: true + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - mountPath: /var/run/cilium/netns + name: cilium-netns + mountPropagation: HostToContainer + dnsPolicy: ClusterFirst + hostNetwork: true + initContainers: + - name: install-cni-binaries + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + args: + - "/install-plugin.sh" + command: + - sh + securityContext: + seLinuxOptions: + level: 's0' + # Running with spc_t since we have removed the privileged mode. + # Users can change it to a different type as long as they have the + # type available on the system. 
+ type: 'spc_t' + capabilities: + drop: + - ALL + volumeMounts: + - name: cni-path + mountPath: /host/opt/cni/bin + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-mount /hostbin/cilium-mount; + nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; + rm /hostbin/cilium-mount + env: + - name: CGROUP_ROOT + value: /run/cilium/cgroupv2 + - name: BIN_PATH + value: /opt/cni/bin + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: mount-cgroup + resources: {} + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; + nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; + rm /hostbin/cilium-sysctlfix + env: + - name: BIN_PATH + value: /opt/cni/bin + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: apply-sysctl-overwrites + resources: {} + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - args: + - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf + command: + - sh + - -c + - -- + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: mount-bpf-fs + resources: {} + securityContext: + 
privileged: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /sys/fs/bpf + mountPropagation: Bidirectional + name: bpf-maps + - command: + - /init-container.sh + env: + - name: CILIUM_ALL_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-state + name: cilium-config + optional: true + - name: CILIUM_BPF_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-bpf-state + name: cilium-config + optional: true + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: clean-cilium-state + resources: + requests: + cpu: 100m + memory: 100Mi + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - NET_ADMIN + - SYS_MODULE + - SYS_ADMIN + - SYS_RESOURCE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /sys/fs/bpf + name: bpf-maps + - mountPath: /run/cilium/cgroupv2 + mountPropagation: HostToContainer + name: cilium-cgroup + - mountPath: /var/run/cilium + name: cilium-run + - name: start-ipv6-hp-bpf + image: $IPV6_IMAGE_REGISTRY/ipv6-hp-bpf:$IPV6_HP_BPF_VERSION + imagePullPolicy: IfNotPresent + command: [/ipv6-hp-bpf] + securityContext: + privileged: true + volumeMounts: + - mountPath: /var/log + name: ipv6-hp-bpf + - name: block-wireserver + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + command: + - sh + - -cx + - | + iptables -t mangle -C FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP + status=$? 
+ set -e + if [ $status -eq 0 ]; then + echo "Skip adding iptables as it already exists" + else + iptables -t mangle -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP + fi + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + drop: + - ALL + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: cilium + serviceAccountName: cilium + terminationGracePeriodSeconds: 1 + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + - effect: NoSchedule + operator: Exists + volumes: + - hostPath: + path: /var/log + type: DirectoryOrCreate + name: ipv6-hp-bpf + - hostPath: + path: /etc/systemd + type: DirectoryOrCreate + name: host-etc-systemd + - hostPath: + path: /lib/systemd + type: DirectoryOrCreate + name: host-lib-systemd + - hostPath: + path: /usr/lib + type: DirectoryOrCreate + name: host-usr-lib + - hostPath: + path: /var/run/cilium + type: DirectoryOrCreate + name: cilium-run + - hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + name: bpf-maps + - hostPath: + path: /proc + type: Directory + name: hostproc + - hostPath: + path: /run/cilium/cgroupv2 + type: DirectoryOrCreate + name: cilium-cgroup + - hostPath: + path: /opt/cni/bin + type: DirectoryOrCreate + name: cni-path + - hostPath: + path: /etc/cni/net.d + type: DirectoryOrCreate + name: etc-cni-netd + - hostPath: + path: /lib/modules + name: lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + - name: clustermesh-secrets + secret: + defaultMode: 256 + optional: true + secretName: cilium-clustermesh + - configMap: + defaultMode: 420 + name: cilium-config + name: cilium-config-path + - hostPath: + path: /proc/sys/net + type: Directory + name: host-proc-sys-net + - hostPath: + path: /proc/sys/kernel + type: Directory + name: host-proc-sys-kernel + - hostPath: + path: 
/var/run/netns + type: DirectoryOrCreate + name: cilium-netns + updateStrategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 2 + type: RollingUpdate diff --git a/test/integration/manifests/cilium/v1.18/cilium-agent/templates/daemonset.yaml b/test/integration/manifests/cilium/v1.18/cilium-agent/templates/daemonset.yaml new file mode 100644 index 0000000000..f7afdd7c21 --- /dev/null +++ b/test/integration/manifests/cilium/v1.18/cilium-agent/templates/daemonset.yaml 
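Review bot: The `host-etc-systemd`, `host-lib-systemd` and `host-usr-lib` hostPath volumes are declared in the `volumes` list but no container in this DaemonSet mounts them; in the sibling daemonset.yaml the `clean-cilium-state` init container mounts all three, so the dualstack variant has either lost those mounts or kept dead volume entries. If the mounts are not needed here, drop the three `hostPath` entries (with `DirectoryOrCreate` they can still create directories on the node for nothing); if they are needed, copy the three `volumeMounts` from daemonset.yaml's `clean-cilium-state` so the two files agree. Separately, `start-ipv6-hp-bpf` is the only init container that runs `privileged: true` without a `capabilities.drop: [ALL]` list or a `resources` stanza; if the binary only needs BPF and netlink access, a capability list like the neighbouring containers would narrow it, and otherwise a short comment on why full privilege is required would help.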
@@ -0,0 +1,431 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/managed-by: Helm + k8s-app: cilium + app.kubernetes.io/part-of: cilium + name: cilium + namespace: kube-system +spec: + selector: + matchLabels: + k8s-app: cilium + template: + metadata: + annotations: + prometheus.io/port: "9962" + prometheus.io/scrape: "true" + labels: + k8s-app: cilium + kubernetes.azure.com/ebpf-dataplane: cilium + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.azure.com/cluster + operator: Exists + - key: type + operator: NotIn + values: + - virtual-kubelet + - key: kubernetes.io/os + operator: In + values: + - linux + containers: + - args: + - --config-dir=/tmp/cilium/config-map + command: + - cilium-agent + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CILIUM_CLUSTERMESH_CONFIG + value: /var/lib/cilium/clustermesh/ + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 10 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + name: cilium-agent + ports: + - containerPort: 9962 + hostPort: 9962 + name: prometheus + protocol: TCP + readinessProbe: + failureThreshold: 3 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - CHOWN + - KILL + - NET_ADMIN 
+ - NET_RAW + - IPC_LOCK + - SYS_MODULE + - SYS_ADMIN + - SYS_RESOURCE + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + - BPF + - PERFMON + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + startupProbe: + failureThreshold: 105 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /host/proc/sys/net + name: host-proc-sys-net + - mountPath: /host/proc/sys/kernel + name: host-proc-sys-kernel + - mountPath: /sys/fs/bpf + mountPropagation: HostToContainer + name: bpf-maps + - mountPath: /var/run/cilium + name: cilium-run + - mountPath: /host/etc/cni/net.d + name: etc-cni-netd + - mountPath: /var/lib/cilium/clustermesh + name: clustermesh-secrets + readOnly: true + - mountPath: /tmp/cilium/config-map + name: cilium-config-path + readOnly: true + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - mountPath: /var/run/cilium/netns + name: cilium-netns + mountPropagation: HostToContainer + dnsPolicy: ClusterFirst + hostNetwork: true + initContainers: + - name: install-cni-binaries + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + args: + - "/install-plugin.sh" + command: + - sh + securityContext: + seLinuxOptions: + level: 's0' + # Running with spc_t since we have removed the privileged mode. + # Users can change it to a different type as long as they have the + # type available on the system. 
+ type: 'spc_t' + capabilities: + drop: + - ALL + volumeMounts: + - name: cni-path + mountPath: /host/opt/cni/bin + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-mount /hostbin/cilium-mount; + nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; + rm /hostbin/cilium-mount + env: + - name: CGROUP_ROOT + value: /run/cilium/cgroupv2 + - name: BIN_PATH + value: /opt/cni/bin + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: mount-cgroup + resources: {} + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; + nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; + rm /hostbin/cilium-sysctlfix + env: + - name: BIN_PATH + value: /opt/cni/bin + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: apply-sysctl-overwrites + resources: {} + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - args: + - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf + command: + - sh + - -c + - -- + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: mount-bpf-fs + resources: {} + securityContext: + 
privileged: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /sys/fs/bpf + mountPropagation: Bidirectional + name: bpf-maps + - command: + - /init-container.sh + env: + - name: CILIUM_ALL_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-state + name: cilium-config + optional: true + - name: CILIUM_BPF_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-bpf-state + name: cilium-config + optional: true + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: clean-cilium-state + resources: + requests: + cpu: 100m + memory: 100Mi + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - NET_ADMIN + - SYS_MODULE + - SYS_ADMIN + - SYS_RESOURCE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /sys/fs/bpf + name: bpf-maps + - mountPath: /run/cilium/cgroupv2 + mountPropagation: HostToContainer + name: cilium-cgroup + - mountPath: /var/run/cilium + name: cilium-run + - mountPath: /host/etc/systemd + name: host-etc-systemd + - mountPath: /host/lib/systemd + name: host-lib-systemd + readOnly: true + - mountPath: /host/usr/lib + name: host-usr-lib + readOnly: true + - name: block-wireserver + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + command: + - sh + - -cx + - | + iptables -t mangle -C FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP + status=$? 
+ set -e + if [ $status -eq 0 ]; then + echo "Skip adding iptables as it already exists" + else + iptables -t mangle -I FORWARD -d 168.63.129.16 -p tcp --dport 80 -j DROP + fi + securityContext: + capabilities: + add: + - NET_ADMIN + - NET_RAW + drop: + - ALL + nodeSelector: + kubernetes.io/os: linux + priorityClassName: system-node-critical + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: cilium + serviceAccountName: cilium + terminationGracePeriodSeconds: 1 + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + - effect: NoSchedule + operator: Exists + volumes: + - hostPath: + path: /etc/systemd + type: DirectoryOrCreate + name: host-etc-systemd + - hostPath: + path: /lib/systemd + type: DirectoryOrCreate + name: host-lib-systemd + - hostPath: + path: /usr/lib + type: DirectoryOrCreate + name: host-usr-lib + - hostPath: + path: /var/run/cilium + type: DirectoryOrCreate + name: cilium-run + - hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + name: bpf-maps + - hostPath: + path: /proc + type: Directory + name: hostproc + - hostPath: + path: /run/cilium/cgroupv2 + type: DirectoryOrCreate + name: cilium-cgroup + - hostPath: + path: /opt/cni/bin + type: DirectoryOrCreate + name: cni-path + - hostPath: + path: /etc/cni/net.d + type: DirectoryOrCreate + name: etc-cni-netd + - hostPath: + path: /lib/modules + name: lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + - name: clustermesh-secrets + secret: + defaultMode: 256 + optional: true + secretName: cilium-clustermesh + - configMap: + defaultMode: 420 + name: cilium-config + name: cilium-config-path + - hostPath: + path: /proc/sys/net + type: Directory + name: host-proc-sys-net + - hostPath: + path: /proc/sys/kernel + type: Directory + name: host-proc-sys-kernel + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns + updateStrategy: + 
rollingUpdate: + maxSurge: 0 + maxUnavailable: 2 + type: RollingUpdate diff --git a/test/integration/manifests/cilium/v1.18/cilium-config/cilium-config-dualstack.yaml b/test/integration/manifests/cilium/v1.18/cilium-config/cilium-config-dualstack.yaml new file mode 100644 index 0000000000..ab05c977c4 --- /dev/null +++ b/test/integration/manifests/cilium/v1.18/cilium-config/cilium-config-dualstack.yaml 
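Review bot: In the `clean-cilium-state` init container `/host/etc/systemd` is the only one of the three host directories mounted without `readOnly: true` (the `/host/lib/systemd` and `/host/usr/lib` mounts both have it), so the container can write systemd configuration on the node. If `/init-container.sh` only reads that directory, add `readOnly: true` under `- mountPath: /host/etc/systemd`; if it does write there, a one-line comment naming what it writes would document the widened host access. Note also that this mount set does not appear in daemonset-dualstack.yaml's copy of the same container, so the two templates should be reconciled whichever way this goes.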
@@ -0,0 +1,147 @@ +apiVersion: v1 +data: + agent-not-ready-taint-key: node.cilium.io/agent-not-ready + arping-refresh-period: 30s + auto-direct-node-routes: "false" + bpf-filter-priority: "2" + bpf-lb-external-clusterip: "false" + bpf-lb-map-max: "65536" + bpf-lb-mode: snat + bpf-map-dynamic-size-ratio: "0.0025" + bpf-policy-map-max: "16384" + bpf-root: /sys/fs/bpf + cgroup-root: /run/cilium/cgroupv2 + cilium-endpoint-gc-interval: 5m0s + cluster-id: "0" + cluster-name: default + debug: "false" + disable-cnp-status-updates: "true" + disable-endpoint-crd: "false" + dnsproxy-enable-transparent-mode: "false" + enable-auto-protect-node-port-range: "true" + enable-bgp-control-plane: "false" + enable-bpf-clock-probe: "true" + enable-endpoint-health-checking: "false" + enable-endpoint-routes: "true" + enable-health-check-nodeport: "true" + enable-health-checking: "true" + enable-host-legacy-routing: "true" + enable-hubble: "false" + enable-ipv4: "true" + enable-ipv4-masquerade: "false" + enable-ipv6: "true" + enable-ipv6-masquerade: "false" + enable-k8s-terminating-endpoint: "true" + enable-l2-neigh-discovery: "true" + enable-l7-proxy: "false" + enable-local-node-route: "false" + enable-local-redirect-policy: "false" + enable-metrics: "true" + enable-policy: default + enable-remote-node-identity: "true" + enable-session-affinity: "true" + enable-svc-source-range-check: "true" + enable-vtep: "false" + enable-well-known-identities: "false" + enable-xt-socket-fallback: "true" + identity-allocation-mode: crd + install-iptables-rules: "true" + install-no-conntrack-iptables-rules: "false" + ipam: delegated-plugin + kube-proxy-replacement: "true" + kube-proxy-replacement-healthz-bind-address: "0.0.0.0:10256" + local-router-ipv4: 169.254.23.0 + local-router-ipv6: "fe80::" + metrics: +cilium_bpf_map_pressure + monitor-aggregation: medium + monitor-aggregation-flags: all + monitor-aggregation-interval: 5s + node-port-bind-protection: "true" + nodes-gc-interval: 5m0s + 
operator-api-serve-addr: 127.0.0.1:9234 + operator-prometheus-serve-addr: :9963 + preallocate-bpf-maps: "false" + procfs: /host/proc + prometheus-serve-addr: :9962 + remove-cilium-node-taints: "true" + set-cilium-is-up-condition: "true" + sidecar-istio-proxy-image: cilium/istio_proxy + synchronize-k8s-nodes: "true" + tofqdns-dns-reject-response-code: refused + tofqdns-enable-dns-compression: "true" + tofqdns-endpoint-max-ip-per-hostname: "1000" + tofqdns-idle-connection-grace-period: 0s + tofqdns-max-deferred-connection-deletes: "10000" + tofqdns-min-ttl: "0" + tofqdns-proxy-response-max-delay: 100ms + routing-mode: native + unmanaged-pod-watcher-interval: "15" + vtep-cidr: "" + vtep-endpoint: "" + vtep-mac: "" + vtep-mask: "" + enable-sctp: "false" + external-envoy-proxy: "false" + k8s-client-qps: "10" + k8s-client-burst: "20" + mesh-auth-enabled: "true" + mesh-auth-queue-size: "1024" + mesh-auth-rotated-identities-queue-size: "1024" + mesh-auth-gc-interval: "5m0s" + proxy-connect-timeout: "2" + proxy-max-requests-per-connection: "0" + proxy-max-connection-duration-seconds: "0" + set-cilium-node-taints: "true" +## new values added for 1.16 below + enable-ipv4-big-tcp: "false" + enable-ipv6-big-tcp: "false" + enable-masquerade-to-route-source: "false" + enable-health-check-loadbalancer-ip: "false" + bpf-lb-acceleration: "disabled" + enable-k8s-networkpolicy: "true" + cni-exclusive: "false" # Cilium takes ownership of /etc/cni/net.d, pods cannot be scheduled with any other cni if cilium is down + cni-log-file: "/var/run/cilium/cilium-cni.log" + ipam-cilium-node-update-rate: "15s" + egress-gateway-reconciliation-trigger-interval: "1s" + nat-map-stats-entries: "32" + nat-map-stats-interval: "30s" + bpf-events-drop-enabled: "true" # exposes drop events to cilium monitor/hubble + bpf-events-policy-verdict-enabled: "true" # exposes policy verdict events to cilium monitor/hubble + bpf-events-trace-enabled: "true" # exposes trace events to cilium monitor/hubble + 
enable-tcx: "false" # attach endpoint programs with tcx if supported by kernel + datapath-mode: "veth" + direct-routing-skip-unreachable: "false" + enable-runtime-device-detection: "false" + bpf-lb-sock: "false" + bpf-lb-sock-terminate-pod-connections: "false" + nodeport-addresses: "" + k8s-require-ipv4-pod-cidr: "false" + k8s-require-ipv6-pod-cidr: "false" + enable-node-selector-labels: "false" +## new values for 1.17 + ces-slice-mode: "fcfs" + enable-cilium-endpoint-slice: "true" + bpf-lb-source-range-all-types: "false" + bpf-algorithm-annotation: "false" + bpf-lb-mode-annotation: "false" + enable-experimental-lb: "false" + enable-endpoint-lockdown-on-policy-overflow: "false" + health-check-icmp-failure-threshold: "3" + enable-internal-traffic-policy: "true" + enable-lb-ipam: "true" + enable-non-default-deny-policies: "true" + enable-source-ip-verification: "true" +## new values for 1.18 + bpf-policy-stats-map-max: "65536" + identity-management-mode: "agent" + tofqdns-preallocate-identities: "true" + policy-default-local-cluster: "false" +kind: ConfigMap +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/managed-by: Helm + name: cilium-config + namespace: kube-system diff --git a/test/integration/manifests/cilium/v1.18/cilium-config/cilium-config-hubble.yaml b/test/integration/manifests/cilium/v1.18/cilium-config/cilium-config-hubble.yaml new file mode 100644 index 0000000000..d618d7ac6c --- /dev/null +++ b/test/integration/manifests/cilium/v1.18/cilium-config/cilium-config-hubble.yaml 
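Review bot: The section comments `## new values added for 1.16 below`, `## new values for 1.17` and `## new values for 1.18` sit at column 0 inside the `data:` mapping, while the hubble variant indents the same comments to the key level; YAML accepts both, but matching the hubble file (`  ## new values added for 1.16 below`) keeps the three ConfigMaps diffable against each other. The values `prometheus-serve-addr: :9962`, `operator-prometheus-serve-addr: :9963` and `metrics: +cilium_bpf_map_pressure` are plain scalars starting with an indicator character; they parse as strings on common loaders, but quoting them as the surrounding values already are (`":9962"`, `"+cilium_bpf_map_pressure"`) removes any parser dependence. `bpf-filter-priority` and `dnsproxy-enable-transparent-mode` appear in this variant but not in cilium-config-hubble.yaml; if that difference is intentional a short comment next to them would say why.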
@@ -0,0 +1,149 @@ +apiVersion: v1 +data: + agent-not-ready-taint-key: node.cilium.io/agent-not-ready + arping-refresh-period: 30s + auto-direct-node-routes: "false" + bpf-lb-external-clusterip: "false" + bpf-lb-map-max: "65536" + bpf-lb-mode: snat + bpf-map-dynamic-size-ratio: "0.0025" + bpf-policy-map-max: "16384" + bpf-root: /sys/fs/bpf + cgroup-root: /run/cilium/cgroupv2 + cilium-endpoint-gc-interval: 5m0s + cluster-id: "0" + cluster-name: default + debug: "false" + disable-cnp-status-updates: "true" + disable-endpoint-crd: "false" + enable-auto-protect-node-port-range: "true" + enable-bgp-control-plane: "false" + enable-bpf-clock-probe: "true" + enable-endpoint-health-checking: "false" + enable-endpoint-routes: "true" + enable-health-check-nodeport: "true" + enable-health-checking: "true" + enable-host-legacy-routing: "true" + enable-hubble: "true" + enable-ipv4: "true" + enable-ipv4-masquerade: "false" + enable-ipv6: "false" + enable-ipv6-masquerade: "false" + enable-k8s-terminating-endpoint: "true" + enable-l2-neigh-discovery: "true" + enable-l7-proxy: "false" + enable-local-node-route: "false" + enable-local-redirect-policy: "false" + enable-metrics: "true" + enable-policy: default + enable-remote-node-identity: "true" + enable-session-affinity: "true" + enable-svc-source-range-check: "true" + enable-vtep: "false" + enable-well-known-identities: "false" + enable-xt-socket-fallback: "true" + hubble-listen-address: "" + hubble-metrics: flow:sourceContext=pod;destinationContext=pod tcp:sourceContext=pod;destinationContext=pod + dns:query drop:sourceContext=pod;destinationContext=pod + hubble-metrics-server: :9965 + identity-allocation-mode: crd + install-iptables-rules: "true" + install-no-conntrack-iptables-rules: "false" + ipam: delegated-plugin + kube-proxy-replacement: "true" + kube-proxy-replacement-healthz-bind-address: "0.0.0.0:10256" + local-router-ipv4: 169.254.23.0 + metrics: +cilium_bpf_map_pressure + monitor-aggregation: medium + 
monitor-aggregation-flags: all + monitor-aggregation-interval: 5s + node-port-bind-protection: "true" + nodes-gc-interval: 5m0s + operator-api-serve-addr: 127.0.0.1:9234 + operator-prometheus-serve-addr: :9963 + preallocate-bpf-maps: "false" + procfs: /host/proc + prometheus-serve-addr: :9962 + remove-cilium-node-taints: "true" + set-cilium-is-up-condition: "true" + sidecar-istio-proxy-image: cilium/istio_proxy + synchronize-k8s-nodes: "true" + tofqdns-dns-reject-response-code: refused + tofqdns-enable-dns-compression: "true" + tofqdns-endpoint-max-ip-per-hostname: "1000" + tofqdns-idle-connection-grace-period: 0s + tofqdns-max-deferred-connection-deletes: "10000" + tofqdns-min-ttl: "0" + tofqdns-proxy-response-max-delay: 100ms + routing-mode: native + unmanaged-pod-watcher-interval: "15" + vtep-cidr: "" + vtep-endpoint: "" + vtep-mac: "" + vtep-mask: "" + # new default values from Cilium v1.14.4 + enable-sctp: "false" + external-envoy-proxy: "false" + k8s-client-qps: "10" + k8s-client-burst: "20" + mesh-auth-enabled: "true" + mesh-auth-queue-size: "1024" + mesh-auth-rotated-identities-queue-size: "1024" + mesh-auth-gc-interval: "5m0s" + proxy-connect-timeout: "2" + proxy-max-requests-per-connection: "0" + proxy-max-connection-duration-seconds: "0" + set-cilium-node-taints: "true" + ## new values added for 1.16 below + enable-ipv4-big-tcp: "false" + enable-ipv6-big-tcp: "false" + enable-masquerade-to-route-source: "false" + enable-health-check-loadbalancer-ip: "false" + bpf-lb-acceleration: "disabled" + enable-k8s-networkpolicy: "true" + cni-exclusive: "false" # Cilium takes ownership of /etc/cni/net.d, pods cannot be scheduled with any other cni if cilium is down + cni-log-file: "/var/run/cilium/cilium-cni.log" + ipam-cilium-node-update-rate: "15s" + egress-gateway-reconciliation-trigger-interval: "1s" + nat-map-stats-entries: "32" + nat-map-stats-interval: "30s" + bpf-events-drop-enabled: "true" # exposes drop events to cilium monitor/hubble + 
bpf-events-policy-verdict-enabled: "true" # exposes policy verdict events to cilium monitor/hubble + bpf-events-trace-enabled: "true" # exposes trace events to cilium monitor/hubble + enable-tcx: "false" # attach endpoint programs with tcx if supported by kernel + datapath-mode: "veth" + direct-routing-skip-unreachable: "false" + enable-runtime-device-detection: "false" + bpf-lb-sock: "false" + bpf-lb-sock-terminate-pod-connections: "false" + nodeport-addresses: "" + k8s-require-ipv4-pod-cidr: "false" + k8s-require-ipv6-pod-cidr: "false" + enable-node-selector-labels: "false" +## new values for 1.17 + ces-slice-mode: "fcfs" + enable-cilium-endpoint-slice: "true" + bpf-lb-source-range-all-types: "false" + bpf-algorithm-annotation: "false" + bpf-lb-mode-annotation: "false" + enable-experimental-lb: "false" + enable-endpoint-lockdown-on-policy-overflow: "false" + health-check-icmp-failure-threshold: "3" + enable-internal-traffic-policy: "true" + enable-lb-ipam: "false" + enable-non-default-deny-policies: "true" + enable-source-ip-verification: "false" + ## new values for 1.18 + bpf-policy-stats-map-max: "65536" + identity-management-mode: "agent" + tofqdns-preallocate-identities: "true" + policy-default-local-cluster: "false" +kind: ConfigMap +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/managed-by: Helm + name: cilium-config + namespace: kube-system diff --git a/test/integration/manifests/cilium/v1.18/cilium-config/cilium-config.yaml b/test/integration/manifests/cilium/v1.18/cilium-config/cilium-config.yaml new file mode 100644 index 0000000000..0cd53bca70 --- /dev/null +++ b/test/integration/manifests/cilium/v1.18/cilium-config/cilium-config.yaml 
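Review bot: `enable-source-ip-verification: "false"` under the 1.17 values switches off the egress check that, as I understand the flag, drops packets leaving an endpoint with a source address other than its own, so a pod on a node running this profile can spoof another pod's IP; the dualstack ConfigMap in this same patch sets it to `"true"`, and `enable-lb-ipam` diverges the same way (`"false"` here, `"true"` there). If the Hubble profile deliberately differs it should say so in a comment, otherwise `enable-source-ip-verification: "true"` is the safer value to carry into the 1.18 baseline. Also, with `enable-hubble: "true"` but `hubble-listen-address: ""`, Hubble should only serve on its local socket; if the `hubble-peer-svc` added by this patch is meant to reach agents over TCP, that key needs a value such as `":4244"` — worth confirming against how the test consumes it.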
@@ -0,0 +1,145 @@ +apiVersion: v1 #Not verified, placeholder +data: + agent-not-ready-taint-key: node.cilium.io/agent-not-ready + arping-refresh-period: 30s + auto-direct-node-routes: "false" + bpf-lb-external-clusterip: "false" + bpf-lb-map-max: "65536" + bpf-lb-mode: snat + bpf-map-dynamic-size-ratio: "0.0025" + bpf-policy-map-max: "16384" + bpf-root: /sys/fs/bpf + cgroup-root: /run/cilium/cgroupv2 + cilium-endpoint-gc-interval: 5m0s + cluster-id: "0" + cluster-name: default + debug: "false" + disable-cnp-status-updates: "true" + disable-endpoint-crd: "false" + enable-auto-protect-node-port-range: "true" + enable-bgp-control-plane: "false" + enable-bpf-clock-probe: "true" + enable-endpoint-health-checking: "false" + enable-endpoint-routes: "true" + enable-health-check-nodeport: "true" + enable-health-checking: "true" + enable-host-legacy-routing: "true" + enable-hubble: "false" + enable-ipv4: "true" + enable-ipv4-masquerade: "false" + enable-ipv6: "false" + enable-ipv6-masquerade: "false" + enable-k8s-terminating-endpoint: "true" + enable-l2-neigh-discovery: "true" + enable-l7-proxy: "false" + enable-local-node-route: "false" + enable-local-redirect-policy: "true" # set to true for lrp test + enable-metrics: "true" + enable-policy: default + enable-session-affinity: "true" + enable-svc-source-range-check: "true" + enable-vtep: "false" + enable-well-known-identities: "false" + enable-xt-socket-fallback: "true" + identity-allocation-mode: crd + install-iptables-rules: "true" + install-no-conntrack-iptables-rules: "false" + ipam: delegated-plugin + kube-proxy-replacement: "true" + kube-proxy-replacement-healthz-bind-address: "0.0.0.0:10256" + local-router-ipv4: 169.254.23.0 + metrics: +cilium_bpf_map_pressure + monitor-aggregation: medium + monitor-aggregation-flags: all + monitor-aggregation-interval: 5s + node-port-bind-protection: "true" + nodes-gc-interval: 5m0s + operator-api-serve-addr: 127.0.0.1:9234 + operator-prometheus-serve-addr: :9963 + 
preallocate-bpf-maps: "false" + procfs: /host/proc + prometheus-serve-addr: :9962 + remove-cilium-node-taints: "true" + set-cilium-is-up-condition: "true" + sidecar-istio-proxy-image: cilium/istio_proxy + synchronize-k8s-nodes: "true" + tofqdns-dns-reject-response-code: refused + tofqdns-enable-dns-compression: "true" + tofqdns-endpoint-max-ip-per-hostname: "1000" + tofqdns-idle-connection-grace-period: 0s + tofqdns-max-deferred-connection-deletes: "10000" + tofqdns-min-ttl: "0" + tofqdns-proxy-response-max-delay: 100ms + routing-mode: native + unmanaged-pod-watcher-interval: "15" + vtep-cidr: "" + vtep-endpoint: "" + vtep-mac: "" + vtep-mask: "" + enable-sctp: "false" + external-envoy-proxy: "false" + k8s-client-qps: "10" + k8s-client-burst: "20" + mesh-auth-enabled: "true" + mesh-auth-queue-size: "1024" + mesh-auth-rotated-identities-queue-size: "1024" + mesh-auth-gc-interval: "5m0s" + proxy-connect-timeout: "2" + proxy-max-requests-per-connection: "0" + proxy-max-connection-duration-seconds: "0" + set-cilium-node-taints: "true" +## new values added for 1.16 below + enable-ipv4-big-tcp: "false" + enable-ipv6-big-tcp: "false" + enable-masquerade-to-route-source: "false" + enable-health-check-loadbalancer-ip: "false" + bpf-lb-acceleration: "disabled" + enable-k8s-networkpolicy: "true" + cni-exclusive: "false" # Cilium takes ownership of /etc/cni/net.d, pods cannot be scheduled with any other cni if cilium is down + cni-log-file: "/var/run/cilium/cilium-cni.log" + ipam-cilium-node-update-rate: "15s" + egress-gateway-reconciliation-trigger-interval: "1s" + nat-map-stats-entries: "32" + nat-map-stats-interval: "30s" + bpf-events-drop-enabled: "true" # exposes drop events to cilium monitor/hubble + bpf-events-policy-verdict-enabled: "true" # exposes policy verdict events to cilium monitor/hubble + bpf-events-trace-enabled: "true" # exposes trace events to cilium monitor/hubble + enable-tcx: "false" # attach endpoint programs with tcx if supported by kernel + 
datapath-mode: "veth" + direct-routing-skip-unreachable: "false" + enable-runtime-device-detection: "false" + bpf-lb-sock: "false" + bpf-lb-sock-terminate-pod-connections: "false" + nodeport-addresses: "" + k8s-require-ipv4-pod-cidr: "false" + k8s-require-ipv6-pod-cidr: "false" + enable-node-selector-labels: "false" +## new values for 1.17 + ces-slice-mode: "fcfs" + enable-cilium-endpoint-slice: "true" + bpf-lb-source-range-all-types: "false" + bpf-algorithm-annotation: "false" + bpf-lb-mode-annotation: "false" + enable-experimental-lb: "false" + enable-endpoint-lockdown-on-policy-overflow: "false" + health-check-icmp-failure-threshold: "3" + enable-internal-traffic-policy: "true" + enable-lb-ipam: "false" + enable-non-default-deny-policies: "true" + enable-source-ip-verification: "false" +## new values for 1.18 + # bpf-policy-stats-map-max specifies the maximum number of entries in global + # policy stats map + bpf-policy-stats-map-max: "65536" + identity-management-mode: "agent" + tofqdns-preallocate-identities: "true" + policy-default-local-cluster: "false" +kind: ConfigMap +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/managed-by: Helm + name: cilium-config + namespace: kube-system diff --git a/test/integration/manifests/cilium/v1.18/cilium-operator/files/clusterrole.yaml b/test/integration/manifests/cilium/v1.18/cilium-operator/files/clusterrole.yaml new file mode 100644 index 0000000000..8b0e97601b --- /dev/null +++ b/test/integration/manifests/cilium/v1.18/cilium-operator/files/clusterrole.yaml 
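Review bot: The first line of this ConfigMap is `apiVersion: v1 #Not verified, placeholder`, which commits the v1.18 baseline manifest while marking it as unreviewed; either verify the values against the upstream 1.18 defaults and drop the comment, or make it a tracked `# TODO(...)` that names what is still unverified. Separately, `enable-source-ip-verification: "false"` disables the egress source-IP check introduced in 1.17, letting a pod emit traffic with another pod's address; the dualstack config in this patch enables it, so a one-line comment explaining why this profile differs (or flipping it to `"true"`) would keep the inconsistency from propagating. The existing `# set to true for lrp test` comment on `enable-local-redirect-policy` is the right model for documenting test-only deviations.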
@@ -0,0 +1,282 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cilium-operator + labels: + app.kubernetes.io/part-of: cilium +rules: +- apiGroups: + - "" + resources: + - pods + verbs: + - get + - list + - watch + # to automatically delete [core|kube]dns pods so that are starting to being + # managed by Cilium + - delete +- apiGroups: + - "" + resources: + - configmaps + resourceNames: + - cilium-config + verbs: + # allow patching of the configmap to set annotations + - patch +- apiGroups: + - "" + resources: + - nodes + verbs: + - list + - watch +- apiGroups: + - "" + resources: + # To remove node taints + - nodes + # To set NetworkUnavailable false on startup + - nodes/status + verbs: + - patch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + # to perform LB IP allocation for BGP + - services/status + verbs: + - update + - patch +- apiGroups: + - "" + resources: + # to check apiserver connectivity + - namespaces + - secrets + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + # to perform the translation of a CNP that contains `ToGroup` to its endpoints + - services + - endpoints + verbs: + - get + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies + - ciliumclusterwidenetworkpolicies + verbs: + # Create auto-generated CNPs and CCNPs from Policies that have 'toGroups' + - create + - update + - deletecollection + # To update the status of the CNPs and CCNPs + - patch + - get + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies/status + verbs: + # Update the auto-generated CNPs and CCNPs status. 
+ - patch + - update +- apiGroups: + - cilium.io + resources: + - ciliumendpoints + - ciliumidentities + verbs: + # To perform garbage collection of such resources + - delete + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumidentities + verbs: + # To synchronize garbage collection of such resources + - update +- apiGroups: + - cilium.io + resources: + - ciliumnodes + verbs: + - create + - update + - get + - list + - watch + # To perform CiliumNode garbage collector + - delete +- apiGroups: + - cilium.io + resources: + - ciliumnodes/status + verbs: + - update +- apiGroups: + - cilium.io + resources: + - ciliumendpointslices + - ciliumenvoyconfigs + - ciliumbgppeerconfigs + - ciliumbgpadvertisements + - ciliumbgpnodeconfigs + verbs: + - create + - update + - get + - list + - watch + - delete + - patch +- apiGroups: + - cilium.io + resources: + - ciliumbgpclusterconfigs/status + - ciliumbgppeerconfigs/status + verbs: + - update +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - create + - get + - list + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - update + resourceNames: + - ciliumloadbalancerippools.cilium.io + - ciliumbgppeeringpolicies.cilium.io + - ciliumbgpclusterconfigs.cilium.io + - ciliumbgppeerconfigs.cilium.io + - ciliumbgpadvertisements.cilium.io + - ciliumbgpnodeconfigs.cilium.io + - ciliumbgpnodeconfigoverrides.cilium.io + - ciliumclusterwideenvoyconfigs.cilium.io + - ciliumclusterwidenetworkpolicies.cilium.io + - ciliumegressgatewaypolicies.cilium.io + - ciliumendpoints.cilium.io + - ciliumendpointslices.cilium.io + - ciliumenvoyconfigs.cilium.io + - ciliumidentities.cilium.io + - ciliumlocalredirectpolicies.cilium.io + - ciliumnetworkpolicies.cilium.io + - ciliumnodes.cilium.io + - ciliumnodeconfigs.cilium.io + - ciliumcidrgroups.cilium.io + - ciliuml2announcementpolicies.cilium.io + - ciliumpodippools.cilium.io + - 
ciliumgatewayclassconfigs.cilium.io +- apiGroups: + - cilium.io + resources: + - ciliumloadbalancerippools + - ciliumpodippools + - ciliumbgppeeringpolicies + - ciliumbgpclusterconfigs + - ciliumbgpnodeconfigoverrides + - ciliumbgppeerconfigs + verbs: + - get + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumpodippools + verbs: + - create +- apiGroups: + - cilium.io + resources: + - ciliumloadbalancerippools/status + verbs: + - patch +# For cilium-operator running in HA mode. +# +# Cilium operator running in HA mode requires the use of ResourceLock for Leader Election +# between multiple running instances. +# The preferred way of doing this is to use LeasesResourceLock as edits to Leases are less +# common and fewer objects in the cluster watch "all Leases". +- apiGroups: + - coordination.k8s.io + resources: + - leases + verbs: + - create + - get + - update +- apiGroups: + - "" + resources: + - configmaps + verbs: + - create +- apiGroups: + - "" + resources: + - configmaps + resourceNames: + - acns-flowlog-config + verbs: + - update + - get + - list + - watch + - delete +- apiGroups: + - acn.azure.com + resources: + - retinanetworkflowlogs + - retinanetworkflowlogs/status + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + resourceNames: + - retinanetworkflowlogs.acn.azure.com + verbs: + - get + - list + - watch + - create + - update + - delete diff --git a/test/integration/manifests/cilium/v1.18/cilium-operator/files/clusterrolebinding.yaml b/test/integration/manifests/cilium/v1.18/cilium-operator/files/clusterrolebinding.yaml new file mode 100644 index 0000000000..eb164361d4 --- /dev/null +++ b/test/integration/manifests/cilium/v1.18/cilium-operator/files/clusterrolebinding.yaml 
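Review bot: The rule commented `# to check apiserver connectivity` grants `get`/`list`/`watch` on `secrets` cluster-wide alongside `namespaces`; a connectivity probe needs only the namespace resource, and in the upstream chart, as far as I recall, the operator's Secret access is gated behind the ingress/Gateway API features, which these manifests leave off (`enable-l7-proxy: "false"`). Cluster-wide Secret read from a hostNetwork Deployment is a broad token-harvesting surface even in a test cluster, so unless something in the test path relies on it, remove `- secrets` from that rule or scope it to the namespace it actually reads. The cluster-wide `pods` `delete` verb and the unrestricted `configmaps` `create` rule are upstream defaults but deserve the same second look when this role is copied forward.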
@@ -0,0 +1,12 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cilium-operator +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cilium-operator +subjects: +- kind: ServiceAccount + name: "cilium-operator" + namespace: kube-system diff --git a/test/integration/manifests/cilium/v1.18/cilium-operator/files/serviceaccount.yaml b/test/integration/manifests/cilium/v1.18/cilium-operator/files/serviceaccount.yaml new file mode 100644 index 0000000000..be4bfc048a --- /dev/null +++ b/test/integration/manifests/cilium/v1.18/cilium-operator/files/serviceaccount.yaml @@ -0,0 +1,5 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: "cilium-operator" + namespace: kube-system diff --git a/test/integration/manifests/cilium/v1.18/cilium-operator/templates/deployment.yaml b/test/integration/manifests/cilium/v1.18/cilium-operator/templates/deployment.yaml new file mode 100644 index 0000000000..9ae13e2278 --- /dev/null +++ b/test/integration/manifests/cilium/v1.18/cilium-operator/templates/deployment.yaml 
@@ -0,0 +1,171 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cilium-operator + namespace: kube-system + labels: + io.cilium/app: operator + name: cilium-operator +spec: + replicas: 2 + selector: + matchLabels: + io.cilium/app: operator + name: cilium-operator + strategy: + rollingUpdate: + maxSurge: 1 + maxUnavailable: 1 + type: RollingUpdate + template: + metadata: + annotations: + prometheus.io/port: "9963" + prometheus.io/scrape: "true" + labels: + io.cilium/app: operator + name: cilium-operator + kubernetes.azure.com/ebpf-dataplane: cilium + spec: + securityContext: + seccompProfile: + type: RuntimeDefault + containers: + - name: cilium-operator + image: $CILIUM_IMAGE_REGISTRY/cilium/operator-generic:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + command: + - cilium-operator-generic + args: + - --config-dir=/tmp/cilium/config-map + - --debug=$(CILIUM_DEBUG) + - --identity-gc-interval=0m20s + - --identity-heartbeat-timeout=0m20s + - --enable-cilium-endpoint-slice=true + - --ces-slice-mode=fcfs + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CILIUM_DEBUG + valueFrom: + configMapKeyRef: + key: debug + name: cilium-config + optional: true + ports: + - name: prometheus + containerPort: 9963 + hostPort: 9963 + protocol: TCP + securityContext: + seLinuxOptions: + level: 's0' + # Running with spc_t since we have removed the privileged mode. + # Users can change it to a different type as long as they have the + # type available on the system. + type: 'spc_t' + capabilities: + add: + # Use to set socket permission + - CHOWN + # Used to terminate envoy child process + - KILL + # Used since cilium modifies routing tables, etc... + - NET_ADMIN + # Used since cilium creates raw sockets, etc... + - NET_RAW + # Used since cilium monitor uses mmap + - IPC_LOCK + # Used in iptables. 
Consider removing once we are iptables-free + - SYS_MODULE + # We need it for now but might not need it for >= 5.11 specially + # for the 'SYS_RESOURCE'. + # In >= 5.8 there's already BPF and PERMON capabilities + - SYS_ADMIN + # Could be an alternative for the SYS_ADMIN for the RLIMIT_NPROC + - SYS_RESOURCE + # Both PERFMON and BPF requires kernel 5.8, container runtime + # cri-o >= v1.22.0 or containerd >= v1.5.0. + # If available, SYS_ADMIN can be removed. + #- PERFMON + #- BPF + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + drop: + - ALL + livenessProbe: + httpGet: + host: "127.0.0.1" + path: /healthz + port: 9234 + scheme: HTTP + initialDelaySeconds: 60 + periodSeconds: 10 + timeoutSeconds: 3 + volumeMounts: + - name: cilium-config-path + mountPath: /tmp/cilium/config-map + readOnly: true + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + hostNetwork: true + restartPolicy: Always + priorityClassName: system-cluster-critical + serviceAccount: "cilium-operator" + serviceAccountName: "cilium-operator" + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.azure.com/cluster + operator: Exists + - key: type + operator: NotIn + values: + - virtual-kubelet + - key: kubernetes.io/os + operator: In + values: + - linux + preferredDuringSchedulingIgnoredDuringExecution: + - weight: 100 + preference: + matchExpressions: + - key: kubernetes.azure.com/mode + operator: In + values: + - system + # In HA mode, cilium-operator pods must not be scheduled on the same + # node as they will clash with each other. 
+ podAntiAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + io.cilium/app: operator + topologyKey: kubernetes.io/hostname + tolerations: + - key: "CriticalAddonsOnly" + operator: "Exists" + - operator: "Exists" + effect: NoExecute + - operator: "Exists" + effect: NoSchedule + volumes: + # To read the configuration from the config map + - name: cilium-config-path + configMap: + name: cilium-config diff --git a/test/integration/manifests/cilium/v1.18/ebpf/common/allowed-iptables-patterns.yaml b/test/integration/manifests/cilium/v1.18/ebpf/common/allowed-iptables-patterns.yaml new file mode 100644 index 0000000000..cd8b1ca589 --- /dev/null +++ b/test/integration/manifests/cilium/v1.18/ebpf/common/allowed-iptables-patterns.yaml 
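Review bot: The `cilium-operator` container defines `securityContext` twice — once with `seLinuxOptions` and a long `capabilities.add` list, and again after `volumeMounts` with `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]`; a duplicate mapping key is, I believe, rejected outright by the go-yaml loader behind `kubectl` and silently last-wins in other parsers, so the manifest is either unapplyable or the `add` list is discarded without anyone noticing. The added capabilities (`NET_ADMIN`, `SYS_MODULE`, `SYS_ADMIN`, `NET_RAW`, `IPC_LOCK`, …) and their comments about routing tables, raw sockets, iptables, envoy child processes and `cilium monitor` describe the agent datapath, not `cilium-operator-generic`, which in this Deployment only mounts a ConfigMap and talks to the API server. Delete the first block (from `seLinuxOptions:` through the `drop: - ALL` under the capability list) and keep the second, `securityContext: allowPrivilegeEscalation: false` / `capabilities: drop: - ALL`, as the container's only `securityContext`; if `spc_t` is genuinely needed for the operator, carry just the `seLinuxOptions` into that block with a comment saying why.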
@@ -0,0 +1,61 @@ +apiVersion: v1 +data: + filter: | + ^.*--comment.*kubernetes load balancer firewall + ^.*--comment.*kubernetes health check service ports + ^.*--comment.*kubernetes externally visible service portals + ^.*--comment.*kubernetes forwarding rules + ^.*--comment.*kubernetes forwarding conntrack rule + ^.*--comment.*kubernetes service portals + ^.*--comment.*kubernetes externally-visible service portals + + -A INPUT -j KUBE-FIREWALL + -A FORWARD -d 168.63.129.16/32 -p tcp -m tcp --dport 32526 -j DROP + -A FORWARD -d 168.63.129.16/32 -p tcp -m tcp --dport 80 -j DROP + -A OUTPUT -j KUBE-FIREWALL + -A KUBE-FIREWALL ! -s 127.0.0.0/8 -d 127.0.0.0/8 -m comment --comment "block incoming localnet connections" -m conntrack ! --ctstate RELATED,ESTABLISHED,DNAT -j DROP + -A KUBE-FORWARD -m conntrack --ctstate INVALID -j DROP + -A KUBE-POSTROUTING -m mark ! --mark 0x4000/0x4000 -j RETURN + global: | + ^-N .* + ^-P .* + ^.*--comment.*cilium: + ^.*--comment.*cilium-feeder: + ^.*--comment.*AKS managed: added by AgentBaker + mangle: | + -A FORWARD -d 168.63.129.16/32 -p tcp -m tcp --dport 80 -j DROP + -A FORWARD -d 168.63.129.16/32 -p tcp -m tcp --dport 32526 -j DROP + nat: | + ^.*--comment.*metrics-server + ^.*--comment.*kube-dns + ^.*--comment.*gatekeeper-webhook-service + ^.*--comment.*azure-policy-webhook-service + ^.*--comment.*kubernetes:https cluster IP + ^.*--comment.*kubernetes forwarding rules + ^.*--comment.*kubernetes service traffic requiring SNAT + ^.*--comment.*kubernetes postrouting rules + ^.*--set-xmark 0x4000 + ^.*--comment.*kubernetes service portals + ^.*--comment.*kubernetes service nodeports + ^.*--comment.*kubernetes:https + ^.*--comment.*ip-masq-agent + ^.*0x4000/0x4000 + -A POSTROUTING -j SWIFT + -A SWIFT -s + -A POSTROUTING -j SWIFT-POSTROUTING + -A SWIFT-POSTROUTING -s + raw: "" + security: | + -A OUTPUT -d 168.63.129.16/32 -p tcp -m tcp --dport 53 -j ACCEPT + -A OUTPUT -d 168.63.129.16/32 -p tcp -m owner --uid-owner 0 -j ACCEPT + -A OUTPUT 
-d 168.63.129.16/32 -p tcp -m conntrack --ctstate INVALID,NEW -j DROP +kind: ConfigMap +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/actually-managed-by: Eno + app.kubernetes.io/managed-by: Helm + name: allowed-iptables-patterns + namespace: kube-system diff --git a/test/integration/manifests/cilium/v1.18/ebpf/common/ccnps.yaml b/test/integration/manifests/cilium/v1.18/ebpf/common/ccnps.yaml new file mode 100644 index 0000000000..cc0b65e95b --- /dev/null +++ b/test/integration/manifests/cilium/v1.18/ebpf/common/ccnps.yaml @@ -0,0 +1,19 @@ +apiVersion: "cilium.io/v2" +kind: CiliumClusterwideNetworkPolicy +metadata: + name: block-azure-destinations +spec: + description: "Block TCP access to Azure destinations from all pods" + endpointSelector: {} # Applies to all pods in all namespaces + enableDefaultDeny: + egress: false + ingress: false + egressDeny: + - toCIDR: + - 168.63.129.16/32 # Azure DNS + toPorts: + - ports: + - port: "80" + protocol: TCP + - port: "32526" + protocol: TCP diff --git a/test/integration/manifests/cilium/v1.18/ebpf/common/cilium-agent-clusterrole.yaml b/test/integration/manifests/cilium/v1.18/ebpf/common/cilium-agent-clusterrole.yaml new file mode 100644 index 0000000000..30a5fecb72 --- /dev/null +++ b/test/integration/manifests/cilium/v1.18/ebpf/common/cilium-agent-clusterrole.yaml 
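Review bot: The comment `# Azure DNS` on `168.63.129.16/32` mislabels what this policy does: the deny covers TCP 80 and 32526, which are the host-agent/WireServer endpoints on that address, while DNS to the same IP on port 53 is untouched — the `security` iptables table in this patch explicitly accepts `--dport 53` there. Suggest `# Azure WireServer (168.63.129.16): deny pod access to host-agent ports 80/32526; DNS (53) on the same address stays allowed`. Because `endpointSelector: {}` selects every endpoint and `enableDefaultDeny` is false in both directions, the rule is a pure deny overlay rather than a baseline policy, which is worth stating in `description` so it is not mistaken for the cluster's default posture. Note it is TCP-only, matching the `-p tcp` iptables rules in the same patch, so UDP to those ports is unaffected.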
@@ -0,0 +1,125 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/actually-managed-by: Eno + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/part-of: cilium + name: cilium +rules: +- apiGroups: + - networking.k8s.io + resources: + - networkpolicies + verbs: + - get + - list + - watch +- apiGroups: + - discovery.k8s.io + resources: + - endpointslices + verbs: + - get + - list + - watch +- apiGroups: + - "" + resources: + - namespaces + - services + - pods + - endpoints + - nodes + verbs: + - get + - list + - watch +- apiGroups: + - apiextensions.k8s.io + resources: + - customresourcedefinitions + verbs: + - list + - watch + - get +- apiGroups: + - cilium.io + resources: + - ciliumbgppeeringpolicies + - ciliumclusterwideenvoyconfigs + - ciliumclusterwidenetworkpolicies + - ciliumegressgatewaypolicies + - ciliumendpoints + - ciliumendpointslices + - ciliumenvoyconfigs + - ciliumidentities + - ciliumlocalredirectpolicies + - ciliumnetworkpolicies + - ciliumnodes + - ciliumnodeconfigs + - ciliumloadbalancerippools + - ciliumcidrgroups + - ciliuml2announcementpolicies + - ciliumpodippools + - ciliumbgpnodeconfigs + - ciliumbgpadvertisements + - ciliumbgppeerconfigs + verbs: + - list + - watch +- apiGroups: + - cilium.io + resources: + - ciliumidentities + - ciliumendpoints + - ciliumnodes + verbs: + - create +- apiGroups: + - cilium.io + resources: + - ciliumidentities + verbs: + - update +- apiGroups: + - cilium.io + resources: + - ciliumendpoints + verbs: + - delete + - get +- apiGroups: + - cilium.io + resources: + - ciliumnodes + - ciliumnodes/status + verbs: + - get + - update +- apiGroups: + - cilium.io + resources: + - ciliumnetworkpolicies/status + - ciliumclusterwidenetworkpolicies/status + - ciliumendpoints/status + - ciliumendpoints + - ciliuml2announcementpolicies/status + - ciliumbgpnodeconfigs/status + 
verbs: + - patch +- apiGroups: + - "" + resources: + - events + verbs: + - create +- apiGroups: + - cilium.io + resources: + - ciliumnodes + verbs: + - patch diff --git a/test/integration/manifests/cilium/v1.18/ebpf/common/ciliumclusterwidenetworkpolicies.yaml b/test/integration/manifests/cilium/v1.18/ebpf/common/ciliumclusterwidenetworkpolicies.yaml new file mode 100644 index 0000000000..1027fc52ed --- /dev/null +++ b/test/integration/manifests/cilium/v1.18/ebpf/common/ciliumclusterwidenetworkpolicies.yaml 
@@ -0,0 +1,7054 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.16.5 + eno.azure.io/disable-updates: "true" + name: ciliumclusterwidenetworkpolicies.cilium.io +spec: + group: cilium.io + names: + categories: + - cilium + - ciliumpolicy + kind: CiliumClusterwideNetworkPolicy + listKind: CiliumClusterwideNetworkPolicyList + plural: ciliumclusterwidenetworkpolicies + shortNames: + - ccnp + singular: ciliumclusterwidenetworkpolicy + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.conditions[?(@.type=='Valid')].status + name: Valid + type: string + name: v2 + schema: + openAPIV3Schema: + description: |- + CiliumClusterwideNetworkPolicy is a Kubernetes third-party resource with an + modified version of CiliumNetworkPolicy which is cluster scoped rather than + namespace scoped. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + anyOf: + - properties: + ingress: {} + required: + - ingress + - properties: + ingressDeny: {} + required: + - ingressDeny + - properties: + egress: {} + required: + - egress + - properties: + egressDeny: {} + required: + - egressDeny + description: Spec is the desired Cilium specific rule specification. 
+ oneOf: + - properties: + endpointSelector: {} + required: + - endpointSelector + - properties: + nodeSelector: {} + required: + - nodeSelector + properties: + description: + description: |- + Description is a free form string, it can be used by the creator of + the rule to store human readable explanation of the purpose of this + rule. Rules cannot be identified by comment. + type: string + egress: + description: |- + Egress is a list of EgressRule which are enforced at egress. + If omitted or empty, this rule does not apply at egress. + items: + description: |- + EgressRule contains all rule types which can be applied at egress, i.e. + network traffic that originates inside the endpoint and exits the endpoint + selected by the endpointSelector. + + - All members of this structure are optional. If omitted or empty, the + member will have no effect on the rule. + + - If multiple members of the structure are specified, then all members + must match in order for the rule to take effect. The exception to this + rule is the ToRequires member; the effects of any Requires field in any + rule will apply to all other rules as well. + + - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are + mutually exclusive. Only one of these members may be present within an + individual rule. + properties: + authentication: + description: Authentication is the required authentication type + for the allowed traffic, if any. + properties: + mode: + description: Mode is the required authentication mode for + the allowed traffic, if any. + enum: + - disabled + - required + - test-always-fail + type: string + required: + - mode + type: object + icmps: + description: |- + ICMPs is a list of ICMP rule identified by type number + which the endpoint subject to the rule is allowed to connect to. + + Example: + Any endpoint with the label "app=httpd" is allowed to initiate + type 8 ICMP connections. + items: + description: ICMPRule is a list of ICMP fields. 
+ properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: |- + Family is a IP address version. + Currently, we support `IPv4` and `IPv6`. + `IPv4` is set as default. + enum: + - IPv4 + - IPv6 + type: string + type: + anyOf: + - type: integer + - type: string + description: "Type is a ICMP-type.\nIt should be + an 8bit code (0-255), or it's CamelCase name (for + example, \"EchoReply\").\nAllowed ICMP types are:\n + \ Ipv4: EchoReply | DestinationUnreachable | + Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + |\n\t\t\t Timestamp | TimestampReply | Photuris + | ExtendedEcho Request | ExtendedEcho Reply\n + \ Ipv6: DestinationUnreachable | PacketTooBig + | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest + | EchoReply | MulticastListenerQuery| MulticastListenerReport + |\n\t\t\t MulticastListenerDone | RouterSolicitation + | RouterAdvertisement | NeighborSolicitation |\n\t\t\t + NeighborAdvertisement | RedirectMessage | RouterRenumbering + | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse + | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement + |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply" + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true + required: + - type + type: object + maxItems: 40 + type: array + type: object + type: array + toCIDR: + description: |- + ToCIDR is a list of IP blocks which the endpoint subject to the rule + is allowed to initiate connections. Only connections destined for + outside of the cluster and not targeting the host will be subject + to CIDR rules. This will match on the destination IP address of + outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet + with no ExcludeCIDRs is equivalent. Overlaps are allowed between + ToCIDR and ToCIDRSet. + + Example: + Any endpoint with the label "app=database-proxy" is allowed to + initiate connections to 10.2.3.0/24 + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + toCIDRSet: + description: |- + ToCIDRSet is a list of IP blocks which the endpoint subject to the rule + is allowed to initiate connections to in addition to connections + which are allowed via ToEndpoints, along with a list of subnets contained + within their corresponding IP block to which traffic should not be + allowed. This will match on the destination IP address of outgoing + connections. Adding a prefix into ToCIDR or into ToCIDRSet with no + ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and + ToCIDRSet. 
+ + Example: + Any endpoint with the label "app=database-proxy" is allowed to + initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28. + items: + description: |- + CIDRRule is a rule that specifies a CIDR prefix to/from which outside + communication is allowed, along with an optional list of subnets within that + CIDR prefix to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + - properties: + cidrGroupSelector: {} + required: + - cidrGroupSelector + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + format: cidr + type: string + cidrGroupRef: + description: |- + CIDRGroupRef is a reference to a CiliumCIDRGroup object. + A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to + the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive + connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + cidrGroupSelector: + description: |- + CIDRGroupSelector selects CiliumCIDRGroups by their labels, + rather than by name. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + except: + description: |- + ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule + is not allowed to initiate connections to. These CIDR prefixes should be + contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not + supported yet. + These exceptions are only applied to the Cidr in this CIDRRule, and do not + apply to any other CIDR prefixes in any other CIDRRules. + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + type: object + type: array + toEndpoints: + description: |- + ToEndpoints is a list of endpoints identified by an EndpointSelector to + which the endpoints subject to the rule are allowed to communicate. + + Example: + Any endpoint with the label "role=frontend" can communicate with any + endpoint carrying the label "role=backend". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toEntities: + description: |- + ToEntities is a list of special entities to which the endpoint subject + to the rule is allowed to initiate connections. Supported entities are + `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`, + `health`,`unmanaged` and `all`. + items: + description: |- + Entity specifies the class of receiver/sender endpoints that do not have + individual identities. Entities are used to describe "outside of cluster", + "host", etc. 
+ enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + toFQDNs: + description: |- + ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result + from DNS resolution of `ToFQDN.MatchName`s are added to the same + EgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and + L7 rules within this EgressRule will also apply to these IPs. + The DNS -> IP mapping is re-resolved periodically from within the + cilium-agent, and the IPs in the DNS response are effected in the policy + for selected pods as-is (i.e. the list of IPs is not modified in any way). + Note: An explicit rule to allow for DNS traffic is needed for the pods, as + ToFQDN counts as an egress rule and will enforce egress policy when + PolicyEnforcment=default. + Note: If the resolved IPs are IPs within the kubernetes cluster, the + ToFQDN rule will not apply to that IP. + Note: ToFQDN cannot occur in the same policy as other To* rules. + items: + oneOf: + - properties: + matchName: {} + required: + - matchName + - properties: + matchPattern: {} + required: + - matchPattern + properties: + matchName: + description: |- + MatchName matches literal DNS names. A trailing "." is automatically added + when missing. + maxLength: 255 + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: |- + MatchPattern allows using wildcards to match DNS names. All wildcards are + case insensitive. The wildcards are: + - "*" matches 0 or more DNS valid characters, and may occur anywhere in + the pattern. As a special case a "*" as the leftmost character, without a + following "." matches all subdomains as well as the name to the right. + A trailing "." is automatically added when missing. 
+ + Examples: + `*.cilium.io` matches subomains of cilium at that level + www.cilium.io and blog.cilium.io match, cilium.io and google.com do not + `*cilium.io` matches cilium.io and all subdomains ends with "cilium.io" + except those containing "." separator, subcilium.io and sub-cilium.io match, + www.cilium.io and blog.cilium.io does not + sub*.cilium.io matches subdomains of cilium where the subdomain component + begins with "sub" + sub.cilium.io and subdomain.cilium.io match, www.cilium.io, + blog.cilium.io, cilium.io and google.com do not + maxLength: 255 + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + toGroups: + description: |- + ToGroups is a directive that allows the integration with multiple outside + providers. Currently, only AWS is supported, and the rule can select by + multiple sub directives: + + Example: + toGroups: + - aws: + securityGroupsIds: + - 'sg-XXXXXXXXXXXXX' + items: + description: |- + Groups structure to store all kinds of new integrations that needs a new + derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + toNodes: + description: |- + ToNodes is a list of nodes identified by an + EndpointSelector to which endpoints subject to the rule is allowed to communicate. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toPorts: + description: |- + ToPorts is a list of destination ports identified by port number and + protocol which the endpoint subject to the rule is allowed to + connect to. + + Example: + Any endpoint with the label "role=frontend" is allowed to initiate + connections to destination port 8080/tcp + items: + description: |- + PortRule is a list of ports/protocol combinations with optional Layer 7 + rules which must be met. + properties: + listener: + description: |- + listener specifies the name of a custom Envoy listener to which this traffic should be + redirected to. 
+ properties: + envoyConfig: + description: |- + EnvoyConfig is a reference to the CEC or CCEC resource in which + the listener is defined. + properties: + kind: + description: |- + Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or + CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, + respectively. The only case this is currently explicitly needed is when referring to a + CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener + from a cluster scoped policy is not allowed. + enum: + - CiliumEnvoyConfig + - CiliumClusterwideEnvoyConfig + type: string + name: + description: |- + Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where + the listener is defined in. + minLength: 1 + type: string + required: + - name + type: object + name: + description: Name is the name of the listener. + minLength: 1 + type: string + priority: + description: |- + Priority for this Listener that is used when multiple rules would apply different + listeners to a policy map entry. Behavior of this is implementation dependent. + maximum: 100 + minimum: 1 + type: integer + required: + - envoyConfig + - name + type: object + originatingTLS: + description: |- + OriginatingTLS is the TLS context for the connections originated by + the L7 proxy. For egress policy this specifies the client-side TLS + parameters for the upstream connection originating from the L7 proxy + to the remote destination. For ingress policy this specifies the + client-side TLS parameters for the connection from the L7 proxy to + the local endpoint. + properties: + certificate: + description: |- + Certificate is the file name or k8s secret item name for the certificate + chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the + item must exist. 
+ type: string + privateKey: + description: |- + PrivateKey is the file name or k8s secret item name for the private key + matching the certificate chain. If omitted, 'tls.key' is assumed, if it + exists. If given, the item must exist. + type: string + secret: + description: |- + Secret is the secret that contains the certificates and private key for + the TLS context. + By default, Cilium will search in this secret for the following items: + - 'ca.crt' - Which represents the trusted CA to verify remote source. + - 'tls.crt' - Which represents the public key certificate. + - 'tls.key' - Which represents the private key matching the public key + certificate. + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: |- + TrustedCA is the file name or k8s secret item name for the trusted CA. + If omitted, 'ca.crt' is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + endPort: + description: EndPort can only be an L4 port number. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + port: + description: |- + Port can be an L4 port number, or a name in the form of "http" + or "http-8080". + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: |- + Protocol is the L4 protocol. If omitted or empty, any protocol + matches. Accepted values: "TCP", "UDP", "SCTP", "ANY" + + Matching on ICMP is not supported. 
+ + Named port specified for a container may narrow this down, but may not + contradict this. + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + maxItems: 40 + type: array + rules: + description: |- + Rules is a list of additional port level rules which must be met in + order for the PortRule to allow the traffic. If omitted or empty, + no layer 7 rules are enforced. + oneOf: + - properties: + http: {} + required: + - http + - properties: + kafka: {} + required: + - kafka + - properties: + dns: {} + required: + - dns + - properties: + l7proto: {} + required: + - l7proto + properties: + dns: + description: DNS-specific rules. + items: + description: PortRuleDNS is a list of allowed DNS + lookups. + oneOf: + - properties: + matchName: {} + required: + - matchName + - properties: + matchPattern: {} + required: + - matchPattern + properties: + matchName: + description: |- + MatchName matches literal DNS names. A trailing "." is automatically added + when missing. + maxLength: 255 + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: |- + MatchPattern allows using wildcards to match DNS names. All wildcards are + case insensitive. The wildcards are: + - "*" matches 0 or more DNS valid characters, and may occur anywhere in + the pattern. As a special case a "*" as the leftmost character, without a + following "." matches all subdomains as well as the name to the right. + A trailing "." is automatically added when missing. + + Examples: + `*.cilium.io` matches subomains of cilium at that level + www.cilium.io and blog.cilium.io match, cilium.io and google.com do not + `*cilium.io` matches cilium.io and all subdomains ends with "cilium.io" + except those containing "." 
separator, subcilium.io and sub-cilium.io match, + www.cilium.io and blog.cilium.io does not + sub*.cilium.io matches subdomains of cilium where the subdomain component + begins with "sub" + sub.cilium.io and subdomain.cilium.io match, www.cilium.io, + blog.cilium.io, cilium.io and google.com do not + maxLength: 255 + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + http: + description: HTTP specific rules. + items: + description: |- + PortRuleHTTP is a list of HTTP protocol constraints. All fields are + optional, if all fields are empty or missing, the rule does not have any + effect. + + All fields of this type are extended POSIX regex as defined by IEEE Std + 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) + matched against the path of an incoming request. Currently it can contain + characters disallowed from the conventional "path" part of a URL as defined + by RFC 3986. + properties: + headerMatches: + description: |- + HeaderMatches is a list of HTTP headers which must be + present and match against the given values. Mismatch field can be used + to specify what to do when there is no match. + items: + description: |- + HeaderMatch extends the HeaderValue for matching requirement of a + named header field against an immediate string, a secret value, or + a regex. If none of the optional fields is present, then the + header value is not matched, only presence of the header is enough. + properties: + mismatch: + description: |- + Mismatch identifies what to do in case there is no match. The default is + to drop the request. Otherwise the overall rule is still considered as + matching, but the mismatches are logged in the access log. + enum: + - LOG + - ADD + - DELETE + - REPLACE + type: string + name: + description: Name identifies the header. + minLength: 1 + type: string + secret: + description: |- + Secret refers to a secret that contains the value to be matched against. 
+ The secret must only contain one entry. If the referred secret does not + exist, and there is no "Value" specified, the match will fail. + properties: + name: + description: Name is the name of the + secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + value: + description: |- + Value matches the exact value of the header. Can be specified either + alone or together with "Secret"; will be used as the header value if the + secret can not be found in the latter case. + type: string + required: + - name + type: object + type: array + headers: + description: |- + Headers is a list of HTTP headers which must be present in the + request. If omitted or empty, requests are allowed regardless of + headers present. + items: + type: string + type: array + host: + description: |- + Host is an extended POSIX regex matched against the host header of a + request. Examples: + + - foo.bar.com will match the host fooXbar.com or foo-bar.com + - foo\.bar\.com will only match the host foo.bar.com + + If omitted or empty, the value of the host header is ignored. + format: idn-hostname + type: string + method: + description: |- + Method is an extended POSIX regex matched against the method of a + request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ... + + If omitted or empty, all methods are allowed. + type: string + path: + description: |- + Path is an extended POSIX regex matched against the path of a + request. Currently it can contain characters disallowed from the + conventional "path" part of a URL as defined by RFC 3986. + + If omitted or empty, all paths are all allowed. + type: string + type: object + type: array + kafka: + description: Kafka-specific rules. + items: + description: |- + PortRule is a list of Kafka protocol constraints. 
All fields are + optional, if all fields are empty or missing, the rule will match all + Kafka messages. + properties: + apiKey: + description: |- + APIKey is a case-insensitive string matched against the key of a + request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al + Reference: https://kafka.apache.org/protocol#protocol_api_keys + + If omitted or empty, and if Role is not specified, then all keys are allowed. + type: string + apiVersion: + description: |- + APIVersion is the version matched against the api version of the + Kafka message. If set, it has to be a string representing a positive + integer. + + If omitted or empty, all versions are allowed. + type: string + clientID: + description: |- + ClientID is the client identifier as provided in the request. + + From Kafka protocol documentation: + This is a user supplied identifier for the client application. The + user can use any identifier they like and it will be used when + logging errors, monitoring aggregates, etc. For example, one might + want to monitor not just the requests per second overall, but the + number coming from each client application (each of which could + reside on multiple servers). This id acts as a logical grouping + across all requests from a particular client. + + If omitted or empty, all client identifiers are allowed. + type: string + role: + description: |- + Role is a case-insensitive string and describes a group of API keys + necessary to perform certain higher-level Kafka operations such as "produce" + or "consume". A Role automatically expands into all APIKeys required + to perform the specified higher-level operation. + + The following values are supported: + - "produce": Allow producing to the topics specified in the rule + - "consume": Allow consuming from the topics specified in the rule + + This field is incompatible with the APIKey field, i.e APIKey and Role + cannot both be specified in the same rule. 
+ + If omitted or empty, and if APIKey is not specified, then all keys are + allowed. + enum: + - produce + - consume + type: string + topic: + description: |- + Topic is the topic name contained in the message. If a Kafka request + contains multiple topics, then all topics must be allowed or the + message will be rejected. + + This constraint is ignored if the matched request message type + doesn't contain any topic. Maximum size of Topic can be 249 + characters as per recent Kafka spec and allowed characters are + a-z, A-Z, 0-9, -, . and _. + + Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 + version the length was changed from 255 to 249. For compatibility + reasons we are using 255. + + If omitted or empty, all topics are allowed. + maxLength: 255 + type: string + type: object + type: array + l7: + description: Key-value pair rules. + items: + additionalProperties: + type: string + description: |- + PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as + protocol constraints. All fields are optional, if all fields are empty or + missing, the rule does not have any effect. + type: object + type: array + l7proto: + description: Name of the L7 protocol for which the + Key-value pair rules apply. + type: string + type: object + serverNames: + description: |- + ServerNames is a list of allowed TLS SNI values. If not empty, then + TLS must be present and one of the provided SNIs must be indicated in the + TLS handshake. + items: + type: string + type: array + terminatingTLS: + description: |- + TerminatingTLS is the TLS context for the connection terminated by + the L7 proxy. For egress policy this specifies the server-side TLS + parameters to be applied on the connections originated from the local + endpoint and terminated by the L7 proxy. For ingress policy this specifies + the server-side TLS parameters to be applied on the connections + originated from a remote source and terminated by the L7 proxy. 
+ properties: + certificate: + description: |- + Certificate is the file name or k8s secret item name for the certificate + chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the + item must exist. + type: string + privateKey: + description: |- + PrivateKey is the file name or k8s secret item name for the private key + matching the certificate chain. If omitted, 'tls.key' is assumed, if it + exists. If given, the item must exist. + type: string + secret: + description: |- + Secret is the secret that contains the certificates and private key for + the TLS context. + By default, Cilium will search in this secret for the following items: + - 'ca.crt' - Which represents the trusted CA to verify remote source. + - 'tls.crt' - Which represents the public key certificate. + - 'tls.key' - Which represents the private key matching the public key + certificate. + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: |- + TrustedCA is the file name or k8s secret item name for the trusted CA. + If omitted, 'ca.crt' is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + type: object + type: array + toRequires: + description: |- + ToRequires is a list of additional constraints which must be met + in order for the selected endpoints to be able to connect to other + endpoints. These additional constraints do no by itself grant access + privileges and must always be accompanied with at least one matching + ToEndpoints. + + Example: + Any Endpoint with the label "team=A" requires any endpoint to which it + communicates to also carry the label "team=A". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toServices: + description: |- + ToServices is a list of services to which the endpoint subject + to the rule is allowed to initiate connections. + Currently Cilium only supports toServices for K8s services. + items: + description: |- + Service selects policy targets that are bundled as part of a + logical load-balanced service. 
+ + Currently only Kubernetes-based Services are supported. + properties: + k8sService: + description: K8sService selects service by name and namespace + pair + properties: + namespace: + type: string + serviceName: + type: string + type: object + k8sServiceSelector: + description: K8sServiceSelector selects services by k8s + labels and namespace + properties: + namespace: + type: string + selector: + description: ServiceSelector is a label selector for + k8s services + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - selector + type: object + type: object + type: array + type: object + type: array + egressDeny: + description: |- + EgressDeny is a list of EgressDenyRule which are enforced at egress. + Any rule inserted here will be denied regardless of the allowed egress + rules in the 'egress' field. + If omitted or empty, this rule does not apply at egress. + items: + description: |- + EgressDenyRule contains all rule types which can be applied at egress, i.e. + network traffic that originates inside the endpoint and exits the endpoint + selected by the endpointSelector. + + - All members of this structure are optional. If omitted or empty, the + member will have no effect on the rule. + + - If multiple members of the structure are specified, then all members + must match in order for the rule to take effect. The exception to this + rule is the ToRequires member; the effects of any Requires field in any + rule will apply to all other rules as well. + + - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are + mutually exclusive. Only one of these members may be present within an + individual rule. + properties: + icmps: + description: |- + ICMPs is a list of ICMP rule identified by type number + which the endpoint subject to the rule is not allowed to connect to. + + Example: + Any endpoint with the label "app=httpd" is not allowed to initiate + type 8 ICMP connections. + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: |- + Family is a IP address version. + Currently, we support `IPv4` and `IPv6`. + `IPv4` is set as default. 
+ enum: + - IPv4 + - IPv6 + type: string + type: + anyOf: + - type: integer + - type: string + description: "Type is a ICMP-type.\nIt should be + an 8bit code (0-255), or it's CamelCase name (for + example, \"EchoReply\").\nAllowed ICMP types are:\n + \ Ipv4: EchoReply | DestinationUnreachable | + Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + |\n\t\t\t Timestamp | TimestampReply | Photuris + | ExtendedEcho Request | ExtendedEcho Reply\n + \ Ipv6: DestinationUnreachable | PacketTooBig + | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest + | EchoReply | MulticastListenerQuery| MulticastListenerReport + |\n\t\t\t MulticastListenerDone | RouterSolicitation + | RouterAdvertisement | NeighborSolicitation |\n\t\t\t + NeighborAdvertisement | RedirectMessage | RouterRenumbering + | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse + | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement + |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply" + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true + required: + - type + type: object + maxItems: 40 + type: array + type: object + type: array + toCIDR: + description: |- + ToCIDR is a list of IP blocks which the endpoint subject to the rule + is allowed to initiate connections. Only connections destined for + outside of the cluster and not targeting the host will be subject + to CIDR rules. This will match on the destination IP address of + outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet + with no ExcludeCIDRs is equivalent. Overlaps are allowed between + ToCIDR and ToCIDRSet. + + Example: + Any endpoint with the label "app=database-proxy" is allowed to + initiate connections to 10.2.3.0/24 + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + toCIDRSet: + description: |- + ToCIDRSet is a list of IP blocks which the endpoint subject to the rule + is allowed to initiate connections to in addition to connections + which are allowed via ToEndpoints, along with a list of subnets contained + within their corresponding IP block to which traffic should not be + allowed. This will match on the destination IP address of outgoing + connections. Adding a prefix into ToCIDR or into ToCIDRSet with no + ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and + ToCIDRSet. 
+ + Example: + Any endpoint with the label "app=database-proxy" is allowed to + initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28. + items: + description: |- + CIDRRule is a rule that specifies a CIDR prefix to/from which outside + communication is allowed, along with an optional list of subnets within that + CIDR prefix to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + - properties: + cidrGroupSelector: {} + required: + - cidrGroupSelector + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + format: cidr + type: string + cidrGroupRef: + description: |- + CIDRGroupRef is a reference to a CiliumCIDRGroup object. + A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to + the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive + connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + cidrGroupSelector: + description: |- + CIDRGroupSelector selects CiliumCIDRGroups by their labels, + rather than by name. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + except: + description: |- + ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule + is not allowed to initiate connections to. These CIDR prefixes should be + contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not + supported yet. + These exceptions are only applied to the Cidr in this CIDRRule, and do not + apply to any other CIDR prefixes in any other CIDRRules. + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + type: object + type: array + toEndpoints: + description: |- + ToEndpoints is a list of endpoints identified by an EndpointSelector to + which the endpoints subject to the rule are allowed to communicate. + + Example: + Any endpoint with the label "role=frontend" can communicate with any + endpoint carrying the label "role=backend". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toEntities: + description: |- + ToEntities is a list of special entities to which the endpoint subject + to the rule is allowed to initiate connections. Supported entities are + `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`, + `health`,`unmanaged` and `all`. + items: + description: |- + Entity specifies the class of receiver/sender endpoints that do not have + individual identities. Entities are used to describe "outside of cluster", + "host", etc. 
+ enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + toGroups: + description: |- + ToGroups is a directive that allows the integration with multiple outside + providers. Currently, only AWS is supported, and the rule can select by + multiple sub directives: + + Example: + toGroups: + - aws: + securityGroupsIds: + - 'sg-XXXXXXXXXXXXX' + items: + description: |- + Groups structure to store all kinds of new integrations that needs a new + derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + toNodes: + description: |- + ToNodes is a list of nodes identified by an + EndpointSelector to which endpoints subject to the rule is allowed to communicate. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toPorts: + description: |- + ToPorts is a list of destination ports identified by port number and + protocol which the endpoint subject to the rule is not allowed to connect + to. + + Example: + Any endpoint with the label "role=frontend" is not allowed to initiate + connections to destination port 8080/tcp + items: + description: |- + PortDenyRule is a list of ports/protocol that should be used for deny + policies. This structure lacks the L7Rules since it's not supported in deny + policies. + properties: + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + endPort: + description: EndPort can only be an L4 port number. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + port: + description: |- + Port can be an L4 port number, or a name in the form of "http" + or "http-8080". 
+ pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: |- + Protocol is the L4 protocol. If omitted or empty, any protocol + matches. Accepted values: "TCP", "UDP", "SCTP", "ANY" + + Matching on ICMP is not supported. + + Named port specified for a container may narrow this down, but may not + contradict this. + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + type: array + type: object + type: array + toRequires: + description: |- + ToRequires is a list of additional constraints which must be met + in order for the selected endpoints to be able to connect to other + endpoints. These additional constraints do no by itself grant access + privileges and must always be accompanied with at least one matching + ToEndpoints. + + Example: + Any Endpoint with the label "team=A" requires any endpoint to which it + communicates to also carry the label "team=A". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toServices: + description: |- + ToServices is a list of services to which the endpoint subject + to the rule is allowed to initiate connections. + Currently Cilium only supports toServices for K8s services. + items: + description: |- + Service selects policy targets that are bundled as part of a + logical load-balanced service. + + Currently only Kubernetes-based Services are supported. + properties: + k8sService: + description: K8sService selects service by name and namespace + pair + properties: + namespace: + type: string + serviceName: + type: string + type: object + k8sServiceSelector: + description: K8sServiceSelector selects services by k8s + labels and namespace + properties: + namespace: + type: string + selector: + description: ServiceSelector is a label selector for + k8s services + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - selector + type: object + type: object + type: array + type: object + type: array + enableDefaultDeny: + description: |- + EnableDefaultDeny determines whether this policy configures the + subject endpoint(s) to have a default deny mode. If enabled, + this causes all traffic not explicitly allowed by a network policy + to be dropped. + + If not specified, the default is true for each traffic direction + that has rules, and false otherwise. For example, if a policy + only has Ingress or IngressDeny rules, then the default for + ingress is true and egress is false. + + If multiple policies apply to an endpoint, that endpoint's default deny + will be enabled if any policy requests it. 
+ + This is useful for creating broad-based network policies that will not + cause endpoints to enter default-deny mode. + properties: + egress: + description: |- + Whether or not the endpoint should have a default-deny rule applied + to egress traffic. + type: boolean + ingress: + description: |- + Whether or not the endpoint should have a default-deny rule applied + to ingress traffic. + type: boolean + type: object + endpointSelector: + description: |- + EndpointSelector selects all endpoints which should be subject to + this rule. EndpointSelector and NodeSelector cannot be both empty and + are mutually exclusive. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from the + MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + ingress: + description: |- + Ingress is a list of IngressRule which are enforced at ingress. + If omitted or empty, this rule does not apply at ingress. + items: + description: |- + IngressRule contains all rule types which can be applied at ingress, + i.e. network traffic that originates outside of the endpoint and + is entering the endpoint selected by the endpointSelector. + + - All members of this structure are optional. If omitted or empty, the + member will have no effect on the rule. + + - If multiple members are set, all of them need to match in order for + the rule to take effect. The exception to this rule is FromRequires field; + the effects of any Requires field in any rule will apply to all other + rules as well. + + - FromEndpoints, FromCIDR, FromCIDRSet and FromEntities are mutually + exclusive. Only one of these members may be present within an individual + rule. + properties: + authentication: + description: Authentication is the required authentication type + for the allowed traffic, if any. + properties: + mode: + description: Mode is the required authentication mode for + the allowed traffic, if any. + enum: + - disabled + - required + - test-always-fail + type: string + required: + - mode + type: object + fromCIDR: + description: |- + FromCIDR is a list of IP blocks which the endpoint subject to the + rule is allowed to receive connections from. Only connections which + do *not* originate from the cluster or from the local host are subject + to CIDR rules. In order to allow in-cluster connectivity, use the + FromEndpoints field. This will match on the source IP address of + incoming connections. 
Adding a prefix into FromCIDR or into + FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are + allowed between FromCIDR and FromCIDRSet. + + Example: + Any endpoint with the label "app=my-legacy-pet" is allowed to receive + connections from 10.3.9.1 + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + fromCIDRSet: + description: |- + FromCIDRSet is a list of IP blocks which the endpoint subject to the + rule is allowed to receive connections from in addition to FromEndpoints, + along with a list of subnets contained within their corresponding IP block + from which traffic should not be allowed. + This will match on the source IP address of incoming connections. Adding + a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is + equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. + + Example: + Any endpoint with the label "app=my-legacy-pet" is allowed to receive + connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12. + items: + description: |- + CIDRRule is a rule that specifies a CIDR prefix to/from which outside + communication is allowed, along with an optional list of subnets within that + CIDR prefix to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + - properties: + cidrGroupSelector: {} + required: + - cidrGroupSelector + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + format: cidr + type: string + cidrGroupRef: + description: |- + CIDRGroupRef is a reference to a CiliumCIDRGroup object. + A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to + the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive + connections from. 
+ maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + cidrGroupSelector: + description: |- + CIDRGroupSelector selects CiliumCIDRGroups by their labels, + rather than by name. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + except: + description: |- + ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule + is not allowed to initiate connections to. 
These CIDR prefixes should be + contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not + supported yet. + These exceptions are only applied to the Cidr in this CIDRRule, and do not + apply to any other CIDR prefixes in any other CIDRRules. + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + type: object + type: array + fromEndpoints: + description: |- + FromEndpoints is a list of endpoints identified by an + EndpointSelector which are allowed to communicate with the endpoint + subject to the rule. + + Example: + Any endpoint with the label "role=backend" can be consumed by any + endpoint carrying the label "role=frontend". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. 
+ maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + fromEntities: + description: |- + FromEntities is a list of special entities which the endpoint subject + to the rule is allowed to receive connections from. Supported entities are + `world`, `cluster` and `host` + items: + description: |- + Entity specifies the class of receiver/sender endpoints that do not have + individual identities. Entities are used to describe "outside of cluster", + "host", etc. + enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + fromGroups: + description: |- + FromGroups is a directive that allows the integration with multiple outside + providers. Currently, only AWS is supported, and the rule can select by + multiple sub directives: + + Example: + FromGroups: + - aws: + securityGroupsIds: + - 'sg-XXXXXXXXXXXXX' + items: + description: |- + Groups structure to store all kinds of new integrations that needs a new + derivative policy. 
+ properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + fromNodes: + description: |- + FromNodes is a list of nodes identified by an + EndpointSelector which are allowed to communicate with the endpoint + subject to the rule. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + fromRequires: + description: |- + FromRequires is a list of additional constraints which must be met + in order for the selected endpoints to be reachable. These + additional constraints do no by itself grant access privileges and + must always be accompanied with at least one matching FromEndpoints. + + Example: + Any Endpoint with the label "team=A" requires consuming endpoint + to also carry the label "team=A". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. 
+ maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + icmps: + description: |- + ICMPs is a list of ICMP rule identified by type number + which the endpoint subject to the rule is allowed to + receive connections on. + + Example: + Any endpoint with the label "app=httpd" can only accept incoming + type 8 ICMP connections. + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: |- + Family is a IP address version. + Currently, we support `IPv4` and `IPv6`. + `IPv4` is set as default. 
+ enum: + - IPv4 + - IPv6 + type: string + type: + anyOf: + - type: integer + - type: string + description: "Type is a ICMP-type.\nIt should be + an 8bit code (0-255), or it's CamelCase name (for + example, \"EchoReply\").\nAllowed ICMP types are:\n + \ Ipv4: EchoReply | DestinationUnreachable | + Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + |\n\t\t\t Timestamp | TimestampReply | Photuris + | ExtendedEcho Request | ExtendedEcho Reply\n + \ Ipv6: DestinationUnreachable | PacketTooBig + | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest + | EchoReply | MulticastListenerQuery| MulticastListenerReport + |\n\t\t\t MulticastListenerDone | RouterSolicitation + | RouterAdvertisement | NeighborSolicitation |\n\t\t\t + NeighborAdvertisement | RedirectMessage | RouterRenumbering + | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse + | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement + |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply" + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true + required: + - type + type: object + maxItems: 40 + type: array + type: object + type: array + toPorts: + description: |- + ToPorts is a list of destination ports identified by port number and + protocol which the endpoint subject to the rule is allowed to + receive connections on. + + Example: + Any endpoint with the label "app=httpd" can only accept incoming + connections on port 80/tcp. + items: + description: |- + PortRule is a list of ports/protocol combinations with optional Layer 7 + rules which must be met. + properties: + listener: + description: |- + listener specifies the name of a custom Envoy listener to which this traffic should be + redirected to. + properties: + envoyConfig: + description: |- + EnvoyConfig is a reference to the CEC or CCEC resource in which + the listener is defined. + properties: + kind: + description: |- + Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or + CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, + respectively. The only case this is currently explicitly needed is when referring to a + CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener + from a cluster scoped policy is not allowed. 
+ enum: + - CiliumEnvoyConfig + - CiliumClusterwideEnvoyConfig + type: string + name: + description: |- + Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where + the listener is defined in. + minLength: 1 + type: string + required: + - name + type: object + name: + description: Name is the name of the listener. + minLength: 1 + type: string + priority: + description: |- + Priority for this Listener that is used when multiple rules would apply different + listeners to a policy map entry. Behavior of this is implementation dependent. + maximum: 100 + minimum: 1 + type: integer + required: + - envoyConfig + - name + type: object + originatingTLS: + description: |- + OriginatingTLS is the TLS context for the connections originated by + the L7 proxy. For egress policy this specifies the client-side TLS + parameters for the upstream connection originating from the L7 proxy + to the remote destination. For ingress policy this specifies the + client-side TLS parameters for the connection from the L7 proxy to + the local endpoint. + properties: + certificate: + description: |- + Certificate is the file name or k8s secret item name for the certificate + chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the + item must exist. + type: string + privateKey: + description: |- + PrivateKey is the file name or k8s secret item name for the private key + matching the certificate chain. If omitted, 'tls.key' is assumed, if it + exists. If given, the item must exist. + type: string + secret: + description: |- + Secret is the secret that contains the certificates and private key for + the TLS context. + By default, Cilium will search in this secret for the following items: + - 'ca.crt' - Which represents the trusted CA to verify remote source. + - 'tls.crt' - Which represents the public key certificate. + - 'tls.key' - Which represents the private key matching the public key + certificate. 
+ properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: |- + TrustedCA is the file name or k8s secret item name for the trusted CA. + If omitted, 'ca.crt' is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + endPort: + description: EndPort can only be an L4 port number. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + port: + description: |- + Port can be an L4 port number, or a name in the form of "http" + or "http-8080". + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: |- + Protocol is the L4 protocol. If omitted or empty, any protocol + matches. Accepted values: "TCP", "UDP", "SCTP", "ANY" + + Matching on ICMP is not supported. + + Named port specified for a container may narrow this down, but may not + contradict this. + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + maxItems: 40 + type: array + rules: + description: |- + Rules is a list of additional port level rules which must be met in + order for the PortRule to allow the traffic. If omitted or empty, + no layer 7 rules are enforced. + oneOf: + - properties: + http: {} + required: + - http + - properties: + kafka: {} + required: + - kafka + - properties: + dns: {} + required: + - dns + - properties: + l7proto: {} + required: + - l7proto + properties: + dns: + description: DNS-specific rules. 
+ items: + description: PortRuleDNS is a list of allowed DNS + lookups. + oneOf: + - properties: + matchName: {} + required: + - matchName + - properties: + matchPattern: {} + required: + - matchPattern + properties: + matchName: + description: |- + MatchName matches literal DNS names. A trailing "." is automatically added + when missing. + maxLength: 255 + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: |- + MatchPattern allows using wildcards to match DNS names. All wildcards are + case insensitive. The wildcards are: + - "*" matches 0 or more DNS valid characters, and may occur anywhere in + the pattern. As a special case a "*" as the leftmost character, without a + following "." matches all subdomains as well as the name to the right. + A trailing "." is automatically added when missing. + + Examples: + `*.cilium.io` matches subomains of cilium at that level + www.cilium.io and blog.cilium.io match, cilium.io and google.com do not + `*cilium.io` matches cilium.io and all subdomains ends with "cilium.io" + except those containing "." separator, subcilium.io and sub-cilium.io match, + www.cilium.io and blog.cilium.io does not + sub*.cilium.io matches subdomains of cilium where the subdomain component + begins with "sub" + sub.cilium.io and subdomain.cilium.io match, www.cilium.io, + blog.cilium.io, cilium.io and google.com do not + maxLength: 255 + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + http: + description: HTTP specific rules. + items: + description: |- + PortRuleHTTP is a list of HTTP protocol constraints. All fields are + optional, if all fields are empty or missing, the rule does not have any + effect. + + All fields of this type are extended POSIX regex as defined by IEEE Std + 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) + matched against the path of an incoming request. 
Currently it can contain + characters disallowed from the conventional "path" part of a URL as defined + by RFC 3986. + properties: + headerMatches: + description: |- + HeaderMatches is a list of HTTP headers which must be + present and match against the given values. Mismatch field can be used + to specify what to do when there is no match. + items: + description: |- + HeaderMatch extends the HeaderValue for matching requirement of a + named header field against an immediate string, a secret value, or + a regex. If none of the optional fields is present, then the + header value is not matched, only presence of the header is enough. + properties: + mismatch: + description: |- + Mismatch identifies what to do in case there is no match. The default is + to drop the request. Otherwise the overall rule is still considered as + matching, but the mismatches are logged in the access log. + enum: + - LOG + - ADD + - DELETE + - REPLACE + type: string + name: + description: Name identifies the header. + minLength: 1 + type: string + secret: + description: |- + Secret refers to a secret that contains the value to be matched against. + The secret must only contain one entry. If the referred secret does not + exist, and there is no "Value" specified, the match will fail. + properties: + name: + description: Name is the name of the + secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + value: + description: |- + Value matches the exact value of the header. Can be specified either + alone or together with "Secret"; will be used as the header value if the + secret can not be found in the latter case. + type: string + required: + - name + type: object + type: array + headers: + description: |- + Headers is a list of HTTP headers which must be present in the + request. 
If omitted or empty, requests are allowed regardless of + headers present. + items: + type: string + type: array + host: + description: |- + Host is an extended POSIX regex matched against the host header of a + request. Examples: + + - foo.bar.com will match the host fooXbar.com or foo-bar.com + - foo\.bar\.com will only match the host foo.bar.com + + If omitted or empty, the value of the host header is ignored. + format: idn-hostname + type: string + method: + description: |- + Method is an extended POSIX regex matched against the method of a + request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ... + + If omitted or empty, all methods are allowed. + type: string + path: + description: |- + Path is an extended POSIX regex matched against the path of a + request. Currently it can contain characters disallowed from the + conventional "path" part of a URL as defined by RFC 3986. + + If omitted or empty, all paths are all allowed. + type: string + type: object + type: array + kafka: + description: Kafka-specific rules. + items: + description: |- + PortRule is a list of Kafka protocol constraints. All fields are + optional, if all fields are empty or missing, the rule will match all + Kafka messages. + properties: + apiKey: + description: |- + APIKey is a case-insensitive string matched against the key of a + request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al + Reference: https://kafka.apache.org/protocol#protocol_api_keys + + If omitted or empty, and if Role is not specified, then all keys are allowed. + type: string + apiVersion: + description: |- + APIVersion is the version matched against the api version of the + Kafka message. If set, it has to be a string representing a positive + integer. + + If omitted or empty, all versions are allowed. + type: string + clientID: + description: |- + ClientID is the client identifier as provided in the request. 
+ + From Kafka protocol documentation: + This is a user supplied identifier for the client application. The + user can use any identifier they like and it will be used when + logging errors, monitoring aggregates, etc. For example, one might + want to monitor not just the requests per second overall, but the + number coming from each client application (each of which could + reside on multiple servers). This id acts as a logical grouping + across all requests from a particular client. + + If omitted or empty, all client identifiers are allowed. + type: string + role: + description: |- + Role is a case-insensitive string and describes a group of API keys + necessary to perform certain higher-level Kafka operations such as "produce" + or "consume". A Role automatically expands into all APIKeys required + to perform the specified higher-level operation. + + The following values are supported: + - "produce": Allow producing to the topics specified in the rule + - "consume": Allow consuming from the topics specified in the rule + + This field is incompatible with the APIKey field, i.e APIKey and Role + cannot both be specified in the same rule. + + If omitted or empty, and if APIKey is not specified, then all keys are + allowed. + enum: + - produce + - consume + type: string + topic: + description: |- + Topic is the topic name contained in the message. If a Kafka request + contains multiple topics, then all topics must be allowed or the + message will be rejected. + + This constraint is ignored if the matched request message type + doesn't contain any topic. Maximum size of Topic can be 249 + characters as per recent Kafka spec and allowed characters are + a-z, A-Z, 0-9, -, . and _. + + Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 + version the length was changed from 255 to 249. For compatibility + reasons we are using 255. + + If omitted or empty, all topics are allowed. 
+ maxLength: 255 + type: string + type: object + type: array + l7: + description: Key-value pair rules. + items: + additionalProperties: + type: string + description: |- + PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as + protocol constraints. All fields are optional, if all fields are empty or + missing, the rule does not have any effect. + type: object + type: array + l7proto: + description: Name of the L7 protocol for which the + Key-value pair rules apply. + type: string + type: object + serverNames: + description: |- + ServerNames is a list of allowed TLS SNI values. If not empty, then + TLS must be present and one of the provided SNIs must be indicated in the + TLS handshake. + items: + type: string + type: array + terminatingTLS: + description: |- + TerminatingTLS is the TLS context for the connection terminated by + the L7 proxy. For egress policy this specifies the server-side TLS + parameters to be applied on the connections originated from the local + endpoint and terminated by the L7 proxy. For ingress policy this specifies + the server-side TLS parameters to be applied on the connections + originated from a remote source and terminated by the L7 proxy. + properties: + certificate: + description: |- + Certificate is the file name or k8s secret item name for the certificate + chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the + item must exist. + type: string + privateKey: + description: |- + PrivateKey is the file name or k8s secret item name for the private key + matching the certificate chain. If omitted, 'tls.key' is assumed, if it + exists. If given, the item must exist. + type: string + secret: + description: |- + Secret is the secret that contains the certificates and private key for + the TLS context. + By default, Cilium will search in this secret for the following items: + - 'ca.crt' - Which represents the trusted CA to verify remote source. + - 'tls.crt' - Which represents the public key certificate. 
+ - 'tls.key' - Which represents the private key matching the public key + certificate. + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: |- + TrustedCA is the file name or k8s secret item name for the trusted CA. + If omitted, 'ca.crt' is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + type: object + type: array + type: object + type: array + ingressDeny: + description: |- + IngressDeny is a list of IngressDenyRule which are enforced at ingress. + Any rule inserted here will be denied regardless of the allowed ingress + rules in the 'ingress' field. + If omitted or empty, this rule does not apply at ingress. + items: + description: |- + IngressDenyRule contains all rule types which can be applied at ingress, + i.e. network traffic that originates outside of the endpoint and + is entering the endpoint selected by the endpointSelector. + + - All members of this structure are optional. If omitted or empty, the + member will have no effect on the rule. + + - If multiple members are set, all of them need to match in order for + the rule to take effect. The exception to this rule is FromRequires field; + the effects of any Requires field in any rule will apply to all other + rules as well. + + - FromEndpoints, FromCIDR, FromCIDRSet, FromGroups and FromEntities are mutually + exclusive. Only one of these members may be present within an individual + rule. + properties: + fromCIDR: + description: |- + FromCIDR is a list of IP blocks which the endpoint subject to the + rule is allowed to receive connections from. Only connections which + do *not* originate from the cluster or from the local host are subject + to CIDR rules. 
In order to allow in-cluster connectivity, use the + FromEndpoints field. This will match on the source IP address of + incoming connections. Adding a prefix into FromCIDR or into + FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are + allowed between FromCIDR and FromCIDRSet. + + Example: + Any endpoint with the label "app=my-legacy-pet" is allowed to receive + connections from 10.3.9.1 + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + fromCIDRSet: + description: |- + FromCIDRSet is a list of IP blocks which the endpoint subject to the + rule is allowed to receive connections from in addition to FromEndpoints, + along with a list of subnets contained within their corresponding IP block + from which traffic should not be allowed. + This will match on the source IP address of incoming connections. Adding + a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is + equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. + + Example: + Any endpoint with the label "app=my-legacy-pet" is allowed to receive + connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12. + items: + description: |- + CIDRRule is a rule that specifies a CIDR prefix to/from which outside + communication is allowed, along with an optional list of subnets within that + CIDR prefix to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + - properties: + cidrGroupSelector: {} + required: + - cidrGroupSelector + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + format: cidr + type: string + cidrGroupRef: + description: |- + CIDRGroupRef is a reference to a CiliumCIDRGroup object. 
+ A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to + the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive + connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + cidrGroupSelector: + description: |- + CIDRGroupSelector selects CiliumCIDRGroups by their labels, + rather than by name. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + except: + description: |- + ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule + is not allowed to initiate connections to. These CIDR prefixes should be + contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not + supported yet. + These exceptions are only applied to the Cidr in this CIDRRule, and do not + apply to any other CIDR prefixes in any other CIDRRules. + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + type: object + type: array + fromEndpoints: + description: |- + FromEndpoints is a list of endpoints identified by an + EndpointSelector which are allowed to communicate with the endpoint + subject to the rule. + + Example: + Any endpoint with the label "role=backend" can be consumed by any + endpoint carrying the label "role=frontend". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + fromEntities: + description: |- + FromEntities is a list of special entities which the endpoint subject + to the rule is allowed to receive connections from. Supported entities are + `world`, `cluster` and `host` + items: + description: |- + Entity specifies the class of receiver/sender endpoints that do not have + individual identities. Entities are used to describe "outside of cluster", + "host", etc. + enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + fromGroups: + description: |- + FromGroups is a directive that allows the integration with multiple outside + providers. Currently, only AWS is supported, and the rule can select by + multiple sub directives: + + Example: + FromGroups: + - aws: + securityGroupsIds: + - 'sg-XXXXXXXXXXXXX' + items: + description: |- + Groups structure to store all kinds of new integrations that needs a new + derivative policy. 
+ properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + fromNodes: + description: |- + FromNodes is a list of nodes identified by an + EndpointSelector which are allowed to communicate with the endpoint + subject to the rule. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + fromRequires: + description: |- + FromRequires is a list of additional constraints which must be met + in order for the selected endpoints to be reachable. These + additional constraints do no by itself grant access privileges and + must always be accompanied with at least one matching FromEndpoints. + + Example: + Any Endpoint with the label "team=A" requires consuming endpoint + to also carry the label "team=A". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from + the MatchLabels {key,value} pair. 
+ maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + icmps: + description: |- + ICMPs is a list of ICMP rule identified by type number + which the endpoint subject to the rule is not allowed to + receive connections on. + + Example: + Any endpoint with the label "app=httpd" can not accept incoming + type 8 ICMP connections. + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: |- + Family is a IP address version. + Currently, we support `IPv4` and `IPv6`. + `IPv4` is set as default. 
+ enum: + - IPv4 + - IPv6 + type: string + type: + anyOf: + - type: integer + - type: string + description: "Type is a ICMP-type.\nIt should be + an 8bit code (0-255), or it's CamelCase name (for + example, \"EchoReply\").\nAllowed ICMP types are:\n + \ Ipv4: EchoReply | DestinationUnreachable | + Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + |\n\t\t\t Timestamp | TimestampReply | Photuris + | ExtendedEcho Request | ExtendedEcho Reply\n + \ Ipv6: DestinationUnreachable | PacketTooBig + | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest + | EchoReply | MulticastListenerQuery| MulticastListenerReport + |\n\t\t\t MulticastListenerDone | RouterSolicitation + | RouterAdvertisement | NeighborSolicitation |\n\t\t\t + NeighborAdvertisement | RedirectMessage | RouterRenumbering + | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse + | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement + |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply" + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true + required: + - type + type: object + maxItems: 40 + type: array + type: object + type: array + toPorts: + description: |- + ToPorts is a list of destination ports identified by port number and + protocol which the endpoint subject to the rule is not allowed to + receive connections on. + + Example: + Any endpoint with the label "app=httpd" can not accept incoming + connections on port 80/tcp. + items: + description: |- + PortDenyRule is a list of ports/protocol that should be used for deny + policies. This structure lacks the L7Rules since it's not supported in deny + policies. + properties: + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + endPort: + description: EndPort can only be an L4 port number. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + port: + description: |- + Port can be an L4 port number, or a name in the form of "http" + or "http-8080". + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: |- + Protocol is the L4 protocol. If omitted or empty, any protocol + matches. Accepted values: "TCP", "UDP", "SCTP", "ANY" + + Matching on ICMP is not supported. 
+ + Named port specified for a container may narrow this down, but may not + contradict this. + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + type: array + type: object + type: array + type: object + type: array + labels: + description: |- + Labels is a list of optional strings which can be used to + re-identify the rule or to store metadata. It is possible to lookup + or delete strings based on labels. Labels are not required to be + unique, multiple rules can have overlapping or identical labels. + items: + description: Label is the Cilium's representation of a container + label. + properties: + key: + type: string + source: + description: 'Source can be one of the above values (e.g.: LabelSourceContainer).' + type: string + value: + type: string + required: + - key + type: object + type: array + nodeSelector: + description: |- + NodeSelector selects all nodes which should be subject to this rule. + EndpointSelector and NodeSelector cannot be both empty and are mutually + exclusive. Can only be used in CiliumClusterwideNetworkPolicies. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from the + MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + specs: + description: Specs is a list of desired Cilium specific rule specification. + items: + anyOf: + - properties: + ingress: {} + required: + - ingress + - properties: + ingressDeny: {} + required: + - ingressDeny + - properties: + egress: {} + required: + - egress + - properties: + egressDeny: {} + required: + - egressDeny + description: |- + Rule is a policy rule which must be applied to all endpoints which match the + labels contained in the endpointSelector + + Each rule is split into an ingress section which contains all rules + applicable at ingress, and an egress section applicable at egress. For rule + types such as `L4Rule` and `CIDR` which can be applied at both ingress and + egress, both ingress and egress side have to either specifically allow the + connection or one side has to be omitted. + + Either ingress, egress, or both can be provided. If both ingress and egress + are omitted, the rule has no effect. 
+ oneOf: + - properties: + endpointSelector: {} + required: + - endpointSelector + - properties: + nodeSelector: {} + required: + - nodeSelector + properties: + description: + description: |- + Description is a free form string, it can be used by the creator of + the rule to store human readable explanation of the purpose of this + rule. Rules cannot be identified by comment. + type: string + egress: + description: |- + Egress is a list of EgressRule which are enforced at egress. + If omitted or empty, this rule does not apply at egress. + items: + description: |- + EgressRule contains all rule types which can be applied at egress, i.e. + network traffic that originates inside the endpoint and exits the endpoint + selected by the endpointSelector. + + - All members of this structure are optional. If omitted or empty, the + member will have no effect on the rule. + + - If multiple members of the structure are specified, then all members + must match in order for the rule to take effect. The exception to this + rule is the ToRequires member; the effects of any Requires field in any + rule will apply to all other rules as well. + + - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are + mutually exclusive. Only one of these members may be present within an + individual rule. + properties: + authentication: + description: Authentication is the required authentication + type for the allowed traffic, if any. + properties: + mode: + description: Mode is the required authentication mode + for the allowed traffic, if any. + enum: + - disabled + - required + - test-always-fail + type: string + required: + - mode + type: object + icmps: + description: |- + ICMPs is a list of ICMP rule identified by type number + which the endpoint subject to the rule is allowed to connect to. + + Example: + Any endpoint with the label "app=httpd" is allowed to initiate + type 8 ICMP connections. + items: + description: ICMPRule is a list of ICMP fields. 
+ properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: |- + Family is a IP address version. + Currently, we support `IPv4` and `IPv6`. + `IPv4` is set as default. + enum: + - IPv4 + - IPv6 + type: string + type: + anyOf: + - type: integer + - type: string + description: "Type is a ICMP-type.\nIt should + be an 8bit code (0-255), or it's CamelCase name + (for example, \"EchoReply\").\nAllowed ICMP + types are:\n Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + |\n\t\t\t Timestamp | TimestampReply | Photuris + | ExtendedEcho Request | ExtendedEcho Reply\n + \ Ipv6: DestinationUnreachable | PacketTooBig + | TimeExceeded | ParameterProblem |\n\t\t\t + EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport |\n\t\t\t MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | + NeighborSolicitation |\n\t\t\t NeighborAdvertisement + | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery + |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation + | InverseNeighborDiscoveryAdvertisement |\n\t\t\t + HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply" + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true + required: + - type + type: object + maxItems: 40 + type: array + type: object + type: array + toCIDR: + description: |- + ToCIDR is a list of IP blocks which the endpoint subject to the rule + is allowed to initiate connections. Only connections destined for + outside of the cluster and not targeting the host will be subject + to CIDR rules. This will match on the destination IP address of + outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet + with no ExcludeCIDRs is equivalent. Overlaps are allowed between + ToCIDR and ToCIDRSet. + + Example: + Any endpoint with the label "app=database-proxy" is allowed to + initiate connections to 10.2.3.0/24 + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + toCIDRSet: + description: |- + ToCIDRSet is a list of IP blocks which the endpoint subject to the rule + is allowed to initiate connections to in addition to connections + which are allowed via ToEndpoints, along with a list of subnets contained + within their corresponding IP block to which traffic should not be + allowed. This will match on the destination IP address of outgoing + connections. Adding a prefix into ToCIDR or into ToCIDRSet with no + ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and + ToCIDRSet. 
+ + Example: + Any endpoint with the label "app=database-proxy" is allowed to + initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28. + items: + description: |- + CIDRRule is a rule that specifies a CIDR prefix to/from which outside + communication is allowed, along with an optional list of subnets within that + CIDR prefix to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + - properties: + cidrGroupSelector: {} + required: + - cidrGroupSelector + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + format: cidr + type: string + cidrGroupRef: + description: |- + CIDRGroupRef is a reference to a CiliumCIDRGroup object. + A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to + the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive + connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + cidrGroupSelector: + description: |- + CIDRGroupSelector selects CiliumCIDRGroups by their labels, + rather than by name. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + except: + description: |- + ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule + is not allowed to initiate connections to. These CIDR prefixes should be + contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not + supported yet. + These exceptions are only applied to the Cidr in this CIDRRule, and do not + apply to any other CIDR prefixes in any other CIDRRules. + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + type: object + type: array + toEndpoints: + description: |- + ToEndpoints is a list of endpoints identified by an EndpointSelector to + which the endpoints subject to the rule are allowed to communicate. + + Example: + Any endpoint with the label "role=frontend" can communicate with any + endpoint carrying the label "role=backend". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toEntities: + description: |- + ToEntities is a list of special entities to which the endpoint subject + to the rule is allowed to initiate connections. Supported entities are + `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`, + `health`,`unmanaged` and `all`. + items: + description: |- + Entity specifies the class of receiver/sender endpoints that do not have + individual identities. Entities are used to describe "outside of cluster", + "host", etc. 
+ enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + toFQDNs: + description: |- + ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result + from DNS resolution of `ToFQDN.MatchName`s are added to the same + EgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and + L7 rules within this EgressRule will also apply to these IPs. + The DNS -> IP mapping is re-resolved periodically from within the + cilium-agent, and the IPs in the DNS response are effected in the policy + for selected pods as-is (i.e. the list of IPs is not modified in any way). + Note: An explicit rule to allow for DNS traffic is needed for the pods, as + ToFQDN counts as an egress rule and will enforce egress policy when + PolicyEnforcment=default. + Note: If the resolved IPs are IPs within the kubernetes cluster, the + ToFQDN rule will not apply to that IP. + Note: ToFQDN cannot occur in the same policy as other To* rules. + items: + oneOf: + - properties: + matchName: {} + required: + - matchName + - properties: + matchPattern: {} + required: + - matchPattern + properties: + matchName: + description: |- + MatchName matches literal DNS names. A trailing "." is automatically added + when missing. + maxLength: 255 + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: |- + MatchPattern allows using wildcards to match DNS names. All wildcards are + case insensitive. The wildcards are: + - "*" matches 0 or more DNS valid characters, and may occur anywhere in + the pattern. As a special case a "*" as the leftmost character, without a + following "." matches all subdomains as well as the name to the right. + A trailing "." is automatically added when missing. 
+ + Examples: + `*.cilium.io` matches subomains of cilium at that level + www.cilium.io and blog.cilium.io match, cilium.io and google.com do not + `*cilium.io` matches cilium.io and all subdomains ends with "cilium.io" + except those containing "." separator, subcilium.io and sub-cilium.io match, + www.cilium.io and blog.cilium.io does not + sub*.cilium.io matches subdomains of cilium where the subdomain component + begins with "sub" + sub.cilium.io and subdomain.cilium.io match, www.cilium.io, + blog.cilium.io, cilium.io and google.com do not + maxLength: 255 + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + toGroups: + description: |- + ToGroups is a directive that allows the integration with multiple outside + providers. Currently, only AWS is supported, and the rule can select by + multiple sub directives: + + Example: + toGroups: + - aws: + securityGroupsIds: + - 'sg-XXXXXXXXXXXXX' + items: + description: |- + Groups structure to store all kinds of new integrations that needs a new + derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + toNodes: + description: |- + ToNodes is a list of nodes identified by an + EndpointSelector to which endpoints subject to the rule is allowed to communicate. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. 
+ properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toPorts: + description: |- + ToPorts is a list of destination ports identified by port number and + protocol which the endpoint subject to the rule is allowed to + connect to. + + Example: + Any endpoint with the label "role=frontend" is allowed to initiate + connections to destination port 8080/tcp + items: + description: |- + PortRule is a list of ports/protocol combinations with optional Layer 7 + rules which must be met. + properties: + listener: + description: |- + listener specifies the name of a custom Envoy listener to which this traffic should be + redirected to. 
+ properties: + envoyConfig: + description: |- + EnvoyConfig is a reference to the CEC or CCEC resource in which + the listener is defined. + properties: + kind: + description: |- + Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or + CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, + respectively. The only case this is currently explicitly needed is when referring to a + CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener + from a cluster scoped policy is not allowed. + enum: + - CiliumEnvoyConfig + - CiliumClusterwideEnvoyConfig + type: string + name: + description: |- + Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where + the listener is defined in. + minLength: 1 + type: string + required: + - name + type: object + name: + description: Name is the name of the listener. + minLength: 1 + type: string + priority: + description: |- + Priority for this Listener that is used when multiple rules would apply different + listeners to a policy map entry. Behavior of this is implementation dependent. + maximum: 100 + minimum: 1 + type: integer + required: + - envoyConfig + - name + type: object + originatingTLS: + description: |- + OriginatingTLS is the TLS context for the connections originated by + the L7 proxy. For egress policy this specifies the client-side TLS + parameters for the upstream connection originating from the L7 proxy + to the remote destination. For ingress policy this specifies the + client-side TLS parameters for the connection from the L7 proxy to + the local endpoint. + properties: + certificate: + description: |- + Certificate is the file name or k8s secret item name for the certificate + chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the + item must exist. 
+ type: string + privateKey: + description: |- + PrivateKey is the file name or k8s secret item name for the private key + matching the certificate chain. If omitted, 'tls.key' is assumed, if it + exists. If given, the item must exist. + type: string + secret: + description: |- + Secret is the secret that contains the certificates and private key for + the TLS context. + By default, Cilium will search in this secret for the following items: + - 'ca.crt' - Which represents the trusted CA to verify remote source. + - 'tls.crt' - Which represents the public key certificate. + - 'tls.key' - Which represents the private key matching the public key + certificate. + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: |- + TrustedCA is the file name or k8s secret item name for the trusted CA. + If omitted, 'ca.crt' is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + endPort: + description: EndPort can only be an L4 port number. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + port: + description: |- + Port can be an L4 port number, or a name in the form of "http" + or "http-8080". + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: |- + Protocol is the L4 protocol. If omitted or empty, any protocol + matches. Accepted values: "TCP", "UDP", "SCTP", "ANY" + + Matching on ICMP is not supported. 
+ + Named port specified for a container may narrow this down, but may not + contradict this. + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + maxItems: 40 + type: array + rules: + description: |- + Rules is a list of additional port level rules which must be met in + order for the PortRule to allow the traffic. If omitted or empty, + no layer 7 rules are enforced. + oneOf: + - properties: + http: {} + required: + - http + - properties: + kafka: {} + required: + - kafka + - properties: + dns: {} + required: + - dns + - properties: + l7proto: {} + required: + - l7proto + properties: + dns: + description: DNS-specific rules. + items: + description: PortRuleDNS is a list of allowed + DNS lookups. + oneOf: + - properties: + matchName: {} + required: + - matchName + - properties: + matchPattern: {} + required: + - matchPattern + properties: + matchName: + description: |- + MatchName matches literal DNS names. A trailing "." is automatically added + when missing. + maxLength: 255 + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: |- + MatchPattern allows using wildcards to match DNS names. All wildcards are + case insensitive. The wildcards are: + - "*" matches 0 or more DNS valid characters, and may occur anywhere in + the pattern. As a special case a "*" as the leftmost character, without a + following "." matches all subdomains as well as the name to the right. + A trailing "." is automatically added when missing. + + Examples: + `*.cilium.io` matches subomains of cilium at that level + www.cilium.io and blog.cilium.io match, cilium.io and google.com do not + `*cilium.io` matches cilium.io and all subdomains ends with "cilium.io" + except those containing "." 
separator, subcilium.io and sub-cilium.io match, + www.cilium.io and blog.cilium.io does not + sub*.cilium.io matches subdomains of cilium where the subdomain component + begins with "sub" + sub.cilium.io and subdomain.cilium.io match, www.cilium.io, + blog.cilium.io, cilium.io and google.com do not + maxLength: 255 + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + http: + description: HTTP specific rules. + items: + description: |- + PortRuleHTTP is a list of HTTP protocol constraints. All fields are + optional, if all fields are empty or missing, the rule does not have any + effect. + + All fields of this type are extended POSIX regex as defined by IEEE Std + 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) + matched against the path of an incoming request. Currently it can contain + characters disallowed from the conventional "path" part of a URL as defined + by RFC 3986. + properties: + headerMatches: + description: |- + HeaderMatches is a list of HTTP headers which must be + present and match against the given values. Mismatch field can be used + to specify what to do when there is no match. + items: + description: |- + HeaderMatch extends the HeaderValue for matching requirement of a + named header field against an immediate string, a secret value, or + a regex. If none of the optional fields is present, then the + header value is not matched, only presence of the header is enough. + properties: + mismatch: + description: |- + Mismatch identifies what to do in case there is no match. The default is + to drop the request. Otherwise the overall rule is still considered as + matching, but the mismatches are logged in the access log. + enum: + - LOG + - ADD + - DELETE + - REPLACE + type: string + name: + description: Name identifies the header. + minLength: 1 + type: string + secret: + description: |- + Secret refers to a secret that contains the value to be matched against. 
+ The secret must only contain one entry. If the referred secret does not + exist, and there is no "Value" specified, the match will fail. + properties: + name: + description: Name is the name of + the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + value: + description: |- + Value matches the exact value of the header. Can be specified either + alone or together with "Secret"; will be used as the header value if the + secret can not be found in the latter case. + type: string + required: + - name + type: object + type: array + headers: + description: |- + Headers is a list of HTTP headers which must be present in the + request. If omitted or empty, requests are allowed regardless of + headers present. + items: + type: string + type: array + host: + description: |- + Host is an extended POSIX regex matched against the host header of a + request. Examples: + + - foo.bar.com will match the host fooXbar.com or foo-bar.com + - foo\.bar\.com will only match the host foo.bar.com + + If omitted or empty, the value of the host header is ignored. + format: idn-hostname + type: string + method: + description: |- + Method is an extended POSIX regex matched against the method of a + request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ... + + If omitted or empty, all methods are allowed. + type: string + path: + description: |- + Path is an extended POSIX regex matched against the path of a + request. Currently it can contain characters disallowed from the + conventional "path" part of a URL as defined by RFC 3986. + + If omitted or empty, all paths are all allowed. + type: string + type: object + type: array + kafka: + description: Kafka-specific rules. + items: + description: |- + PortRule is a list of Kafka protocol constraints. 
All fields are + optional, if all fields are empty or missing, the rule will match all + Kafka messages. + properties: + apiKey: + description: |- + APIKey is a case-insensitive string matched against the key of a + request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al + Reference: https://kafka.apache.org/protocol#protocol_api_keys + + If omitted or empty, and if Role is not specified, then all keys are allowed. + type: string + apiVersion: + description: |- + APIVersion is the version matched against the api version of the + Kafka message. If set, it has to be a string representing a positive + integer. + + If omitted or empty, all versions are allowed. + type: string + clientID: + description: |- + ClientID is the client identifier as provided in the request. + + From Kafka protocol documentation: + This is a user supplied identifier for the client application. The + user can use any identifier they like and it will be used when + logging errors, monitoring aggregates, etc. For example, one might + want to monitor not just the requests per second overall, but the + number coming from each client application (each of which could + reside on multiple servers). This id acts as a logical grouping + across all requests from a particular client. + + If omitted or empty, all client identifiers are allowed. + type: string + role: + description: |- + Role is a case-insensitive string and describes a group of API keys + necessary to perform certain higher-level Kafka operations such as "produce" + or "consume". A Role automatically expands into all APIKeys required + to perform the specified higher-level operation. + + The following values are supported: + - "produce": Allow producing to the topics specified in the rule + - "consume": Allow consuming from the topics specified in the rule + + This field is incompatible with the APIKey field, i.e APIKey and Role + cannot both be specified in the same rule. 
+ + If omitted or empty, and if APIKey is not specified, then all keys are + allowed. + enum: + - produce + - consume + type: string + topic: + description: |- + Topic is the topic name contained in the message. If a Kafka request + contains multiple topics, then all topics must be allowed or the + message will be rejected. + + This constraint is ignored if the matched request message type + doesn't contain any topic. Maximum size of Topic can be 249 + characters as per recent Kafka spec and allowed characters are + a-z, A-Z, 0-9, -, . and _. + + Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 + version the length was changed from 255 to 249. For compatibility + reasons we are using 255. + + If omitted or empty, all topics are allowed. + maxLength: 255 + type: string + type: object + type: array + l7: + description: Key-value pair rules. + items: + additionalProperties: + type: string + description: |- + PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as + protocol constraints. All fields are optional, if all fields are empty or + missing, the rule does not have any effect. + type: object + type: array + l7proto: + description: Name of the L7 protocol for which the + Key-value pair rules apply. + type: string + type: object + serverNames: + description: |- + ServerNames is a list of allowed TLS SNI values. If not empty, then + TLS must be present and one of the provided SNIs must be indicated in the + TLS handshake. + items: + type: string + type: array + terminatingTLS: + description: |- + TerminatingTLS is the TLS context for the connection terminated by + the L7 proxy. For egress policy this specifies the server-side TLS + parameters to be applied on the connections originated from the local + endpoint and terminated by the L7 proxy. For ingress policy this specifies + the server-side TLS parameters to be applied on the connections + originated from a remote source and terminated by the L7 proxy. 
+ properties: + certificate: + description: |- + Certificate is the file name or k8s secret item name for the certificate + chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the + item must exist. + type: string + privateKey: + description: |- + PrivateKey is the file name or k8s secret item name for the private key + matching the certificate chain. If omitted, 'tls.key' is assumed, if it + exists. If given, the item must exist. + type: string + secret: + description: |- + Secret is the secret that contains the certificates and private key for + the TLS context. + By default, Cilium will search in this secret for the following items: + - 'ca.crt' - Which represents the trusted CA to verify remote source. + - 'tls.crt' - Which represents the public key certificate. + - 'tls.key' - Which represents the private key matching the public key + certificate. + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: |- + TrustedCA is the file name or k8s secret item name for the trusted CA. + If omitted, 'ca.crt' is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + type: object + type: array + toRequires: + description: |- + ToRequires is a list of additional constraints which must be met + in order for the selected endpoints to be able to connect to other + endpoints. These additional constraints do no by itself grant access + privileges and must always be accompanied with at least one matching + ToEndpoints. + + Example: + Any Endpoint with the label "team=A" requires any endpoint to which it + communicates to also carry the label "team=A". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. 
+ properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toServices: + description: |- + ToServices is a list of services to which the endpoint subject + to the rule is allowed to initiate connections. + Currently Cilium only supports toServices for K8s services. + items: + description: |- + Service selects policy targets that are bundled as part of a + logical load-balanced service. 
+ + Currently only Kubernetes-based Services are supported. + properties: + k8sService: + description: K8sService selects service by name and + namespace pair + properties: + namespace: + type: string + serviceName: + type: string + type: object + k8sServiceSelector: + description: K8sServiceSelector selects services by + k8s labels and namespace + properties: + namespace: + type: string + selector: + description: ServiceSelector is a label selector + for k8s services + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". 
The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - selector + type: object + type: object + type: array + type: object + type: array + egressDeny: + description: |- + EgressDeny is a list of EgressDenyRule which are enforced at egress. + Any rule inserted here will be denied regardless of the allowed egress + rules in the 'egress' field. + If omitted or empty, this rule does not apply at egress. + items: + description: |- + EgressDenyRule contains all rule types which can be applied at egress, i.e. + network traffic that originates inside the endpoint and exits the endpoint + selected by the endpointSelector. + + - All members of this structure are optional. If omitted or empty, the + member will have no effect on the rule. + + - If multiple members of the structure are specified, then all members + must match in order for the rule to take effect. The exception to this + rule is the ToRequires member; the effects of any Requires field in any + rule will apply to all other rules as well. + + - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are + mutually exclusive. Only one of these members may be present within an + individual rule. + properties: + icmps: + description: |- + ICMPs is a list of ICMP rule identified by type number + which the endpoint subject to the rule is not allowed to connect to. + + Example: + Any endpoint with the label "app=httpd" is not allowed to initiate + type 8 ICMP connections. + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: |- + Family is a IP address version. + Currently, we support `IPv4` and `IPv6`. + `IPv4` is set as default. 
+ enum: + - IPv4 + - IPv6 + type: string + type: + anyOf: + - type: integer + - type: string + description: "Type is a ICMP-type.\nIt should + be an 8bit code (0-255), or it's CamelCase name + (for example, \"EchoReply\").\nAllowed ICMP + types are:\n Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + |\n\t\t\t Timestamp | TimestampReply | Photuris + | ExtendedEcho Request | ExtendedEcho Reply\n + \ Ipv6: DestinationUnreachable | PacketTooBig + | TimeExceeded | ParameterProblem |\n\t\t\t + EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport |\n\t\t\t MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | + NeighborSolicitation |\n\t\t\t NeighborAdvertisement + | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery + |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation + | InverseNeighborDiscoveryAdvertisement |\n\t\t\t + HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply" + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true + required: + - type + type: object + maxItems: 40 + type: array + type: object + type: array + toCIDR: + description: |- + ToCIDR is a list of IP blocks which the endpoint subject to the rule + is allowed to initiate connections. Only connections destined for + outside of the cluster and not targeting the host will be subject + to CIDR rules. This will match on the destination IP address of + outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet + with no ExcludeCIDRs is equivalent. Overlaps are allowed between + ToCIDR and ToCIDRSet. + + Example: + Any endpoint with the label "app=database-proxy" is allowed to + initiate connections to 10.2.3.0/24 + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + toCIDRSet: + description: |- + ToCIDRSet is a list of IP blocks which the endpoint subject to the rule + is allowed to initiate connections to in addition to connections + which are allowed via ToEndpoints, along with a list of subnets contained + within their corresponding IP block to which traffic should not be + allowed. This will match on the destination IP address of outgoing + connections. Adding a prefix into ToCIDR or into ToCIDRSet with no + ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and + ToCIDRSet. 
+ + Example: + Any endpoint with the label "app=database-proxy" is allowed to + initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28. + items: + description: |- + CIDRRule is a rule that specifies a CIDR prefix to/from which outside + communication is allowed, along with an optional list of subnets within that + CIDR prefix to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + - properties: + cidrGroupSelector: {} + required: + - cidrGroupSelector + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + format: cidr + type: string + cidrGroupRef: + description: |- + CIDRGroupRef is a reference to a CiliumCIDRGroup object. + A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to + the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive + connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + cidrGroupSelector: + description: |- + CIDRGroupSelector selects CiliumCIDRGroups by their labels, + rather than by name. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + except: + description: |- + ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule + is not allowed to initiate connections to. These CIDR prefixes should be + contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not + supported yet. + These exceptions are only applied to the Cidr in this CIDRRule, and do not + apply to any other CIDR prefixes in any other CIDRRules. + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + type: object + type: array + toEndpoints: + description: |- + ToEndpoints is a list of endpoints identified by an EndpointSelector to + which the endpoints subject to the rule are allowed to communicate. + + Example: + Any endpoint with the label "role=frontend" can communicate with any + endpoint carrying the label "role=backend". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. 
+ items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toEntities: + description: |- + ToEntities is a list of special entities to which the endpoint subject + to the rule is allowed to initiate connections. Supported entities are + `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`, + `health`,`unmanaged` and `all`. + items: + description: |- + Entity specifies the class of receiver/sender endpoints that do not have + individual identities. Entities are used to describe "outside of cluster", + "host", etc. 
+ enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + toGroups: + description: |- + ToGroups is a directive that allows the integration with multiple outside + providers. Currently, only AWS is supported, and the rule can select by + multiple sub directives: + + Example: + toGroups: + - aws: + securityGroupsIds: + - 'sg-XXXXXXXXXXXXX' + items: + description: |- + Groups structure to store all kinds of new integrations that needs a new + derivative policy. + properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + toNodes: + description: |- + ToNodes is a list of nodes identified by an + EndpointSelector to which endpoints subject to the rule is allowed to communicate. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. 
If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toPorts: + description: |- + ToPorts is a list of destination ports identified by port number and + protocol which the endpoint subject to the rule is not allowed to connect + to. + + Example: + Any endpoint with the label "role=frontend" is not allowed to initiate + connections to destination port 8080/tcp + items: + description: |- + PortDenyRule is a list of ports/protocol that should be used for deny + policies. This structure lacks the L7Rules since it's not supported in deny + policies. + properties: + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + endPort: + description: EndPort can only be an L4 port number. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + port: + description: |- + Port can be an L4 port number, or a name in the form of "http" + or "http-8080". 
+ pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: |- + Protocol is the L4 protocol. If omitted or empty, any protocol + matches. Accepted values: "TCP", "UDP", "SCTP", "ANY" + + Matching on ICMP is not supported. + + Named port specified for a container may narrow this down, but may not + contradict this. + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + type: array + type: object + type: array + toRequires: + description: |- + ToRequires is a list of additional constraints which must be met + in order for the selected endpoints to be able to connect to other + endpoints. These additional constraints do no by itself grant access + privileges and must always be accompanied with at least one matching + ToEndpoints. + + Example: + Any Endpoint with the label "team=A" requires any endpoint to which it + communicates to also carry the label "team=A". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + toServices: + description: |- + ToServices is a list of services to which the endpoint subject + to the rule is allowed to initiate connections. + Currently Cilium only supports toServices for K8s services. + items: + description: |- + Service selects policy targets that are bundled as part of a + logical load-balanced service. + + Currently only Kubernetes-based Services are supported. + properties: + k8sService: + description: K8sService selects service by name and + namespace pair + properties: + namespace: + type: string + serviceName: + type: string + type: object + k8sServiceSelector: + description: K8sServiceSelector selects services by + k8s labels and namespace + properties: + namespace: + type: string + selector: + description: ServiceSelector is a label selector + for k8s services + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are + ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that + the selector applies to. 
+ type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the + value from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + required: + - selector + type: object + type: object + type: array + type: object + type: array + enableDefaultDeny: + description: |- + EnableDefaultDeny determines whether this policy configures the + subject endpoint(s) to have a default deny mode. If enabled, + this causes all traffic not explicitly allowed by a network policy + to be dropped. + + If not specified, the default is true for each traffic direction + that has rules, and false otherwise. For example, if a policy + only has Ingress or IngressDeny rules, then the default for + ingress is true and egress is false. + + If multiple policies apply to an endpoint, that endpoint's default deny + will be enabled if any policy requests it. 
+ + This is useful for creating broad-based network policies that will not + cause endpoints to enter default-deny mode. + properties: + egress: + description: |- + Whether or not the endpoint should have a default-deny rule applied + to egress traffic. + type: boolean + ingress: + description: |- + Whether or not the endpoint should have a default-deny rule applied + to ingress traffic. + type: boolean + type: object + endpointSelector: + description: |- + EndpointSelector selects all endpoints which should be subject to + this rule. EndpointSelector and NodeSelector cannot be both empty and + are mutually exclusive. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from the + MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + ingress: + description: |- + Ingress is a list of IngressRule which are enforced at ingress. + If omitted or empty, this rule does not apply at ingress. + items: + description: |- + IngressRule contains all rule types which can be applied at ingress, + i.e. network traffic that originates outside of the endpoint and + is entering the endpoint selected by the endpointSelector. + + - All members of this structure are optional. If omitted or empty, the + member will have no effect on the rule. + + - If multiple members are set, all of them need to match in order for + the rule to take effect. The exception to this rule is FromRequires field; + the effects of any Requires field in any rule will apply to all other + rules as well. + + - FromEndpoints, FromCIDR, FromCIDRSet and FromEntities are mutually + exclusive. Only one of these members may be present within an individual + rule. + properties: + authentication: + description: Authentication is the required authentication + type for the allowed traffic, if any. + properties: + mode: + description: Mode is the required authentication mode + for the allowed traffic, if any. + enum: + - disabled + - required + - test-always-fail + type: string + required: + - mode + type: object + fromCIDR: + description: |- + FromCIDR is a list of IP blocks which the endpoint subject to the + rule is allowed to receive connections from. Only connections which + do *not* originate from the cluster or from the local host are subject + to CIDR rules. In order to allow in-cluster connectivity, use the + FromEndpoints field. This will match on the source IP address of + incoming connections. 
Adding a prefix into FromCIDR or into + FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are + allowed between FromCIDR and FromCIDRSet. + + Example: + Any endpoint with the label "app=my-legacy-pet" is allowed to receive + connections from 10.3.9.1 + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + fromCIDRSet: + description: |- + FromCIDRSet is a list of IP blocks which the endpoint subject to the + rule is allowed to receive connections from in addition to FromEndpoints, + along with a list of subnets contained within their corresponding IP block + from which traffic should not be allowed. + This will match on the source IP address of incoming connections. Adding + a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is + equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. + + Example: + Any endpoint with the label "app=my-legacy-pet" is allowed to receive + connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12. + items: + description: |- + CIDRRule is a rule that specifies a CIDR prefix to/from which outside + communication is allowed, along with an optional list of subnets within that + CIDR prefix to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + - properties: + cidrGroupSelector: {} + required: + - cidrGroupSelector + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + format: cidr + type: string + cidrGroupRef: + description: |- + CIDRGroupRef is a reference to a CiliumCIDRGroup object. + A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to + the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive + connections from. 
+ maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + cidrGroupSelector: + description: |- + CIDRGroupSelector selects CiliumCIDRGroups by their labels, + rather than by name. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + except: + description: |- + ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule + is not allowed to initiate connections to. 
These CIDR prefixes should be + contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not + supported yet. + These exceptions are only applied to the Cidr in this CIDRRule, and do not + apply to any other CIDR prefixes in any other CIDRRules. + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + type: object + type: array + fromEndpoints: + description: |- + FromEndpoints is a list of endpoints identified by an + EndpointSelector which are allowed to communicate with the endpoint + subject to the rule. + + Example: + Any endpoint with the label "role=backend" can be consumed by any + endpoint carrying the label "role=frontend". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. 
+ maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + fromEntities: + description: |- + FromEntities is a list of special entities which the endpoint subject + to the rule is allowed to receive connections from. Supported entities are + `world`, `cluster` and `host` + items: + description: |- + Entity specifies the class of receiver/sender endpoints that do not have + individual identities. Entities are used to describe "outside of cluster", + "host", etc. + enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + fromGroups: + description: |- + FromGroups is a directive that allows the integration with multiple outside + providers. Currently, only AWS is supported, and the rule can select by + multiple sub directives: + + Example: + FromGroups: + - aws: + securityGroupsIds: + - 'sg-XXXXXXXXXXXXX' + items: + description: |- + Groups structure to store all kinds of new integrations that needs a new + derivative policy. 
+ properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + fromNodes: + description: |- + FromNodes is a list of nodes identified by an + EndpointSelector which are allowed to communicate with the endpoint + subject to the rule. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + fromRequires: + description: |- + FromRequires is a list of additional constraints which must be met + in order for the selected endpoints to be reachable. These + additional constraints do no by itself grant access privileges and + must always be accompanied with at least one matching FromEndpoints. + + Example: + Any Endpoint with the label "team=A" requires consuming endpoint + to also carry the label "team=A". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. 
+ maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + icmps: + description: |- + ICMPs is a list of ICMP rule identified by type number + which the endpoint subject to the rule is allowed to + receive connections on. + + Example: + Any endpoint with the label "app=httpd" can only accept incoming + type 8 ICMP connections. + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: |- + Family is a IP address version. + Currently, we support `IPv4` and `IPv6`. + `IPv4` is set as default. 
+ enum: + - IPv4 + - IPv6 + type: string + type: + anyOf: + - type: integer + - type: string + description: "Type is a ICMP-type.\nIt should + be an 8bit code (0-255), or it's CamelCase name + (for example, \"EchoReply\").\nAllowed ICMP + types are:\n Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + |\n\t\t\t Timestamp | TimestampReply | Photuris + | ExtendedEcho Request | ExtendedEcho Reply\n + \ Ipv6: DestinationUnreachable | PacketTooBig + | TimeExceeded | ParameterProblem |\n\t\t\t + EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport |\n\t\t\t MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | + NeighborSolicitation |\n\t\t\t NeighborAdvertisement + | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery + |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation + | InverseNeighborDiscoveryAdvertisement |\n\t\t\t + HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply" + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true + required: + - type + type: object + maxItems: 40 + type: array + type: object + type: array + toPorts: + description: |- + ToPorts is a list of destination ports identified by port number and + protocol which the endpoint subject to the rule is allowed to + receive connections on. + + Example: + Any endpoint with the label "app=httpd" can only accept incoming + connections on port 80/tcp. + items: + description: |- + PortRule is a list of ports/protocol combinations with optional Layer 7 + rules which must be met. + properties: + listener: + description: |- + listener specifies the name of a custom Envoy listener to which this traffic should be + redirected to. + properties: + envoyConfig: + description: |- + EnvoyConfig is a reference to the CEC or CCEC resource in which + the listener is defined. + properties: + kind: + description: |- + Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or + CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, + respectively. The only case this is currently explicitly needed is when referring to a + CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener + from a cluster scoped policy is not allowed. 
+ enum: + - CiliumEnvoyConfig + - CiliumClusterwideEnvoyConfig + type: string + name: + description: |- + Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where + the listener is defined in. + minLength: 1 + type: string + required: + - name + type: object + name: + description: Name is the name of the listener. + minLength: 1 + type: string + priority: + description: |- + Priority for this Listener that is used when multiple rules would apply different + listeners to a policy map entry. Behavior of this is implementation dependent. + maximum: 100 + minimum: 1 + type: integer + required: + - envoyConfig + - name + type: object + originatingTLS: + description: |- + OriginatingTLS is the TLS context for the connections originated by + the L7 proxy. For egress policy this specifies the client-side TLS + parameters for the upstream connection originating from the L7 proxy + to the remote destination. For ingress policy this specifies the + client-side TLS parameters for the connection from the L7 proxy to + the local endpoint. + properties: + certificate: + description: |- + Certificate is the file name or k8s secret item name for the certificate + chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the + item must exist. + type: string + privateKey: + description: |- + PrivateKey is the file name or k8s secret item name for the private key + matching the certificate chain. If omitted, 'tls.key' is assumed, if it + exists. If given, the item must exist. + type: string + secret: + description: |- + Secret is the secret that contains the certificates and private key for + the TLS context. + By default, Cilium will search in this secret for the following items: + - 'ca.crt' - Which represents the trusted CA to verify remote source. + - 'tls.crt' - Which represents the public key certificate. + - 'tls.key' - Which represents the private key matching the public key + certificate. 
+ properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: |- + TrustedCA is the file name or k8s secret item name for the trusted CA. + If omitted, 'ca.crt' is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + endPort: + description: EndPort can only be an L4 port number. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + port: + description: |- + Port can be an L4 port number, or a name in the form of "http" + or "http-8080". + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: |- + Protocol is the L4 protocol. If omitted or empty, any protocol + matches. Accepted values: "TCP", "UDP", "SCTP", "ANY" + + Matching on ICMP is not supported. + + Named port specified for a container may narrow this down, but may not + contradict this. + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + maxItems: 40 + type: array + rules: + description: |- + Rules is a list of additional port level rules which must be met in + order for the PortRule to allow the traffic. If omitted or empty, + no layer 7 rules are enforced. + oneOf: + - properties: + http: {} + required: + - http + - properties: + kafka: {} + required: + - kafka + - properties: + dns: {} + required: + - dns + - properties: + l7proto: {} + required: + - l7proto + properties: + dns: + description: DNS-specific rules. 
+ items: + description: PortRuleDNS is a list of allowed + DNS lookups. + oneOf: + - properties: + matchName: {} + required: + - matchName + - properties: + matchPattern: {} + required: + - matchPattern + properties: + matchName: + description: |- + MatchName matches literal DNS names. A trailing "." is automatically added + when missing. + maxLength: 255 + pattern: ^([-a-zA-Z0-9_]+[.]?)+$ + type: string + matchPattern: + description: |- + MatchPattern allows using wildcards to match DNS names. All wildcards are + case insensitive. The wildcards are: + - "*" matches 0 or more DNS valid characters, and may occur anywhere in + the pattern. As a special case a "*" as the leftmost character, without a + following "." matches all subdomains as well as the name to the right. + A trailing "." is automatically added when missing. + + Examples: + `*.cilium.io` matches subomains of cilium at that level + www.cilium.io and blog.cilium.io match, cilium.io and google.com do not + `*cilium.io` matches cilium.io and all subdomains ends with "cilium.io" + except those containing "." separator, subcilium.io and sub-cilium.io match, + www.cilium.io and blog.cilium.io does not + sub*.cilium.io matches subdomains of cilium where the subdomain component + begins with "sub" + sub.cilium.io and subdomain.cilium.io match, www.cilium.io, + blog.cilium.io, cilium.io and google.com do not + maxLength: 255 + pattern: ^([-a-zA-Z0-9_*]+[.]?)+$ + type: string + type: object + type: array + http: + description: HTTP specific rules. + items: + description: |- + PortRuleHTTP is a list of HTTP protocol constraints. All fields are + optional, if all fields are empty or missing, the rule does not have any + effect. + + All fields of this type are extended POSIX regex as defined by IEEE Std + 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) + matched against the path of an incoming request. 
Currently it can contain + characters disallowed from the conventional "path" part of a URL as defined + by RFC 3986. + properties: + headerMatches: + description: |- + HeaderMatches is a list of HTTP headers which must be + present and match against the given values. Mismatch field can be used + to specify what to do when there is no match. + items: + description: |- + HeaderMatch extends the HeaderValue for matching requirement of a + named header field against an immediate string, a secret value, or + a regex. If none of the optional fields is present, then the + header value is not matched, only presence of the header is enough. + properties: + mismatch: + description: |- + Mismatch identifies what to do in case there is no match. The default is + to drop the request. Otherwise the overall rule is still considered as + matching, but the mismatches are logged in the access log. + enum: + - LOG + - ADD + - DELETE + - REPLACE + type: string + name: + description: Name identifies the header. + minLength: 1 + type: string + secret: + description: |- + Secret refers to a secret that contains the value to be matched against. + The secret must only contain one entry. If the referred secret does not + exist, and there is no "Value" specified, the match will fail. + properties: + name: + description: Name is the name of + the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + value: + description: |- + Value matches the exact value of the header. Can be specified either + alone or together with "Secret"; will be used as the header value if the + secret can not be found in the latter case. + type: string + required: + - name + type: object + type: array + headers: + description: |- + Headers is a list of HTTP headers which must be present in the + request. 
If omitted or empty, requests are allowed regardless of + headers present. + items: + type: string + type: array + host: + description: |- + Host is an extended POSIX regex matched against the host header of a + request. Examples: + + - foo.bar.com will match the host fooXbar.com or foo-bar.com + - foo\.bar\.com will only match the host foo.bar.com + + If omitted or empty, the value of the host header is ignored. + format: idn-hostname + type: string + method: + description: |- + Method is an extended POSIX regex matched against the method of a + request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ... + + If omitted or empty, all methods are allowed. + type: string + path: + description: |- + Path is an extended POSIX regex matched against the path of a + request. Currently it can contain characters disallowed from the + conventional "path" part of a URL as defined by RFC 3986. + + If omitted or empty, all paths are all allowed. + type: string + type: object + type: array + kafka: + description: Kafka-specific rules. + items: + description: |- + PortRule is a list of Kafka protocol constraints. All fields are + optional, if all fields are empty or missing, the rule will match all + Kafka messages. + properties: + apiKey: + description: |- + APIKey is a case-insensitive string matched against the key of a + request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al + Reference: https://kafka.apache.org/protocol#protocol_api_keys + + If omitted or empty, and if Role is not specified, then all keys are allowed. + type: string + apiVersion: + description: |- + APIVersion is the version matched against the api version of the + Kafka message. If set, it has to be a string representing a positive + integer. + + If omitted or empty, all versions are allowed. + type: string + clientID: + description: |- + ClientID is the client identifier as provided in the request. 
+ + From Kafka protocol documentation: + This is a user supplied identifier for the client application. The + user can use any identifier they like and it will be used when + logging errors, monitoring aggregates, etc. For example, one might + want to monitor not just the requests per second overall, but the + number coming from each client application (each of which could + reside on multiple servers). This id acts as a logical grouping + across all requests from a particular client. + + If omitted or empty, all client identifiers are allowed. + type: string + role: + description: |- + Role is a case-insensitive string and describes a group of API keys + necessary to perform certain higher-level Kafka operations such as "produce" + or "consume". A Role automatically expands into all APIKeys required + to perform the specified higher-level operation. + + The following values are supported: + - "produce": Allow producing to the topics specified in the rule + - "consume": Allow consuming from the topics specified in the rule + + This field is incompatible with the APIKey field, i.e APIKey and Role + cannot both be specified in the same rule. + + If omitted or empty, and if APIKey is not specified, then all keys are + allowed. + enum: + - produce + - consume + type: string + topic: + description: |- + Topic is the topic name contained in the message. If a Kafka request + contains multiple topics, then all topics must be allowed or the + message will be rejected. + + This constraint is ignored if the matched request message type + doesn't contain any topic. Maximum size of Topic can be 249 + characters as per recent Kafka spec and allowed characters are + a-z, A-Z, 0-9, -, . and _. + + Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 + version the length was changed from 255 to 249. For compatibility + reasons we are using 255. + + If omitted or empty, all topics are allowed. 
+ maxLength: 255 + type: string + type: object + type: array + l7: + description: Key-value pair rules. + items: + additionalProperties: + type: string + description: |- + PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as + protocol constraints. All fields are optional, if all fields are empty or + missing, the rule does not have any effect. + type: object + type: array + l7proto: + description: Name of the L7 protocol for which the + Key-value pair rules apply. + type: string + type: object + serverNames: + description: |- + ServerNames is a list of allowed TLS SNI values. If not empty, then + TLS must be present and one of the provided SNIs must be indicated in the + TLS handshake. + items: + type: string + type: array + terminatingTLS: + description: |- + TerminatingTLS is the TLS context for the connection terminated by + the L7 proxy. For egress policy this specifies the server-side TLS + parameters to be applied on the connections originated from the local + endpoint and terminated by the L7 proxy. For ingress policy this specifies + the server-side TLS parameters to be applied on the connections + originated from a remote source and terminated by the L7 proxy. + properties: + certificate: + description: |- + Certificate is the file name or k8s secret item name for the certificate + chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the + item must exist. + type: string + privateKey: + description: |- + PrivateKey is the file name or k8s secret item name for the private key + matching the certificate chain. If omitted, 'tls.key' is assumed, if it + exists. If given, the item must exist. + type: string + secret: + description: |- + Secret is the secret that contains the certificates and private key for + the TLS context. + By default, Cilium will search in this secret for the following items: + - 'ca.crt' - Which represents the trusted CA to verify remote source. + - 'tls.crt' - Which represents the public key certificate. 
+ - 'tls.key' - Which represents the private key matching the public key + certificate. + properties: + name: + description: Name is the name of the secret. + type: string + namespace: + description: |- + Namespace is the namespace in which the secret exists. Context of use + determines the default value if left out (e.g., "default"). + type: string + required: + - name + type: object + trustedCA: + description: |- + TrustedCA is the file name or k8s secret item name for the trusted CA. + If omitted, 'ca.crt' is assumed, if it exists. If given, the item must + exist. + type: string + required: + - secret + type: object + type: object + type: array + type: object + type: array + ingressDeny: + description: |- + IngressDeny is a list of IngressDenyRule which are enforced at ingress. + Any rule inserted here will be denied regardless of the allowed ingress + rules in the 'ingress' field. + If omitted or empty, this rule does not apply at ingress. + items: + description: |- + IngressDenyRule contains all rule types which can be applied at ingress, + i.e. network traffic that originates outside of the endpoint and + is entering the endpoint selected by the endpointSelector. + + - All members of this structure are optional. If omitted or empty, the + member will have no effect on the rule. + + - If multiple members are set, all of them need to match in order for + the rule to take effect. The exception to this rule is FromRequires field; + the effects of any Requires field in any rule will apply to all other + rules as well. + + - FromEndpoints, FromCIDR, FromCIDRSet, FromGroups and FromEntities are mutually + exclusive. Only one of these members may be present within an individual + rule. + properties: + fromCIDR: + description: |- + FromCIDR is a list of IP blocks which the endpoint subject to the + rule is allowed to receive connections from. Only connections which + do *not* originate from the cluster or from the local host are subject + to CIDR rules. 
In order to allow in-cluster connectivity, use the + FromEndpoints field. This will match on the source IP address of + incoming connections. Adding a prefix into FromCIDR or into + FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are + allowed between FromCIDR and FromCIDRSet. + + Example: + Any endpoint with the label "app=my-legacy-pet" is allowed to receive + connections from 10.3.9.1 + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + fromCIDRSet: + description: |- + FromCIDRSet is a list of IP blocks which the endpoint subject to the + rule is allowed to receive connections from in addition to FromEndpoints, + along with a list of subnets contained within their corresponding IP block + from which traffic should not be allowed. + This will match on the source IP address of incoming connections. Adding + a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is + equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. + + Example: + Any endpoint with the label "app=my-legacy-pet" is allowed to receive + connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12. + items: + description: |- + CIDRRule is a rule that specifies a CIDR prefix to/from which outside + communication is allowed, along with an optional list of subnets within that + CIDR prefix to/from which outside communication is not allowed. + oneOf: + - properties: + cidr: {} + required: + - cidr + - properties: + cidrGroupRef: {} + required: + - cidrGroupRef + - properties: + cidrGroupSelector: {} + required: + - cidrGroupSelector + properties: + cidr: + description: CIDR is a CIDR prefix / IP Block. + format: cidr + type: string + cidrGroupRef: + description: |- + CIDRGroupRef is a reference to a CiliumCIDRGroup object. 
+ A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to + the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive + connections from. + maxLength: 253 + pattern: ^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$ + type: string + cidrGroupSelector: + description: |- + CIDRGroupSelector selects CiliumCIDRGroups by their labels, + rather than by name. + properties: + matchExpressions: + description: matchExpressions is a list of label + selector requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the + selector applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. 
+ type: object + type: object + x-kubernetes-map-type: atomic + except: + description: |- + ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule + is not allowed to initiate connections to. These CIDR prefixes should be + contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not + supported yet. + These exceptions are only applied to the Cidr in this CIDRRule, and do not + apply to any other CIDR prefixes in any other CIDRRules. + items: + description: |- + CIDR specifies a block of IP addresses. + Example: 192.0.2.1/32 + format: cidr + type: string + type: array + type: object + type: array + fromEndpoints: + description: |- + FromEndpoints is a list of endpoints identified by an + EndpointSelector which are allowed to communicate with the endpoint + subject to the rule. + + Example: + Any endpoint with the label "role=backend" can be consumed by any + endpoint carrying the label "role=frontend". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + fromEntities: + description: |- + FromEntities is a list of special entities which the endpoint subject + to the rule is allowed to receive connections from. Supported entities are + `world`, `cluster` and `host` + items: + description: |- + Entity specifies the class of receiver/sender endpoints that do not have + individual identities. Entities are used to describe "outside of cluster", + "host", etc. + enum: + - all + - world + - cluster + - host + - init + - ingress + - unmanaged + - remote-node + - health + - none + - kube-apiserver + type: string + type: array + fromGroups: + description: |- + FromGroups is a directive that allows the integration with multiple outside + providers. Currently, only AWS is supported, and the rule can select by + multiple sub directives: + + Example: + FromGroups: + - aws: + securityGroupsIds: + - 'sg-XXXXXXXXXXXXX' + items: + description: |- + Groups structure to store all kinds of new integrations that needs a new + derivative policy. 
+ properties: + aws: + description: AWSGroup is an structure that can be used + to whitelisting information from AWS integration + properties: + labels: + additionalProperties: + type: string + type: object + region: + type: string + securityGroupsIds: + items: + type: string + type: array + securityGroupsNames: + items: + type: string + type: array + type: object + type: object + type: array + fromNodes: + description: |- + FromNodes is a list of nodes identified by an + EndpointSelector which are allowed to communicate with the endpoint + subject to the rule. + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + fromRequires: + description: |- + FromRequires is a list of additional constraints which must be met + in order for the selected endpoints to be reachable. These + additional constraints do no by itself grant access privileges and + must always be accompanied with at least one matching FromEndpoints. + + Example: + Any Endpoint with the label "team=A" requires consuming endpoint + to also carry the label "team=A". + items: + description: EndpointSelector is a wrapper for k8s LabelSelector. + properties: + matchExpressions: + description: matchExpressions is a list of label selector + requirements. The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector + applies to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. + items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value + from the MatchLabels {key,value} pair. 
+ maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: array + icmps: + description: |- + ICMPs is a list of ICMP rule identified by type number + which the endpoint subject to the rule is not allowed to + receive connections on. + + Example: + Any endpoint with the label "app=httpd" can not accept incoming + type 8 ICMP connections. + items: + description: ICMPRule is a list of ICMP fields. + properties: + fields: + description: Fields is a list of ICMP fields. + items: + description: ICMPField is a ICMP field. + properties: + family: + default: IPv4 + description: |- + Family is a IP address version. + Currently, we support `IPv4` and `IPv6`. + `IPv4` is set as default. 
+ enum: + - IPv4 + - IPv6 + type: string + type: + anyOf: + - type: integer + - type: string + description: "Type is a ICMP-type.\nIt should + be an 8bit code (0-255), or it's CamelCase name + (for example, \"EchoReply\").\nAllowed ICMP + types are:\n Ipv4: EchoReply | DestinationUnreachable + | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement + | RouterSelection | TimeExceeded | ParameterProblem + |\n\t\t\t Timestamp | TimestampReply | Photuris + | ExtendedEcho Request | ExtendedEcho Reply\n + \ Ipv6: DestinationUnreachable | PacketTooBig + | TimeExceeded | ParameterProblem |\n\t\t\t + EchoRequest | EchoReply | MulticastListenerQuery| + MulticastListenerReport |\n\t\t\t MulticastListenerDone + | RouterSolicitation | RouterAdvertisement | + NeighborSolicitation |\n\t\t\t NeighborAdvertisement + | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery + |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation + | InverseNeighborDiscoveryAdvertisement |\n\t\t\t + HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply + | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement + | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix + |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply" + pattern: ^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho + 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$ + x-kubernetes-int-or-string: true + required: + - type + type: object + maxItems: 40 + type: array + type: object + type: array + toPorts: + description: |- + ToPorts is a list of destination ports identified by port number and + protocol which the endpoint subject to the rule is not allowed to + receive connections on. + + Example: + Any endpoint with the label "app=httpd" can not accept incoming + connections on port 80/tcp. + items: + description: |- + PortDenyRule is a list of ports/protocol that should be used for deny + policies. This structure lacks the L7Rules since it's not supported in deny + policies. + properties: + ports: + description: Ports is a list of L4 port/protocol + items: + description: PortProtocol specifies an L4 port with + an optional transport protocol + properties: + endPort: + description: EndPort can only be an L4 port number. + format: int32 + maximum: 65535 + minimum: 0 + type: integer + port: + description: |- + Port can be an L4 port number, or a name in the form of "http" + or "http-8080". + pattern: ^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$ + type: string + protocol: + description: |- + Protocol is the L4 protocol. If omitted or empty, any protocol + matches. Accepted values: "TCP", "UDP", "SCTP", "ANY" + + Matching on ICMP is not supported. 
+ + Named port specified for a container may narrow this down, but may not + contradict this. + enum: + - TCP + - UDP + - SCTP + - ANY + type: string + required: + - port + type: object + type: array + type: object + type: array + type: object + type: array + labels: + description: |- + Labels is a list of optional strings which can be used to + re-identify the rule or to store metadata. It is possible to lookup + or delete strings based on labels. Labels are not required to be + unique, multiple rules can have overlapping or identical labels. + items: + description: Label is the Cilium's representation of a container + label. + properties: + key: + type: string + source: + description: 'Source can be one of the above values (e.g.: + LabelSourceContainer).' + type: string + value: + type: string + required: + - key + type: object + type: array + nodeSelector: + description: |- + NodeSelector selects all nodes which should be subject to this rule. + EndpointSelector and NodeSelector cannot be both empty and are mutually + exclusive. Can only be used in CiliumClusterwideNetworkPolicies. + properties: + matchExpressions: + description: matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + enum: + - In + - NotIn + - Exists + - DoesNotExist + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + description: MatchLabelsValue represents the value from the + MatchLabels {key,value} pair. + maxLength: 63 + pattern: ^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$ + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + type: object + type: array + status: + description: |- + Status is the status of the Cilium policy rule. + + The reason this field exists in this structure is due a bug in the k8s + code-generator that doesn't create a `UpdateStatus` method because the + field does not exist in the structure. + properties: + conditions: + items: + properties: + lastTransitionTime: + description: The last time the condition transitioned from one + status to another. + format: date-time + type: string + message: + description: A human readable message indicating details about + the transition. + type: string + reason: + description: The reason for the condition's last transition. + type: string + status: + description: The status of the condition, one of True, False, + or Unknown + type: string + type: + description: The type of the policy condition + type: string + required: + - status + - type + type: object + type: array + x-kubernetes-list-map-keys: + - type + x-kubernetes-list-type: map + derivativePolicies: + additionalProperties: + description: |- + CiliumNetworkPolicyNodeStatus is the status of a Cilium policy rule for a + specific node. 
+ properties: + annotations: + additionalProperties: + type: string + description: |- + Annotations corresponds to the Annotations in the ObjectMeta of the CNP + that have been realized on the node for CNP. That is, if a CNP has been + imported and has been assigned annotation X=Y by the user, + Annotations in CiliumNetworkPolicyNodeStatus will be X=Y once the + CNP that was imported corresponding to Annotation X=Y has been realized on + the node. + type: object + enforcing: + description: |- + Enforcing is set to true once all endpoints present at the time the + policy has been imported are enforcing this policy. + type: boolean + error: + description: |- + Error describes any error that occurred when parsing or importing the + policy, or realizing the policy for the endpoints to which it applies + on the node. + type: string + lastUpdated: + description: LastUpdated contains the last time this status + was updated + format: date-time + type: string + localPolicyRevision: + description: |- + Revision is the policy revision of the repository which first implemented + this policy. + format: int64 + type: integer + ok: + description: |- + OK is true when the policy has been parsed and imported successfully + into the in-memory policy repository on the node. + type: boolean + type: object + description: |- + DerivativePolicies is the status of all policies derived from the Cilium + policy + type: object + type: object + required: + - metadata + type: object + served: true + storage: true + subresources: + status: {} diff --git a/test/integration/manifests/cilium/v1.18/ebpf/overlay/cilium.yaml b/test/integration/manifests/cilium/v1.18/ebpf/overlay/cilium.yaml new file mode 100644 index 0000000000..fde0f2bdf6 --- /dev/null +++ b/test/integration/manifests/cilium/v1.18/ebpf/overlay/cilium.yaml 
@@ -0,0 +1,538 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/actually-managed-by: Eno + app.kubernetes.io/managed-by: Helm + k8s-app: cilium + kubernetes.azure.com/managedby: aks + name: cilium + namespace: kube-system +spec: + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: cilium + template: + metadata: + annotations: + prometheus.io/port: "9962" + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/managed-by: Eno + k8s-app: cilium + kubernetes.azure.com/ebpf-dataplane: cilium + kubernetes.azure.com/managedby: aks + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.azure.com/cluster + operator: Exists + - key: type + operator: NotIn + values: + - virtual-kubelet + - key: kubernetes.io/os + operator: In + values: + - linux + automountServiceAccountToken: true + containers: + - args: + - --config-dir=/tmp/cilium/config-map + command: + - cilium-agent + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CILIUM_CLUSTERMESH_CONFIG + value: /var/lib/cilium/clustermesh/ + - name: KUBE_CLIENT_BACKOFF_BASE + value: "1" + - name: KUBE_CLIENT_BACKOFF_DURATION + value: "120" + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 10 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + - name: require-k8s-connectivity + value: "false" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + name: cilium-agent + ports: + - containerPort: 9962 + hostPort: 9962 + name: prometheus + protocol: TCP + 
readinessProbe: + failureThreshold: 3 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - CHOWN + - KILL + - NET_ADMIN + - NET_RAW + - IPC_LOCK + - SYS_MODULE + - SYS_ADMIN + - SYS_RESOURCE + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + startupProbe: + failureThreshold: 105 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /host/proc/sys/net + name: host-proc-sys-net + - mountPath: /host/proc/sys/kernel + name: host-proc-sys-kernel + - mountPath: /sys/fs/bpf + mountPropagation: HostToContainer + name: bpf-maps + - mountPath: /var/run/cilium + name: cilium-run + - mountPath: /host/etc/cni/net.d + name: etc-cni-netd + - mountPath: /var/lib/cilium/clustermesh + name: clustermesh-secrets + readOnly: true + - mountPath: /tmp/cilium/config-map + name: cilium-config-path + readOnly: true + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns + - mountPath: /flowlog-config + name: hubble-flowlog-config + readOnly: true + - mountPath: /var/log/acns/hubble + name: networkflowlogs + - mountPath: /etc/config + name: azure-ip-masq-dir + readOnly: true + - command: + - /azure-iptables-monitor + - -v + - "3" + - -events=true + - -checkMap=true + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + image: 
$AZURE_IPTABLES_MONITOR_IMAGE_REGISTRY/azure-iptables-monitor:$AZURE_IPTABLES_MONITOR_TAG + imagePullPolicy: IfNotPresent + name: azure-iptables-monitor + resources: {} + securityContext: + capabilities: + add: + - NET_ADMIN + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/config + name: iptables-config + - mountPath: /azure-block-iptables-bpf-map + name: iptables-block-bpf-map + readOnly: true + - command: + - ./azure-ip-masq-merger + - -v + - "2" + image: $AZURE_IP_MASQ_MERGER_IMAGE_REGISTRY/azure-ip-masq-merger:$AZURE_IP_MASQ_MERGER_TAG + imagePullPolicy: IfNotPresent + name: azure-ip-masq-merger + resources: {} + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/config/ + name: azure-ip-masq-agent-config-volume + - mountPath: /etc/merged-config/ + name: azure-ip-masq-dir + dnsPolicy: ClusterFirst + hostNetwork: true + initContainers: + - command: + - /azure-block-iptables + - -mode=attach + - -overwrite=true + image: $AZURE_IPTABLES_MONITOR_IMAGE_REGISTRY/azure-iptables-monitor:$AZURE_IPTABLES_MONITOR_TAG + imagePullPolicy: IfNotPresent + name: iptables-blocker-init + resources: {} + securityContext: + privileged: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /sys/fs/bpf + name: bpf-maps + - mountPath: /proc + name: hostproc + - command: + - /azure-iptables-monitor + - -v + - "3" + - -events=true + - -terminateOnSuccess=true + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + image: $AZURE_IPTABLES_MONITOR_IMAGE_REGISTRY/azure-iptables-monitor:$AZURE_IPTABLES_MONITOR_TAG + imagePullPolicy: IfNotPresent + name: azure-iptables-monitor-init + resources: {} + securityContext: + capabilities: + add: + - NET_ADMIN + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: 
/etc/config + name: iptables-config + - command: + - /install-plugin.sh + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: install-cni-binaries + resources: {} + securityContext: + capabilities: + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-path + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-mount /hostbin/cilium-mount; + nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; + rm /hostbin/cilium-mount + env: + - name: CGROUP_ROOT + value: /run/cilium/cgroupv2 + - name: BIN_PATH + value: /opt/cni/bin + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: mount-cgroup + resources: {} + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; + nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; + rm /hostbin/cilium-sysctlfix + env: + - name: BIN_PATH + value: /opt/cni/bin + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: apply-sysctl-overwrites + resources: {} + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + 
terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - args: + - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf + command: + - /bin/bash + - -c + - -- + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: mount-bpf-fs + resources: {} + securityContext: + privileged: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /sys/fs/bpf + mountPropagation: Bidirectional + name: bpf-maps + - command: + - /init-container.sh + env: + - name: CILIUM_ALL_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-state + name: cilium-config + optional: true + - name: CILIUM_BPF_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-bpf-state + name: cilium-config + optional: true + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: clean-cilium-state + resources: + requests: + cpu: 100m + memory: 100Mi + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - NET_ADMIN + - SYS_MODULE + - SYS_ADMIN + - SYS_RESOURCE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /sys/fs/bpf + name: bpf-maps + - mountPath: /run/cilium/cgroupv2 + mountPropagation: HostToContainer + name: cilium-cgroup + - mountPath: /var/run/cilium + name: cilium-run + priorityClassName: system-node-critical + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: cilium + serviceAccountName: cilium + terminationGracePeriodSeconds: 1 + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + - effect: NoSchedule + operator: Exists + volumes: + - 
hostPath: + path: /etc/systemd + type: DirectoryOrCreate + name: host-etc-systemd + - hostPath: + path: /lib/systemd + type: DirectoryOrCreate + name: host-lib-systemd + - hostPath: + path: /usr/lib + type: DirectoryOrCreate + name: host-usr-lib + - hostPath: + path: /var/run/cilium + type: DirectoryOrCreate + name: cilium-run + - hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + name: bpf-maps + - hostPath: + path: /proc + type: Directory + name: hostproc + - hostPath: + path: /run/cilium/cgroupv2 + type: DirectoryOrCreate + name: cilium-cgroup + - hostPath: + path: /opt/cni/bin + type: DirectoryOrCreate + name: cni-path + - hostPath: + path: /etc/cni/net.d + type: DirectoryOrCreate + name: etc-cni-netd + - hostPath: + path: /lib/modules + type: "" + name: lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + - name: clustermesh-secrets + secret: + defaultMode: 256 + optional: true + secretName: cilium-clustermesh + - configMap: + defaultMode: 420 + name: cilium-config + name: cilium-config-path + - hostPath: + path: /proc/sys/net + type: Directory + name: host-proc-sys-net + - hostPath: + path: /proc/sys/kernel + type: Directory + name: host-proc-sys-kernel + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns + - configMap: + defaultMode: 420 + name: acns-flowlog-config + optional: true + name: hubble-flowlog-config + - hostPath: + path: /var/log/acns/hubble + type: DirectoryOrCreate + name: networkflowlogs + - configMap: + defaultMode: 420 + name: allowed-iptables-patterns + optional: true + name: iptables-config + - hostPath: + path: /sys/fs/bpf/azure-block-iptables + type: DirectoryOrCreate + name: iptables-block-bpf-map + - emptyDir: {} + name: azure-ip-masq-dir + - name: azure-ip-masq-agent-config-volume + projected: + defaultMode: 420 + sources: + - configMap: + items: + - key: ip-masq-agent + mode: 444 + path: ip-masq-agent + name: azure-ip-masq-agent-config + optional: true + 
- configMap:
+ items:
+ - key: ip-masq-agent-reconciled
+ mode: 444
+ path: ip-masq-agent-reconciled
+ name: azure-ip-masq-agent-config-reconciled
+ optional: true
+ updateStrategy:
+ rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 5%
+ type: RollingUpdate
diff --git a/test/integration/manifests/cilium/v1.18/ebpf/overlay/static/azure-ip-masq-agent-config-reconciled.yaml b/test/integration/manifests/cilium/v1.18/ebpf/overlay/static/azure-ip-masq-agent-config-reconciled.yaml
new file mode 100644
index 0000000000..e6d8edca6a
--- /dev/null
+++ b/test/integration/manifests/cilium/v1.18/ebpf/overlay/static/azure-ip-masq-agent-config-reconciled.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+data:
+ ip-masq-agent-reconciled: |
+ MasqLinkLocal: true
+ NonMasqueradeCIDRs:
+ - 192.168.0.0/16
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/managed-by: Eno
+ component: ip-masq-agent
+ name: azure-ip-masq-agent-config-reconciled
+ namespace: kube-system
diff --git a/test/integration/manifests/cilium/v1.18/ebpf/overlay/static/cilium-config.yaml b/test/integration/manifests/cilium/v1.18/ebpf/overlay/static/cilium-config.yaml
new file mode 100644
index 0000000000..ea1192adb6
--- /dev/null
+++ b/test/integration/manifests/cilium/v1.18/ebpf/overlay/static/cilium-config.yaml
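Review bot: The `azure-iptables-monitor` sidecar and the `azure-iptables-monitor-init` init container add `NET_ADMIN` without first dropping the default capability set, and `azure-ip-masq-merger` carries no `securityContext` at all, while every Cilium container in the same pod pairs its `add` list with `drop: [ALL]`. On a hostNetwork pod with `automountServiceAccountToken: true` that leaves those sidecars with the runtime's full default bounding set, and the merger only reads `/etc/config/` and writes into an `emptyDir`, so it needs no added capability. Give all three `capabilities: {drop: [ALL]}` (re-adding `NET_ADMIN` only where it is actually used) plus `allowPrivilegeEscalation: false`, and `readOnlyRootFilesystem: true` if the images tolerate it. Whether the monitor needs `NET_ADMIN` rather than read access to the BPF map and the iptables tables isn't visible here; confirm against its source before trimming further.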
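Review bot: The keys in `ip-masq-agent-reconciled` are spelled `MasqLinkLocal` / `NonMasqueradeCIDRs`, whereas the `azure-dns-imds-ip-masq-agent-config` ConfigMap added later in this patch uses `masqLinkLocal` / `nonMasqueradeCIDRs`. This file is one of the two sources in the overlay DaemonSet's projected `azure-ip-masq-agent-config-volume` that `azure-ip-masq-merger` reads; whether its decoder matches field names case-insensitively isn't visible here, and if it does not, the `192.168.0.0/16` non-masquerade entry is silently dropped and overlay pod-to-pod traffic gets SNATed to the node. Use one spelling across both ConfigMaps, e.g. `masqLinkLocal: true` and `nonMasqueradeCIDRs:`, and add `# must match ipv4-native-routing-cidr in the overlay cilium-config` above the CIDR so the two values are kept in sync.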
@@ -0,0 +1,173 @@ +apiVersion: v1 +data: + agent-not-ready-taint-key: node.cilium.io/agent-not-ready + arping-refresh-period: 30s + auto-direct-node-routes: "false" + bpf-algorithm-annotation: "false" + bpf-events-drop-enabled: "true" + bpf-events-policy-verdict-enabled: "true" + bpf-events-trace-enabled: "true" + bpf-lb-acceleration: disabled + bpf-lb-external-clusterip: "false" + bpf-lb-map-max: "65536" + bpf-lb-mode: snat + bpf-lb-mode-annotation: "false" + bpf-lb-sock: "false" + bpf-lb-sock-hostns-only: "true" + bpf-lb-sock-terminate-pod-connections: "false" + bpf-lb-source-range-all-types: "false" + bpf-map-dynamic-size-ratio: "0.0025" + bpf-policy-map-max: "16384" + bpf-root: /sys/fs/bpf + ces-slice-mode: fcfs + cgroup-root: /run/cilium/cgroupv2 + cilium-endpoint-gc-interval: 5m0s + cluster-id: "0" + cluster-name: alewoverebpfcilcanary + cni-exclusive: "false" + cni-log-file: /var/run/cilium/cilium-cni.log + datapath-mode: veth + debug: "false" + direct-routing-skip-unreachable: "false" + disable-cnp-status-updates: "true" + disable-embedded-dns-proxy: "false" + disable-endpoint-crd: "false" + dnsproxy-enable-transparent-mode: "false" + egress-gateway-reconciliation-trigger-interval: 1s + enable-auto-protect-node-port-range: "true" + enable-bgp-control-plane: "false" + enable-bpf-clock-probe: "true" + enable-bpf-masquerade: "true" + enable-cilium-endpoint-slice: "true" + enable-endpoint-health-checking: "false" + enable-endpoint-lockdown-on-policy-overflow: "false" + enable-endpoint-routes: "true" + enable-experimental-lb: "false" + enable-health-check-loadbalancer-ip: "false" + enable-health-check-nodeport: "true" + enable-health-checking: "true" + enable-host-legacy-routing: "false" + enable-hubble: "true" + enable-hubble-open-metrics: "false" + enable-internal-traffic-policy: "true" + enable-ip-masq-agent: "true" + enable-ipv4: "true" + enable-ipv4-big-tcp: "false" + enable-ipv4-masquerade: "true" + enable-ipv6: "false" + enable-ipv6-big-tcp: "false" + 
enable-ipv6-masquerade: "false" + enable-k8s-networkpolicy: "true" + enable-k8s-terminating-endpoint: "true" + enable-l2-neigh-discovery: "true" + enable-l7-proxy: "true" + enable-lb-ipam: "false" + enable-local-node-route: "false" + enable-local-redirect-policy: "true" + enable-masquerade-to-route-source: "false" + enable-metrics: "true" + enable-node-selector-labels: "false" + enable-non-default-deny-policies: "true" + enable-policy: default + enable-remote-node-identity: "true" + enable-remote-node-masquerade: "true" + enable-runtime-device-detection: "false" + enable-sctp: "false" + enable-session-affinity: "true" + enable-source-ip-verification: "false" + enable-standalone-dns-proxy: "true" + enable-svc-source-range-check: "true" + enable-tcx: "false" + enable-vtep: "false" + enable-well-known-identities: "false" + enable-wireguard: "false" + enable-xt-socket-fallback: "true" + external-envoy-proxy: "false" + health-check-icmp-failure-threshold: "3" + hubble-disable-tls: "false" + hubble-event-buffer-capacity: "4095" + hubble-export-file-max-backups: "5" + hubble-export-file-max-size-mb: "10" + hubble-flowlogs-config-path: /flowlog-config/flowlogs.yaml + hubble-listen-address: :4244 + hubble-metrics: flow:sourceEgressContext=pod;destinationIngressContext=pod tcp:sourceEgressContext=pod;destinationIngressContext=pod + drop:sourceEgressContext=pod;destinationIngressContext=pod dns:sourceEgressContext=pod;destinationIngressContext=pod + hubble-metrics-server: :9965 + hubble-socket-path: /var/run/cilium/hubble.sock + hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt + hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt + hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key + identity-allocation-mode: crd + install-iptables-rules: "true" + install-no-conntrack-iptables-rules: "false" + ipam: delegated-plugin + ipam-cilium-node-update-rate: 15s + ipv4-native-routing-cidr: 192.168.0.0/16 + k8s-client-burst: "20" + k8s-client-qps: "10" 
+ k8s-require-ipv4-pod-cidr: "false" + k8s-require-ipv6-pod-cidr: "false" + kube-proxy-replacement: "true" + kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256 + local-router-ipv4: 169.254.23.0 + mesh-auth-enabled: "false" + mesh-auth-gc-interval: 5m0s + mesh-auth-queue-size: "1024" + mesh-auth-rotated-identities-queue-size: "1024" + metrics: +cilium_bpf_map_pressure +cilium_proxy_datapath_update_timeout_total + monitor-aggregation: medium + monitor-aggregation-flags: all + monitor-aggregation-interval: 5s + nat-map-stats-entries: "32" + nat-map-stats-interval: 30s + node-port-bind-protection: "true" + nodeport-addresses: "" + nodes-gc-interval: 5m0s + operator-api-serve-addr: 127.0.0.1:9234 + operator-prometheus-serve-addr: :9963 + preallocate-bpf-maps: "false" + procfs: /host/proc + prometheus-serve-addr: :9962 + proxy-connect-timeout: "2" + proxy-idle-timeout-seconds: "60" + proxy-max-connection-duration-seconds: "0" + proxy-max-requests-per-connection: "0" + proxy-xff-num-trusted-hops-egress: "0" + proxy-xff-num-trusted-hops-ingress: "0" + remove-cilium-node-taints: "true" + routing-mode: native + set-cilium-is-up-condition: "true" + set-cilium-node-taints: "true" + sidecar-istio-proxy-image: cilium/istio_proxy + synchronize-k8s-nodes: "true" + tofqdns-dns-reject-response-code: refused + tofqdns-enable-dns-compression: "true" + tofqdns-endpoint-max-ip-per-hostname: "1000" + tofqdns-idle-connection-grace-period: 0s + tofqdns-max-deferred-connection-deletes: "10000" + tofqdns-min-ttl: "3600" + tofqdns-proxy-port: "40046" + tofqdns-proxy-response-max-delay: 100ms + tofqdns-server-port: "40045" + unmanaged-pod-watcher-interval: "0" + vtep-cidr: "" + vtep-endpoint: "" + vtep-mac: "" + vtep-mask: "" + ## new values for 1.18 + # bpf-policy-stats-map-max specifies the maximum number of entries in global + # policy stats map + bpf-policy-stats-map-max: "65536" + identity-management-mode: "agent" + tofqdns-preallocate-identities: "true" + 
policy-default-local-cluster: "false"
+kind: ConfigMap
+metadata:
+ annotations:
+ meta.helm.sh/release-name: cilium
+ meta.helm.sh/release-namespace: kube-system
+ labels:
+ app.kubernetes.io/actually-managed-by: Eno
+ app.kubernetes.io/managed-by: Helm
+ name: cilium-config
+ namespace: kube-system
diff --git a/test/integration/manifests/cilium/v1.18/ebpf/podsubnet/cilium.yaml b/test/integration/manifests/cilium/v1.18/ebpf/podsubnet/cilium.yaml
new file mode 100644
index 0000000000..0760191fc2
--- /dev/null
+++ b/test/integration/manifests/cilium/v1.18/ebpf/podsubnet/cilium.yaml
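Review bot: `hubble-disable-tls: "false"` together with `hubble-tls-cert-file`, `hubble-tls-key-file` and `hubble-tls-client-ca-files` under `/var/lib/cilium/tls/hubble/` expects a certificate volume, but the overlay DaemonSet added earlier in this patch has no volumeMount at `/var/lib/cilium/tls` on the cilium-agent container and no `hubble-tls` secret volume. Unless the material is baked into the image or injected by the managing controller, the Hubble listener on `:4244` (host network) cannot come up with mTLS as configured, so either add the secret mount to the DaemonSet or document the provisioning path with a comment such as `# hubble TLS material is provisioned outside this DaemonSet by <component>` next to these keys. Separately, `enable-source-ip-verification: "false"` turns off the datapath check that drops egress packets whose source address is not the endpoint's own IP, which lets a pod emit traffic with another pod's address; if the delegated-plugin IPAM mode requires it, say so in a comment on that line, otherwise leave it at the default.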
@@ -0,0 +1,508 @@ +apiVersion: apps/v1 +kind: DaemonSet +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/actually-managed-by: Eno + app.kubernetes.io/managed-by: Helm + k8s-app: cilium + kubernetes.azure.com/managedby: aks + name: cilium + namespace: kube-system +spec: + revisionHistoryLimit: 10 + selector: + matchLabels: + k8s-app: cilium + template: + metadata: + annotations: + prometheus.io/port: "9962" + prometheus.io/scrape: "true" + labels: + app.kubernetes.io/managed-by: Eno + k8s-app: cilium + kubernetes.azure.com/ebpf-dataplane: cilium + kubernetes.azure.com/managedby: aks + spec: + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: kubernetes.azure.com/cluster + operator: Exists + - key: type + operator: NotIn + values: + - virtual-kubelet + - key: kubernetes.io/os + operator: In + values: + - linux + automountServiceAccountToken: true + containers: + - args: + - --config-dir=/tmp/cilium/config-map + command: + - cilium-agent + env: + - name: K8S_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: CILIUM_K8S_NAMESPACE + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: metadata.namespace + - name: CILIUM_CLUSTERMESH_CONFIG + value: /var/lib/cilium/clustermesh/ + - name: KUBE_CLIENT_BACKOFF_BASE + value: "1" + - name: KUBE_CLIENT_BACKOFF_DURATION + value: "120" + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + livenessProbe: + failureThreshold: 10 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + - name: require-k8s-connectivity + value: "false" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + name: cilium-agent + ports: + - containerPort: 9962 + hostPort: 9962 + name: prometheus + protocol: TCP + 
readinessProbe: + failureThreshold: 3 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 30 + successThreshold: 1 + timeoutSeconds: 5 + resources: {} + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - CHOWN + - KILL + - NET_ADMIN + - NET_RAW + - IPC_LOCK + - SYS_MODULE + - SYS_ADMIN + - SYS_RESOURCE + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + startupProbe: + failureThreshold: 105 + httpGet: + host: 127.0.0.1 + httpHeaders: + - name: brief + value: "true" + path: /healthz + port: 9879 + scheme: HTTP + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 1 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /host/proc/sys/net + name: host-proc-sys-net + - mountPath: /host/proc/sys/kernel + name: host-proc-sys-kernel + - mountPath: /sys/fs/bpf + mountPropagation: HostToContainer + name: bpf-maps + - mountPath: /var/run/cilium + name: cilium-run + - mountPath: /host/etc/cni/net.d + name: etc-cni-netd + - mountPath: /var/lib/cilium/clustermesh + name: clustermesh-secrets + readOnly: true + - mountPath: /tmp/cilium/config-map + name: cilium-config-path + readOnly: true + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + - mountPath: /var/run/cilium/netns + mountPropagation: HostToContainer + name: cilium-netns + - mountPath: /flowlog-config + name: hubble-flowlog-config + readOnly: true + - mountPath: /var/log/acns/hubble + name: networkflowlogs + - mountPath: /etc/config + name: azure-ip-masq-dir + readOnly: true + - command: + - /azure-iptables-monitor + - -v + - "3" + - -events=true + - -checkMap=true + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + image: 
$AZURE_IPTABLES_MONITOR_IMAGE_REGISTRY/azure-iptables-monitor:$AZURE_IPTABLES_MONITOR_TAG + imagePullPolicy: IfNotPresent + name: azure-iptables-monitor + resources: {} + securityContext: + capabilities: + add: + - NET_ADMIN + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/config + name: iptables-config + - mountPath: /azure-block-iptables-bpf-map + name: iptables-block-bpf-map + readOnly: true + dnsPolicy: ClusterFirst + hostNetwork: true + initContainers: + - command: + - /azure-block-iptables + - -mode=attach + - -overwrite=true + image: $AZURE_IPTABLES_MONITOR_IMAGE_REGISTRY/azure-iptables-monitor:$AZURE_IPTABLES_MONITOR_TAG + imagePullPolicy: IfNotPresent + name: iptables-blocker-init + resources: {} + securityContext: + privileged: true + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /sys/fs/bpf + name: bpf-maps + - mountPath: /proc + name: hostproc + - command: + - /azure-iptables-monitor + - -v + - "3" + - -events=true + - -terminateOnSuccess=true + env: + - name: NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + image: $AZURE_IPTABLES_MONITOR_IMAGE_REGISTRY/azure-iptables-monitor:$AZURE_IPTABLES_MONITOR_TAG + imagePullPolicy: IfNotPresent + name: azure-iptables-monitor-init + resources: {} + securityContext: + capabilities: + add: + - NET_ADMIN + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /etc/config + name: iptables-config + - command: + - /install-plugin.sh + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: install-cni-binaries + resources: {} + securityContext: + capabilities: + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: 
/host/opt/cni/bin + name: cni-path + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-mount /hostbin/cilium-mount; + nsenter --cgroup=/hostproc/1/ns/cgroup --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-mount" $CGROUP_ROOT; + rm /hostbin/cilium-mount + env: + - name: CGROUP_ROOT + value: /run/cilium/cgroupv2 + - name: BIN_PATH + value: /opt/cni/bin + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: mount-cgroup + resources: {} + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - command: + - sh + - -ec + - | + cp /usr/bin/cilium-sysctlfix /hostbin/cilium-sysctlfix; + nsenter --mount=/hostproc/1/ns/mnt "${BIN_PATH}/cilium-sysctlfix"; + rm /hostbin/cilium-sysctlfix + env: + - name: BIN_PATH + value: /opt/cni/bin + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: apply-sysctl-overwrites + resources: {} + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - SYS_ADMIN + - SYS_CHROOT + - SYS_PTRACE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /hostproc + name: hostproc + - mountPath: /hostbin + name: cni-path + - args: + - mount | grep "/sys/fs/bpf type bpf" || mount -t bpf bpf /sys/fs/bpf + command: + - /bin/bash + - -c + - -- + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: mount-bpf-fs + resources: {} + securityContext: + privileged: true + 
terminationMessagePath: /dev/termination-log + terminationMessagePolicy: FallbackToLogsOnError + volumeMounts: + - mountPath: /sys/fs/bpf + mountPropagation: Bidirectional + name: bpf-maps + - command: + - /init-container.sh + env: + - name: CILIUM_ALL_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-state + name: cilium-config + optional: true + - name: CILIUM_BPF_STATE + valueFrom: + configMapKeyRef: + key: clean-cilium-bpf-state + name: cilium-config + optional: true + image: $CILIUM_IMAGE_REGISTRY/cilium/cilium-distroless-init:$CILIUM_VERSION_TAG + imagePullPolicy: IfNotPresent + name: clean-cilium-state + resources: + requests: + cpu: 100m + memory: 100Mi + securityContext: + appArmorProfile: + type: Unconfined + capabilities: + add: + - NET_ADMIN + - SYS_MODULE + - SYS_ADMIN + - SYS_RESOURCE + drop: + - ALL + seLinuxOptions: + level: s0 + type: spc_t + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /sys/fs/bpf + name: bpf-maps + - mountPath: /run/cilium/cgroupv2 + mountPropagation: HostToContainer + name: cilium-cgroup + - mountPath: /var/run/cilium + name: cilium-run + priorityClassName: system-node-critical + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + serviceAccount: cilium + serviceAccountName: cilium + terminationGracePeriodSeconds: 1 + tolerations: + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + - effect: NoSchedule + operator: Exists + volumes: + - hostPath: + path: /etc/systemd + type: DirectoryOrCreate + name: host-etc-systemd + - hostPath: + path: /lib/systemd + type: DirectoryOrCreate + name: host-lib-systemd + - hostPath: + path: /usr/lib + type: DirectoryOrCreate + name: host-usr-lib + - hostPath: + path: /var/run/cilium + type: DirectoryOrCreate + name: cilium-run + - hostPath: + path: /sys/fs/bpf + type: DirectoryOrCreate + name: bpf-maps + - hostPath: + path: /proc + type: Directory + name: 
hostproc + - hostPath: + path: /run/cilium/cgroupv2 + type: DirectoryOrCreate + name: cilium-cgroup + - hostPath: + path: /opt/cni/bin + type: DirectoryOrCreate + name: cni-path + - hostPath: + path: /etc/cni/net.d + type: DirectoryOrCreate + name: etc-cni-netd + - hostPath: + path: /lib/modules + type: "" + name: lib-modules + - hostPath: + path: /run/xtables.lock + type: FileOrCreate + name: xtables-lock + - name: clustermesh-secrets + secret: + defaultMode: 256 + optional: true + secretName: cilium-clustermesh + - configMap: + defaultMode: 420 + name: cilium-config + name: cilium-config-path + - hostPath: + path: /proc/sys/net + type: Directory + name: host-proc-sys-net + - hostPath: + path: /proc/sys/kernel + type: Directory + name: host-proc-sys-kernel + - hostPath: + path: /var/run/netns + type: DirectoryOrCreate + name: cilium-netns + - configMap: + defaultMode: 420 + name: acns-flowlog-config + optional: true + name: hubble-flowlog-config + - hostPath: + path: /var/log/acns/hubble + type: DirectoryOrCreate + name: networkflowlogs + - configMap: + defaultMode: 420 + name: allowed-iptables-patterns + optional: true + name: iptables-config + - hostPath: + path: /sys/fs/bpf/azure-block-iptables + type: DirectoryOrCreate + name: iptables-block-bpf-map + - configMap: + defaultMode: 420 + name: azure-dns-imds-ip-masq-agent-config + optional: true + name: azure-ip-masq-dir + updateStrategy: + rollingUpdate: + maxSurge: 0 + maxUnavailable: 5% + type: RollingUpdate diff --git a/test/integration/manifests/cilium/v1.18/ebpf/podsubnet/static/azure-dns-imds-ip-masq-agent-config.yaml b/test/integration/manifests/cilium/v1.18/ebpf/podsubnet/static/azure-dns-imds-ip-masq-agent-config.yaml new file mode 100644 index 0000000000..2613c3b265 --- /dev/null +++ b/test/integration/manifests/cilium/v1.18/ebpf/podsubnet/static/azure-dns-imds-ip-masq-agent-config.yaml 
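Review bot: `host-etc-systemd`, `host-lib-systemd` and `host-usr-lib` are declared as `DirectoryOrCreate` hostPath volumes but no container or init container in this DaemonSet mounts them, and the same holds for the overlay DaemonSet earlier in this patch. They widen the host-filesystem surface this pod spec declares for no benefit, and `DirectoryOrCreate` means the kubelet will create `/etc/systemd`, `/lib/systemd` or `/usr/lib` on any node where one is absent. Drop the three volume entries, or if a later change is expected to mount them, switch each to `type: Directory` so nothing is created on the host. Whether an out-of-tree patch (for example the Eno controller referenced by the labels) adds matching mounts isn't visible here.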
@@ -0,0 +1,26 @@
+apiVersion: v1
+data:
+ ip-masq-agent: "nonMasqueradeCIDRs:\n- 0.0.0.0/1\n- 128.0.0.0/3\n- 160.0.0.0/5\n-
+ 168.0.0.0/11\n- 168.32.0.0/12\n- 168.48.0.0/13\n- 168.56.0.0/14\n- 168.60.0.0/15\n-
+ 168.62.0.0/16\n- 168.63.0.0/17\n- 168.63.128.0/24\n- 168.63.129.0/29\n- 168.63.129.8/30\n-
+ 168.63.129.12/30\n- 168.63.129.17/32\n- 168.63.129.18/31\n- 168.63.129.20/30\n-
+ 168.63.129.24/29\n- 168.63.129.32/27\n- 168.63.129.64/26\n- 168.63.129.128/25\n-
+ 168.63.130.0/23\n- 168.63.132.0/22\n- 168.63.136.0/21\n- 168.63.144.0/20\n- 168.63.160.0/19\n-
+ 168.63.192.0/18\n- 168.64.0.0/10\n- 168.128.0.0/9\n- 169.0.0.0/9\n- 169.128.0.0/10\n-
+ 169.192.0.0/11\n- 169.224.0.0/12\n- 169.240.0.0/13\n- 169.248.0.0/14\n- 169.252.0.0/15\n-
+ 169.254.0.0/17\n- 169.254.128.0/19\n- 169.254.160.0/21\n- 169.254.168.0/24\n-
+ 169.254.169.0/25\n- 169.254.169.128/26\n- 169.254.169.192/27\n- 169.254.169.224/28\n-
+ 169.254.169.240/29\n- 169.254.169.248/30\n- 169.254.169.252/31\n- 169.254.169.255/32\n-
+ 169.254.170.0/23\n- 169.254.172.0/22\n- 169.254.176.0/20\n- 169.254.192.0/18\n-
+ 169.255.0.0/16\n- 170.0.0.0/7\n- 172.0.0.0/6\n- 176.0.0.0/4\n- 192.0.0.0/3\n-
+ 224.0.0.0/3\n \nmasqLinkLocal: true\nmasqLinkLocalIPv6: true\n"
+kind: ConfigMap
+metadata:
+ annotations:
+ meta.helm.sh/release-name: cilium
+ meta.helm.sh/release-namespace: kube-system
+ labels:
+ app.kubernetes.io/actually-managed-by: Eno
+ app.kubernetes.io/managed-by: Helm
+ name: azure-dns-imds-ip-masq-agent-config
+ namespace: kube-system
diff --git a/test/integration/manifests/cilium/v1.18/ebpf/podsubnet/static/cilium-config.yaml b/test/integration/manifests/cilium/v1.18/ebpf/podsubnet/static/cilium-config.yaml
new file mode 100644
index 0000000000..33438fb05c
--- /dev/null
+++ b/test/integration/manifests/cilium/v1.18/ebpf/podsubnet/static/cilium-config.yaml
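Review bot: `ip-masq-agent` is several dozen CIDRs packed into one double-quoted string with embedded `\n`, which hides what the list does: taken together the entries cover all of 0.0.0.0/0 except exactly 168.63.129.16/32 and 169.254.169.254/32, so only traffic to the Azure wireserver/DNS and to IMDS is SNATed to the node address and everything else keeps its pod source IP. That carve-out is what lets pod traffic reach those two addresses at all and it decides which destinations see the node's IP, so a reviewer needs to be able to check the arithmetic, which is impractical in this form. Write the value as a `|` block scalar with one CIDR per line, put `# complement of 168.63.129.16/32 (wireserver) and 169.254.169.254/32 (IMDS): masquerade only those two` above it, and drop the whitespace-only line that precedes `masqLinkLocal`. Whether the consumer tolerates that blank line today isn't visible here.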
@@ -0,0 +1,173 @@ +apiVersion: v1 +data: + agent-not-ready-taint-key: node.cilium.io/agent-not-ready + arping-refresh-period: 30s + auto-direct-node-routes: "false" + bpf-algorithm-annotation: "false" + bpf-events-drop-enabled: "true" + bpf-events-policy-verdict-enabled: "true" + bpf-events-trace-enabled: "true" + bpf-lb-acceleration: disabled + bpf-lb-external-clusterip: "false" + bpf-lb-map-max: "65536" + bpf-lb-mode: snat + bpf-lb-mode-annotation: "false" + bpf-lb-sock: "false" + bpf-lb-sock-hostns-only: "true" + bpf-lb-sock-terminate-pod-connections: "false" + bpf-lb-source-range-all-types: "false" + bpf-map-dynamic-size-ratio: "0.0025" + bpf-policy-map-max: "16384" + bpf-root: /sys/fs/bpf + ces-slice-mode: fcfs + cgroup-root: /run/cilium/cgroupv2 + cilium-endpoint-gc-interval: 5m0s + cluster-id: "0" + cluster-name: alewpodsubebpfcilcanary + cni-exclusive: "false" + cni-log-file: /var/run/cilium/cilium-cni.log + datapath-mode: veth + debug: "false" + direct-routing-skip-unreachable: "false" + disable-cnp-status-updates: "true" + disable-embedded-dns-proxy: "false" + disable-endpoint-crd: "false" + dnsproxy-enable-transparent-mode: "false" + egress-gateway-reconciliation-trigger-interval: 1s + enable-auto-protect-node-port-range: "true" + enable-bgp-control-plane: "false" + enable-bpf-clock-probe: "true" + enable-bpf-masquerade: "true" + enable-cilium-endpoint-slice: "true" + enable-endpoint-health-checking: "false" + enable-endpoint-lockdown-on-policy-overflow: "false" + enable-endpoint-routes: "true" + enable-experimental-lb: "false" + enable-health-check-loadbalancer-ip: "false" + enable-health-check-nodeport: "true" + enable-health-checking: "true" + enable-host-legacy-routing: "false" + enable-hubble: "true" + enable-hubble-open-metrics: "false" + enable-internal-traffic-policy: "true" + enable-ip-masq-agent: "true" + enable-ipv4: "true" + enable-ipv4-big-tcp: "false" + enable-ipv4-masquerade: "true" + enable-ipv6: "false" + enable-ipv6-big-tcp: "false" + 
enable-ipv6-masquerade: "false" + enable-k8s-networkpolicy: "true" + enable-k8s-terminating-endpoint: "true" + enable-l2-neigh-discovery: "true" + enable-l7-proxy: "true" + enable-lb-ipam: "false" + enable-local-node-route: "false" + enable-local-redirect-policy: "true" + enable-masquerade-to-route-source: "false" + enable-metrics: "true" + enable-node-selector-labels: "false" + enable-non-default-deny-policies: "true" + enable-policy: default + enable-remote-node-identity: "true" + enable-remote-node-masquerade: "false" + enable-runtime-device-detection: "false" + enable-sctp: "false" + enable-session-affinity: "true" + enable-source-ip-verification: "false" + enable-standalone-dns-proxy: "true" + enable-svc-source-range-check: "true" + enable-tcx: "false" + enable-vtep: "false" + enable-well-known-identities: "false" + enable-wireguard: "false" + enable-xt-socket-fallback: "true" + external-envoy-proxy: "false" + health-check-icmp-failure-threshold: "3" + hubble-disable-tls: "false" + hubble-event-buffer-capacity: "4095" + hubble-export-file-max-backups: "5" + hubble-export-file-max-size-mb: "10" + hubble-flowlogs-config-path: /flowlog-config/flowlogs.yaml + hubble-listen-address: :4244 + hubble-metrics: flow:sourceEgressContext=pod;destinationIngressContext=pod tcp:sourceEgressContext=pod;destinationIngressContext=pod + drop:sourceEgressContext=pod;destinationIngressContext=pod dns:sourceEgressContext=pod;destinationIngressContext=pod + hubble-metrics-server: :9965 + hubble-socket-path: /var/run/cilium/hubble.sock + hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt + hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt + hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key + identity-allocation-mode: crd + install-iptables-rules: "true" + install-no-conntrack-iptables-rules: "false" + ipam: delegated-plugin + ipam-cilium-node-update-rate: 15s + ipv4-native-routing-cidr: 10.241.0.0/16 + k8s-client-burst: "20" + k8s-client-qps: "10" 
+ k8s-require-ipv4-pod-cidr: "false" + k8s-require-ipv6-pod-cidr: "false" + kube-proxy-replacement: "true" + kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256 + local-router-ipv4: 169.254.23.0 + mesh-auth-enabled: "false" + mesh-auth-gc-interval: 5m0s + mesh-auth-queue-size: "1024" + mesh-auth-rotated-identities-queue-size: "1024" + metrics: +cilium_bpf_map_pressure +cilium_proxy_datapath_update_timeout_total + monitor-aggregation: medium + monitor-aggregation-flags: all + monitor-aggregation-interval: 5s + nat-map-stats-entries: "32" + nat-map-stats-interval: 30s + node-port-bind-protection: "true" + nodeport-addresses: "" + nodes-gc-interval: 5m0s + operator-api-serve-addr: 127.0.0.1:9234 + operator-prometheus-serve-addr: :9963 + preallocate-bpf-maps: "false" + procfs: /host/proc + prometheus-serve-addr: :9962 + proxy-connect-timeout: "2" + proxy-idle-timeout-seconds: "60" + proxy-max-connection-duration-seconds: "0" + proxy-max-requests-per-connection: "0" + proxy-xff-num-trusted-hops-egress: "0" + proxy-xff-num-trusted-hops-ingress: "0" + remove-cilium-node-taints: "true" + routing-mode: native + set-cilium-is-up-condition: "true" + set-cilium-node-taints: "true" + sidecar-istio-proxy-image: cilium/istio_proxy + synchronize-k8s-nodes: "true" + tofqdns-dns-reject-response-code: refused + tofqdns-enable-dns-compression: "true" + tofqdns-endpoint-max-ip-per-hostname: "1000" + tofqdns-idle-connection-grace-period: 0s + tofqdns-max-deferred-connection-deletes: "10000" + tofqdns-min-ttl: "3600" + tofqdns-proxy-port: "40046" + tofqdns-proxy-response-max-delay: 100ms + tofqdns-server-port: "40045" + unmanaged-pod-watcher-interval: "0" + vtep-cidr: "" + vtep-endpoint: "" + vtep-mac: "" + vtep-mask: "" + ## new values for 1.18 + # bpf-policy-stats-map-max specifies the maximum number of entries in global + # policy stats map + bpf-policy-stats-map-max: "65536" + identity-management-mode: "agent" + tofqdns-preallocate-identities: "true" + 
policy-default-local-cluster: "false" +kind: ConfigMap +metadata: + annotations: + meta.helm.sh/release-name: cilium + meta.helm.sh/release-namespace: kube-system + labels: + app.kubernetes.io/actually-managed-by: Eno + app.kubernetes.io/managed-by: Helm + name: cilium-config + namespace: kube-system diff --git a/test/integration/manifests/cilium/v1.18/hubble/hubble-peer-svc.yaml b/test/integration/manifests/cilium/v1.18/hubble/hubble-peer-svc.yaml new file mode 100644 index 0000000000..6ba733885c --- /dev/null +++ b/test/integration/manifests/cilium/v1.18/hubble/hubble-peer-svc.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + k8s-app: cilium + name: hubble-peer + namespace: kube-system +spec: + internalTrafficPolicy: Cluster + ports: + - name: peer-service + port: 443 + protocol: TCP + targetPort: 4244 + selector: + k8s-app: cilium + sessionAffinity: None + type: ClusterIP
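Review bot: Of the four keys added under `## new values for 1.18`, only `bpf-policy-stats-map-max` carries an explanatory comment, and `identity-management-mode: "agent"` is the only enum-valued string in the file that is quoted while `bpf-lb-mode: snat`, `enable-policy: default` and `ipam: delegated-plugin` are not. A reader comparing this ConfigMap with the previous version will want to know why `identity-management-mode`, `tofqdns-preallocate-identities` and `policy-default-local-cluster` are pinned rather than left at the chart default, so a one-line comment per key in the same form as the existing one would help, and writing `identity-management-mode: agent` keeps the quoting consistent. `cluster-name: alewpodsubebpfcilcanary` looks environment-specific; if the integration harness does not override it, a clearly labelled placeholder would make the manifest reusable across test clusters.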
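Review bot: The Service carries only `k8s-app: cilium` and none of the `meta.helm.sh/release-*` annotations or `app.kubernetes.io/managed-by` labels that every other manifest in this commit sets, so any cleanup or reconciliation in the test harness that keys on those labels would presumably leave it behind; if the omission is deliberate, a comment saying so saves the next reader the check. `targetPort: 4244` pairs with `hubble-listen-address: :4244` in cilium-config.yaml, where `hubble-disable-tls: "false"` and the `hubble-tls-*` paths protect that listener, and a comment `# 443 -> hubble-listen-address (:4244) in cilium-config; TLS is enforced there` above `ports:` would tie the two files together.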