-
Notifications
You must be signed in to change notification settings - Fork 114
/
policy.proto
executable file
·243 lines (217 loc) · 9.15 KB
/
policy.proto
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
// Copyright (c) 2017 Cisco and/or its affiliates.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at:
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
syntax = "proto3";
// Package policy defines data model for Kubernetes Network Policy.
package policy;
// Policy describes what network traffic is allowed for a set of Pods.
message Policy {
// Name of the policy unique within the namespace.
// Cannot be updated.
string name = 1;
// Namespace the policy is inserted into.
// An empty namespace is equivalent to the "default" namespace, but "default"
// is the canonical representation used in the key for a key-value store.
// Cannot be updated.
string namespace = 2;
// Label is a key/value pair attached to an object (namespace in this case).
// Labels are used to organize and to select subsets of objects.
message Label {
string key = 1;
string value = 2;
}
// A list of labels attached to this policy.
// +optional
repeated Label label = 3;
// A label selector is a label query over a set of resources.
// The result of match_label-s and match_expression-s are ANDed.
// An empty label selector matches all objects. A null label selector matches
// no objects.
message LabelSelector {
// A list of labels that a resource needs to have attached in order to get
// selected.
// +optional
repeated Label match_label = 1;
// An expression that contains values, a label key, and an operator that
// relates the key and values.
message LabelExpression {
// Key is the label key that the expression applies to.
string key = 1;
// Operator represents a key's relationship to a set of values.
enum Operator {
IN = 0;
NOT_IN = 1;
EXISTS = 2;
DOES_NOT_EXIST = 3;
}
Operator operator = 2;
// An array of string values.
// If the operator is IN or NOT_IN, the values array must be non-empty.
// If the operator is EXISTS or DOES_NOT_EXIST, the values array
// must be empty.
// +optional
repeated string value = 3;
}
// A list of key-value expressions applied to labels.
// For a given resource and its labels, all expressions must evaluate
// to TRUE for the resource to get selected.
repeated LabelExpression match_expression = 2;
}
// Pods to which this policy applies. The array of ingress rules is applied
// to all pods selected by this field. Multiple network policies can select
// the same set of pods. In such case, the ingress rules for each are combined
// additively.
// This field is NOT optional and follows standard label selector semantics.
// An empty selector matches all pods in this namespace.
LabelSelector pods = 4;
// PolicyType selects the rule types that the network policy relates to.
// By default, rule types are determined based on the existence of Ingress or
// Egress rules: policies that contain an Egress section are assumed to affect
// Egress, and all policies (whether or not they contain an Ingress section)
// are assumed to affect Ingress.
// For example, policies are egress-only if and only if policyType is set
// to EGRESS.
// Likewise, policies blocking all egress traffic are either EGRESS
// or INGRESS_AND_EGRESS as they do not include an Egress section and would
// otherwise default to just INGRESS.
// This field is beta-level in Kubernetes 1.8.
// +optional
enum PolicyType {
DEFAULT = 0;
INGRESS = 1;
EGRESS = 2;
INGRESS_AND_EGRESS = 3;
}
PolicyType policy_type = 5;
// A port selector.
message Port {
// The protocol (TCP or UDP) which traffic must match.
// If not specified, this field defaults to TCP.
// +optional
enum Protocol {
TCP = 0;
UDP = 1;
}
Protocol protocol = 3;
// Numerical or named port.
message PortNameOrNumber {
// Port reference type.
enum Type {
NUMBER = 0;
NAME = 1;
}
Type type = 1;
// Port number from the range: 0 < x < 65536.
int32 number = 2;
// Port name as defined by containers in the pod.
string name = 3;
}
// If specified, the port on the given protocol.
// This can either be a numerical or named port on a pod.
// If this field is not provided, the rule matches all port names and
// numbers.
// If present, only traffic on the specified protocol AND port
// will be matched.
// +optional
PortNameOrNumber port = 1;
}
// A selector for a set of pods.
message Peer {
// Exactly one of the following is specified.
// This is a label selector which selects Pods in this namespace.
// If present but empty, this selector selects all pods in this namespace.
// +optional
LabelSelector pods = 1;
// Selects namespaces using cluster scoped-labels.
// This matches all pods in all namespaces selected by this label selector.
// If present but empty, this selector selects all namespaces.
// +optional
LabelSelector namespaces = 2;
// IPBlock describes a particular CIDR (Ex. "192.168.1.1/24") that is allowed
// to/from the pods selected for this network policy. The except entries
// describe CIDRs that should not be included within this rule.
message IPBlock {
// CIDR is a string representing the IP Block.
// Valid examples are "192.168.1.1/24".
string cidr = 1;
// Except is a slice of CIDRs that should not be included within an IP Block
// Valid examples are "192.168.1.1/24".
// Except values are inside the CIDR range.
// +optional
repeated string except = 2;
}
IPBlock ip_block = 3;
}
// Ingress rule matches traffic if and only if the traffic matches both port-s
// AND from.
message IngressRule {
// List of ports made accessible on the pods selected for this policy.
// Each item in this list is combined using a logical OR.
// If the array is empty or null, then this ingress rule matches all ports
// (traffic not restricted by port).
// If the array is non-empty, then this ingress rule allows traffic
// only if the traffic matches at least one port in the list.
// +optional
repeated Port port = 1;
// List of sources which are able to access the pods selected for this
// policy.
// Items in this list are combined using a logical OR operation.
// If the array is empty or null, then this ingress rule matches all sources
// (traffic not restricted by source).
// If the array is non-empty, then this ingress rule allows traffic only
// if the traffic matches at least one item in the from list.
// +optional
repeated Peer from = 2;
}
// List of ingress rules applied to the selected pods.
// Traffic is allowed to a pod if there are no network policies selecting the pod
// OR if the traffic source is the pod's local node,
// OR if the traffic matches at least one ingress rule across all of the network
// policies applied to the pod.
// If there are no ingress rules then this network policy does not allow
// any traffic (and serves solely to ensure that the selected pods are isolated
// by default).
// +optional
repeated IngressRule ingress_rule = 6;
// Egress rule matches traffic if and only if the traffic matches both port-s
// AND to.
// This field is beta-level in Kubernetes 1.8.
message EgressRule {
// List of destination ports for outgoing traffic.
// Each item in this list is combined using a logical OR.
// If the array is empty or null, then this egress rule matches all ports
// (traffic not restricted by port).
// If the array is non-empty, then this egress rule allows traffic
// only if the traffic matches at least one port in the list.
// +optional
repeated Port port = 1;
// List of destinations for outgoing traffic of pods selected for this policy.
// Items in this list are combined using a logical OR operation.
// If the array is empty or null, this egress rule matches all destinations
// (traffic not restricted by destination).
// If the array is non-empty, then this egress rule allows traffic only
// if the traffic matches at least one item in the to list.
// +optional
repeated Peer to = 2;
}
// List of egress rules to be applied to the selected pods.
// Outgoing traffic is allowed if there are no network policies selecting
// the pod OR if the traffic matches at least one egress rule across
// all of the network policies applied to the pod.
// If there are no egress rules then this network policy does not allow
// any outgoing traffic (and serves solely to ensure that the selected pods
// are isolated by default).
// This field is beta-level in Kubernetes 1.8.
// +optional
repeated EgressRule egress_rule = 7;
}