diff --git a/api/v1beta2/owner.go b/api/v1beta2/owner.go
index fd746853..bd3797f8 100644
--- a/api/v1beta2/owner.go
+++ b/api/v1beta2/owner.go
@@ -3,6 +3,8 @@
package v1beta2
+import "github.com/projectcapsule/capsule/pkg/api"
+
type OwnerSpec struct {
// Kind of tenant owner. Possible values are "User", "Group", and "ServiceAccount"
Kind OwnerKind `json:"kind"`
@@ -11,6 +13,8 @@ type OwnerSpec struct {
// Defines additional cluster-roles for the specific Owner.
// +kubebuilder:default={admin,capsule-namespace-deleter}
ClusterRoles []string `json:"clusterRoles,omitempty"`
+ // Defines additional cluster-resources for the specific Owner.
+ ClusterResources []api.ClusterResource `json:"clusterResources,omitempty"`
// Proxy settings for tenant owner.
ProxyOperations []ProxySettings `json:"proxySettings,omitempty"`
}
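Review bot: The doc comment on the new `ClusterResources` field says only "additional cluster-resources for the specific Owner", which does not tell a reader what access an entry confers or where it is enforced, and unlike the neighbouring `ClusterRoles` (which carries a `+kubebuilder:default` marker) it has no validation marker at all. Because this field extends what a tenant Owner is granted at cluster scope, the comment should state that it is a cluster-level grant and name the type that defines it, for example `// ClusterResources grants the Owner access to cluster-scoped resources; each entry is an api.ClusterResource, so see that type for what one entry permits.`. If `api.ClusterResource` is validated anywhere other than the CRD schema (a webhook, for instance), that is worth stating here too, since I cannot see it from this hunk. The enclosing `OwnerSpec` struct starts outside the hunk.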
diff --git a/api/v1beta2/zz_generated.deepcopy.go b/api/v1beta2/zz_generated.deepcopy.go
index 119085f4..21cc2501 100644
--- a/api/v1beta2/zz_generated.deepcopy.go
+++ b/api/v1beta2/zz_generated.deepcopy.go
@@ -417,6 +417,13 @@ func (in *OwnerSpec) DeepCopyInto(out *OwnerSpec) {
*out = make([]string, len(*in))
copy(*out, *in)
}
+ if in.ClusterResources != nil {
+ in, out := &in.ClusterResources, &out.ClusterResources
+ *out = make([]api.ClusterResource, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
if in.ProxyOperations != nil {
in, out := &in.ProxyOperations, &out.ProxyOperations
*out = make([]ProxySettings, len(*in))
diff --git a/charts/capsule/crds/tenant-crd.yaml b/charts/capsule/crds/tenant-crd.yaml
index 1ead3f3f..5dc0dfb9 100644
--- a/charts/capsule/crds/tenant-crd.yaml
+++ b/charts/capsule/crds/tenant-crd.yaml
@@ -4,174 +4,164 @@ kind: CustomResourceDefinition
metadata:
annotations:
controller-gen.kubebuilder.io/version: v0.10.0
+ creationTimestamp: null
name: tenants.capsule.clastix.io
spec:
- conversion:
- strategy: Webhook
- webhook:
- clientConfig:
- service:
- name: capsule-webhook-service
- namespace: capsule-system
- path: /convert
- conversionReviewVersions:
- - v1beta1
- - v1beta2
group: capsule.clastix.io
names:
kind: Tenant
listKind: TenantList
plural: tenants
shortNames:
- - tnt
+ - tnt
singular: tenant
scope: Cluster
versions:
- - additionalPrinterColumns:
- - description: The actual state of the Tenant
- jsonPath: .status.state
- name: State
- type: string
- - description: The max amount of Namespaces can be created
- jsonPath: .spec.namespaceOptions.quota
- name: Namespace quota
- type: integer
- - description: The total amount of Namespaces in use
- jsonPath: .status.size
- name: Namespace count
- type: integer
- - description: Node Selector applied to Pods
- jsonPath: .spec.nodeSelector
- name: Node selector
- type: string
- - description: Age
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1beta1
- schema:
- openAPIV3Schema:
- description: Tenant is the Schema for the tenants API.
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
+ - additionalPrinterColumns:
+ - description: The actual state of the Tenant
+ jsonPath: .status.state
+ name: State
+ type: string
+ - description: The max amount of Namespaces can be created
+ jsonPath: .spec.namespaceOptions.quota
+ name: Namespace quota
+ type: integer
+ - description: The total amount of Namespaces in use
+ jsonPath: .status.size
+ name: Namespace count
+ type: integer
+ - description: Node Selector applied to Pods
+ jsonPath: .spec.nodeSelector
+ name: Node selector
+ type: string
+ - description: Age
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta1
+ schema:
+ openAPIV3Schema:
+ description: Tenant is the Schema for the tenants API.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: TenantSpec defines the desired state of Tenant.
- properties:
- additionalRoleBindings:
- description: Specifies additional RoleBindings assigned to the Tenant.
- Capsule will ensure that all namespaces in the Tenant always contain
- the RoleBinding for the given ClusterRole. Optional.
- items:
- properties:
- clusterRoleName:
- type: string
- subjects:
- description: kubebuilder:validation:Minimum=1
- items:
- description: Subject contains a reference to the object or
- user identities a role binding applies to. This can either
- hold a direct API object reference, or a value for non-objects
- such as user and group names.
- properties:
- apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and
- Group subjects.
- type: string
- kind:
- description: Kind of object being referenced. Values defined
- by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value,
- the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
- type: string
- namespace:
- description: Namespace of the referenced object. If the
- object kind is non-namespace, such as "User" or "Group",
- and this value is not empty the Authorizer should report
- an error.
- type: string
- required:
- - kind
- - name
- type: object
- x-kubernetes-map-type: atomic
- type: array
- required:
- - clusterRoleName
- - subjects
- type: object
- type: array
- containerRegistries:
- description: Specifies the trusted Image Registries assigned to the
- Tenant. Capsule assures that all Pods resources created in the Tenant
- can use only one of the allowed trusted registries. Optional.
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: TenantSpec defines the desired state of Tenant.
+ properties:
+ additionalRoleBindings:
+ description: Specifies additional RoleBindings assigned to the Tenant.
+ Capsule will ensure that all namespaces in the Tenant always contain
+ the RoleBinding for the given ClusterRole. Optional.
+ items:
properties:
- allowed:
+ clusterRoleName:
+ type: string
+ subjects:
+ description: kubebuilder:validation:Minimum=1
items:
- type: string
+ description: Subject contains a reference to the object or
+ user identities a role binding applies to. This can either
+ hold a direct API object reference, or a value for non-objects
+ such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and
+ Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values defined
+ by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value,
+ the Authorizer should report an error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If the
+ object kind is non-namespace, such as "User" or "Group",
+ and this value is not empty the Authorizer should report
+ an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
type: array
- allowedRegex:
- type: string
+ required:
+ - clusterRoleName
+ - subjects
type: object
- imagePullPolicies:
- description: Specify the allowed values for the imagePullPolicies
- option in Pod resources. Capsule assures that all Pod resources
- created in the Tenant can use only one of the allowed policy. Optional.
- items:
- enum:
- - Always
- - Never
- - IfNotPresent
+ type: array
+ containerRegistries:
+ description: Specifies the trusted Image Registries assigned to the
+ Tenant. Capsule assures that all Pods resources created in the Tenant
+ can use only one of the allowed trusted registries. Optional.
+ properties:
+ allowed:
+ items:
+ type: string
+ type: array
+ allowedRegex:
type: string
- type: array
- ingressOptions:
- description: Specifies options for the Ingress resources, such as
- allowed hostnames and IngressClass. Optional.
- properties:
- allowedClasses:
- description: Specifies the allowed IngressClasses assigned to
- the Tenant. Capsule assures that all Ingress resources created
- in the Tenant can use only one of the allowed IngressClasses.
- Optional.
- properties:
- allowed:
- items:
- type: string
- type: array
- allowedRegex:
+ type: object
+ imagePullPolicies:
+ description: Specify the allowed values for the imagePullPolicies
+ option in Pod resources. Capsule assures that all Pod resources
+ created in the Tenant can use only one of the allowed policy. Optional.
+ items:
+ enum:
+ - Always
+ - Never
+ - IfNotPresent
+ type: string
+ type: array
+ ingressOptions:
+ description: Specifies options for the Ingress resources, such as
+ allowed hostnames and IngressClass. Optional.
+ properties:
+ allowedClasses:
+ description: Specifies the allowed IngressClasses assigned to
+ the Tenant. Capsule assures that all Ingress resources created
+ in the Tenant can use only one of the allowed IngressClasses.
+ Optional.
+ properties:
+ allowed:
+ items:
type: string
- type: object
- allowedHostnames:
- description: Specifies the allowed hostnames in Ingresses for
- the given Tenant. Capsule assures that all Ingress resources
- created in the Tenant can use only one of the allowed hostnames.
- Optional.
- properties:
- allowed:
- items:
- type: string
- type: array
- allowedRegex:
+ type: array
+ allowedRegex:
+ type: string
+ type: object
+ allowedHostnames:
+ description: Specifies the allowed hostnames in Ingresses for
+ the given Tenant. Capsule assures that all Ingress resources
+ created in the Tenant can use only one of the allowed hostnames.
+ Optional.
+ properties:
+ allowed:
+ items:
type: string
- type: object
- hostnameCollisionScope:
- default: Disabled
- description: "Defines the scope of hostname collision check performed
+ type: array
+ allowedRegex:
+ type: string
+ type: object
+ hostnameCollisionScope:
+ default: Disabled
+ description: "Defines the scope of hostname collision check performed
when Tenant Owners create Ingress with allowed hostnames. \n
- Cluster: disallow the creation of an Ingress if the pair hostname
and path is already used across the Namespaces managed by Capsule.
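Review bot: This hunk removes the entire `conversion:` stanza (the `strategy: Webhook` block pointing at `capsule-webhook-service` with `conversionReviewVersions` v1beta1 and v1beta2) from the chart's Tenant CRD, while the CRD still declares both a `v1beta1` and (presumably, further down) a `v1beta2` version. With no `conversion` block the API server falls back to `strategy: None`, so objects are served across versions without the webhook converting their fields, which would silently break clients using the older version once the stored version differs. The surrounding changes (`creationTimestamp: null`, the two-space re-indent of `versions`) look like a controller-gen regeneration overwriting a hand-maintained chart file, so I suspect the deletion is accidental rather than intended; either restore the stanza or note in the commit why conversion is no longer needed. The remainder of the versions list continues in the next hunk beyond this one.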
@@ -180,1113 +170,1119 @@ spec:
Tenant. \n - Namespace: disallow the creation of an Ingress
if the pair hostname and path is already used in the Ingress
Namespace. \n Optional."
- enum:
- - Cluster
- - Tenant
- - Namespace
- - Disabled
- type: string
- type: object
- limitRanges:
- description: Specifies the resource min/max usage restrictions to
- the Tenant. The assigned values are inherited by any namespace created
- in the Tenant. Optional.
- properties:
+ enum:
+ - Cluster
+ - Tenant
+ - Namespace
+ - Disabled
+ type: string
+ type: object
+ limitRanges:
+ description: Specifies the resource min/max usage restrictions to
+ the Tenant. The assigned values are inherited by any namespace created
+ in the Tenant. Optional.
+ properties:
+ items:
items:
- items:
- description: LimitRangeSpec defines a min/max usage limit for
- resources that match on kind.
- properties:
- limits:
- description: Limits is the list of LimitRangeItem objects
- that are enforced.
- items:
- description: LimitRangeItem defines a min/max usage limit
- for any resource that matches on kind.
- properties:
- default:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: Default resource requirement limit value
- by resource name if resource limit is omitted.
- type: object
- defaultRequest:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: DefaultRequest is the default resource
- requirement request value by resource name if resource
- request is omitted.
- type: object
- max:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: Max usage constraints on this kind by
- resource name.
- type: object
- maxLimitRequestRatio:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: MaxLimitRequestRatio if specified, the
- named resource must have a request and limit that
- are both non-zero where limit divided by request
- is less than or equal to the enumerated value; this
- represents the max burst for the named resource.
- type: object
- min:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: Min usage constraints on this kind by
- resource name.
- type: object
- type:
- description: Type of resource that this limit applies
- to.
- type: string
- required:
- - type
- type: object
- type: array
- required:
- - limits
- type: object
- type: array
- type: object
- namespaceOptions:
- description: Specifies options for the Namespaces, such as additional
- metadata or maximum number of namespaces allowed for that Tenant.
- Once the namespace quota assigned to the Tenant has been reached,
- the Tenant owner cannot create further namespaces. Optional.
- properties:
- additionalMetadata:
- description: Specifies additional labels and annotations the Capsule
- operator places on any Namespace resource in the Tenant. Optional.
+ description: LimitRangeSpec defines a min/max usage limit for
+ resources that match on kind.
properties:
- annotations:
- additionalProperties:
- type: string
- type: object
- labels:
- additionalProperties:
- type: string
- type: object
+ limits:
+ description: Limits is the list of LimitRangeItem objects
+ that are enforced.
+ items:
+ description: LimitRangeItem defines a min/max usage limit
+ for any resource that matches on kind.
+ properties:
+ default:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: Default resource requirement limit value
+ by resource name if resource limit is omitted.
+ type: object
+ defaultRequest:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: DefaultRequest is the default resource
+ requirement request value by resource name if resource
+ request is omitted.
+ type: object
+ max:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: Max usage constraints on this kind by
+ resource name.
+ type: object
+ maxLimitRequestRatio:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: MaxLimitRequestRatio if specified, the
+ named resource must have a request and limit that
+ are both non-zero where limit divided by request
+ is less than or equal to the enumerated value; this
+ represents the max burst for the named resource.
+ type: object
+ min:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: Min usage constraints on this kind by
+ resource name.
+ type: object
+ type:
+ description: Type of resource that this limit applies
+ to.
+ type: string
+ required:
+ - type
+ type: object
+ type: array
+ required:
+ - limits
type: object
- quota:
- description: Specifies the maximum number of namespaces allowed
- for that Tenant. Once the namespace quota assigned to the Tenant
- has been reached, the Tenant owner cannot create further namespaces.
- Optional.
- format: int32
- minimum: 1
- type: integer
- type: object
- networkPolicies:
- description: Specifies the NetworkPolicies assigned to the Tenant.
- The assigned NetworkPolicies are inherited by any namespace created
- in the Tenant. Optional.
- properties:
+ type: array
+ type: object
+ namespaceOptions:
+ description: Specifies options for the Namespaces, such as additional
+ metadata or maximum number of namespaces allowed for that Tenant.
+ Once the namespace quota assigned to the Tenant has been reached,
+ the Tenant owner cannot create further namespaces. Optional.
+ properties:
+ additionalMetadata:
+ description: Specifies additional labels and annotations the Capsule
+ operator places on any Namespace resource in the Tenant. Optional.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ quota:
+ description: Specifies the maximum number of namespaces allowed
+ for that Tenant. Once the namespace quota assigned to the Tenant
+ has been reached, the Tenant owner cannot create further namespaces.
+ Optional.
+ format: int32
+ minimum: 1
+ type: integer
+ type: object
+ networkPolicies:
+ description: Specifies the NetworkPolicies assigned to the Tenant.
+ The assigned NetworkPolicies are inherited by any namespace created
+ in the Tenant. Optional.
+ properties:
+ items:
items:
- items:
- description: NetworkPolicySpec provides the specification of
- a NetworkPolicy
- properties:
- egress:
- description: List of egress rules to be applied to the selected
- pods. Outgoing traffic is allowed if there are no NetworkPolicies
- selecting the pod (and cluster policy otherwise allows
- the traffic), OR if the traffic matches at least one egress
- rule across all of the NetworkPolicy objects whose podSelector
- matches the pod. If this field is empty then this NetworkPolicy
- limits all outgoing traffic (and serves solely to ensure
- that the pods it selects are isolated by default). This
- field is beta-level in 1.8
- items:
- description: NetworkPolicyEgressRule describes a particular
- set of traffic that is allowed out of pods matched by
- a NetworkPolicySpec's podSelector. The traffic must
- match both ports and to. This type is beta-level in
- 1.8
- properties:
- ports:
- description: List of destination ports for outgoing
- traffic. Each item in this list is combined using
- a logical OR. If this field is empty or missing,
- this rule matches all ports (traffic not restricted
- by port). If this field is present and contains
- at least one item, then this rule allows traffic
- only if the traffic matches at least one port in
- the list.
- items:
- description: NetworkPolicyPort describes a port
- to allow traffic on
- properties:
- endPort:
- description: If set, indicates that the range
- of ports from port to endPort, inclusive,
- should be allowed by the policy. This field
- cannot be defined if the port field is not
- defined or if the port field is defined as
- a named (string) port. The endPort must be
- equal or greater than port. This feature is
- in Beta state and is enabled by default. It
- can be disabled using the Feature Gate "NetworkPolicyEndPort".
- format: int32
- type: integer
- port:
- anyOf:
- - type: integer
- - type: string
- description: The port on the given protocol.
- This can either be a numerical or named port
- on a pod. If this field is not provided, this
- matches all port names and numbers. If present,
- only traffic on the specified protocol AND
- port will be matched.
- x-kubernetes-int-or-string: true
- protocol:
- default: TCP
- description: The protocol (TCP, UDP, or SCTP)
- which traffic must match. If not specified,
- this field defaults to TCP.
- type: string
- type: object
- type: array
- to:
- description: List of destinations for outgoing traffic
- of pods selected for this rule. Items in this list
- are combined using a logical OR operation. If this
- field is empty or missing, this rule matches all
- destinations (traffic not restricted by destination).
- If this field is present and contains at least one
- item, this rule allows traffic only if the traffic
- matches at least one item in the to list.
- items:
- description: NetworkPolicyPeer describes a peer
- to allow traffic to/from. Only certain combinations
- of fields are allowed
- properties:
- ipBlock:
- description: IPBlock defines policy on a particular
- IPBlock. If this field is set then neither
- of the other fields can be.
- properties:
- cidr:
- description: CIDR is a string representing
- the IP Block Valid examples are "192.168.1.1/24"
- or "2001:db9::/64"
+ description: NetworkPolicySpec provides the specification of
+ a NetworkPolicy
+ properties:
+ egress:
+ description: egress is a list of egress rules to be applied
+ to the selected pods. Outgoing traffic is allowed if there
+ are no NetworkPolicies selecting the pod (and cluster
+ policy otherwise allows the traffic), OR if the traffic
+ matches at least one egress rule across all of the NetworkPolicy
+ objects whose podSelector matches the pod. If this field
+ is empty then this NetworkPolicy limits all outgoing traffic
+ (and serves solely to ensure that the pods it selects
+ are isolated by default). This field is beta-level in
+ 1.8
+ items:
+ description: NetworkPolicyEgressRule describes a particular
+ set of traffic that is allowed out of pods matched by
+ a NetworkPolicySpec's podSelector. The traffic must
+ match both ports and to. This type is beta-level in
+ 1.8
+ properties:
+ ports:
+ description: ports is a list of destination ports
+ for outgoing traffic. Each item in this list is
+ combined using a logical OR. If this field is empty
+ or missing, this rule matches all ports (traffic
+ not restricted by port). If this field is present
+ and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one
+ port in the list.
+ items:
+ description: NetworkPolicyPort describes a port
+ to allow traffic on
+ properties:
+ endPort:
+ description: endPort indicates that the range
+ of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field
+ cannot be defined if the port field is not
+ defined or if the port field is defined as
+ a named (string) port. The endPort must be
+ equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: port represents the port on the
+ given protocol. This can either be a numerical
+ or named port on a pod. If this field is not
+ provided, this matches all port names and
+ numbers. If present, only traffic on the specified
+ protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ default: TCP
+ description: protocol represents the protocol
+ (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ to:
+ description: to is a list of destinations for outgoing
+ traffic of pods selected for this rule. Items in
+ this list are combined using a logical OR operation.
+ If this field is empty or missing, this rule matches
+ all destinations (traffic not restricted by destination).
+ If this field is present and contains at least one
+ item, this rule allows traffic only if the traffic
+ matches at least one item in the to list.
+ items:
+ description: NetworkPolicyPeer describes a peer
+ to allow traffic to/from. Only certain combinations
+ of fields are allowed
+ properties:
+ ipBlock:
+ description: ipBlock defines policy on a particular
+ IPBlock. If this field is set then neither
+ of the other fields can be.
+ properties:
+ cidr:
+ description: cidr is a string representing
+ the IPBlock Valid examples are "192.168.1.0/24"
+ or "2001:db8::/64"
+ type: string
+ except:
+ description: except is a slice of CIDRs
+ that should not be included within an
+ IPBlock Valid examples are "192.168.1.0/24"
+ or "2001:db8::/64" Except values will
+ be rejected if they are outside the cidr
+ range
+ items:
type: string
- except:
- description: Except is a slice of CIDRs
- that should not be included within an
- IP Block Valid examples are "192.168.1.1/24"
- or "2001:db9::/64" Except values will
- be rejected if they are outside the CIDR
- range
- items:
- type: string
- type: array
- required:
- - cidr
- type: object
- namespaceSelector:
- description: "Selects Namespaces using cluster-scoped
- labels. This field follows standard label
- selector semantics; if present but empty,
- it selects all namespaces. \n If PodSelector
- is also set, then the NetworkPolicyPeer as
- a whole selects the Pods matching PodSelector
- in the Namespaces selected by NamespaceSelector.
- Otherwise it selects all Pods in the Namespaces
- selected by NamespaceSelector."
- properties:
- matchExpressions:
- description: matchExpressions is a list
- of label selector requirements. The requirements
- are ANDed.
- items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
- properties:
- key:
- description: key is the label key
- that the selector applies to.
+ type: array
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: "namespaceSelector selects namespaces
+ using cluster-scoped labels. This field follows
+ standard label selector semantics; if present
+ but empty, it selects all namespaces. \n If
+ podSelector is also set, then the NetworkPolicyPeer
+ as a whole selects the pods matching podSelector
+ in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces
+ selected by namespaceSelector."
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: A label selector requirement
+ is a selector that contains values,
+ a key, and an operator that relates
+ the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a
+ key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists
+ and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of
+ string values. If the operator is
+ In or NotIn, the values array must
+ be non-empty. If the operator is
+ Exists or DoesNotExist, the values
+ array must be empty. This array
+ is replaced during a strategic merge
+ patch.
+ items:
type: string
- operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
- type: string
- values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ type: array
+ required:
+ - key
+ - operator
type: object
- type: object
- x-kubernetes-map-type: atomic
- podSelector:
- description: "This is a label selector which
- selects Pods. This field follows standard
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator
+ is "In", and the values array contains
+ only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: "podSelector is a label selector
+ which selects pods. This field follows standard
label selector semantics; if present but empty,
- it selects all pods. \n If NamespaceSelector
+ it selects all pods. \n If namespaceSelector
is also set, then the NetworkPolicyPeer as
- a whole selects the Pods matching PodSelector
+ a whole selects the pods matching podSelector
in the Namespaces selected by NamespaceSelector.
- Otherwise it selects the Pods matching PodSelector
- in the policy's own Namespace."
- properties:
- matchExpressions:
- description: matchExpressions is a list
- of label selector requirements. The requirements
- are ANDed.
- items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
- properties:
- key:
- description: key is the label key
- that the selector applies to.
+ Otherwise it selects the pods matching podSelector
+ in the policy's own namespace."
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: A label selector requirement
+ is a selector that contains values,
+ a key, and an operator that relates
+ the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a
+ key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists
+ and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of
+ string values. If the operator is
+ In or NotIn, the values array must
+ be non-empty. If the operator is
+ Exists or DoesNotExist, the values
+ array must be empty. This array
+ is replaced during a strategic merge
+ patch.
+ items:
type: string
- operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
- type: string
- values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ type: array
+ required:
+ - key
+ - operator
type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- type: array
- type: object
- type: array
- ingress:
- description: List of ingress rules to be applied to the
- selected pods. Traffic is allowed to a pod if there are
- no NetworkPolicies selecting the pod (and cluster policy
- otherwise allows the traffic), OR if the traffic source
- is the pod's local node, OR if the traffic matches at
- least one ingress rule across all of the NetworkPolicy
- objects whose podSelector matches the pod. If this field
- is empty then this NetworkPolicy does not allow any traffic
- (and serves solely to ensure that the pods it selects
- are isolated by default)
- items:
- description: NetworkPolicyIngressRule describes a particular
- set of traffic that is allowed to the pods matched by
- a NetworkPolicySpec's podSelector. The traffic must
- match both ports and from.
- properties:
- from:
- description: List of sources which should be able
- to access the pods selected for this rule. Items
- in this list are combined using a logical OR operation.
- If this field is empty or missing, this rule matches
- all sources (traffic not restricted by source).
- If this field is present and contains at least one
- item, this rule allows traffic only if the traffic
- matches at least one item in the from list.
- items:
- description: NetworkPolicyPeer describes a peer
- to allow traffic to/from. Only certain combinations
- of fields are allowed
- properties:
- ipBlock:
- description: IPBlock defines policy on a particular
- IPBlock. If this field is set then neither
- of the other fields can be.
- properties:
- cidr:
- description: CIDR is a string representing
- the IP Block Valid examples are "192.168.1.1/24"
- or "2001:db9::/64"
+ type: array
+ matchLabels:
+ additionalProperties:
type: string
- except:
- description: Except is a slice of CIDRs
- that should not be included within an
- IP Block Valid examples are "192.168.1.1/24"
- or "2001:db9::/64" Except values will
- be rejected if they are outside the CIDR
- range
- items:
- type: string
- type: array
- required:
- - cidr
- type: object
- namespaceSelector:
- description: "Selects Namespaces using cluster-scoped
- labels. This field follows standard label
- selector semantics; if present but empty,
- it selects all namespaces. \n If PodSelector
- is also set, then the NetworkPolicyPeer as
- a whole selects the Pods matching PodSelector
- in the Namespaces selected by NamespaceSelector.
- Otherwise it selects all Pods in the Namespaces
- selected by NamespaceSelector."
- properties:
- matchExpressions:
- description: matchExpressions is a list
- of label selector requirements. The requirements
- are ANDed.
- items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
- properties:
- key:
- description: key is the label key
- that the selector applies to.
- type: string
- operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator
+ is "In", and the values array contains
+ only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ type: object
+ type: array
+ ingress:
+ description: ingress is a list of ingress rules to be applied
+ to the selected pods. Traffic is allowed to a pod if there
+ are no NetworkPolicies selecting the pod (and cluster
+ policy otherwise allows the traffic), OR if the traffic
+ source is the pod's local node, OR if the traffic matches
+ at least one ingress rule across all of the NetworkPolicy
+ objects whose podSelector matches the pod. If this field
+ is empty then this NetworkPolicy does not allow any traffic
+ (and serves solely to ensure that the pods it selects
+ are isolated by default)
+ items:
+ description: NetworkPolicyIngressRule describes a particular
+ set of traffic that is allowed to the pods matched by
+ a NetworkPolicySpec's podSelector. The traffic must
+ match both ports and from.
+ properties:
+ from:
+ description: from is a list of sources which should
+ be able to access the pods selected for this rule.
+ Items in this list are combined using a logical
+ OR operation. If this field is empty or missing,
+ this rule matches all sources (traffic not restricted
+ by source). If this field is present and contains
+ at least one item, this rule allows traffic only
+ if the traffic matches at least one item in the
+ from list.
+ items:
+ description: NetworkPolicyPeer describes a peer
+ to allow traffic to/from. Only certain combinations
+ of fields are allowed
+ properties:
+ ipBlock:
+ description: ipBlock defines policy on a particular
+ IPBlock. If this field is set then neither
+ of the other fields can be.
+ properties:
+ cidr:
+ description: cidr is a string representing
+ the IPBlock Valid examples are "192.168.1.0/24"
+ or "2001:db8::/64"
+ type: string
+ except:
+ description: except is a slice of CIDRs
+ that should not be included within an
+ IPBlock Valid examples are "192.168.1.0/24"
+ or "2001:db8::/64" Except values will
+ be rejected if they are outside the cidr
+ range
+ items:
+ type: string
+ type: array
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: "namespaceSelector selects namespaces
+ using cluster-scoped labels. This field follows
+ standard label selector semantics; if present
+ but empty, it selects all namespaces. \n If
+ podSelector is also set, then the NetworkPolicyPeer
+ as a whole selects the pods matching podSelector
+ in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces
+ selected by namespaceSelector."
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: A label selector requirement
+ is a selector that contains values,
+ a key, and an operator that relates
+ the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a
+ key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists
+ and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of
+ string values. If the operator is
+ In or NotIn, the values array must
+ be non-empty. If the operator is
+ Exists or DoesNotExist, the values
+ array must be empty. This array
+ is replaced during a strategic merge
+ patch.
+ items:
type: string
- values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ type: array
+ required:
+ - key
+ - operator
type: object
- type: object
- x-kubernetes-map-type: atomic
- podSelector:
- description: "This is a label selector which
- selects Pods. This field follows standard
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator
+ is "In", and the values array contains
+ only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: "podSelector is a label selector
+ which selects pods. This field follows standard
label selector semantics; if present but empty,
- it selects all pods. \n If NamespaceSelector
+ it selects all pods. \n If namespaceSelector
is also set, then the NetworkPolicyPeer as
- a whole selects the Pods matching PodSelector
+ a whole selects the pods matching podSelector
in the Namespaces selected by NamespaceSelector.
- Otherwise it selects the Pods matching PodSelector
- in the policy's own Namespace."
- properties:
- matchExpressions:
- description: matchExpressions is a list
- of label selector requirements. The requirements
- are ANDed.
- items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
- properties:
- key:
- description: key is the label key
- that the selector applies to.
- type: string
- operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ Otherwise it selects the pods matching podSelector
+ in the policy's own namespace."
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: A label selector requirement
+ is a selector that contains values,
+ a key, and an operator that relates
+ the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a
+ key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists
+ and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of
+ string values. If the operator is
+ In or NotIn, the values array must
+ be non-empty. If the operator is
+ Exists or DoesNotExist, the values
+ array must be empty. This array
+ is replaced during a strategic merge
+ patch.
+ items:
type: string
- values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ type: array
+ required:
+ - key
+ - operator
type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- type: array
- ports:
- description: List of ports which should be made accessible
- on the pods selected for this rule. Each item in
- this list is combined using a logical OR. If this
- field is empty or missing, this rule matches all
- ports (traffic not restricted by port). If this
- field is present and contains at least one item,
- then this rule allows traffic only if the traffic
- matches at least one port in the list.
- items:
- description: NetworkPolicyPort describes a port
- to allow traffic on
- properties:
- endPort:
- description: If set, indicates that the range
- of ports from port to endPort, inclusive,
- should be allowed by the policy. This field
- cannot be defined if the port field is not
- defined or if the port field is defined as
- a named (string) port. The endPort must be
- equal or greater than port. This feature is
- in Beta state and is enabled by default. It
- can be disabled using the Feature Gate "NetworkPolicyEndPort".
- format: int32
- type: integer
- port:
- anyOf:
- - type: integer
- - type: string
- description: The port on the given protocol.
- This can either be a numerical or named port
- on a pod. If this field is not provided, this
- matches all port names and numbers. If present,
- only traffic on the specified protocol AND
- port will be matched.
- x-kubernetes-int-or-string: true
- protocol:
- default: TCP
- description: The protocol (TCP, UDP, or SCTP)
- which traffic must match. If not specified,
- this field defaults to TCP.
- type: string
- type: object
- type: array
- type: object
- type: array
- podSelector:
- description: Selects the pods to which this NetworkPolicy
- object applies. The array of ingress rules is applied
- to any pods selected by this field. Multiple network policies
- can select the same set of pods. In this case, the ingress
- rules for each are combined additively. This field is
- NOT optional and follows standard label selector semantics.
- An empty podSelector matches all pods in this namespace.
- properties:
- matchExpressions:
- description: matchExpressions is a list of label selector
- requirements. The requirements are ANDed.
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator
+ is "In", and the values array contains
+ only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ ports:
+ description: ports is a list of ports which should
+ be made accessible on the pods selected for this
+ rule. Each item in this list is combined using a
+ logical OR. If this field is empty or missing, this
+ rule matches all ports (traffic not restricted by
+ port). If this field is present and contains at
+ least one item, then this rule allows traffic only
+ if the traffic matches at least one port in the
+ list.
items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that
- relates the key and values.
+ description: NetworkPolicyPort describes a port
+ to allow traffic on
properties:
- key:
- description: key is the label key that the selector
- applies to.
- type: string
- operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In,
- NotIn, Exists and DoesNotExist.
+ endPort:
+ description: endPort indicates that the range
+ of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field
+ cannot be defined if the port field is not
+ defined or if the port field is defined as
+ a named (string) port. The endPort must be
+ equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: port represents the port on the
+ given protocol. This can either be a numerical
+ or named port on a pod. If this field is not
+ provided, this matches all port names and
+ numbers. If present, only traffic on the specified
+ protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ default: TCP
+ description: protocol represents the protocol
+ (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
type: string
- values:
- description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists
- or DoesNotExist, the values array must be empty.
- This array is replaced during a strategic merge
- patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
type: object
type: array
- matchLabels:
- additionalProperties:
- type: string
- description: matchLabels is a map of {key,value} pairs.
- A single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field
- is "key", the operator is "In", and the values array
- contains only "value". The requirements are ANDed.
- type: object
type: object
- x-kubernetes-map-type: atomic
- policyTypes:
- description: List of rule types that the NetworkPolicy relates
- to. Valid options are ["Ingress"], ["Egress"], or ["Ingress",
- "Egress"]. If this field is not specified, it will default
- based on the existence of Ingress or Egress rules; policies
- that contain an Egress section are assumed to affect Egress,
- and all policies (whether or not they contain an Ingress
- section) are assumed to affect Ingress. If you want to
- write an egress-only policy, you must explicitly specify
- policyTypes [ "Egress" ]. Likewise, if you want to write
- a policy that specifies that no egress is allowed, you
- must specify a policyTypes value that include "Egress"
- (since such a policy would not include an Egress section
- and would otherwise default to just [ "Ingress" ]). This
- field is beta-level in 1.8
- items:
- description: PolicyType string describes the NetworkPolicy
- type This type is beta-level in 1.8
- type: string
- type: array
- required:
- - podSelector
- type: object
- type: array
- type: object
- nodeSelector:
- additionalProperties:
- type: string
- description: Specifies the label to control the placement of pods
- on a given pool of worker nodes. All namespaces created within the
- Tenant will have the node selector annotation. This annotation tells
- the Kubernetes scheduler to place pods on the nodes having the selector
- label. Optional.
- type: object
- owners:
- description: Specifies the owners of the Tenant. Mandatory.
- items:
- properties:
- kind:
- description: Kind of tenant owner. Possible values are "User",
- "Group", and "ServiceAccount"
- enum:
- - User
- - Group
- - ServiceAccount
- type: string
- name:
- description: Name of tenant owner.
- type: string
- proxySettings:
- description: Proxy settings for tenant owner.
- items:
+ type: array
+ podSelector:
+ description: podSelector selects the pods to which this
+ NetworkPolicy object applies. The array of ingress rules
+ is applied to any pods selected by this field. Multiple
+ network policies can select the same set of pods. In this
+ case, the ingress rules for each are combined additively.
+ This field is NOT optional and follows standard label
+ selector semantics. An empty podSelector matches all pods
+ in this namespace.
properties:
- kind:
- enum:
- - Nodes
- - StorageClasses
- - IngressClasses
- - PriorityClasses
- type: string
- operations:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
items:
- enum:
- - List
- - Update
- - Delete
- type: string
+ description: A label selector requirement is a selector
+ that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are In,
+ NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values.
+ If the operator is In or NotIn, the values array
+ must be non-empty. If the operator is Exists
+ or DoesNotExist, the values array must be empty.
+ This array is replaced during a strategic merge
+ patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
type: array
- required:
- - kind
- - operations
- type: object
- type: array
- required:
- - kind
- - name
- type: object
- type: array
- podOptions:
- description: Specifies options for the Pod, such as additional metadata. Optional.
- properties:
- additionalMetadata:
- description: Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional.
- properties:
- annotations:
- additionalProperties:
- type: string
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value} pairs.
+ A single {key,value} in the matchLabels map is equivalent
+ to an element of matchExpressions, whose key field
+ is "key", the operator is "In", and the values array
+ contains only "value". The requirements are ANDed.
+ type: object
type: object
- labels:
- additionalProperties:
+ x-kubernetes-map-type: atomic
+ policyTypes:
+ description: policyTypes is a list of rule types that the
+ NetworkPolicy relates to. Valid options are ["Ingress"],
+ ["Egress"], or ["Ingress", "Egress"]. If this field is
+ not specified, it will default based on the existence
+ of ingress or egress rules; policies that contain an egress
+ section are assumed to affect egress, and all policies
+ (whether or not they contain an ingress section) are assumed
+ to affect ingress. If you want to write an egress-only
+ policy, you must explicitly specify policyTypes [ "Egress"
+ ]. Likewise, if you want to write a policy that specifies
+ that no egress is allowed, you must specify a policyTypes
+ value that include "Egress" (since such a policy would
+ not include an egress section and would otherwise default
+ to just [ "Ingress" ]). This field is beta-level in 1.8
+ items:
+ description: PolicyType string describes the NetworkPolicy
+ type This type is beta-level in 1.8
type: string
- type: object
+ type: array
+ required:
+ - podSelector
type: object
- type: object
- priorityClasses:
- description: Specifies the allowed priorityClasses assigned to the
- Tenant. Capsule assures that all Pods resources created in the Tenant
- can use only one of the allowed PriorityClasses. Optional.
+ type: array
+ type: object
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: Specifies the label to control the placement of pods
+ on a given pool of worker nodes. All namespaces created within the
+ Tenant will have the node selector annotation. This annotation tells
+ the Kubernetes scheduler to place pods on the nodes having the selector
+ label. Optional.
+ type: object
+ owners:
+ description: Specifies the owners of the Tenant. Mandatory.
+ items:
properties:
- allowed:
- items:
- type: string
- type: array
- allowedRegex:
+ kind:
+ description: Kind of tenant owner. Possible values are "User",
+ "Group", and "ServiceAccount"
+ enum:
+ - User
+ - Group
+ - ServiceAccount
type: string
- type: object
- resourceQuotas:
- description: Specifies a list of ResourceQuota resources assigned
- to the Tenant. The assigned values are inherited by any namespace
- created in the Tenant. The Capsule operator aggregates ResourceQuota
- at Tenant level, so that the hard quota is never crossed for the
- given Tenant. This permits the Tenant owner to consume resources
- in the Tenant regardless of the namespace. Optional.
- properties:
- items:
+ name:
+ description: Name of tenant owner.
+ type: string
+ proxySettings:
+ description: Proxy settings for tenant owner.
items:
- description: ResourceQuotaSpec defines the desired hard limits
- to enforce for Quota.
properties:
- hard:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: 'hard is the set of desired hard limits for
- each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/'
- type: object
- scopeSelector:
- description: scopeSelector is also a collection of filters
- like scopes that must match each object tracked by a quota
- but expressed using ScopeSelectorOperator in combination
- with possible values. For a resource to match, both scopes
- AND scopeSelector (if specified in spec), must be matched.
- properties:
- matchExpressions:
- description: A list of scope selector requirements by
- scope of the resources.
- items:
- description: A scoped-resource selector requirement
- is a selector that contains values, a scope name,
- and an operator that relates the scope name and
- values.
- properties:
- operator:
- description: Represents a scope's relationship
- to a set of values. Valid operators are In,
- NotIn, Exists, DoesNotExist.
- type: string
- scopeName:
- description: The name of the scope that the selector
- applies to.
- type: string
- values:
- description: An array of string values. If the
- operator is In or NotIn, the values array must
- be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is
- replaced during a strategic merge patch.
- items:
- type: string
- type: array
- required:
- - operator
- - scopeName
- type: object
- type: array
- type: object
- x-kubernetes-map-type: atomic
- scopes:
- description: A collection of filters that must match each
- object tracked by a quota. If not specified, the quota
- matches all objects.
+ kind:
+ enum:
+ - Nodes
+ - StorageClasses
+ - IngressClasses
+ - PriorityClasses
+ type: string
+ operations:
items:
- description: A ResourceQuotaScope defines a filter that
- must match each object tracked by a quota
+ enum:
+ - List
+ - Update
+ - Delete
type: string
type: array
+ required:
+ - kind
+ - operations
type: object
type: array
- scope:
- default: Tenant
- description: Define if the Resource Budget should compute resource
- across all Namespaces in the Tenant or individually per cluster.
- Default is Tenant
- enum:
- - Tenant
- - Namespace
- type: string
+ required:
+ - kind
+ - name
type: object
- serviceOptions:
- description: Specifies options for the Service, such as additional
- metadata or block of certain type of Services. Optional.
- properties:
- additionalMetadata:
- description: Specifies additional labels and annotations the Capsule
- operator places on any Service resource in the Tenant. Optional.
+ type: array
+ priorityClasses:
+ description: Specifies the allowed priorityClasses assigned to the
+ Tenant. Capsule assures that all Pods resources created in the Tenant
+ can use only one of the allowed PriorityClasses. Optional.
+ properties:
+ allowed:
+ items:
+ type: string
+ type: array
+ allowedRegex:
+ type: string
+ type: object
+ resourceQuotas:
+ description: Specifies a list of ResourceQuota resources assigned
+ to the Tenant. The assigned values are inherited by any namespace
+ created in the Tenant. The Capsule operator aggregates ResourceQuota
+ at Tenant level, so that the hard quota is never crossed for the
+ given Tenant. This permits the Tenant owner to consume resources
+ in the Tenant regardless of the namespace. Optional.
+ properties:
+ items:
+ items:
+ description: ResourceQuotaSpec defines the desired hard limits
+ to enforce for Quota.
properties:
- annotations:
+ hard:
additionalProperties:
- type: string
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: 'hard is the set of desired hard limits for
+ each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/'
type: object
- labels:
- additionalProperties:
- type: string
+ scopeSelector:
+ description: scopeSelector is also a collection of filters
+ like scopes that must match each object tracked by a quota
+ but expressed using ScopeSelectorOperator in combination
+ with possible values. For a resource to match, both scopes
+ AND scopeSelector (if specified in spec), must be matched.
+ properties:
+ matchExpressions:
+ description: A list of scope selector requirements by
+ scope of the resources.
+ items:
+ description: A scoped-resource selector requirement
+ is a selector that contains values, a scope name,
+ and an operator that relates the scope name and
+ values.
+ properties:
+ operator:
+ description: Represents a scope's relationship
+ to a set of values. Valid operators are In,
+ NotIn, Exists, DoesNotExist.
+ type: string
+ scopeName:
+ description: The name of the scope that the selector
+ applies to.
+ type: string
+ values:
+ description: An array of string values. If the
+ operator is In or NotIn, the values array must
+ be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - operator
+ - scopeName
+ type: object
+ type: array
type: object
- type: object
- allowedServices:
- description: Block or deny certain type of Services. Optional.
- properties:
- externalName:
- default: true
- description: Specifies if ExternalName service type resources
- are allowed for the Tenant. Default is true. Optional.
- type: boolean
- loadBalancer:
- default: true
- description: Specifies if LoadBalancer service type resources
- are allowed for the Tenant. Default is true. Optional.
- type: boolean
- nodePort:
- default: true
- description: Specifies if NodePort service type resources
- are allowed for the Tenant. Default is true. Optional.
- type: boolean
- type: object
- externalIPs:
- description: Specifies the external IPs that can be used in Services
- with type ClusterIP. An empty list means no IPs are allowed.
- Optional.
- properties:
- allowed:
+ x-kubernetes-map-type: atomic
+ scopes:
+ description: A collection of filters that must match each
+ object tracked by a quota. If not specified, the quota
+ matches all objects.
items:
- pattern: ^([0-9]{1,3}.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$
+ description: A ResourceQuotaScope defines a filter that
+ must match each object tracked by a quota
type: string
type: array
- required:
- - allowed
type: object
- type: object
- storageClasses:
- description: Specifies the allowed StorageClasses assigned to the
- Tenant. Capsule assures that all PersistentVolumeClaim resources
- created in the Tenant can use only one of the allowed StorageClasses.
- Optional.
- properties:
- allowed:
- items:
+ type: array
+ scope:
+ default: Tenant
+ description: Define if the Resource Budget should compute resource
+ across all Namespaces in the Tenant or individually per cluster.
+ Default is Tenant
+ enum:
+ - Tenant
+ - Namespace
+ type: string
+ type: object
+ serviceOptions:
+ description: Specifies options for the Service, such as additional
+ metadata or block of certain type of Services. Optional.
+ properties:
+ additionalMetadata:
+ description: Specifies additional labels and annotations the Capsule
+ operator places on any Service resource in the Tenant. Optional.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ allowedServices:
+ description: Block or deny certain type of Services. Optional.
+ properties:
+ externalName:
+ default: true
+ description: Specifies if ExternalName service type resources
+ are allowed for the Tenant. Default is true. Optional.
+ type: boolean
+ loadBalancer:
+ default: true
+ description: Specifies if LoadBalancer service type resources
+ are allowed for the Tenant. Default is true. Optional.
+ type: boolean
+ nodePort:
+ default: true
+ description: Specifies if NodePort service type resources
+ are allowed for the Tenant. Default is true. Optional.
+ type: boolean
+ type: object
+ externalIPs:
+ description: Specifies the external IPs that can be used in Services
+ with type ClusterIP. An empty list means no IPs are allowed.
+ Optional.
+ properties:
+ allowed:
+ items:
+ pattern: ^([0-9]{1,3}.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$
+ type: string
+ type: array
+ required:
+ - allowed
+ type: object
+ forbiddenAnnotations:
+ description: Define the annotations that a Tenant Owner cannot
+ set for their Service resources.
+ properties:
+ denied:
+ items:
+ type: string
+ type: array
+ deniedRegex:
type: string
- type: array
- allowedRegex:
+ type: object
+ forbiddenLabels:
+ description: Define the labels that a Tenant Owner cannot set
+ for their Service resources.
+ properties:
+ denied:
+ items:
+ type: string
+ type: array
+ deniedRegex:
+ type: string
+ type: object
+ type: object
+ storageClasses:
+ description: Specifies the allowed StorageClasses assigned to the
+ Tenant. Capsule assures that all PersistentVolumeClaim resources
+ created in the Tenant can use only one of the allowed StorageClasses.
+ Optional.
+ properties:
+ allowed:
+ items:
type: string
- type: object
- required:
- - owners
- type: object
- status:
- description: Returns the observed state of the Tenant.
- properties:
- namespaces:
- description: List of namespaces assigned to the Tenant.
- items:
+ type: array
+ allowedRegex:
type: string
- type: array
- size:
- description: How many namespaces are assigned to the Tenant.
- type: integer
- state:
- default: Active
- description: The operational state of the Tenant. Possible values
- are "Active", "Cordoned".
- enum:
- - Cordoned
- - Active
+ type: object
+ required:
+ - owners
+ type: object
+ status:
+ description: Returns the observed state of the Tenant.
+ properties:
+ namespaces:
+ description: List of namespaces assigned to the Tenant.
+ items:
type: string
- required:
- - size
- - state
- type: object
- type: object
- served: true
- storage: false
- subresources:
- status: {}
- - additionalPrinterColumns:
- - description: The actual state of the Tenant
- jsonPath: .status.state
- name: State
- type: string
- - description: The max amount of Namespaces can be created
- jsonPath: .spec.namespaceOptions.quota
- name: Namespace quota
- type: integer
- - description: The total amount of Namespaces in use
- jsonPath: .status.size
- name: Namespace count
- type: integer
- - description: Node Selector applied to Pods
- jsonPath: .spec.nodeSelector
- name: Node selector
- type: string
- - description: Age
- jsonPath: .metadata.creationTimestamp
- name: Age
- type: date
- name: v1beta2
- schema:
- openAPIV3Schema:
- description: Tenant is the Schema for the tenants API.
- properties:
- apiVersion:
- description: 'APIVersion defines the versioned schema of this representation
+ type: array
+ size:
+ description: How many namespaces are assigned to the Tenant.
+ type: integer
+ state:
+ default: Active
+ description: The operational state of the Tenant. Possible values
+ are "Active", "Cordoned".
+ enum:
+ - Cordoned
+ - Active
+ type: string
+ required:
+ - size
+ - state
+ type: object
+ type: object
+ served: true
+ storage: false
+ subresources:
+ status: {}
+ - additionalPrinterColumns:
+ - description: The actual state of the Tenant
+ jsonPath: .status.state
+ name: State
+ type: string
+ - description: The max amount of Namespaces can be created
+ jsonPath: .spec.namespaceOptions.quota
+ name: Namespace quota
+ type: integer
+ - description: The total amount of Namespaces in use
+ jsonPath: .status.size
+ name: Namespace count
+ type: integer
+ - description: Node Selector applied to Pods
+ jsonPath: .spec.nodeSelector
+ name: Node selector
+ type: string
+ - description: Age
+ jsonPath: .metadata.creationTimestamp
+ name: Age
+ type: date
+ name: v1beta2
+ schema:
+ openAPIV3Schema:
+ description: Tenant is the Schema for the tenants API.
+ properties:
+ apiVersion:
+ description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
- type: string
- kind:
- description: 'Kind is a string value representing the REST resource this
+ type: string
+ kind:
+ description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
- type: string
- metadata:
- type: object
- spec:
- description: TenantSpec defines the desired state of Tenant.
- properties:
- additionalRoleBindings:
- description: Specifies additional RoleBindings assigned to the Tenant.
- Capsule will ensure that all namespaces in the Tenant always contain
- the RoleBinding for the given ClusterRole. Optional.
- items:
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: TenantSpec defines the desired state of Tenant.
+ properties:
+ additionalRoleBindings:
+ description: Specifies additional RoleBindings assigned to the Tenant.
+ Capsule will ensure that all namespaces in the Tenant always contain
+ the RoleBinding for the given ClusterRole. Optional.
+ items:
+ properties:
+ clusterRoleName:
+ type: string
+ subjects:
+ description: kubebuilder:validation:Minimum=1
+ items:
+ description: Subject contains a reference to the object or
+ user identities a role binding applies to. This can either
+ hold a direct API object reference, or a value for non-objects
+ such as user and group names.
+ properties:
+ apiGroup:
+ description: APIGroup holds the API group of the referenced
+ subject. Defaults to "" for ServiceAccount subjects.
+ Defaults to "rbac.authorization.k8s.io" for User and
+ Group subjects.
+ type: string
+ kind:
+ description: Kind of object being referenced. Values defined
+ by this API group are "User", "Group", and "ServiceAccount".
+ If the Authorizer does not recognized the kind value,
+ the Authorizer should report an error.
+ type: string
+ name:
+ description: Name of the object being referenced.
+ type: string
+ namespace:
+ description: Namespace of the referenced object. If the
+ object kind is non-namespace, such as "User" or "Group",
+ and this value is not empty the Authorizer should report
+ an error.
+ type: string
+ required:
+ - kind
+ - name
+ type: object
+ x-kubernetes-map-type: atomic
+ type: array
+ required:
+ - clusterRoleName
+ - subjects
+ type: object
+ type: array
+ containerRegistries:
+ description: Specifies the trusted Image Registries assigned to the
+ Tenant. Capsule assures that all Pods resources created in the Tenant
+ can use only one of the allowed trusted registries. Optional.
+ properties:
+ allowed:
+ items:
+ type: string
+ type: array
+ allowedRegex:
+ type: string
+ type: object
+ cordoned:
+ description: Toggling the Tenant resources cordoning, when enable
+ resources cannot be deleted.
+ type: boolean
+ imagePullPolicies:
+ description: Specify the allowed values for the imagePullPolicies
+ option in Pod resources. Capsule assures that all Pod resources
+ created in the Tenant can use only one of the allowed policy. Optional.
+ items:
+ enum:
+ - Always
+ - Never
+ - IfNotPresent
+ type: string
+ type: array
+ ingressOptions:
+ description: Specifies options for the Ingress resources, such as
+ allowed hostnames and IngressClass. Optional.
+ properties:
+ allowWildcardHostnames:
+ description: Toggles the ability for Ingress resources created
+ in a Tenant to have a hostname wildcard.
+ type: boolean
+ allowedClasses:
+ description: Specifies the allowed IngressClasses assigned to
+ the Tenant. Capsule assures that all Ingress resources created
+ in the Tenant can use only one of the allowed IngressClasses.
+ A default value can be specified, and all the Ingress resources
+ created will inherit the declared class. Optional.
properties:
- clusterRoleName:
+ allowed:
+ items:
+ type: string
+ type: array
+ allowedRegex:
+ type: string
+ default:
type: string
- subjects:
- description: kubebuilder:validation:Minimum=1
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
items:
- description: Subject contains a reference to the object or
- user identities a role binding applies to. This can either
- hold a direct API object reference, or a value for non-objects
- such as user and group names.
+ description: A label selector requirement is a selector
+ that contains values, a key, and an operator that relates
+ the key and values.
properties:
- apiGroup:
- description: APIGroup holds the API group of the referenced
- subject. Defaults to "" for ServiceAccount subjects.
- Defaults to "rbac.authorization.k8s.io" for User and
- Group subjects.
- type: string
- kind:
- description: Kind of object being referenced. Values defined
- by this API group are "User", "Group", and "ServiceAccount".
- If the Authorizer does not recognized the kind value,
- the Authorizer should report an error.
- type: string
- name:
- description: Name of the object being referenced.
+ key:
+ description: key is the label key that the selector
+ applies to.
type: string
- namespace:
- description: Namespace of the referenced object. If the
- object kind is non-namespace, such as "User" or "Group",
- and this value is not empty the Authorizer should report
- an error.
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are In, NotIn,
+ Exists and DoesNotExist.
type: string
+ values:
+ description: values is an array of string values. If
+ the operator is In or NotIn, the values array must
+ be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced
+ during a strategic merge patch.
+ items:
+ type: string
+ type: array
required:
- - kind
- - name
+ - key
+ - operator
type: object
- x-kubernetes-map-type: atomic
type: array
- required:
- - clusterRoleName
- - subjects
- type: object
- type: array
- containerRegistries:
- description: Specifies the trusted Image Registries assigned to the
- Tenant. Capsule assures that all Pods resources created in the Tenant
- can use only one of the allowed trusted registries. Optional.
- properties:
- allowed:
- items:
- type: string
- type: array
- allowedRegex:
- type: string
- type: object
- cordoned:
- description: Toggling the Tenant resources cordoning, when enable
- resources cannot be deleted.
- type: boolean
- imagePullPolicies:
- description: Specify the allowed values for the imagePullPolicies
- option in Pod resources. Capsule assures that all Pod resources
- created in the Tenant can use only one of the allowed policy. Optional.
- items:
- enum:
- - Always
- - Never
- - IfNotPresent
- type: string
- type: array
- ingressOptions:
- description: Specifies options for the Ingress resources, such as
- allowed hostnames and IngressClass. Optional.
- properties:
- allowWildcardHostnames:
- description: Toggles the ability for Ingress resources created
- in a Tenant to have a hostname wildcard.
- type: boolean
- allowedClasses:
- description: Specifies the allowed IngressClasses assigned to
- the Tenant. Capsule assures that all Ingress resources created
- in the Tenant can use only one of the allowed IngressClasses.
- A default value can be specified, and all the Ingress resources
- created will inherit the declared class. Optional.
- properties:
- allowed:
- items:
- type: string
- type: array
- allowedRegex:
+ matchLabels:
+ additionalProperties:
type: string
- default:
- type: string
- matchExpressions:
- description: matchExpressions is a list of label selector
- requirements. The requirements are ANDed.
- items:
- description: A label selector requirement is a selector
- that contains values, a key, and an operator that relates
- the key and values.
- properties:
- key:
- description: key is the label key that the selector
- applies to.
- type: string
- operator:
- description: operator represents a key's relationship
- to a set of values. Valid operators are In, NotIn,
- Exists and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If
- the operator is In or NotIn, the values array must
- be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is replaced
- during a strategic merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: matchLabels is a map of {key,value} pairs. A
- single {key,value} in the matchLabels map is equivalent
- to an element of matchExpressions, whose key field is "key",
- the operator is "In", and the values array contains only
- "value". The requirements are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- allowedHostnames:
- description: Specifies the allowed hostnames in Ingresses for
- the given Tenant. Capsule assures that all Ingress resources
- created in the Tenant can use only one of the allowed hostnames.
- Optional.
- properties:
- allowed:
- items:
- type: string
- type: array
- allowedRegex:
+ description: matchLabels is a map of {key,value} pairs. A
+ single {key,value} in the matchLabels map is equivalent
+ to an element of matchExpressions, whose key field is "key",
+ the operator is "In", and the values array contains only
+ "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ allowedHostnames:
+ description: Specifies the allowed hostnames in Ingresses for
+ the given Tenant. Capsule assures that all Ingress resources
+ created in the Tenant can use only one of the allowed hostnames.
+ Optional.
+ properties:
+ allowed:
+ items:
type: string
- type: object
- hostnameCollisionScope:
- default: Disabled
- description: "Defines the scope of hostname collision check performed
+ type: array
+ allowedRegex:
+ type: string
+ type: object
+ hostnameCollisionScope:
+ default: Disabled
+ description: "Defines the scope of hostname collision check performed
when Tenant Owners create Ingress with allowed hostnames. \n
- Cluster: disallow the creation of an Ingress if the pair hostname
and path is already used across the Namespaces managed by Capsule.
@@ -1295,609 +1291,726 @@ spec:
Tenant. \n - Namespace: disallow the creation of an Ingress
if the pair hostname and path is already used in the Ingress
Namespace. \n Optional."
- enum:
- - Cluster
- - Tenant
- - Namespace
- - Disabled
- type: string
- type: object
- limitRanges:
- description: Specifies the resource min/max usage restrictions to
- the Tenant. The assigned values are inherited by any namespace created
- in the Tenant. Optional.
- properties:
+ enum:
+ - Cluster
+ - Tenant
+ - Namespace
+ - Disabled
+ type: string
+ type: object
+ limitRanges:
+ description: Specifies the resource min/max usage restrictions to
+ the Tenant. The assigned values are inherited by any namespace created
+ in the Tenant. Optional.
+ properties:
+ items:
items:
- items:
- description: LimitRangeSpec defines a min/max usage limit for
- resources that match on kind.
- properties:
- limits:
- description: Limits is the list of LimitRangeItem objects
- that are enforced.
- items:
- description: LimitRangeItem defines a min/max usage limit
- for any resource that matches on kind.
- properties:
- default:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: Default resource requirement limit value
- by resource name if resource limit is omitted.
- type: object
- defaultRequest:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: DefaultRequest is the default resource
- requirement request value by resource name if resource
- request is omitted.
- type: object
- max:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: Max usage constraints on this kind by
- resource name.
- type: object
- maxLimitRequestRatio:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: MaxLimitRequestRatio if specified, the
- named resource must have a request and limit that
- are both non-zero where limit divided by request
- is less than or equal to the enumerated value; this
- represents the max burst for the named resource.
- type: object
- min:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: Min usage constraints on this kind by
- resource name.
- type: object
- type:
- description: Type of resource that this limit applies
- to.
- type: string
- required:
- - type
- type: object
- type: array
- required:
- - limits
- type: object
- type: array
- type: object
- namespaceOptions:
- description: Specifies options for the Namespaces, such as additional
- metadata or maximum number of namespaces allowed for that Tenant.
- Once the namespace quota assigned to the Tenant has been reached,
- the Tenant owner cannot create further namespaces. Optional.
- properties:
- additionalMetadata:
- description: Specifies additional labels and annotations the Capsule
- operator places on any Namespace resource in the Tenant. Optional.
- properties:
- annotations:
- additionalProperties:
- type: string
- type: object
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- forbiddenAnnotations:
- description: Define the annotations that a Tenant Owner cannot
- set for their Namespace resources.
+ description: LimitRangeSpec defines a min/max usage limit for
+ resources that match on kind.
properties:
- denied:
+ limits:
+ description: Limits is the list of LimitRangeItem objects
+ that are enforced.
items:
- type: string
+ description: LimitRangeItem defines a min/max usage limit
+ for any resource that matches on kind.
+ properties:
+ default:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: Default resource requirement limit value
+ by resource name if resource limit is omitted.
+ type: object
+ defaultRequest:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: DefaultRequest is the default resource
+ requirement request value by resource name if resource
+ request is omitted.
+ type: object
+ max:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: Max usage constraints on this kind by
+ resource name.
+ type: object
+ maxLimitRequestRatio:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: MaxLimitRequestRatio if specified, the
+ named resource must have a request and limit that
+ are both non-zero where limit divided by request
+ is less than or equal to the enumerated value; this
+ represents the max burst for the named resource.
+ type: object
+ min:
+ additionalProperties:
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: Min usage constraints on this kind by
+ resource name.
+ type: object
+ type:
+ description: Type of resource that this limit applies
+ to.
+ type: string
+ required:
+ - type
+ type: object
type: array
- deniedRegex:
- type: string
+ required:
+ - limits
type: object
- forbiddenLabels:
- description: Define the labels that a Tenant Owner cannot set
- for their Namespace resources.
- properties:
- denied:
- items:
- type: string
- type: array
- deniedRegex:
+ type: array
+ type: object
+ namespaceOptions:
+ description: Specifies options for the Namespaces, such as additional
+ metadata or maximum number of namespaces allowed for that Tenant.
+ Once the namespace quota assigned to the Tenant has been reached,
+ the Tenant owner cannot create further namespaces. Optional.
+ properties:
+ additionalMetadata:
+ description: Specifies additional labels and annotations the Capsule
+ operator places on any Namespace resource in the Tenant. Optional.
+ properties:
+ annotations:
+ additionalProperties:
type: string
- type: object
- quota:
- description: Specifies the maximum number of namespaces allowed
- for that Tenant. Once the namespace quota assigned to the Tenant
- has been reached, the Tenant owner cannot create further namespaces.
- Optional.
- format: int32
- minimum: 1
- type: integer
- type: object
- networkPolicies:
- description: Specifies the NetworkPolicies assigned to the Tenant.
- The assigned NetworkPolicies are inherited by any namespace created
- in the Tenant. Optional.
- properties:
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ forbiddenAnnotations:
+ description: Define the annotations that a Tenant Owner cannot
+ set for their Namespace resources.
+ properties:
+ denied:
+ items:
+ type: string
+ type: array
+ deniedRegex:
+ type: string
+ type: object
+ forbiddenLabels:
+ description: Define the labels that a Tenant Owner cannot set
+ for their Namespace resources.
+ properties:
+ denied:
+ items:
+ type: string
+ type: array
+ deniedRegex:
+ type: string
+ type: object
+ quota:
+ description: Specifies the maximum number of namespaces allowed
+ for that Tenant. Once the namespace quota assigned to the Tenant
+ has been reached, the Tenant owner cannot create further namespaces.
+ Optional.
+ format: int32
+ minimum: 1
+ type: integer
+ type: object
+ networkPolicies:
+ description: Specifies the NetworkPolicies assigned to the Tenant.
+ The assigned NetworkPolicies are inherited by any namespace created
+ in the Tenant. Optional.
+ properties:
+ items:
items:
- items:
- description: NetworkPolicySpec provides the specification of
- a NetworkPolicy
- properties:
- egress:
- description: List of egress rules to be applied to the selected
- pods. Outgoing traffic is allowed if there are no NetworkPolicies
- selecting the pod (and cluster policy otherwise allows
- the traffic), OR if the traffic matches at least one egress
- rule across all of the NetworkPolicy objects whose podSelector
- matches the pod. If this field is empty then this NetworkPolicy
- limits all outgoing traffic (and serves solely to ensure
- that the pods it selects are isolated by default). This
- field is beta-level in 1.8
- items:
- description: NetworkPolicyEgressRule describes a particular
- set of traffic that is allowed out of pods matched by
- a NetworkPolicySpec's podSelector. The traffic must
- match both ports and to. This type is beta-level in
- 1.8
- properties:
- ports:
- description: List of destination ports for outgoing
- traffic. Each item in this list is combined using
- a logical OR. If this field is empty or missing,
- this rule matches all ports (traffic not restricted
- by port). If this field is present and contains
- at least one item, then this rule allows traffic
- only if the traffic matches at least one port in
- the list.
- items:
- description: NetworkPolicyPort describes a port
- to allow traffic on
- properties:
- endPort:
- description: If set, indicates that the range
- of ports from port to endPort, inclusive,
- should be allowed by the policy. This field
- cannot be defined if the port field is not
- defined or if the port field is defined as
- a named (string) port. The endPort must be
- equal or greater than port. This feature is
- in Beta state and is enabled by default. It
- can be disabled using the Feature Gate "NetworkPolicyEndPort".
- format: int32
- type: integer
- port:
- anyOf:
- - type: integer
- - type: string
- description: The port on the given protocol.
- This can either be a numerical or named port
- on a pod. If this field is not provided, this
- matches all port names and numbers. If present,
- only traffic on the specified protocol AND
- port will be matched.
- x-kubernetes-int-or-string: true
- protocol:
- default: TCP
- description: The protocol (TCP, UDP, or SCTP)
- which traffic must match. If not specified,
- this field defaults to TCP.
- type: string
- type: object
- type: array
- to:
- description: List of destinations for outgoing traffic
- of pods selected for this rule. Items in this list
- are combined using a logical OR operation. If this
- field is empty or missing, this rule matches all
- destinations (traffic not restricted by destination).
- If this field is present and contains at least one
- item, this rule allows traffic only if the traffic
- matches at least one item in the to list.
- items:
- description: NetworkPolicyPeer describes a peer
- to allow traffic to/from. Only certain combinations
- of fields are allowed
- properties:
- ipBlock:
- description: IPBlock defines policy on a particular
- IPBlock. If this field is set then neither
- of the other fields can be.
- properties:
- cidr:
- description: CIDR is a string representing
- the IP Block Valid examples are "192.168.1.1/24"
- or "2001:db9::/64"
- type: string
- except:
- description: Except is a slice of CIDRs
- that should not be included within an
- IP Block Valid examples are "192.168.1.1/24"
- or "2001:db9::/64" Except values will
- be rejected if they are outside the CIDR
- range
- items:
- type: string
- type: array
- required:
- - cidr
- type: object
- namespaceSelector:
- description: "Selects Namespaces using cluster-scoped
- labels. This field follows standard label
- selector semantics; if present but empty,
- it selects all namespaces. \n If PodSelector
- is also set, then the NetworkPolicyPeer as
- a whole selects the Pods matching PodSelector
- in the Namespaces selected by NamespaceSelector.
- Otherwise it selects all Pods in the Namespaces
- selected by NamespaceSelector."
- properties:
- matchExpressions:
- description: matchExpressions is a list
- of label selector requirements. The requirements
- are ANDed.
- items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
- properties:
- key:
- description: key is the label key
- that the selector applies to.
- type: string
- operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ description: NetworkPolicySpec provides the specification of
+ a NetworkPolicy
+ properties:
+ egress:
+ description: egress is a list of egress rules to be applied
+ to the selected pods. Outgoing traffic is allowed if there
+ are no NetworkPolicies selecting the pod (and cluster
+ policy otherwise allows the traffic), OR if the traffic
+ matches at least one egress rule across all of the NetworkPolicy
+ objects whose podSelector matches the pod. If this field
+ is empty then this NetworkPolicy limits all outgoing traffic
+ (and serves solely to ensure that the pods it selects
+ are isolated by default). This field is beta-level in
+ 1.8
+ items:
+ description: NetworkPolicyEgressRule describes a particular
+ set of traffic that is allowed out of pods matched by
+ a NetworkPolicySpec's podSelector. The traffic must
+ match both ports and to. This type is beta-level in
+ 1.8
+ properties:
+ ports:
+ description: ports is a list of destination ports
+ for outgoing traffic. Each item in this list is
+ combined using a logical OR. If this field is empty
+ or missing, this rule matches all ports (traffic
+ not restricted by port). If this field is present
+ and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one
+ port in the list.
+ items:
+ description: NetworkPolicyPort describes a port
+ to allow traffic on
+ properties:
+ endPort:
+ description: endPort indicates that the range
+ of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field
+ cannot be defined if the port field is not
+ defined or if the port field is defined as
+ a named (string) port. The endPort must be
+ equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: port represents the port on the
+ given protocol. This can either be a numerical
+ or named port on a pod. If this field is not
+ provided, this matches all port names and
+ numbers. If present, only traffic on the specified
+ protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ default: TCP
+ description: protocol represents the protocol
+ (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ to:
+ description: to is a list of destinations for outgoing
+ traffic of pods selected for this rule. Items in
+ this list are combined using a logical OR operation.
+ If this field is empty or missing, this rule matches
+ all destinations (traffic not restricted by destination).
+ If this field is present and contains at least one
+ item, this rule allows traffic only if the traffic
+ matches at least one item in the to list.
+ items:
+ description: NetworkPolicyPeer describes a peer
+ to allow traffic to/from. Only certain combinations
+ of fields are allowed
+ properties:
+ ipBlock:
+ description: ipBlock defines policy on a particular
+ IPBlock. If this field is set then neither
+ of the other fields can be.
+ properties:
+ cidr:
+ description: cidr is a string representing
+ the IPBlock Valid examples are "192.168.1.0/24"
+ or "2001:db8::/64"
+ type: string
+ except:
+ description: except is a slice of CIDRs
+ that should not be included within an
+ IPBlock Valid examples are "192.168.1.0/24"
+ or "2001:db8::/64" Except values will
+ be rejected if they are outside the cidr
+ range
+ items:
+ type: string
+ type: array
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: "namespaceSelector selects namespaces
+ using cluster-scoped labels. This field follows
+ standard label selector semantics; if present
+ but empty, it selects all namespaces. \n If
+ podSelector is also set, then the NetworkPolicyPeer
+ as a whole selects the pods matching podSelector
+ in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces
+ selected by namespaceSelector."
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: A label selector requirement
+ is a selector that contains values,
+ a key, and an operator that relates
+ the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a
+ key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists
+ and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of
+ string values. If the operator is
+ In or NotIn, the values array must
+ be non-empty. If the operator is
+ Exists or DoesNotExist, the values
+ array must be empty. This array
+ is replaced during a strategic merge
+ patch.
+ items:
type: string
- values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ type: array
+ required:
+ - key
+ - operator
type: object
- type: object
- x-kubernetes-map-type: atomic
- podSelector:
- description: "This is a label selector which
- selects Pods. This field follows standard
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator
+ is "In", and the values array contains
+ only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: "podSelector is a label selector
+ which selects pods. This field follows standard
label selector semantics; if present but empty,
- it selects all pods. \n If NamespaceSelector
+ it selects all pods. \n If namespaceSelector
is also set, then the NetworkPolicyPeer as
- a whole selects the Pods matching PodSelector
+ a whole selects the pods matching podSelector
in the Namespaces selected by NamespaceSelector.
- Otherwise it selects the Pods matching PodSelector
- in the policy's own Namespace."
- properties:
- matchExpressions:
- description: matchExpressions is a list
- of label selector requirements. The requirements
- are ANDed.
- items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
- properties:
- key:
- description: key is the label key
- that the selector applies to.
- type: string
- operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ Otherwise it selects the pods matching podSelector
+ in the policy's own namespace."
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: A label selector requirement
+ is a selector that contains values,
+ a key, and an operator that relates
+ the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a
+ key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists
+ and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of
+ string values. If the operator is
+ In or NotIn, the values array must
+ be non-empty. If the operator is
+ Exists or DoesNotExist, the values
+ array must be empty. This array
+ is replaced during a strategic merge
+ patch.
+ items:
type: string
- values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ type: array
+ required:
+ - key
+ - operator
type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- type: array
- type: object
- type: array
- ingress:
- description: List of ingress rules to be applied to the
- selected pods. Traffic is allowed to a pod if there are
- no NetworkPolicies selecting the pod (and cluster policy
- otherwise allows the traffic), OR if the traffic source
- is the pod's local node, OR if the traffic matches at
- least one ingress rule across all of the NetworkPolicy
- objects whose podSelector matches the pod. If this field
- is empty then this NetworkPolicy does not allow any traffic
- (and serves solely to ensure that the pods it selects
- are isolated by default)
- items:
- description: NetworkPolicyIngressRule describes a particular
- set of traffic that is allowed to the pods matched by
- a NetworkPolicySpec's podSelector. The traffic must
- match both ports and from.
- properties:
- from:
- description: List of sources which should be able
- to access the pods selected for this rule. Items
- in this list are combined using a logical OR operation.
- If this field is empty or missing, this rule matches
- all sources (traffic not restricted by source).
- If this field is present and contains at least one
- item, this rule allows traffic only if the traffic
- matches at least one item in the from list.
- items:
- description: NetworkPolicyPeer describes a peer
- to allow traffic to/from. Only certain combinations
- of fields are allowed
- properties:
- ipBlock:
- description: IPBlock defines policy on a particular
- IPBlock. If this field is set then neither
- of the other fields can be.
- properties:
- cidr:
- description: CIDR is a string representing
- the IP Block Valid examples are "192.168.1.1/24"
- or "2001:db9::/64"
+ type: array
+ matchLabels:
+ additionalProperties:
type: string
- except:
- description: Except is a slice of CIDRs
- that should not be included within an
- IP Block Valid examples are "192.168.1.1/24"
- or "2001:db9::/64" Except values will
- be rejected if they are outside the CIDR
- range
- items:
- type: string
- type: array
- required:
- - cidr
- type: object
- namespaceSelector:
- description: "Selects Namespaces using cluster-scoped
- labels. This field follows standard label
- selector semantics; if present but empty,
- it selects all namespaces. \n If PodSelector
- is also set, then the NetworkPolicyPeer as
- a whole selects the Pods matching PodSelector
- in the Namespaces selected by NamespaceSelector.
- Otherwise it selects all Pods in the Namespaces
- selected by NamespaceSelector."
- properties:
- matchExpressions:
- description: matchExpressions is a list
- of label selector requirements. The requirements
- are ANDed.
- items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
- properties:
- key:
- description: key is the label key
- that the selector applies to.
- type: string
- operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator
+ is "In", and the values array contains
+ only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ type: object
+ type: array
+ ingress:
+ description: ingress is a list of ingress rules to be applied
+ to the selected pods. Traffic is allowed to a pod if there
+ are no NetworkPolicies selecting the pod (and cluster
+ policy otherwise allows the traffic), OR if the traffic
+ source is the pod's local node, OR if the traffic matches
+ at least one ingress rule across all of the NetworkPolicy
+ objects whose podSelector matches the pod. If this field
+ is empty then this NetworkPolicy does not allow any traffic
+ (and serves solely to ensure that the pods it selects
+ are isolated by default)
+ items:
+ description: NetworkPolicyIngressRule describes a particular
+ set of traffic that is allowed to the pods matched by
+ a NetworkPolicySpec's podSelector. The traffic must
+ match both ports and from.
+ properties:
+ from:
+ description: from is a list of sources which should
+ be able to access the pods selected for this rule.
+ Items in this list are combined using a logical
+ OR operation. If this field is empty or missing,
+ this rule matches all sources (traffic not restricted
+ by source). If this field is present and contains
+ at least one item, this rule allows traffic only
+ if the traffic matches at least one item in the
+ from list.
+ items:
+ description: NetworkPolicyPeer describes a peer
+ to allow traffic to/from. Only certain combinations
+ of fields are allowed
+ properties:
+ ipBlock:
+ description: ipBlock defines policy on a particular
+ IPBlock. If this field is set then neither
+ of the other fields can be.
+ properties:
+ cidr:
+ description: cidr is a string representing
+ the IPBlock Valid examples are "192.168.1.0/24"
+ or "2001:db8::/64"
+ type: string
+ except:
+ description: except is a slice of CIDRs
+ that should not be included within an
+ IPBlock Valid examples are "192.168.1.0/24"
+ or "2001:db8::/64" Except values will
+ be rejected if they are outside the cidr
+ range
+ items:
+ type: string
+ type: array
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: "namespaceSelector selects namespaces
+ using cluster-scoped labels. This field follows
+ standard label selector semantics; if present
+ but empty, it selects all namespaces. \n If
+ podSelector is also set, then the NetworkPolicyPeer
+ as a whole selects the pods matching podSelector
+ in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces
+ selected by namespaceSelector."
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: A label selector requirement
+ is a selector that contains values,
+ a key, and an operator that relates
+ the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a
+ key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists
+ and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of
+ string values. If the operator is
+ In or NotIn, the values array must
+ be non-empty. If the operator is
+ Exists or DoesNotExist, the values
+ array must be empty. This array
+ is replaced during a strategic merge
+ patch.
+ items:
type: string
- values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ type: array
+ required:
+ - key
+ - operator
type: object
- type: object
- x-kubernetes-map-type: atomic
- podSelector:
- description: "This is a label selector which
- selects Pods. This field follows standard
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator
+ is "In", and the values array contains
+ only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: "podSelector is a label selector
+ which selects pods. This field follows standard
label selector semantics; if present but empty,
- it selects all pods. \n If NamespaceSelector
+ it selects all pods. \n If namespaceSelector
is also set, then the NetworkPolicyPeer as
- a whole selects the Pods matching PodSelector
+ a whole selects the pods matching podSelector
in the Namespaces selected by NamespaceSelector.
- Otherwise it selects the Pods matching PodSelector
- in the policy's own Namespace."
- properties:
- matchExpressions:
- description: matchExpressions is a list
- of label selector requirements. The requirements
- are ANDed.
- items:
- description: A label selector requirement
- is a selector that contains values,
- a key, and an operator that relates
- the key and values.
- properties:
- key:
- description: key is the label key
- that the selector applies to.
+ Otherwise it selects the pods matching podSelector
+ in the policy's own namespace."
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: A label selector requirement
+ is a selector that contains values,
+ a key, and an operator that relates
+ the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a
+ key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists
+ and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of
+ string values. If the operator is
+ In or NotIn, the values array must
+ be non-empty. If the operator is
+ Exists or DoesNotExist, the values
+ array must be empty. This array
+ is replaced during a strategic merge
+ patch.
+ items:
type: string
- operator:
- description: operator represents a
- key's relationship to a set of values.
- Valid operators are In, NotIn, Exists
- and DoesNotExist.
- type: string
- values:
- description: values is an array of
- string values. If the operator is
- In or NotIn, the values array must
- be non-empty. If the operator is
- Exists or DoesNotExist, the values
- array must be empty. This array
- is replaced during a strategic merge
- patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: matchLabels is a map of {key,value}
- pairs. A single {key,value} in the matchLabels
- map is equivalent to an element of matchExpressions,
- whose key field is "key", the operator
- is "In", and the values array contains
- only "value". The requirements are ANDed.
+ type: array
+ required:
+ - key
+ - operator
type: object
- type: object
- x-kubernetes-map-type: atomic
- type: object
- type: array
- ports:
- description: List of ports which should be made accessible
- on the pods selected for this rule. Each item in
- this list is combined using a logical OR. If this
- field is empty or missing, this rule matches all
- ports (traffic not restricted by port). If this
- field is present and contains at least one item,
- then this rule allows traffic only if the traffic
- matches at least one port in the list.
- items:
- description: NetworkPolicyPort describes a port
- to allow traffic on
- properties:
- endPort:
- description: If set, indicates that the range
- of ports from port to endPort, inclusive,
- should be allowed by the policy. This field
- cannot be defined if the port field is not
- defined or if the port field is defined as
- a named (string) port. The endPort must be
- equal or greater than port. This feature is
- in Beta state and is enabled by default. It
- can be disabled using the Feature Gate "NetworkPolicyEndPort".
- format: int32
- type: integer
- port:
- anyOf:
- - type: integer
- - type: string
- description: The port on the given protocol.
- This can either be a numerical or named port
- on a pod. If this field is not provided, this
- matches all port names and numbers. If present,
- only traffic on the specified protocol AND
- port will be matched.
- x-kubernetes-int-or-string: true
- protocol:
- default: TCP
- description: The protocol (TCP, UDP, or SCTP)
- which traffic must match. If not specified,
- this field defaults to TCP.
- type: string
- type: object
- type: array
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value}
+ pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions,
+ whose key field is "key", the operator
+ is "In", and the values array contains
+ only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ ports:
+ description: ports is a list of ports which should
+ be made accessible on the pods selected for this
+ rule. Each item in this list is combined using a
+ logical OR. If this field is empty or missing, this
+ rule matches all ports (traffic not restricted by
+ port). If this field is present and contains at
+ least one item, then this rule allows traffic only
+ if the traffic matches at least one port in the
+ list.
+ items:
+ description: NetworkPolicyPort describes a port
+ to allow traffic on
+ properties:
+ endPort:
+ description: endPort indicates that the range
+ of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field
+ cannot be defined if the port field is not
+ defined or if the port field is defined as
+ a named (string) port. The endPort must be
+ equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: port represents the port on the
+ given protocol. This can either be a numerical
+ or named port on a pod. If this field is not
+ provided, this matches all port names and
+ numbers. If present, only traffic on the specified
+ protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ default: TCP
+ description: protocol represents the protocol
+ (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ type: object
+ type: array
+ podSelector:
+ description: podSelector selects the pods to which this
+ NetworkPolicy object applies. The array of ingress rules
+ is applied to any pods selected by this field. Multiple
+ network policies can select the same set of pods. In this
+ case, the ingress rules for each are combined additively.
+ This field is NOT optional and follows standard label
+ selector semantics. An empty podSelector matches all pods
+ in this namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a selector
+ that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are In,
+ NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values.
+ If the operator is In or NotIn, the values array
+ must be non-empty. If the operator is Exists
+ or DoesNotExist, the values array must be empty.
+ This array is replaced during a strategic merge
+ patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value} pairs.
+ A single {key,value} in the matchLabels map is equivalent
+ to an element of matchExpressions, whose key field
+ is "key", the operator is "In", and the values array
+ contains only "value". The requirements are ANDed.
type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ policyTypes:
+ description: policyTypes is a list of rule types that the
+ NetworkPolicy relates to. Valid options are ["Ingress"],
+ ["Egress"], or ["Ingress", "Egress"]. If this field is
+ not specified, it will default based on the existence
+ of ingress or egress rules; policies that contain an egress
+ section are assumed to affect egress, and all policies
+ (whether or not they contain an ingress section) are assumed
+ to affect ingress. If you want to write an egress-only
+ policy, you must explicitly specify policyTypes [ "Egress"
+ ]. Likewise, if you want to write a policy that specifies
+ that no egress is allowed, you must specify a policyTypes
+ value that include "Egress" (since such a policy would
+ not include an egress section and would otherwise default
+ to just [ "Ingress" ]). This field is beta-level in 1.8
+ items:
+ description: PolicyType string describes the NetworkPolicy
+ type This type is beta-level in 1.8
+ type: string
+ type: array
+ required:
+ - podSelector
+ type: object
+ type: array
+ type: object
+ nodeSelector:
+ additionalProperties:
+ type: string
+ description: Specifies the label to control the placement of pods
+ on a given pool of worker nodes. All namespaces created within the
+ Tenant will have the node selector annotation. This annotation tells
+ the Kubernetes scheduler to place pods on the nodes having the selector
+ label. Optional.
+ type: object
+ owners:
+ description: Specifies the owners of the Tenant. Mandatory.
+ items:
+ properties:
+ clusterResources:
+ description: Defines additional cluster-resources for the specific
+ Owner.
+ items:
+ properties:
+ apiGroups:
+ description: APIGroups is the name of the APIGroup that
+ contains the resources. If multiple API groups are specified,
+ any action requested against any resource listed will
+ be allowed. '*' represents all resources. Empty string
+ represents v1 api resources.
+ items:
+ type: string
+ type: array
+ operations:
+ default:
+ - List
+ description: Operations which can be executed on the selected
+ resources.
+ items:
+ enum:
+ - List
+ - Update
+ - Delete
+ type: string
+ type: array
+ resources:
+ description: Resources is a list of resources this rule
+ applies to. '*' represents all resources.
+ items:
+ type: string
type: array
- podSelector:
- description: Selects the pods to which this NetworkPolicy
- object applies. The array of ingress rules is applied
- to any pods selected by this field. Multiple network policies
- can select the same set of pods. In this case, the ingress
- rules for each are combined additively. This field is
- NOT optional and follows standard label selector semantics.
- An empty podSelector matches all pods in this namespace.
+ selector:
+ description: Select all cluster scoped resources with
+ the given label selector.
properties:
matchExpressions:
description: matchExpressions is a list of label selector
@@ -1918,17 +2031,17 @@ spec:
type: string
values:
description: values is an array of string values.
- If the operator is In or NotIn, the values array
- must be non-empty. If the operator is Exists
- or DoesNotExist, the values array must be empty.
- This array is replaced during a strategic merge
- patch.
+ If the operator is In or NotIn, the values
+ array must be non-empty. If the operator is
+ Exists or DoesNotExist, the values array must
+ be empty. This array is replaced during a
+ strategic merge patch.
items:
type: string
type: array
required:
- - key
- - operator
+ - key
+ - operator
type: object
type: array
matchLabels:
@@ -1942,467 +2055,438 @@ spec:
type: object
type: object
x-kubernetes-map-type: atomic
- policyTypes:
- description: List of rule types that the NetworkPolicy relates
- to. Valid options are ["Ingress"], ["Egress"], or ["Ingress",
- "Egress"]. If this field is not specified, it will default
- based on the existence of Ingress or Egress rules; policies
- that contain an Egress section are assumed to affect Egress,
- and all policies (whether or not they contain an Ingress
- section) are assumed to affect Ingress. If you want to
- write an egress-only policy, you must explicitly specify
- policyTypes [ "Egress" ]. Likewise, if you want to write
- a policy that specifies that no egress is allowed, you
- must specify a policyTypes value that include "Egress"
- (since such a policy would not include an Egress section
- and would otherwise default to just [ "Ingress" ]). This
- field is beta-level in 1.8
- items:
- description: PolicyType string describes the NetworkPolicy
- type This type is beta-level in 1.8
- type: string
- type: array
required:
- - podSelector
+ - apiGroups
+ - operations
+ - resources
+ - selector
type: object
type: array
- type: object
- nodeSelector:
- additionalProperties:
- type: string
- description: Specifies the label to control the placement of pods
- on a given pool of worker nodes. All namespaces created within the
- Tenant will have the node selector annotation. This annotation tells
- the Kubernetes scheduler to place pods on the nodes having the selector
- label. Optional.
- type: object
- owners:
- description: Specifies the owners of the Tenant. Mandatory.
- items:
- properties:
- clusterRoles:
- default:
- - admin
- - capsule-namespace-deleter
- description: Defines additional cluster-roles for the specific
- Owner.
- items:
- type: string
- type: array
- kind:
- description: Kind of tenant owner. Possible values are "User",
- "Group", and "ServiceAccount"
- enum:
- - User
- - Group
- - ServiceAccount
- type: string
- name:
- description: Name of tenant owner.
- type: string
- proxySettings:
- description: Proxy settings for tenant owner.
- items:
- properties:
- kind:
- enum:
- - Nodes
- - StorageClasses
- - IngressClasses
- - PriorityClasses
- - RuntimeClasses
- - PersistentVolumes
- type: string
- operations:
- items:
- enum:
- - List
- - Update
- - Delete
- type: string
- type: array
- required:
- - kind
- - operations
- type: object
- type: array
- required:
- - kind
- - name
- type: object
- type: array
- podOptions:
- description: Specifies options for the Pod, such as additional metadata. Optional.
- properties:
- additionalMetadata:
- description: Specifies additional labels and annotations the Capsule operator places on any Service resource in the Tenant. Optional.
- properties:
- annotations:
- additionalProperties:
- type: string
- type: object
- labels:
- additionalProperties:
- type: string
- type: object
- type: object
- type: object
- preventDeletion:
- description: Prevent accidental deletion of the Tenant. When enabled,
- the deletion request will be declined.
- type: boolean
- priorityClasses:
- description: Specifies the allowed priorityClasses assigned to the
- Tenant. Capsule assures that all Pods resources created in the Tenant
- can use only one of the allowed PriorityClasses. A default value
- can be specified, and all the Pod resources created will inherit
- the declared class. Optional.
- properties:
- allowed:
+ clusterRoles:
+ default:
+ - admin
+ - capsule-namespace-deleter
+ description: Defines additional cluster-roles for the specific
+ Owner.
items:
type: string
type: array
- allowedRegex:
+ kind:
+ description: Kind of tenant owner. Possible values are "User",
+ "Group", and "ServiceAccount"
+ enum:
+ - User
+ - Group
+ - ServiceAccount
type: string
- default:
+ name:
+ description: Name of tenant owner.
type: string
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
+ proxySettings:
+ description: Proxy settings for tenant owner.
items:
- description: A label selector requirement is a selector that
- contains values, a key, and an operator that relates the key
- and values.
properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: operator represents a key's relationship to
- a set of values. Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ kind:
+ enum:
+ - Nodes
+ - StorageClasses
+ - IngressClasses
+ - PriorityClasses
+ - RuntimeClasses
+ - PersistentVolumes
type: string
- values:
- description: values is an array of string values. If the
- operator is In or NotIn, the values array must be non-empty.
- If the operator is Exists or DoesNotExist, the values
- array must be empty. This array is replaced during a strategic
- merge patch.
+ operations:
items:
+ enum:
+ - List
+ - Update
+ - Delete
type: string
type: array
required:
- - key
- - operator
+ - kind
+ - operations
type: object
type: array
- matchLabels:
- additionalProperties:
- type: string
- description: matchLabels is a map of {key,value} pairs. A single
- {key,value} in the matchLabels map is equivalent to an element
- of matchExpressions, whose key field is "key", the operator
- is "In", and the values array contains only "value". The requirements
- are ANDed.
- type: object
+ required:
+ - kind
+ - name
type: object
- x-kubernetes-map-type: atomic
- resourceQuotas:
- description: Specifies a list of ResourceQuota resources assigned
- to the Tenant. The assigned values are inherited by any namespace
- created in the Tenant. The Capsule operator aggregates ResourceQuota
- at Tenant level, so that the hard quota is never crossed for the
- given Tenant. This permits the Tenant owner to consume resources
- in the Tenant regardless of the namespace. Optional.
- properties:
- items:
- items:
- description: ResourceQuotaSpec defines the desired hard limits
- to enforce for Quota.
- properties:
- hard:
- additionalProperties:
- anyOf:
- - type: integer
- - type: string
- pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
- x-kubernetes-int-or-string: true
- description: 'hard is the set of desired hard limits for
- each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/'
- type: object
- scopeSelector:
- description: scopeSelector is also a collection of filters
- like scopes that must match each object tracked by a quota
- but expressed using ScopeSelectorOperator in combination
- with possible values. For a resource to match, both scopes
- AND scopeSelector (if specified in spec), must be matched.
- properties:
- matchExpressions:
- description: A list of scope selector requirements by
- scope of the resources.
- items:
- description: A scoped-resource selector requirement
- is a selector that contains values, a scope name,
- and an operator that relates the scope name and
- values.
- properties:
- operator:
- description: Represents a scope's relationship
- to a set of values. Valid operators are In,
- NotIn, Exists, DoesNotExist.
- type: string
- scopeName:
- description: The name of the scope that the selector
- applies to.
- type: string
- values:
- description: An array of string values. If the
- operator is In or NotIn, the values array must
- be non-empty. If the operator is Exists or DoesNotExist,
- the values array must be empty. This array is
- replaced during a strategic merge patch.
- items:
- type: string
- type: array
- required:
- - operator
- - scopeName
- type: object
- type: array
- type: object
- x-kubernetes-map-type: atomic
- scopes:
- description: A collection of filters that must match each
- object tracked by a quota. If not specified, the quota
- matches all objects.
- items:
- description: A ResourceQuotaScope defines a filter that
- must match each object tracked by a quota
- type: string
- type: array
+ type: array
+ podOptions:
+ description: Specifies options for the Pods deployed in the Tenant
+ namespaces, such as additional metadata.
+ properties:
+ additionalMetadata:
+ description: Specifies additional labels and annotations the Capsule
+ operator places on any Pod resource in the Tenant. Optional.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
type: object
- type: array
- scope:
- default: Tenant
- description: Define if the Resource Budget should compute resource
- across all Namespaces in the Tenant or individually per cluster.
- Default is Tenant
- enum:
- - Tenant
- - Namespace
- type: string
- type: object
- runtimeClasses:
- description: Specifies the allowed RuntimeClasses assigned to the
- Tenant. Capsule assures that all Pods resources created in the Tenant
- can use only one of the allowed RuntimeClasses. Optional.
- properties:
- allowed:
- items:
- type: string
- type: array
- allowedRegex:
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ type: object
+ preventDeletion:
+ description: Prevent accidental deletion of the Tenant. When enabled,
+ the deletion request will be declined.
+ type: boolean
+ priorityClasses:
+ description: Specifies the allowed priorityClasses assigned to the
+ Tenant. Capsule assures that all Pods resources created in the Tenant
+ can use only one of the allowed PriorityClasses. A default value
+ can be specified, and all the Pod resources created will inherit
+ the declared class. Optional.
+ properties:
+ allowed:
+ items:
type: string
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
- items:
- description: A label selector requirement is a selector that
- contains values, a key, and an operator that relates the key
- and values.
- properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: operator represents a key's relationship to
- a set of values. Valid operators are In, NotIn, Exists
- and DoesNotExist.
+ type: array
+ allowedRegex:
+ type: string
+ default:
+ type: string
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: A label selector requirement is a selector that
+ contains values, a key, and an operator that relates the key
+ and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies
+ to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to
+ a set of values. Valid operators are In, NotIn, Exists
+ and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the
+ operator is In or NotIn, the values array must be non-empty.
+ If the operator is Exists or DoesNotExist, the values
+ array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
type: string
- values:
- description: values is an array of string values. If the
- operator is In or NotIn, the values array must be non-empty.
- If the operator is Exists or DoesNotExist, the values
- array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: matchLabels is a map of {key,value} pairs. A single
- {key,value} in the matchLabels map is equivalent to an element
- of matchExpressions, whose key field is "key", the operator
- is "In", and the values array contains only "value". The requirements
- are ANDed.
+ type: array
+ required:
+ - key
+ - operator
type: object
- type: object
- x-kubernetes-map-type: atomic
- serviceOptions:
- description: Specifies options for the Service, such as additional
- metadata or block of certain type of Services. Optional.
- properties:
- additionalMetadata:
- description: Specifies additional labels and annotations the Capsule
- operator places on any Service resource in the Tenant. Optional.
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value} pairs. A single
+ {key,value} in the matchLabels map is equivalent to an element
+ of matchExpressions, whose key field is "key", the operator
+ is "In", and the values array contains only "value". The requirements
+ are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ resourceQuotas:
+ description: Specifies a list of ResourceQuota resources assigned
+ to the Tenant. The assigned values are inherited by any namespace
+ created in the Tenant. The Capsule operator aggregates ResourceQuota
+ at Tenant level, so that the hard quota is never crossed for the
+ given Tenant. This permits the Tenant owner to consume resources
+ in the Tenant regardless of the namespace. Optional.
+ properties:
+ items:
+ items:
+ description: ResourceQuotaSpec defines the desired hard limits
+ to enforce for Quota.
properties:
- annotations:
+ hard:
additionalProperties:
- type: string
+ anyOf:
+ - type: integer
+ - type: string
+ pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+ x-kubernetes-int-or-string: true
+ description: 'hard is the set of desired hard limits for
+ each named resource. More info: https://kubernetes.io/docs/concepts/policy/resource-quotas/'
type: object
- labels:
- additionalProperties:
- type: string
+ scopeSelector:
+ description: scopeSelector is also a collection of filters
+ like scopes that must match each object tracked by a quota
+ but expressed using ScopeSelectorOperator in combination
+ with possible values. For a resource to match, both scopes
+ AND scopeSelector (if specified in spec), must be matched.
+ properties:
+ matchExpressions:
+ description: A list of scope selector requirements by
+ scope of the resources.
+ items:
+ description: A scoped-resource selector requirement
+ is a selector that contains values, a scope name,
+ and an operator that relates the scope name and
+ values.
+ properties:
+ operator:
+ description: Represents a scope's relationship
+ to a set of values. Valid operators are In,
+ NotIn, Exists, DoesNotExist.
+ type: string
+ scopeName:
+ description: The name of the scope that the selector
+ applies to.
+ type: string
+ values:
+ description: An array of string values. If the
+ operator is In or NotIn, the values array must
+ be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is
+ replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - operator
+ - scopeName
+ type: object
+ type: array
type: object
- type: object
- forbiddenAnnotations:
- description: Define the annotations that a Tenant Owner cannot
- set for their Service resources.
- properties:
- denied:
+ x-kubernetes-map-type: atomic
+ scopes:
+ description: A collection of filters that must match each
+ object tracked by a quota. If not specified, the quota
+ matches all objects.
items:
+ description: A ResourceQuotaScope defines a filter that
+ must match each object tracked by a quota
type: string
type: array
- deniedRegex:
- type: string
type: object
- forbiddenLabels:
- description: Define the labels that a Tenant Owner cannot set
- for their Service resources.
+ type: array
+ scope:
+ default: Tenant
+ description: Define if the Resource Budget should compute resource
+ across all Namespaces in the Tenant or individually per cluster.
+ Default is Tenant
+ enum:
+ - Tenant
+ - Namespace
+ type: string
+ type: object
+ runtimeClasses:
+ description: Specifies the allowed RuntimeClasses assigned to the
+ Tenant. Capsule assures that all Pods resources created in the Tenant
+ can use only one of the allowed RuntimeClasses. Optional.
+ properties:
+ allowed:
+ items:
+ type: string
+ type: array
+ allowedRegex:
+ type: string
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: A label selector requirement is a selector that
+ contains values, a key, and an operator that relates the key
+ and values.
properties:
- denied:
+ key:
+ description: key is the label key that the selector applies
+ to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to
+ a set of values. Valid operators are In, NotIn, Exists
+ and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the
+ operator is In or NotIn, the values array must be non-empty.
+ If the operator is Exists or DoesNotExist, the values
+ array must be empty. This array is replaced during a strategic
+ merge patch.
items:
type: string
type: array
- deniedRegex:
- type: string
- type: object
- allowedServices:
- description: Block or deny certain type of Services. Optional.
- properties:
- externalName:
- default: true
- description: Specifies if ExternalName service type resources
- are allowed for the Tenant. Default is true. Optional.
- type: boolean
- loadBalancer:
- default: true
- description: Specifies if LoadBalancer service type resources
- are allowed for the Tenant. Default is true. Optional.
- type: boolean
- nodePort:
- default: true
- description: Specifies if NodePort service type resources
- are allowed for the Tenant. Default is true. Optional.
- type: boolean
+ required:
+ - key
+ - operator
type: object
- externalIPs:
- description: Specifies the external IPs that can be used in Services
- with type ClusterIP. An empty list means no IPs are allowed.
- Optional.
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value} pairs. A single
+ {key,value} in the matchLabels map is equivalent to an element
+ of matchExpressions, whose key field is "key", the operator
+ is "In", and the values array contains only "value". The requirements
+ are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ serviceOptions:
+ description: Specifies options for the Service, such as additional
+ metadata or block of certain type of Services. Optional.
+ properties:
+ additionalMetadata:
+ description: Specifies additional labels and annotations the Capsule
+ operator places on any Service resource in the Tenant. Optional.
+ properties:
+ annotations:
+ additionalProperties:
+ type: string
+ type: object
+ labels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ allowedServices:
+ description: Block or deny certain type of Services. Optional.
+ properties:
+ externalName:
+ default: true
+ description: Specifies if ExternalName service type resources
+ are allowed for the Tenant. Default is true. Optional.
+ type: boolean
+ loadBalancer:
+ default: true
+ description: Specifies if LoadBalancer service type resources
+ are allowed for the Tenant. Default is true. Optional.
+ type: boolean
+ nodePort:
+ default: true
+ description: Specifies if NodePort service type resources
+ are allowed for the Tenant. Default is true. Optional.
+ type: boolean
+ type: object
+ externalIPs:
+ description: Specifies the external IPs that can be used in Services
+ with type ClusterIP. An empty list means no IPs are allowed.
+ Optional.
+ properties:
+ allowed:
+ items:
+ pattern: ^([0-9]{1,3}.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$
+ type: string
+ type: array
+ required:
+ - allowed
+ type: object
+ forbiddenAnnotations:
+ description: Define the annotations that a Tenant Owner cannot
+ set for their Service resources.
+ properties:
+ denied:
+ items:
+ type: string
+ type: array
+ deniedRegex:
+ type: string
+ type: object
+ forbiddenLabels:
+ description: Define the labels that a Tenant Owner cannot set
+ for their Service resources.
+ properties:
+ denied:
+ items:
+ type: string
+ type: array
+ deniedRegex:
+ type: string
+ type: object
+ type: object
+ storageClasses:
+ description: Specifies the allowed StorageClasses assigned to the
+ Tenant. Capsule assures that all PersistentVolumeClaim resources
+ created in the Tenant can use only one of the allowed StorageClasses.
+ A default value can be specified, and all the PersistentVolumeClaim
+ resources created will inherit the declared class. Optional.
+ properties:
+ allowed:
+ items:
+ type: string
+ type: array
+ allowedRegex:
+ type: string
+ default:
+ type: string
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements.
+ The requirements are ANDed.
+ items:
+ description: A label selector requirement is a selector that
+ contains values, a key, and an operator that relates the key
+ and values.
properties:
- allowed:
+ key:
+ description: key is the label key that the selector applies
+ to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to
+ a set of values. Valid operators are In, NotIn, Exists
+ and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the
+ operator is In or NotIn, the values array must be non-empty.
+ If the operator is Exists or DoesNotExist, the values
+ array must be empty. This array is replaced during a strategic
+ merge patch.
items:
- pattern: ^([0-9]{1,3}.){3}[0-9]{1,3}(/([0-9]|[1-2][0-9]|3[0-2]))?$
type: string
type: array
required:
- - allowed
+ - key
+ - operator
type: object
- type: object
- storageClasses:
- description: Specifies the allowed StorageClasses assigned to the
- Tenant. Capsule assures that all PersistentVolumeClaim resources
- created in the Tenant can use only one of the allowed StorageClasses.
- A default value can be specified, and all the PersistentVolumeClaim
- resources created will inherit the declared class. Optional.
- properties:
- allowed:
- items:
- type: string
- type: array
- allowedRegex:
+ type: array
+ matchLabels:
+ additionalProperties:
type: string
- default:
- type: string
- matchExpressions:
- description: matchExpressions is a list of label selector requirements.
- The requirements are ANDed.
- items:
- description: A label selector requirement is a selector that
- contains values, a key, and an operator that relates the key
- and values.
- properties:
- key:
- description: key is the label key that the selector applies
- to.
- type: string
- operator:
- description: operator represents a key's relationship to
- a set of values. Valid operators are In, NotIn, Exists
- and DoesNotExist.
- type: string
- values:
- description: values is an array of string values. If the
- operator is In or NotIn, the values array must be non-empty.
- If the operator is Exists or DoesNotExist, the values
- array must be empty. This array is replaced during a strategic
- merge patch.
- items:
- type: string
- type: array
- required:
- - key
- - operator
- type: object
- type: array
- matchLabels:
- additionalProperties:
- type: string
- description: matchLabels is a map of {key,value} pairs. A single
- {key,value} in the matchLabels map is equivalent to an element
- of matchExpressions, whose key field is "key", the operator
- is "In", and the values array contains only "value". The requirements
- are ANDed.
- type: object
- type: object
- x-kubernetes-map-type: atomic
- required:
- - owners
- type: object
- status:
- description: Returns the observed state of the Tenant.
- properties:
- namespaces:
- description: List of namespaces assigned to the Tenant.
- items:
- type: string
- type: array
- size:
- description: How many namespaces are assigned to the Tenant.
- type: integer
- state:
- default: Active
- description: The operational state of the Tenant. Possible values
- are "Active", "Cordoned".
- enum:
- - Cordoned
- - Active
+ description: matchLabels is a map of {key,value} pairs. A single
+ {key,value} in the matchLabels map is equivalent to an element
+ of matchExpressions, whose key field is "key", the operator
+ is "In", and the values array contains only "value". The requirements
+ are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - owners
+ type: object
+ status:
+ description: Returns the observed state of the Tenant.
+ properties:
+ namespaces:
+ description: List of namespaces assigned to the Tenant.
+ items:
type: string
- required:
- - size
- - state
- type: object
- type: object
- served: true
- storage: true
- subresources:
- status: {}
+ type: array
+ size:
+ description: How many namespaces are assigned to the Tenant.
+ type: integer
+ state:
+ default: Active
+ description: The operational state of the Tenant. Possible values
+ are "Active", "Cordoned".
+ enum:
+ - Cordoned
+ - Active
+ type: string
+ required:
+ - size
+ - state
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/config/crd/bases/capsule.clastix.io_tenants.yaml b/config/crd/bases/capsule.clastix.io_tenants.yaml
index 416c1295..5dc0dfb9 100644
--- a/config/crd/bases/capsule.clastix.io_tenants.yaml
+++ b/config/crd/bases/capsule.clastix.io_tenants.yaml
@@ -1976,6 +1976,92 @@ spec:
description: Specifies the owners of the Tenant. Mandatory.
items:
properties:
+ clusterResources:
+ description: Defines additional cluster-resources for the specific
+ Owner.
+ items:
+ properties:
+ apiGroups:
+ description: APIGroups is the name of the APIGroup that
+ contains the resources. If multiple API groups are specified,
+ any action requested against any resource listed will
+ be allowed. '*' represents all resources. Empty string
+ represents v1 api resources.
+ items:
+ type: string
+ type: array
+ operations:
+ default:
+ - List
+ description: Operations which can be executed on the selected
+ resources.
+ items:
+ enum:
+ - List
+ - Update
+ - Delete
+ type: string
+ type: array
+ resources:
+ description: Resources is a list of resources this rule
+ applies to. '*' represents all resources.
+ items:
+ type: string
+ type: array
+ selector:
+ description: Select all cluster scoped resources with
+ the given label selector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector
+ requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a selector
+ that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector
+ applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship
+ to a set of values. Valid operators are In,
+ NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values.
+ If the operator is In or NotIn, the values
+ array must be non-empty. If the operator is
+ Exists or DoesNotExist, the values array must
+ be empty. This array is replaced during a
+ strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value} pairs.
+ A single {key,value} in the matchLabels map is equivalent
+ to an element of matchExpressions, whose key field
+ is "key", the operator is "In", and the values array
+ contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - apiGroups
+ - operations
+ - resources
+ - selector
+ type: object
+ type: array
clusterRoles:
default:
- admin
diff --git a/config/install.yaml b/config/install.yaml
index 816f999b..25ce4d51 100644
--- a/config/install.yaml
+++ b/config/install.yaml
@@ -1807,6 +1807,69 @@ spec:
description: Specifies the owners of the Tenant. Mandatory.
items:
properties:
+ clusterResources:
+ description: Defines additional cluster-resources for the specific Owner.
+ items:
+ properties:
+ apiGroups:
+ description: APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against any resource listed will be allowed. '*' represents all resources. Empty string represents v1 api resources.
+ items:
+ type: string
+ type: array
+ operations:
+ default:
+ - List
+ description: Operations which can be executed on the selected resources.
+ items:
+ enum:
+ - List
+ - Update
+ - Delete
+ type: string
+ type: array
+ resources:
+ description: Resources is a list of resources this rule applies to. '*' represents all resources.
+ items:
+ type: string
+ type: array
+ selector:
+ description: Select all cluster scoped resources with the given label selector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label selector requirements. The requirements are ANDed.
+ items:
+ description: A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the selector applies to.
+ type: string
+ operator:
+ description: operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
+ items:
+ type: string
+ type: array
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ required:
+ - apiGroups
+ - operations
+ - resources
+ - selector
+ type: object
+ type: array
clusterRoles:
default:
- admin
diff --git a/docs/content/general/crds-apis.md b/docs/content/general/crds-apis.md
index 32c04a44..d572de9e 100644
--- a/docs/content/general/crds-apis.md
+++ b/docs/content/general/crds-apis.md
@@ -1489,6 +1489,13 @@ TenantSpec defines the desired state of Tenant.
Name of tenant owner.
Name | +Type | +Description | +Required | +
---|---|---|---|
apiGroups | +[]string | +
+ APIGroups is the name of the APIGroup that contains the resources. If multiple API groups are specified, any action requested against any resource listed will be allowed. '*' represents all resources. Empty string represents v1 api resources. + |
+ true | +
operations | +[]enum | +
+ Operations which can be executed on the selected resources. + + Default: [List] + |
+ true | +
resources | +[]string | +
+ Resources is a list of resources this rule applies to. '*' represents all resources. + |
+ true | +
selector | +object | +
+ Select all cluster scoped resources with the given label selector. + |
+ true | +
Name | +Type | +Description | +Required | +
---|---|---|---|
matchExpressions | +[]object | +
+ matchExpressions is a list of label selector requirements. The requirements are ANDed. + |
+ false | +
matchLabels | +map[string]string | +
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed. + |
+ false | +
Name | +Type | +Description | +Required | +
---|---|---|---|
key | +string | +
+ key is the label key that the selector applies to. + |
+ true | +
operator | +string | +
+ operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist. + |
+ true | +
values | +[]string | +
+ values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch. + |
+ false | +