cilium: github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2 Index | Files

package v2

import "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"

Package v2 is the v2 version of the API. +groupName=cilium.io

Index

Package Files

doc.go register.go types.go zz_generated.deepcopy.go

Constants

// Names and version strings for the Cilium v2 custom resource definitions.
const (
    // CustomResourceDefinitionGroup is the name of the third party resource group.
    // It is taken from k8sconst.GroupName.
    CustomResourceDefinitionGroup = k8sconst.GroupName

    // CustomResourceDefinitionVersion is the current version of the resource
    CustomResourceDefinitionVersion = "v2"

    // CustomResourceDefinitionSchemaVersion is semver-conformant version of CRD schema
    // Used to determine if CRD needs to be updated in cluster
    // NOTE(review): presumably this has to be bumped whenever one of the
    // validation schemas in this package changes, otherwise clusters keep
    // validating against the previous schema; confirm against the code that
    // compares this value.
    CustomResourceDefinitionSchemaVersion = "1.14"

    // CustomResourceDefinitionSchemaVersionKey is key to label which holds the CRD schema version
    CustomResourceDefinitionSchemaVersionKey = "io.cilium.k8s.crd.schema.version"

    // CNPKindDefinition is the kind name for Cilium Network Policy
    CNPKindDefinition = "CiliumNetworkPolicy"
)
const EndpointStatusLogEntries = 5

EndpointStatusLogEntries is the maximum number of log entries in EndpointStatus.Log

Variables

var (
    // SchemeBuilder is needed by DeepCopy generator.
    SchemeBuilder runtime.SchemeBuilder

    // AddToScheme adds all types of this clientset into the given scheme.
    // It is bound to localSchemeBuilder.AddToScheme; localSchemeBuilder is
    // declared outside this listing.
    // This allows composition of clientsets, like in:
    //
    //   import (
    //     "k8s.io/client-go/kubernetes"
    //     clientsetscheme "k8s.io/client-go/kubernetes/scheme"
    //     aggregatorclientsetscheme "k8s.io/kube-aggregator/pkg/client/clientset_generated/clientset/scheme"
    //   )
    //
    //   kclientset, _ := kubernetes.NewForConfig(c)
    //   aggregatorclientsetscheme.AddToScheme(clientsetscheme.Scheme)
    AddToScheme = localSchemeBuilder.AddToScheme
)
var (
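    // CIDR is the validation schema for one CIDR prefix written as a string.
    // OneOf requires the value to match exactly one of the two sub-schemas:
    // the first pattern covers IPv4, the second IPv6.
    //
    // NOTE(review): a pattern is only a syntactic pre-filter. Whatever turns
    // the accepted string into a policy entry should still parse it with a
    // real CIDR parser and reject what the parser rejects.
    CIDR = apiextensionsv1beta1.JSONSchemaProps{
        Description: "CIDR is a CIDR prefix / IP Block.",
        Type:        "string",
        OneOf: []apiextensionsv1beta1.JSONSchemaProps{
            {
                // IPv4: four octets in 0-255 followed by a prefix length in 0-32.
                // NOTE(review): octets may carry leading zeros ("010"), which
                // some parsers read as octal and others reject; confirm how the
                // consumer of this value treats them.
                Type: "string",
                Pattern: `^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4]` +
                    `[0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$`,
            },
            {
                // IPv6: hex groups, full or "::"-compressed, followed by a prefix
                // length in 0-128.
                //
                // The pattern previously began with `^s*` and had `s*` before the
                // slash. Those look like `\s*` with the backslash lost; as written
                // they matched any run of literal "s" characters, so a value such
                // as "ss::1/64" passed schema validation. They are dropped rather
                // than restored, so that neither stray letters nor padding
                // whitespace is accepted around an address.
                //
                // NOTE(review): `(%.+)?` still admits an arbitrary zone suffix,
                // including further "/" characters, before the prefix length.
                // A zone has no obvious meaning in a policy prefix; consider
                // removing it once it is confirmed that no stored policy uses it.
                Type: "string",
                Pattern: `^((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))` +
                    `|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)` +
                    `|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))` +
                    `|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))` +
                    `|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))` +
                    `|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))` +
                    `|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))` +
                    `|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))` +
                    `(%.+)?/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$`,
            },
        },
    }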

    CIDRRule = apiextensionsv1beta1.JSONSchemaProps{
        Description: "CIDRRule is a rule that specifies a CIDR prefix to/from which outside " +
            "communication is allowed, along with an optional list of subnets within that CIDR " +
            "prefix to/from which outside communication is not allowed.",
        Required: []string{
            "cidr",
        },
        Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
            "cidr": CIDR,
            "except": {
                Description: "ExceptCIDRs is a list of IP blocks which the endpoint subject to " +
                    "the rule is not allowed to initiate connections to. These CIDR prefixes " +
                    "should be contained within Cidr. These exceptions are only applied to the " +
                    "Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any " +
                    "other CIDRRules.",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &CIDR,
                },
            },
        },
    }

    EgressRule = apiextensionsv1beta1.JSONSchemaProps{
        Description: "EgressRule contains all rule types which can be applied at egress, i.e. " +
            "network traffic that originates inside the endpoint and exits the endpoint " +
            "selected by the endpointSelector.\n\n- All members of this structure are optional. " +
            "If omitted or empty, the\n  member will have no effect on the rule.\n\n- For now, " +
            "combining ToPorts and ToCIDR in the same rule is not supported\n  and such rules " +
            "will be rejected. In the future, this will be supported and\n  if if multiple " +
            "members of the structure are specified, then all members\n  must match in order " +
            "for the rule to take effect.",
        Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
            "toCIDR": {
                Description: "ToCIDR is a list of IP blocks which the endpoint subject to the " +
                    "rule is allowed to initiate connections. This will match on the " +
                    "destination IP address of outgoing connections. Adding a prefix into " +
                    "ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are " +
                    "allowed between ToCIDR and ToCIDRSet.\n\nExample: Any endpoint with the " +
                    "label \"app=database-proxy\" is allowed to initiate connections to " +
                    "10.2.3.0/24",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &CIDR,
                },
            },
            "toCIDRSet": {
                Description: "ToCIDRSet is a list of IP blocks which the endpoint subject to " +
                    "the rule is allowed to initiate connections to in addition to connections " +
                    "which are allowed via FromEndpoints, along with a list of subnets " +
                    "contained within their corresponding IP block to which traffic should not " +
                    "be allowed. This will match on the destination IP address of outgoing " +
                    "connections. Adding a prefix into ToCIDR or into ToCIDRSet with no " +
                    "ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and " +
                    "ToCIDRSet.\n\nExample: Any endpoint with the label \"app=database-proxy\" " +
                    "is allowed to initiate connections to 10.2.3.0/24 except from IPs in " +
                    "subnet 10.2.3.0/28.",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &CIDRRule,
                },
            },
            "toEntities": {
                Description: "ToEntities is a list of special entities to which the endpoint " +
                    "subject to the rule is allowed to initiate connections. Supported " +
                    "entities are `world`, `cluster` and `host`",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &apiextensionsv1beta1.JSONSchemaProps{
                        Type: "string",
                    },
                },
            },
            "toPorts": {
                Description: "ToPorts is a list of destination ports identified by port number " +
                    "and protocol which the endpoint subject to the rule is allowed to connect " +
                    "to.\n\nExample: Any endpoint with the label \"role=frontend\" is allowed " +
                    "to initiate connections to destination port 8080/tcp",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &PortRule,
                },
            },
            "toServices": {
                Description: "ToServices is a list of services to which the endpoint subject " +
                    "to the rule is allowed to initiate connections.\n\nExample: Any endpoint " +
                    "with the label \"app=backend-app\" is allowed to initiate connections to " +
                    "all cidrs backing the \"external-service\" service",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &Service,
                },
            },
            "toEndpoints": {
                Description: "ToEndpoints is a list of endpoints identified by an " +
                    "EndpointSelector to which the endpoint subject to the rule" +
                    "is allowed to communicate.\n\nExample: Any endpoint with the label " +
                    "\"role=frontend\" can be consumed by any endpoint carrying the label " +
                    "\"role=backend\".",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &EndpointSelector,
                },
            },
            "toRequires": {
                Description: "ToRequires is a list of additional constraints which must be " +
                    "met in order for the selected endpoints to be able to reach other " +
                    "endpoints. These additional constraints do not by themselves grant access " +
                    "privileges and must always be accompanied with at least one matching " +
                    "FromEndpoints.\n\nExample: Any Endpoint with the label \"team=A\" " +
                    "requires any endpoint to which it communicates to also carry the label " +
                    "\"team=A\".",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &EndpointSelector,
                },
            },
            "toGroups": {
                Description: `ToGroups is a list of constraints that will
				gather data from third-party providers and create a new
				derived policy.`,
                Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
                    "AWS": AWSGroup,
                },
            },
            "toFQDNs": {
                Description: `ToFQDNs is a list of rules matching fqdns that endpoint
				is allowed to communicate with`,
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &FQDNRule,
                },
            },
        },
    }

    FQDNRule = apiextensionsv1beta1.JSONSchemaProps{
        Description: `FQDNRule is a rule that specifies an fully qualified domain name to which outside communication is allowed`,
        Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
            "matchName":    MatchFQDNName,
            "matchPattern": MatchFQDNPattern,
        },
    }

    MatchFQDNName = apiextensionsv1beta1.JSONSchemaProps{
        Description: `MatchName matches fqdn name`,
        Type:        "string",
        Pattern:     fqdnNameRegex,
    }

    MatchFQDNPattern = apiextensionsv1beta1.JSONSchemaProps{
        Description: `MatchPattern matches fqdn by pattern`,
        Type:        "string",
        Pattern:     fqdnPatternRegex,
    }

    // AWSGroup is the schema stored under the "AWS" property of toGroups in
    // EgressRule. It declares three properties: two lists of security-group
    // identifiers and a region string.
    //
    // NOTE(review): both list properties are declared as "array" without an
    // Items schema, so this schema does not constrain the element type or
    // format of the IDs and names. The values are described as filters for
    // queries to the AWS API; consider adding string Items (and a pattern for
    // the IDs) so malformed entries are rejected at admission. The top-level
    // Description is empty.
    AWSGroup = apiextensionsv1beta1.JSONSchemaProps{
        Description: "",
        Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
            "SecurityGroupsIds": {
                Description: `SecurityGroupsIds is the list of AWS security
				group IDs that will filter the instances IPs from the AWS API`,
                Type: "array",
            },
            "SecurityGroupsNames": {
                Description: `SecurityGroupsNames is the list of  AWS security
				group names that will filter the instances IPs from the AWS API`,
                Type: "array",
            },
            "Region": {
                Description: `Region is the key that will filter the AWS EC2
				instances in the given region`,
                Type: "string",
            },
        },
    }
    EndpointSelector = *LabelSelector.DeepCopy()

    IngressRule = apiextensionsv1beta1.JSONSchemaProps{
        Description: "IngressRule contains all rule types which can be applied at ingress, " +
            "i.e. network traffic that originates outside of the endpoint and is entering " +
            "the endpoint selected by the endpointSelector.\n\n- All members of this structure " +
            "are optional. If omitted or empty, the\n  member will have no effect on the rule." +
            "\n\n- If multiple members are set, all of them need to match in order for\n  " +
            "the rule to take effect. The exception to this rule is FromRequires field;\n  " +
            "the effects of any Requires field in any rule will apply to all other\n  rules " +
            "as well.\n\n- For now, combining ToPorts, FromCIDR, and FromEndpoints in the same " +
            "rule\n  is not supported and any such rules will be rejected. In the future, " +
            "this\n  will be supported and if multiple members of this structure are specified," +
            "\n then all members must match in order for the rule to take effect. The\n  " +
            "exception to this rule is the Requires field, the effects of any Requires\n  " +
            "field in any rule will apply to all other rules as well.",
        Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
            "fromCIDR": {
                Description: "FromCIDR is a list of IP blocks which the endpoint subject to " +
                    "the rule is allowed to receive connections from. This will match on the " +
                    "source IP address of incoming connections. Adding  a prefix into FromCIDR " +
                    "or into FromCIDRSet with no ExcludeCIDRs is  equivalent. Overlaps are " +
                    "allowed between FromCIDR and FromCIDRSet.\n\nExample: Any endpoint with " +
                    "the label \"app=my-legacy-pet\" is allowed to receive connections from " +
                    "10.3.9.1",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &CIDR,
                },
            },
            "fromCIDRSet": {
                Description: "FromCIDRSet is a list of IP blocks which the endpoint subject to " +
                    "the rule is allowed to receive connections from in addition to " +
                    "FromEndpoints, along with a list of subnets contained within their " +
                    "corresponding IP block from which traffic should not be allowed. This " +
                    "will match on the source IP address of incoming connections. Adding a " +
                    "prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is " +
                    "equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet." +
                    "\n\nExample: Any endpoint with the label \"app=my-legacy-pet\" is allowed " +
                    "to receive connections from 10.0.0.0/8 except from IPs in subnet " +
                    "10.96.0.0/12.",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &CIDRRule,
                },
            },
            "fromEndpoints": {
                Description: "FromEndpoints is a list of endpoints identified by an " +
                    "EndpointSelector which are allowed to communicate with the endpoint " +
                    "subject to the rule.\n\nExample: Any endpoint with the label " +
                    "\"role=backend\" can be consumed by any endpoint carrying the label " +
                    "\"role=frontend\".",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &EndpointSelector,
                },
            },
            "fromEntities": {
                Description: "FromEntities is a list of special entities which the endpoint " +
                    "subject to the rule is allowed to receive connections from. Supported " +
                    "entities are `world`, `cluster`, `host`, and `init`",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &apiextensionsv1beta1.JSONSchemaProps{
                        Type: "string",
                    },
                },
            },
            "fromRequires": {
                Description: "FromRequires is a list of additional constraints which must be " +
                    "met in order for the selected endpoints to be reachable. These additional " +
                    "constraints do no by itself grant access privileges and must always be " +
                    "accompanied with at least one matching FromEndpoints.\n\nExample: Any " +
                    "Endpoint with the label \"team=A\" requires consuming endpoint to also " +
                    "carry the label \"team=A\".",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &EndpointSelector,
                },
            },
            "toPorts": {
                Description: "ToPorts is a list of destination ports identified by port number " +
                    "and protocol which the endpoint subject to the rule is allowed to receive " +
                    "connections on.\n\nExample: Any endpoint with the label \"app=httpd\" can " +
                    "only accept incoming connections on port 80/tcp.",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &PortRule,
                },
            },
        },
    }

    K8sServiceNamespace = apiextensionsv1beta1.JSONSchemaProps{
        Description: "K8sServiceNamespace is an abstraction for the k8s service + namespace " +
            "types.",
        Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
            "namespace": {
                Type: "string",
            },
            "serviceName": {
                Type: "string",
            },
        },
    }

    // L7Rules is the schema of the "rules" property of PortRule. It lists the
    // per-protocol rule arrays (http, kafka, dns, and the generic l7 list) plus
    // the l7proto parser name.
    //
    // NOTE(review): the description states that rule types must not be mixed
    // and that exactly one may be set, but nothing in this schema (no OneOf,
    // no Required) expresses that constraint. Presumably it is enforced by
    // later policy validation; confirm, because a mixed rule that is accepted
    // at admission and then rejected or partially applied leaves the effective
    // policy unclear.
    L7Rules = apiextensionsv1beta1.JSONSchemaProps{
        Description: "L7Rules is a union of port level rule types. Mixing of different port " +
            "level rule types is disallowed, so exactly one of the following must be set. If " +
            "none are specified, then no additional port level rules are applied.",
        Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
            "http": {
                Description: "HTTP specific rules.",
                Type:        "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &PortRuleHTTP,
                },
            },
            "kafka": {
                Description: "Kafka-specific rules.",
                Type:        "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &PortRuleKafka,
                },
            },
            // l7proto names the parser that receives the generic "l7" rules below.
            "l7proto": {
                Description: "Parser type name that uses Key-Value pair rules.",
                Type:        "string",
            },
            "l7": {
                Description: "Generic Key-Value pair rules.",
                Type:        "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &PortRuleL7,
                },
            },
            "dns": {
                Description: "DNS specific rules",
                Type:        "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &PortRuleDNS,
                },
            },
        },
    }

    // PortRuleDNS is the item schema of the "dns" list in L7Rules. It exposes
    // the same two properties as FQDNRule: matchName and matchPattern.
    //
    // NOTE(review): the Description below is a verbatim copy of FQDNRule's and
    // names the wrong type, so the published CRD documents this rule
    // misleadingly. Neither property is required or marked as mutually
    // exclusive here; confirm where "exactly one of matchName/matchPattern" is
    // checked, if that is the intended contract.
    PortRuleDNS = apiextensionsv1beta1.JSONSchemaProps{
        Description: `FQDNRule is a rule that specifies an fully qualified domain name to which outside communication is allowed`,
        Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
            "matchName":    MatchFQDNName,
            "matchPattern": MatchFQDNPattern,
        },
    }

    Label = apiextensionsv1beta1.JSONSchemaProps{
        Description: "Label is the cilium's representation of a container label.",
        Required: []string{
            "key",
        },
        Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
            "key": {
                Type: "string",
            },
            "source": {
                Description: "Source can be one of the values present in const.go " +
                    "(e.g.: LabelSourceContainer)",
                Type: "string",
            },
            "value": {
                Type: "string",
            },
        },
    }

    LabelSelector = apiextensionsv1beta1.JSONSchemaProps{
        Description: "A label selector is a label query over a set of resources. The result " +
            "of matchLabels and matchExpressions are ANDed. An empty label selector matches " +
            "all objects. A null label selector matches no objects.",
        Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
            "matchLabels": {
                Description: "matchLabels is a map of {key,value} pairs. A single {key,value} " +
                    "in the matchLabels map is equivalent to an element of matchExpressions, " +
                    "whose key field is \"key\", the operator is \"In\", and the values array " +
                    "contains only \"value\". The requirements are ANDed.",
                Type: "object",
            },
            "matchExpressions": {
                Description: "matchExpressions is a list of label selector requirements. " +
                    "The requirements are ANDed.",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &LabelSelectorRequirement,
                },
            },
        },
    }

    LabelSelectorRequirement = apiextensionsv1beta1.JSONSchemaProps{
        Description: "A label selector requirement is a selector that contains values, a key, " +
            "and an operator that relates the key and values.",
        Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
            "key": {
                Description: "key is the label key that the selector applies to.",
                Type:        "string",
            },
            "operator": {
                Description: "operator represents a key's relationship to a set of values. " +
                    "Valid operators are In, NotIn, Exists and DoesNotExist.",
                Type: "string",
                Enum: []apiextensionsv1beta1.JSON{
                    {
                        Raw: []byte(`"In"`),
                    },
                    {
                        Raw: []byte(`"NotIn"`),
                    },
                    {
                        Raw: []byte(`"Exists"`),
                    },
                    {
                        Raw: []byte(`"DoesNotExist"`),
                    },
                },
            },
            "values": {
                Description: "values is an array of string values. If the operator is In or " +
                    "NotIn, the values array must be non-empty. If the operator is Exists or " +
                    "DoesNotExist, the values array must be empty. This array is replaced " +
                    "during a strategic merge patch.",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &apiextensionsv1beta1.JSONSchemaProps{
                        Type: "string",
                    },
                },
            },
        },
        Required: []string{"key", "operator"},
    }

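    // PortProtocol is the schema for one L4 port with an optional transport
    // protocol. "port" is required and is a decimal string; "protocol" is
    // restricted to the enumerated values.
    PortProtocol = apiextensionsv1beta1.JSONSchemaProps{
        Description: "PortProtocol specifies an L4 port with an optional transport protocol",
        Required: []string{
            "port",
        },
        Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
            "port": {
                // The closing quote after the example range was missing from
                // this description.
                Description: "Port is an L4 port number. For now the string will be strictly " +
                    "parsed as a single uint16. In the future, this field may support ranges " +
                    "in the form \"1024-2048\"",
                Type: "string",

                // Accepts 1-5 decimal digits with a value of at most 65535.
                // NOTE(review): the last alternative also accepts "0" and
                // zero-padded values such as "0080"; confirm how the consumer
                // interprets port 0 and leading zeros.
                Pattern: `^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|` +
                    `[1-5][0-9]{4}|[0-9]{1,4})$`,
            },
            "protocol": {
                // Interpreted string literals are used here: inside the previous
                // raw (backquoted) literals the sequence \n\n was emitted as
                // four literal characters instead of a paragraph break.
                //
                // NOTE(review): the text lists the empty string as accepted, but
                // the Enum below contains only "TCP", "UDP" and "ANY", and the
                // comparison is case-sensitive. An explicitly empty or lowercase
                // value is therefore rejected by this schema; confirm which of
                // the two is intended.
                Description: "Protocol is the L4 protocol. If omitted or empty, any protocol " +
                    "matches. Accepted values: \"TCP\", \"UDP\", \"\"/\"ANY\"\n\nMatching on " +
                    "ICMP is not supported.",
                Type: "string",
                Enum: []apiextensionsv1beta1.JSON{
                    {
                        Raw: []byte(`"TCP"`),
                    },
                    {
                        Raw: []byte(`"UDP"`),
                    },
                    {
                        Raw: []byte(`"ANY"`),
                    },
                },
            },
        },
    }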

    PortRule = apiextensionsv1beta1.JSONSchemaProps{
        Description: "PortRule is a list of ports/protocol combinations with optional Layer 7 " +
            "rules which must be met.",
        Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
            "ports": {
                Description: "Ports is a list of L4 port/protocol.",
                Type:        "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &PortProtocol,
                },
            },
            "rules": L7Rules,
        },
    }

    // PortRuleHTTP is the item schema of the "http" list in L7Rules. It
    // declares four optional properties: headers, host, method and path.
    //
    // NOTE(review): the descriptions say host, method and path are extended
    // POSIX regular expressions. Whether the matcher anchors them to the whole
    // value or accepts a substring match is not visible here, and it decides
    // how strict a rule such as path "/public" really is; confirm against the
    // matcher and document it for policy authors.
    PortRuleHTTP = apiextensionsv1beta1.JSONSchemaProps{
        Description: "PortRuleHTTP is a list of HTTP protocol constraints. All fields are " +
            "optional, if all fields are empty or missing, the rule does not have any effect." +
            "\n\nAll fields of this type are extended POSIX regex as defined by " +
            "IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) " +
            "matched against the path of an incoming request. Currently it can contain " +
            "characters disallowed from the conventional \"path\" part of a URL as defined by " +
            "RFC 3986.",
        Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
            "headers": {
                Description: "Headers is a list of HTTP headers which must be present in the " +
                    "request. If omitted or empty, requests are allowed regardless of headers " +
                    "present.",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &apiextensionsv1beta1.JSONSchemaProps{
                        Type: "string",
                    },
                },
            },
            // NOTE(review): Format "idn-hostname" describes a literal host name,
            // while the description says the value is a regex. If the format is
            // enforced, regex metacharacters would be rejected; if it is ignored,
            // it gives a false impression of validation. Confirm which applies.
            "host": {
                Description: "Host is an extended POSIX regex matched against the host header " +
                    "of a request, e.g. \"foo.com\"\n\nIf omitted or empty, the value of the " +
                    "host header is ignored.",
                Type:   "string",
                Format: "idn-hostname",
            },
            "method": {
                Description: "Method is an extended POSIX regex matched against the method of " +
                    "a request, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ...\n\n" +
                    "If omitted or empty, all methods are allowed.",
                Type: "string",
            },
            "path": {
                Description: "Path is an extended POSIX regex matched against the path of a " +
                    "request. Currently it can contain characters disallowed from the " +
                    "conventional \"path\" part of a URL as defined by RFC 3986.\n\n" +
                    "If omitted or empty, all paths are all allowed.",
                Type: "string",
            },
        },
    }

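    // PortRuleKafka is the item schema of the "kafka" list in L7Rules. All
    // properties are optional strings: role, apiKey, apiVersion, clientID and
    // topic.
    //
    // NOTE(review): the role description says role and apiKey are mutually
    // exclusive, but this schema does not express that; confirm where a rule
    // carrying both is rejected.
    PortRuleKafka = apiextensionsv1beta1.JSONSchemaProps{
        Description: "PortRuleKafka is a list of Kafka protocol constraints. All fields are " +
            "optional, if all fields are empty or missing, the rule will match all Kafka " +
            "messages.",
        Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
            "role": {
                // The fragments of this description were concatenated without
                // separating spaces or line breaks, which ran words together
                // ("keysnecessary", "asproduce") and flattened the value list.
                // Separators are added; the wording is unchanged.
                //
                // NOTE(review): the text calls role case-insensitive, but the Enum
                // below only admits the lowercase spellings, so "Produce" is
                // rejected by this schema.
                Description: "Role is a case-insensitive string and describes a group of API keys " +
                    "necessary to perform certain higher level Kafka operations such as " +
                    "\"produce\" or \"consume\". An APIGroup automatically expands into all APIKeys " +
                    "required to perform the specified higher level operation.\n\n" +
                    "The following values are supported:\n" +
                    "- \"produce\": Allow producing to the topics specified in the rule\n" +
                    "- \"consume\": Allow consuming from the topics specified in the rule\n\n" +
                    "This field is incompatible with the APIKey field, either APIKey or Role " +
                    "may be specified. If omitted or empty, the field has no effect and the " +
                    "logic of the APIKey field applies.",
                Type: "string",
                Enum: []apiextensionsv1beta1.JSON{
                    {
                        Raw: []byte(`"produce"`),
                    },
                    {
                        Raw: []byte(`"consume"`),
                    },
                },
            },
            "apiKey": {
                Description: "APIKey is a case-insensitive string matched against the key of " +
                    "a request, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", " +
                    "et al Reference: https://kafka.apache.org/protocol#protocol_api_keys\n\n" +
                    "If omitted or empty, all keys are allowed.",
                Type: "string",
            },
            // NOTE(review): described as "a string representing a positive
            // integer", but no Pattern enforces that here.
            "apiVersion": {
                Description: "APIVersion is the version matched against the api version of the " +
                    "Kafka message. If set, it has to be a string representing a positive " +
                    "integer.\n\nIf omitted or empty, all versions are allowed.",
                Type: "string",
            },
            "clientID": {
                Description: "ClientID is the client identifier as provided in the request.\n\n" +
                    "From Kafka protocol documentation: This is a user supplied identifier for " +
                    "the client application. The user can use any identifier they like and it " +
                    "will be used when logging errors, monitoring aggregates, etc. For " +
                    "example, one might want to monitor not just the requests per second " +
                    "overall, but the number coming from each client application (each of " +
                    "which could reside on multiple servers). This id acts as a logical " +
                    "grouping across all requests from a particular client.\n\nIf omitted or " +
                    "empty, all client identifiers are allowed.",
                Type: "string",
            },
            // Only the length is bounded (255); the character set named in the
            // description is not enforced by a Pattern in this schema.
            "topic": {
                Description: "Topic is the topic name contained in the message. If a Kafka " +
                    "request contains multiple topics, then all topics must be allowed or the " +
                    "message will be rejected.\n\nThis constraint is ignored if the matched " +
                    "request message type doesn't contain any topic. Maximum size of Topic can " +
                    "be 249 characters as per recent Kafka spec and allowed characters are " +
                    "a-z, A-Z, 0-9, -, . and _ Older Kafka versions had longer topic lengths " +
                    "of 255, but in Kafka 0.10 version the length was changed from 255 to 249. " +
                    "For compatibility reasons we are using 255\n\nIf omitted or empty, all " +
                    "topics are allowed.",
                Type:      "string",
                MaxLength: getInt64(255),
            },
        },
    }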

    // PortRuleL7 is the validation schema for the generic L7 rule map that is
    // handed to the parser named in l7proto.
    // NOTE(review): this schema sets only Description. It declares no Type,
    // Properties or AdditionalProperties, so the "keys and values must be
    // strings" statement below is not enforced by this schema. Presumably the
    // referenced parser validates the map; confirm.
    PortRuleL7 = apiextensionsv1beta1.JSONSchemaProps{
        Description: "PortRuleL7 is a map of {key,value} pairs which is passed to the " +
            "parser referenced in l7proto. It is up to the parser to define what to " +
            "do with the map data. If omitted or empty, all requests are allowed. " +
            "Both keys and values must be strings.",
    }

    // Rule is the validation schema for a single policy rule. Only
    // endpointSelector is required; ingress, egress, labels and the
    // description are optional properties.
    Rule = apiextensionsv1beta1.JSONSchemaProps{
        Description: "Rule is a policy rule which must be applied to all endpoints which match " +
            "the labels contained in the endpointSelector\n\nEach rule is split into an " +
            "ingress section which contains all rules applicable at ingress, and an egress " +
            "section applicable at egress. For rule types such as `L4Rule` and `CIDR` which " +
            "can be applied at both ingress and egress, both ingress and egress side have to " +
            "either specifically allow the connection or one side has to be omitted.\n\n" +
            "Either ingress, egress, or both can be provided. If both ingress and egress are " +
            "omitted, the rule has no effect.",
        Required: []string{
            "endpointSelector",
        },
        Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
            // NOTE(review): this key is capitalized while every sibling key
            // starts lower-case. Schema properties are matched by JSON field
            // name, so if the rule's description is serialized as
            // "description" this entry never applies and the field goes
            // unvalidated. Confirm against the rule type's JSON tag.
            "Description": {
                Description: "Description is a free form string, it can be used by the creator " +
                    "of the rule to store human readable explanation of the purpose of this " +
                    "rule. Rules cannot be identified by comment.",
                Type: "string",
            },
            // egress items are validated against the EgressRule schema.
            "egress": {
                Description: "Egress is a list of EgressRule which are enforced at egress. If " +
                    "omitted or empty, this rule does not apply at egress.",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &EgressRule,
                },
            },
            "endpointSelector": EndpointSelector,
            // ingress items are validated against the IngressRule schema.
            "ingress": {
                Description: "Ingress is a list of IngressRule which are enforced at ingress. " +
                    "If omitted or empty, this rule does not apply at ingress.",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &IngressRule,
                },
            },
            // labels items are validated against the Label schema; per the
            // description they need not be unique across rules.
            "labels": {
                Description: "Labels is a list of optional strings which can be used to " +
                    "re-identify the rule or to store metadata. It is possible to lookup or " +
                    "delete strings based on labels. Labels are not required to be unique, " +
                    "multiple rules can have overlapping or identical labels.",
                Type: "array",
                Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
                    Schema: &Label,
                },
            },
        },
    }

    // Service is the validation schema wrapping the two ways of selecting a
    // service: "k8sService" (K8sServiceNamespace schema) and
    // "k8sServiceSelector" (ServiceSelector schema). Neither property is
    // listed as required by this schema.
    Service = apiextensionsv1beta1.JSONSchemaProps{
        Description: "Service wraps around selectors for services",
        Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
            "k8sService":         K8sServiceNamespace,
            "k8sServiceSelector": ServiceSelector,
        },
    }

    // ServiceSelector is the validation schema for selecting k8s services by
    // label. Only "selector" is required.
    ServiceSelector = apiextensionsv1beta1.JSONSchemaProps{
        Description: "ServiceSelector is a label selector for k8s services",
        Required: []string{
            "selector",
        },
        Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
            // selector reuses the EndpointSelector schema.
            "selector": EndpointSelector,
            // namespace is optional and is only constrained to be a string;
            // no description, pattern or length limit is declared here.
            "namespace": {
                Type: "string",
            },
        },
    }
)
var SchemeGroupVersion = schema.GroupVersion{
    Group:   CustomResourceDefinitionGroup,
    Version: CustomResourceDefinitionVersion,
}

SchemeGroupVersion is group version used to register these objects

func CreateCustomResourceDefinitions Uses

func CreateCustomResourceDefinitions(clientset apiextensionsclient.Interface) error

CreateCustomResourceDefinitions creates our CRD objects in the kubernetes cluster

func Resource Uses

func Resource(resource string) schema.GroupResource

Resource takes an unqualified resource and returns a Group qualified GroupResource

type AddressPair Uses

// AddressPair is a pair of IPv4 and/or IPv6 addresses.
type AddressPair struct {
    // IPV4 is the IPv4 address of the pair, carried as a string. It is
    // omitted from the JSON form when empty.
    IPV4 string `json:"ipv4,omitempty"`
    // IPV6 is the IPv6 address of the pair, carried as a string. It is
    // omitted from the JSON form when empty.
    // NOTE(review): both fields are plain strings, so this type does not
    // itself guarantee a well-formed address; confirm where parsing happens
    // before using the values in policy or routing decisions.
    IPV6 string `json:"ipv6,omitempty"`
}

AddressPair is a pair of IPv4 and/or IPv6 addresses +k8s:deepcopy-gen=false

type AddressPairList Uses

type AddressPairList []*AddressPair

AddressPairList is a list of address pairs +k8s:deepcopy-gen=false

func (AddressPairList) Sort Uses

func (a AddressPairList) Sort()

Sort sorts an AddressPairList by IPv4 and IPv6 address

type AllocationIP Uses

type AllocationIP struct {
    // Owner is the owner of the IP. This field is set if the IP has been
    // allocated. It will be set to the pod name or another identifier
    // representing the usage of the IP
    //
    // The owner field is left blank for an entry in Spec.IPAM.Pool and
    // filled out as the IP is used and also added to Status.IPAM.Used.
    //
    // +optional
    Owner string `json:"owner,omitempty"`

    // Resource is set for both available and allocated IPs, it represents
    // what resource the IP is associated with, e.g. in combination with
    // AWS ENI, this will refer to the ID of the ENI
    //
    // +optional
    Resource string `json:"resource,omitempty"`
}

AllocationIP is an IP which is available for allocation, or already has been allocated

func (*AllocationIP) DeepCopy Uses

func (in *AllocationIP) DeepCopy() *AllocationIP

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AllocationIP.

func (*AllocationIP) DeepCopyInto Uses

func (in *AllocationIP) DeepCopyInto(out *AllocationIP)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AllowedIdentityList Uses

type AllowedIdentityList []AllowedIdentityTuple

AllowedIdentityList is a list of AllowedIdentityTuple +k8s:deepcopy-gen=false

func (AllowedIdentityList) Sort Uses

func (a AllowedIdentityList) Sort()

Sort sorts a list of AllowedIdentityTuple by numeric identity, port and protocol

type AllowedIdentityTuple Uses

// AllowedIdentityTuple specifies an allowed peer by identity, destination
// port and protocol.
//
// NOTE(review): every field is tagged omitempty, so a zero identity, port or
// protocol is dropped from the JSON form and cannot be told apart from an
// unset field. Whether zero acts as a wildcard is not visible here; confirm
// before interpreting a missing field as "any".
type AllowedIdentityTuple struct {
    // Identity is the numeric identity of the allowed peer.
    Identity       uint64            `json:"identity,omitempty"`
    // IdentityLabels presumably holds the labels behind Identity; TODO confirm.
    IdentityLabels map[string]string `json:"identity-labels,omitempty"`
    // DestPort is the destination port of the tuple.
    DestPort       uint16            `json:"dest-port,omitempty"`
    // Protocol is the protocol of the tuple as a uint8; presumably the IP
    // protocol number; TODO confirm.
    Protocol       uint8             `json:"protocol,omitempty"`
}

AllowedIdentityTuple specifies an allowed peer by identity, destination port and protocol +k8s:deepcopy-gen=false

type AwsSubnet Uses

type AwsSubnet struct {
    // ID is the ID of the subnet
    ID  string `json:"id,omitempty"`

    // CIDR is the CIDR range associated with the subnet
    CIDR string `json:"cidr,omitempty"`
}

AwsSubnet stores information regarding an AWS subnet

func (*AwsSubnet) DeepCopy Uses

func (in *AwsSubnet) DeepCopy() *AwsSubnet

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AwsSubnet.

func (*AwsSubnet) DeepCopyInto Uses

func (in *AwsSubnet) DeepCopyInto(out *AwsSubnet)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type AwsVPC Uses

// AwsVPC stores information regarding an AWS VPC.
type AwsVPC struct {
    // ID is the ID of a VPC
    ID  string `json:"id,omitempty"`

    // PrimaryCIDR is the primary CIDR of the VPC
    PrimaryCIDR string `json:"primary-cidr,omitempty"`

    // CIDRs is the list of CIDR ranges associated with the VPC
    CIDRs []string `json:"cidrs,omitempty"`
}

AwsVPC stores information regarding an AWS VPC

func (*AwsVPC) DeepCopy Uses

func (in *AwsVPC) DeepCopy() *AwsVPC

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AwsVPC.

func (*AwsVPC) DeepCopyInto Uses

func (in *AwsVPC) DeepCopyInto(out *AwsVPC)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CiliumEndpoint Uses

type CiliumEndpoint struct {
    // +k8s:openapi-gen=false
    metav1.TypeMeta `json:",inline"`
    // +k8s:openapi-gen=false
    metav1.ObjectMeta `json:"metadata"`

    Status EndpointStatus `json:"status"`
}

CiliumEndpoint is the status of a Cilium policy rule +k8s:openapi-gen=false

func (*CiliumEndpoint) DeepCopy Uses

func (in *CiliumEndpoint) DeepCopy() *CiliumEndpoint

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumEndpoint.

func (*CiliumEndpoint) DeepCopyInto Uses

func (in *CiliumEndpoint) DeepCopyInto(out *CiliumEndpoint)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CiliumEndpoint) DeepCopyObject Uses

func (in *CiliumEndpoint) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CiliumEndpointList Uses

type CiliumEndpointList struct {
    metav1.TypeMeta `json:",inline"`
    metav1.ListMeta `json:"metadata"`

    // Items is a list of CiliumEndpoint
    Items []CiliumEndpoint `json:"items"`
}

CiliumEndpointList is a list of CiliumEndpoint objects +k8s:openapi-gen=false

func (*CiliumEndpointList) DeepCopy Uses

func (in *CiliumEndpointList) DeepCopy() *CiliumEndpointList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumEndpointList.

func (*CiliumEndpointList) DeepCopyInto Uses

func (in *CiliumEndpointList) DeepCopyInto(out *CiliumEndpointList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CiliumEndpointList) DeepCopyObject Uses

func (in *CiliumEndpointList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CiliumIdentity Uses

// CiliumIdentity is a CRD that represents an identity managed by Cilium; the
// object name is the numeric identity.
type CiliumIdentity struct {
    // +k8s:openapi-gen=false
    metav1.TypeMeta `json:",inline"`
    // +k8s:openapi-gen=false
    metav1.ObjectMeta `json:"metadata"`

    // SecurityLabels is the source-of-truth set of labels for this identity.
    // It holds the labels from all sources, including their source, and is
    // what defines the identity. The labels under ObjectMeta are only the
    // Kubernetes-sourced ones and exist for label-selector lookups, so
    // identity decisions should be based on this field and not on them.
    SecurityLabels map[string]string `json:"security-labels"`

    // Status is updated by each node that uses the identity with the node's
    // name and a timestamp. cilium-operator uses that node list to reference
    // count users of the identity and to expire stale usage.
    Status IdentityStatus `json:"status"`
}

CiliumIdentity is a CRD that represents an identity managed by Cilium. It is intended as a backing store for identity allocation, acting as the global coordination backend, and can be used in place of a KVStore (such as etcd). The name of the CRD is the numeric identity and the labels on the CRD object are the kubernetes sourced labels seen by cilium. This is currently the only label source possible when running under kubernetes. Non-kubernetes labels are filtered but all labels, from all sources, are placed in the SecurityLabels field. These also include the source and are used to define the identity. The labels under metav1.ObjectMeta can be used when searching for CiliumIdentity instances that include particular labels. This can be done with invocations such as:

kubectl get ciliumid -l 'foo=bar'

Each node using a ciliumidentity updates the status field with its name and a timestamp when it first allocates or uses an identity, and periodically after that. It deletes its entry when no longer using this identity. cilium-operator uses the list of nodes in status to reference count users of this identity, and to expire stale usage.

func (*CiliumIdentity) DeepCopy Uses

func (in *CiliumIdentity) DeepCopy() *CiliumIdentity

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumIdentity.

func (*CiliumIdentity) DeepCopyInto Uses

func (in *CiliumIdentity) DeepCopyInto(out *CiliumIdentity)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CiliumIdentity) DeepCopyObject Uses

func (in *CiliumIdentity) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CiliumIdentityList Uses

type CiliumIdentityList struct {
    metav1.TypeMeta `json:",inline"`
    metav1.ListMeta `json:"metadata"`

    // Items is a list of CiliumIdentity
    Items []CiliumIdentity `json:"items"`
}

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

CiliumIdentityList is a list of CiliumIdentity objects

func (*CiliumIdentityList) DeepCopy Uses

func (in *CiliumIdentityList) DeepCopy() *CiliumIdentityList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumIdentityList.

func (*CiliumIdentityList) DeepCopyInto Uses

func (in *CiliumIdentityList) DeepCopyInto(out *CiliumIdentityList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CiliumIdentityList) DeepCopyObject Uses

func (in *CiliumIdentityList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CiliumNetworkPolicy Uses

// CiliumNetworkPolicy is a Kubernetes third-party resource with an extended
// version of NetworkPolicy.
type CiliumNetworkPolicy struct {
    // +k8s:openapi-gen=false
    metav1.TypeMeta `json:",inline"`
    // +k8s:openapi-gen=false
    metav1.ObjectMeta `json:"metadata"`

    // Spec is the desired Cilium specific rule specification.
    Spec *api.Rule `json:"spec,omitempty"`

    // Specs is a list of desired Cilium specific rule specification.
    //
    // NOTE(review): Spec and Specs are both optional in this type. How a
    // policy that sets both, or neither, is treated is decided by Parse and
    // is not visible here; confirm before relying on either case.
    Specs api.Rules `json:"specs,omitempty"`

    // Status is the status of the Cilium policy rule. It is reported per
    // node and per derivative policy (see CiliumNetworkPolicyStatus).
    // +optional
    Status CiliumNetworkPolicyStatus `json:"status"`
}

CiliumNetworkPolicy is a Kubernetes third-party resource with an extended version of NetworkPolicy

func (*CiliumNetworkPolicy) AnnotationsEquals Uses

func (r *CiliumNetworkPolicy) AnnotationsEquals(o *CiliumNetworkPolicy) bool

AnnotationsEquals returns true if ObjectMeta.Annotations of each CiliumNetworkPolicy are equivalent (i.e., they contain equivalent key-value pairs).

func (*CiliumNetworkPolicy) DeepCopy Uses

func (in *CiliumNetworkPolicy) DeepCopy() *CiliumNetworkPolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNetworkPolicy.

func (*CiliumNetworkPolicy) DeepCopyInto Uses

func (in *CiliumNetworkPolicy) DeepCopyInto(out *CiliumNetworkPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CiliumNetworkPolicy) DeepCopyObject Uses

func (in *CiliumNetworkPolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*CiliumNetworkPolicy) GetControllerName Uses

func (r *CiliumNetworkPolicy) GetControllerName() string

GetControllerName returns the unique name for the controller manager.

func (*CiliumNetworkPolicy) GetIdentityLabels Uses

func (r *CiliumNetworkPolicy) GetIdentityLabels() labels.LabelArray

GetIdentityLabels returns all rule labels in the CiliumNetworkPolicy.

func (*CiliumNetworkPolicy) GetPolicyStatus Uses

func (r *CiliumNetworkPolicy) GetPolicyStatus(nodeName string) CiliumNetworkPolicyNodeStatus

GetPolicyStatus returns the CiliumNetworkPolicyNodeStatus corresponding to nodeName in the provided CiliumNetworkPolicy. If Nodes within the rule's Status is nil, returns an empty CiliumNetworkPolicyNodeStatus.

func (*CiliumNetworkPolicy) Parse Uses

func (r *CiliumNetworkPolicy) Parse() (api.Rules, error)

Parse parses a CiliumNetworkPolicy and returns a list of cilium policy rules.

func (*CiliumNetworkPolicy) RequiresDerivative Uses

func (r *CiliumNetworkPolicy) RequiresDerivative() bool

RequiresDerivative returns true if the CNP has any rule that will create a new derivative rule.

func (*CiliumNetworkPolicy) SetDerivedPolicyStatus Uses

func (r *CiliumNetworkPolicy) SetDerivedPolicyStatus(derivativePolicyName string, status CiliumNetworkPolicyNodeStatus)

SetDerivedPolicyStatus sets the derivative policy status for the given derivative policy name.

func (*CiliumNetworkPolicy) SetPolicyStatus Uses

func (r *CiliumNetworkPolicy) SetPolicyStatus(nodeName string, cnpns CiliumNetworkPolicyNodeStatus)

SetPolicyStatus sets the given policy status for the given nodes' map

func (*CiliumNetworkPolicy) SpecEquals Uses

func (r *CiliumNetworkPolicy) SpecEquals(o *CiliumNetworkPolicy) bool

SpecEquals returns true if the spec and specs metadata is the same.

func (*CiliumNetworkPolicy) String Uses

func (r *CiliumNetworkPolicy) String() string

type CiliumNetworkPolicyList Uses

type CiliumNetworkPolicyList struct {
    metav1.TypeMeta `json:",inline"`
    metav1.ListMeta `json:"metadata"`

    // Items is a list of CiliumNetworkPolicy
    Items []CiliumNetworkPolicy `json:"items"`
}

CiliumNetworkPolicyList is a list of CiliumNetworkPolicy objects +k8s:openapi-gen=false

func (*CiliumNetworkPolicyList) DeepCopy Uses

func (in *CiliumNetworkPolicyList) DeepCopy() *CiliumNetworkPolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNetworkPolicyList.

func (*CiliumNetworkPolicyList) DeepCopyInto Uses

func (in *CiliumNetworkPolicyList) DeepCopyInto(out *CiliumNetworkPolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CiliumNetworkPolicyList) DeepCopyObject Uses

func (in *CiliumNetworkPolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CiliumNetworkPolicyNodeStatus Uses

// CiliumNetworkPolicyNodeStatus is the status of a Cilium policy rule for a
// specific node.
type CiliumNetworkPolicyNodeStatus struct {
    // OK is true when the policy has been parsed and imported successfully
    // into the in-memory policy repository on the node.
    // It does not by itself say that endpoints are enforcing the policy;
    // that is what Enforcing reports.
    OK  bool `json:"ok,omitempty"`

    // Error describes any error that occurred when parsing or importing the
    // policy, or realizing the policy for the endpoints to which it applies
    // on the node.
    Error string `json:"error,omitempty"`

    // LastUpdated contains the last time this status was updated
    LastUpdated Timestamp `json:"lastUpdated,omitempty"`

    // Revision is the policy revision of the repository which first implemented
    // this policy.
    // Note that the JSON name is "localPolicyRevision", not "revision".
    Revision uint64 `json:"localPolicyRevision,omitempty"`

    // Enforcing is set to true once all endpoints present at the time the
    // policy has been imported are enforcing this policy.
    // Because of omitempty, a false value is absent from the JSON form, so a
    // missing "enforcing" key means "not (yet) enforcing".
    Enforcing bool `json:"enforcing,omitempty"`

    // Annotations corresponds to the Annotations in the ObjectMeta of the CNP
    // that have been realized on the node for CNP. That is, if a CNP has been
    // imported and has been assigned annotation X=Y by the user,
    // Annotations in CiliumNetworkPolicyNodeStatus will be X=Y once the
    // CNP that was imported corresponding to Annotation X=Y has been realized on
    // the node.
    Annotations map[string]string `json:"annotations,omitempty"`
}

CiliumNetworkPolicyNodeStatus is the status of a Cilium policy rule for a specific node

func (*CiliumNetworkPolicyNodeStatus) DeepCopy Uses

func (in *CiliumNetworkPolicyNodeStatus) DeepCopy() *CiliumNetworkPolicyNodeStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNetworkPolicyNodeStatus.

func (*CiliumNetworkPolicyNodeStatus) DeepCopyInto Uses

func (in *CiliumNetworkPolicyNodeStatus) DeepCopyInto(out *CiliumNetworkPolicyNodeStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CiliumNetworkPolicyStatus Uses

type CiliumNetworkPolicyStatus struct {
    // Nodes is the Cilium policy status for each node
    Nodes map[string]CiliumNetworkPolicyNodeStatus `json:"nodes,omitempty"`

    // DerivativePolicies is the status of all policies derived from the Cilium
    // policy
    DerivativePolicies map[string]CiliumNetworkPolicyNodeStatus `json:"derivativePolicies,omitempty"`
}

CiliumNetworkPolicyStatus is the status of a Cilium policy rule

func (*CiliumNetworkPolicyStatus) DeepCopy Uses

func (in *CiliumNetworkPolicyStatus) DeepCopy() *CiliumNetworkPolicyStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNetworkPolicyStatus.

func (*CiliumNetworkPolicyStatus) DeepCopyInto Uses

func (in *CiliumNetworkPolicyStatus) DeepCopyInto(out *CiliumNetworkPolicyStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type CiliumNode Uses

type CiliumNode struct {
    // +k8s:openapi-gen=false
    metav1.TypeMeta `json:",inline"`
    // +k8s:openapi-gen=false
    metav1.ObjectMeta `json:"metadata"`

    // Spec defines the desired specification/configuration of the node
    Spec NodeSpec `json:"spec"`

    // Status defines the realized specification/configuration and status
    // of the node
    Status NodeStatus `json:"status"`
}

CiliumNode represents a node managed by Cilium. It contains a specification to control various node specific configuration aspects and a status section to represent the status of the node

func (*CiliumNode) DeepCopy Uses

func (in *CiliumNode) DeepCopy() *CiliumNode

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNode.

func (*CiliumNode) DeepCopyInto Uses

func (in *CiliumNode) DeepCopyInto(out *CiliumNode)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CiliumNode) DeepCopyObject Uses

func (in *CiliumNode) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type CiliumNodeList Uses

type CiliumNodeList struct {
    metav1.TypeMeta `json:",inline"`
    metav1.ListMeta `json:"metadata"`

    // Items is a list of CiliumNode
    Items []CiliumNode `json:"items"`
}

+k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

CiliumNodeList is a list of CiliumNode objects

func (*CiliumNodeList) DeepCopy Uses

func (in *CiliumNodeList) DeepCopy() *CiliumNodeList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CiliumNodeList.

func (*CiliumNodeList) DeepCopyInto Uses

func (in *CiliumNodeList) DeepCopyInto(out *CiliumNodeList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CiliumNodeList) DeepCopyObject Uses

func (in *CiliumNodeList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ControllerList Uses

type ControllerList []ControllerStatus

ControllerList is a list of ControllerStatus +k8s:deepcopy-gen=false

func (ControllerList) Sort Uses

func (c ControllerList) Sort()

Sort sorts the ControllerList by controller name

type ControllerStatus Uses

type ControllerStatus struct {
    // Name is the name of the controller
    Name string `json:"name,omitempty"`

    // Configuration is the controller configuration
    Configuration *models.ControllerStatusConfiguration `json:"configuration,omitempty"`

    // Status is the status of the controller
    Status ControllerStatusStatus `json:"status,omitempty"`

    // UUID is the UUID of the controller
    UUID string `json:"uuid,omitempty"`
}

ControllerStatus is the status of a failing controller +k8s:deepcopy-gen=false

type ControllerStatusStatus Uses

// ControllerStatusStatus is the detailed status section of a controller.
//
// NOTE(review): the field meanings below are read from the field names and
// JSON tags only; confirm against the code that fills this struct.
type ControllerStatusStatus struct {
    // ConsecutiveFailureCount is presumably the number of failures since the
    // last success.
    ConsecutiveFailureCount int64  `json:"consecutive-failure-count,omitempty"`
    // FailureCount is presumably the total number of failed runs.
    FailureCount            int64  `json:"failure-count,omitempty"`
    // LastFailureMsg is presumably the message of the most recent failure.
    // It is free-form text, so treat it as untrusted when displaying it.
    LastFailureMsg          string `json:"last-failure-msg,omitempty"`
    // LastFailureTimestamp is carried as a string; the timestamp format is
    // not defined by this type.
    LastFailureTimestamp    string `json:"last-failure-timestamp,omitempty"`
    // LastSuccessTimestamp is carried as a string; the timestamp format is
    // not defined by this type.
    LastSuccessTimestamp    string `json:"last-success-timestamp,omitempty"`
    // SuccessCount is presumably the total number of successful runs.
    SuccessCount            int64  `json:"success-count,omitempty"`
}

ControllerStatusStatus is the detailed status section of a controller +k8s:deepcopy-gen=false

type DeprecatedEndpointStatus Uses

type DeprecatedEndpointStatus struct {
    Controllers ControllerList                 `json:"controllers,omitempty"`
    Identity    *EndpointIdentity              `json:"identity,omitempty"`
    Log         []*models.EndpointStatusChange `json:"log,omitempty"`
    Networking  *EndpointNetworking            `json:"networking,omitempty"`
    State       string                         `json:"state,omitempty"`

    // These fields are no longer populated
    Realized            *deprecatedEndpointConfigurationSpec `json:"realized,omitempty"`
    Labels              *deprecatedLabelConfigurationStatus  `json:"labels,omitempty"`
    Policy              *models.EndpointPolicyStatus         `json:"policy,omitempty"`
    ExternalIdentifiers *models.EndpointIdentifiers          `json:"external-identifiers,omitempty"`
    Health              *models.EndpointHealth               `json:"health,omitempty"`
}

DeprecatedEndpointStatus is the original endpoint status provided for backwards compatibility.

See EndpointStatus for descriptions of fields +k8s:deepcopy-gen=false

type ENI Uses

type ENI struct {
    // ID is the ENI ID
    //
    // +optional
    ID  string `json:"id,omitempty"`

    // IP is the primary IP of the ENI
    //
    // +optional
    IP  string `json:"ip,omitempty"`

    // MAC is the mac address of the ENI
    //
    // +optional
    MAC string `json:"mac,omitempty"`

    // AvailabilityZone is the availability zone of the ENI
    //
    // +optional
    AvailabilityZone string `json:"availability-zone,omitempty"`

    // Description is the description field of the ENI
    //
    // +optional
    Description string `json:"description,omitempty"`

    // Number is the interface index, it used in combination with
    // FirstInterfaceIndex
    //
    // +optional
    Number int `json:"number,omitempty"`

    // Subnet is the subnet the ENI is associated with
    //
    // +optional
    Subnet AwsSubnet `json:"subnet,omitempty"`

    // VPC is the VPC information to which the ENI is attached to
    //
    // +optional
    VPC AwsVPC `json:"vpc,omitempty"`

    // Addresses is the list of all IPs associated with the ENI, including
    // all secondary addresses
    //
    // +optional
    Addresses []string `json:"addresses,omitempty"`

    // SecurityGroups are the security groups associated with the ENI
    SecurityGroups []string `json:"security-groups,omitempty"`
}

ENI represents an AWS Elastic Network Interface

More details: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

func (*ENI) DeepCopy Uses

func (in *ENI) DeepCopy() *ENI

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ENI.

func (*ENI) DeepCopyInto Uses

func (in *ENI) DeepCopyInto(out *ENI)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ENISpec Uses

type ENISpec struct {
    // InstanceID is the AWS InstanceId of the node. The InstanceID is used
    // to retrieve AWS metadata for the node.
    InstanceID string `json:"instance-id,omitempty"`

    // InstanceType is the AWS EC2 instance type, e.g. "m5.large"
    InstanceType string `json:"instance-type,omitempty"`

    // MinAllocate is the minimum number of IPs that must be allocated when
    // the node is first bootstrapped. It defines the minimum base socket
    // of addresses that must be available. After reaching this watermark,
    // the PreAllocate and MaxAboveWatermark logic takes over to continue
    // allocating IPs.
    //
    // +optional
    MinAllocate int `json:"min-allocate,omitempty"`

    // PreAllocate defines the number of IP addresses that must be
    // available for allocation in the IPAMspec. It defines the buffer of
    // addresses available immediately without requiring cilium-operator to
    // get involved.
    //
    // +optional
    PreAllocate int `json:"pre-allocate,omitempty"`

    // MaxAboveWatermark is the maximum number of addresses to allocate
    // beyond the addresses needed to reach the PreAllocate watermark.
    // Going above the watermark can help reduce the number of API calls to
    // allocate IPs, e.g. when a new ENI is allocated, as many secondary
    // IPs as possible are allocated. Limiting the amount can help reduce
    // waste of IPs.
    //
    // +optional
    MaxAboveWatermark int `json:"max-above-watermark,omitempty"`

    // FirstInterfaceIndex is the index of the first ENI to use for IP
    // allocation, e.g. if the node has eth0, eth1, eth2 and
    // FirstInterfaceIndex is set to 1, then only eth1 and eth2 will be
    // used for IP allocation, eth0 will be ignored for PodIP allocation.
    //
    // +optional
    FirstInterfaceIndex int `json:"first-interface-index,omitempty"`

    // SecurityGroups is the list of security groups to attach to any ENI
    // that is created and attached to the instance.
    //
    // +optional
    SecurityGroups []string `json:"security-groups,omitempty"`

    // SubnetTags is the list of tags to use when evaluating what AWS
    // subnets to use for ENI and IP allocation
    //
    // +optional
    SubnetTags map[string]string `json:"subnet-tags,omitempty"`

    // VpcID is the VPC ID to use when allocating ENIs
    VpcID string `json:"vpc-id,omitempty"`

    // AvailabilityZone is the availability zone to use when allocating
    // ENIs
    AvailabilityZone string `json:"availability-zone,omitempty"`

    // DeleteOnTermination defines that the ENI should be deleted when the
    // associated instance is terminated
    //
    // +optional
    DeleteOnTermination bool `json:"delete-on-termination,omitempty"`
}

ENISpec is the ENI specification of a node. This specification is considered by the cilium-operator to act as an IPAM operator and makes ENI IPs available via the IPAMSpec section.

The ENI specification can either be provided explicitly by the user or the cilium agent running on the node can be instructed to create the CiliumNode custom resource along with an ENI specification when the node registers itself to the Kubernetes cluster.

func (*ENISpec) DeepCopy Uses

func (in *ENISpec) DeepCopy() *ENISpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ENISpec.

func (*ENISpec) DeepCopyInto Uses

func (in *ENISpec) DeepCopyInto(out *ENISpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ENIStatus Uses

type ENIStatus struct {
    // ENIs is the list of ENIs on the node
    //
    // +optional
    ENIs map[string]ENI `json:"enis,omitempty"`
}

ENIStatus is the status of ENI addressing of the node

func (*ENIStatus) DeepCopy Uses

func (in *ENIStatus) DeepCopy() *ENIStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ENIStatus.

func (*ENIStatus) DeepCopyInto Uses

func (in *ENIStatus) DeepCopyInto(out *ENIStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type EncryptionSpec Uses

// EncryptionSpec defines the encryption relevant configuration of a node.
type EncryptionSpec struct {
    // Key is the index to the key to use for encryption or 0 if encryption
    // is disabled. The field is an index only; it does not hold key
    // material.
    //
    // Because of omitempty a zero Key is left out of the JSON, so a
    // document with no "key" entry decodes to 0, i.e. encryption disabled.
    // Consumers cannot tell "explicitly disabled" from "never set".
    //
    // +optional
    Key int `json:"key,omitempty"`
}

EncryptionSpec defines the encryption relevant configuration of a node

func (*EncryptionSpec) DeepCopy Uses

func (in *EncryptionSpec) DeepCopy() *EncryptionSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EncryptionSpec.

func (*EncryptionSpec) DeepCopyInto Uses

func (in *EncryptionSpec) DeepCopyInto(out *EncryptionSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type EndpointIdentity Uses

// EndpointIdentity is the identity information of an endpoint.
type EndpointIdentity struct {
    // ID is the numeric identity of the endpoint
    ID  int64 `json:"id,omitempty"`

    // Labels is the list of labels associated with the identity
    Labels []string `json:"labels,omitempty"`

    // Deprecated fields
    //
    // LabelsSHA256 is retained only as a deprecated field. Judging by the
    // name it held a SHA-256 digest of the labels; confirm before relying
    // on it.
    LabelsSHA256 string `json:"labelsSHA256,omitempty"`
}

EndpointIdentity is the identity information of an endpoint

func (*EndpointIdentity) DeepCopy Uses

func (in *EndpointIdentity) DeepCopy() *EndpointIdentity

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointIdentity.

func (*EndpointIdentity) DeepCopyInto Uses

func (in *EndpointIdentity) DeepCopyInto(out *EndpointIdentity)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type EndpointNetworking Uses

// EndpointNetworking is the addressing information of an endpoint.
type EndpointNetworking struct {
    // IP4/6 addresses assigned to this Endpoint. The tag has no omitempty,
    // so "addressing" is always present in the encoded form.
    Addressing AddressPairList `json:"addressing"`

    // NodeIP is the IP of the node the endpoint is running on. The IP must
    // be reachable between nodes. Note that the JSON key is "node", not
    // "node-ip".
    NodeIP string `json:"node,omitempty"`

    // Deprecated fields: host addressing, host/endpoint MAC addresses and
    // the interface index and name. All are omitted from JSON when empty.
    HostAddressing *models.NodeAddressing `json:"host-addressing,omitempty"`
    HostMac        string                 `json:"host-mac,omitempty"`
    InterfaceIndex int64                  `json:"interface-index,omitempty"`
    InterfaceName  string                 `json:"interface-name,omitempty"`
    Mac            string                 `json:"mac,omitempty"`
}

EndpointNetworking is the addressing information of an endpoint

func (*EndpointNetworking) DeepCopy Uses

func (in *EndpointNetworking) DeepCopy() *EndpointNetworking

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointNetworking.

func (*EndpointNetworking) DeepCopyInto Uses

func (in *EndpointNetworking) DeepCopyInto(out *EndpointNetworking)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type EndpointPolicy Uses

// EndpointPolicy represents the endpoint's policy by listing all allowed
// ingress and egress identities in combination with L4 port and protocol.
//
// +k8s:deepcopy-gen=false
type EndpointPolicy struct {
    // Ingress is the policy state for the ingress direction. A nil pointer
    // is omitted from the JSON.
    Ingress *EndpointPolicyDirection `json:"ingress,omitempty"`
    // Egress is the policy state for the egress direction. A nil pointer
    // is omitted from the JSON.
    Egress  *EndpointPolicyDirection `json:"egress,omitempty"`
}

EndpointPolicy represents the endpoint's policy by listing all allowed ingress and egress identities in combination with L4 port and protocol.

+k8s:deepcopy-gen=false

type EndpointPolicyDirection Uses

// EndpointPolicyDirection is the list of allowed identities per direction.
//
// +k8s:deepcopy-gen=false
type EndpointPolicyDirection struct {
    // Enforcing is always encoded (the tag has no omitempty). Presumably it
    // reports whether policy is enforced in this direction; confirm against
    // the code that fills it in. When auditing, read Allowed together with
    // this flag rather than on its own.
    Enforcing bool                `json:"enforcing"`
    // Allowed is the list of allowed identities for this direction.
    Allowed   AllowedIdentityList `json:"allowed,omitempty"`
    // Removing and Adding are further identity lists. Presumably they hold
    // identities in the process of being removed from / added to Allowed.
    // TODO confirm; their exact meaning is not documented here.
    Removing  AllowedIdentityList `json:"removing,omitempty"`
    Adding    AllowedIdentityList `json:"adding,omitempty"`
}

EndpointPolicyDirection is the list of allowed identities per direction.

+k8s:deepcopy-gen=false

type EndpointStatus Uses

// EndpointStatus is the status of a Cilium endpoint.
//
// Deepcopy generation is switched off for this type and a custom
// DeepCopyInto is provided instead, because deepcopy functions cannot be
// generated for the models.* types it includes.
//
// NOTE(review): per the DeepCopyInto documentation this type is reused in
// the CiliumEndpoint CRD, so the identifiers, addresses, policy and log
// entries stored here are readable by whoever can read that resource.
// Confirm that read access to it is scoped accordingly.
//
// +k8s:deepcopy-gen=false
type EndpointStatus struct {
    // The cilium-agent-local ID of the endpoint
    ID  int64 `json:"id,omitempty"`

    // Controllers is the list of failing controllers for this endpoint
    Controllers ControllerList `json:"controllers,omitempty"`

    // ExternalIdentifiers is a set of identifiers to identify the endpoint
    // apart from the pod name. This includes container runtime IDs.
    ExternalIdentifiers *models.EndpointIdentifiers `json:"external-identifiers,omitempty"`

    // Health is the summary of overall endpoint & subcomponent health
    Health *models.EndpointHealth `json:"health,omitempty"`

    // Identity is the security identity associated with the endpoint
    Identity *EndpointIdentity `json:"identity,omitempty"`

    // Log is the list of the last few warning and error log entries.
    // EndpointStatusLogEntries is documented as the maximum number of
    // entries kept here.
    Log []*models.EndpointStatusChange `json:"log,omitempty"`

    // Networking properties of the endpoint
    //
    // +optional
    Networking *EndpointNetworking `json:"networking,omitempty"`

    // Encryption is the encryption configuration of the node
    //
    // +optional
    Encryption EncryptionSpec `json:"encryption,omitempty"`

    // Policy is the endpoint's policy: the allowed identities per
    // direction (see EndpointPolicy). Nil is omitted from the JSON.
    Policy *EndpointPolicy `json:"policy,omitempty"`

    // State is the state of the endpoint
    //
    // States are:
    // - creating
    // - waiting-for-identity
    // - not-ready
    // - waiting-to-regenerate
    // - regenerating
    // - restoring
    // - ready
    // - disconnecting
    // - disconnected
    State string `json:"state,omitempty"`

    // Deprecated fields
    Spec   *deprecatedEndpointConfigurationSpec `json:"spec,omitempty"`
    Status *DeprecatedEndpointStatus            `json:"status,omitempty"`
}

EndpointStatus is the status of a Cilium endpoint.

The custom deepcopy function below is a workaround. We can generate a deepcopy for EndpointStatus but not for the various models.* types it includes. We can't generate functions for classes in other packages, nor can we change the models.Endpoint type to use proxy types we define here.

+k8s:deepcopy-gen=false

func (*EndpointStatus) DeepCopyInto Uses

func (m *EndpointStatus) DeepCopyInto(out *EndpointStatus)

DeepCopyInto is an inefficient hack to allow reusing models.Endpoint in the CiliumEndpoint CRD.

func (*EndpointStatus) MarshalBinary Uses

func (m *EndpointStatus) MarshalBinary() ([]byte, error)

MarshalBinary interface implementation

func (*EndpointStatus) UnmarshalBinary Uses

func (m *EndpointStatus) UnmarshalBinary(b []byte) error

UnmarshalBinary interface implementation

type HealthAddressingSpec Uses

// HealthAddressingSpec is the addressing information required to do
// connectivity health checking.
type HealthAddressingSpec struct {
    // IPv4 is the IPv4 address of the IPv4 health endpoint
    //
    // +optional
    IPv4 string `json:"ipv4,omitempty"`

    // IPv6 is the IPv6 address of the IPv6 health endpoint
    //
    // +optional
    IPv6 string `json:"ipv6,omitempty"`
}

HealthAddressingSpec is the addressing information required to do connectivity health checking

func (*HealthAddressingSpec) DeepCopy Uses

func (in *HealthAddressingSpec) DeepCopy() *HealthAddressingSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HealthAddressingSpec.

func (*HealthAddressingSpec) DeepCopyInto Uses

func (in *HealthAddressingSpec) DeepCopyInto(out *HealthAddressingSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IPAMSpec Uses

// IPAMSpec is the IPAM specification of the node.
type IPAMSpec struct {
    // Pool is the list of IPs available to the node for allocation. When
    // an IP is used, the IP will remain on this list but will be added to
    // Status.IPAM.Used
    //
    // The list is stored as a map of AllocationIP values; presumably the
    // string key is the IP address itself (confirm against the writer).
    //
    // +optional
    Pool map[string]AllocationIP `json:"pool,omitempty"`

    // PodCIDRs is the list of CIDRs available to the node for allocation.
    // When an IP is used, the IP will be added to Status.IPAM.Used
    //
    // +optional
    PodCIDRs []string `json:"podCIDRs,omitempty"`
}

IPAMSpec is the IPAM specification of the node

func (*IPAMSpec) DeepCopy Uses

func (in *IPAMSpec) DeepCopy() *IPAMSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPAMSpec.

func (*IPAMSpec) DeepCopyInto Uses

func (in *IPAMSpec) DeepCopyInto(out *IPAMSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IPAMStatus Uses

// IPAMStatus is the IPAM status of a node.
type IPAMStatus struct {
    // Used lists all IPs out of Spec.IPAM.Pool which have been allocated
    // and are in use. It has the same map shape as Spec.IPAM.Pool.
    //
    // +optional
    Used map[string]AllocationIP `json:"used,omitempty"`
}

IPAMStatus is the IPAM status of a node

func (*IPAMStatus) DeepCopy Uses

func (in *IPAMStatus) DeepCopy() *IPAMStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPAMStatus.

func (*IPAMStatus) DeepCopyInto Uses

func (in *IPAMStatus) DeepCopyInto(out *IPAMStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IdentityStatus Uses

// IdentityStatus is the status of an identity.
type IdentityStatus struct {
    // Nodes maps a string key to a timestamp. The meaning of either is not
    // documented here; presumably the key is a node name and the value the
    // time that node last reported using the identity. TODO confirm.
    Nodes map[string]metav1.Time `json:"nodes,omitempty"`
}

IdentityStatus is the status of an identity

func (*IdentityStatus) DeepCopy Uses

func (in *IdentityStatus) DeepCopy() *IdentityStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IdentityStatus.

func (*IdentityStatus) DeepCopyInto Uses

func (in *IdentityStatus) DeepCopyInto(out *IdentityStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type NodeAddress Uses

// NodeAddress is a node address.
type NodeAddress struct {
    // Type is the type of the node address
    Type addressing.AddressType `json:"type,omitempty"`

    // IP is an IP of a node. It is carried as a plain string; nothing in
    // this type validates that it parses as an IP address.
    IP  string `json:"ip,omitempty"`
}

NodeAddress is a node address

func (*NodeAddress) DeepCopy Uses

func (in *NodeAddress) DeepCopy() *NodeAddress

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeAddress.

func (*NodeAddress) DeepCopyInto Uses

func (in *NodeAddress) DeepCopyInto(out *NodeAddress)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type NodeSpec Uses

// NodeSpec is the configuration specific to a node.
type NodeSpec struct {
    // Addresses is the list of all node addresses
    //
    // +optional
    Addresses []NodeAddress `json:"addresses,omitempty"`

    // HealthAddressing is the addressing information for health
    // connectivity checking. Note that the JSON key is "health".
    //
    // +optional
    HealthAddressing HealthAddressingSpec `json:"health,omitempty"`

    // Encryption is the encryption configuration of the node. A zero
    // EncryptionSpec.Key means encryption is disabled.
    //
    // +optional
    Encryption EncryptionSpec `json:"encryption,omitempty"`

    // ENI is the AWS ENI specific configuration
    //
    // +optional
    ENI ENISpec `json:"eni,omitempty"`

    // IPAM is the address management specification. This section can be
    // populated by a user or it can be automatically populated by an IPAM
    // operator
    //
    // +optional
    IPAM IPAMSpec `json:"ipam,omitempty"`
}

NodeSpec is the configuration specific to a node

func (*NodeSpec) DeepCopy Uses

func (in *NodeSpec) DeepCopy() *NodeSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeSpec.

func (*NodeSpec) DeepCopyInto Uses

func (in *NodeSpec) DeepCopyInto(out *NodeSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type NodeStatus Uses

// NodeStatus is the status of a node.
type NodeStatus struct {
    // ENI is the AWS ENI specific status of the node
    //
    // +optional
    ENI ENIStatus `json:"eni,omitempty"`

    // IPAM is the IPAM status of the node
    //
    // +optional
    IPAM IPAMStatus `json:"ipam,omitempty"`
}

NodeStatus is the status of a node

func (*NodeStatus) DeepCopy Uses

func (in *NodeStatus) DeepCopy() *NodeStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NodeStatus.

func (*NodeStatus) DeepCopyInto Uses

func (in *NodeStatus) DeepCopyInto(out *NodeStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Timestamp Uses

// Timestamp is a wrapper of time.Time so that we can create our own
// implementation of DeepCopyInto.
type Timestamp struct {
    // Embedded, so the exported methods of time.Time are promoted onto
    // Timestamp.
    time.Time
}

Timestamp is a wrapper of time.Time so that we can create our own implementation of DeepCopyInto.

func NewTimestamp Uses

func NewTimestamp() Timestamp

NewTimestamp creates a new Timestamp with the current time.Now()

func (*Timestamp) DeepCopy Uses

func (in *Timestamp) DeepCopy() *Timestamp

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Timestamp.

func (*Timestamp) DeepCopyInto Uses

func (t *Timestamp) DeepCopyInto(out *Timestamp)

DeepCopyInto creates a deep-copy of the Time value. The underlying time.Time type is effectively immutable in the time API, so it is safe to copy-by-assign, despite the presence of (unexported) Pointer fields.
