apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
annotations:
kubectl.kubernetes.io/last-applied-configuration: '{"apiVersion":"apiextensions.k8s.io/v1","kind":"CustomResourceDefinition","metadata":{"annotations":{},"name":"networkpolicies.crd.projectcalico.org"},"spec":{"group":"crd.projectcalico.org","names":{"kind":"NetworkPolicy","listKind":"NetworkPolicyList","plural":"networkpolicies","singular":"networkpolicy"},"scope":"Namespaced","versions":[{"name":"v1","schema":{"openAPIV3Schema":{"properties":{"apiVersion":{"description":"APIVersion
defines the versioned schema of this representation of an object. Servers should
convert recognized schemas to the latest internal value, and may reject unrecognized
values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources","type":"string"},"kind":{"description":"Kind
is a string value representing the REST resource this object represents. Servers
may infer this from the endpoint the client submits requests to. Cannot be updated.
In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds","type":"string"},"metadata":{"type":"object"},"spec":{"properties":{"egress":{"description":"The
ordered set of egress rules. Each rule contains a set of packet match criteria
and a corresponding action to apply.","items":{"description":"A Rule encapsulates
a set of match criteria and an action. Both selector-based security Policy
and security Profiles reference rules - separated out as a list of rules for
both ingress and egress packet matching. \n Each positive match criteria has
a negated version, prefixed with \"Not\". All the match criteria within a rule
must be satisfied for a packet to match. A single rule can contain the positive
and negative version of a match and both must be satisfied for the rule to match.","properties":{"action":{"type":"string"},"destination":{"description":"Destination
contains the match criteria that apply to destination entity.","properties":{"namespaceSelector":{"description":"NamespaceSelector
is an optional field that contains a selector expression. Only traffic that
originates from (or terminates at) endpoints within the selected namespaces
will be matched. When both NamespaceSelector and Selector are defined on the
same rule, then only workload endpoints that are matched by both selectors will
be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies
that the Selector is limited to selecting only workload endpoints in the same
namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector
implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint.
\n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector
applies to workload endpoints across all namespaces.","type":"string"},"nets":{"description":"Nets
is an optional field that restricts the rule to only apply to traffic that originates
from (or terminates at) IP addresses in any of the given subnets.","items":{"type":"string"},"type":"array"},"notNets":{"description":"NotNets
is the negated version of the Nets field.","items":{"type":"string"},"type":"array"},"notPorts":{"description":"NotPorts
is the negated version of the Ports field. Since only some protocols have ports,
if any ports are specified it requires the Protocol match in the Rule to be
set to \"TCP\" or \"UDP\".","items":{"anyOf":[{"type":"integer"},{"type":"string"}],"pattern":"^.*","x-kubernetes-int-or-string":true},"type":"array"},"notSelector":{"description":"NotSelector
is the negated version of the Selector field. See Selector field for subtleties
with negated selectors.","type":"string"},"ports":{"description":"Ports is an
optional field that restricts the rule to only apply to traffic that has a source
(destination) port that matches one of these ranges/values. This value is a
list of integers or strings that represent ranges of ports. \n Since only some
protocols have ports, if any ports are specified it requires the Protocol match
in the Rule to be set to \"TCP\" or \"UDP\".","items":{"anyOf":[{"type":"integer"},{"type":"string"}],"pattern":"^.*","x-kubernetes-int-or-string":true},"type":"array"},"selector":{"description":"Selector
is an optional field that contains a selector expression (see Policy for sample
syntax). Only traffic that originates from (terminates at) endpoints matching
the selector will be matched. \n Note that: in addition to the negated version
of the Selector (see NotSelector below), the selector expression syntax itself
supports negation. The two types of negation are subtly different. One negates
the set of matched endpoints, the other negates the whole match: \n \tSelector
= \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints
that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\"
matches packets that are not from Calico-controlled \tendpoints that do have
the label \"my_label\". \n The effect is that the latter will accept packets
from non-Calico sources whereas the former is limited to packets from Calico-controlled
endpoints.","type":"string"},"serviceAccounts":{"description":"ServiceAccounts
is an optional field that restricts the rule to only apply to traffic that originates
from (or terminates at) a pod running as a matching service account.","properties":{"names":{"description":"Names
is an optional field that restricts the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service account whose name is in
the list.","items":{"type":"string"},"type":"array"},"selector":{"description":"Selector
is an optional field that restricts the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service account that matches the
given label selector. If both Names and Selector are specified then they are
AND''ed.","type":"string"}},"type":"object"}},"type":"object"},"http":{"description":"HTTP
contains match criteria that apply to HTTP requests.","properties":{"methods":{"description":"Methods
is an optional field that restricts the rule to apply only to HTTP requests
that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods
are OR''d together.","items":{"type":"string"},"type":"array"},"paths":{"description":"Paths
is an optional field that restricts the rule to apply to HTTP requests that
use one of the listed HTTP Paths. Multiple paths are OR''d together. e.g: -
exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either a `exact`
or a `prefix` match. The validator will check for it.","items":{"description":"HTTPPath
specifies an HTTP path to match. It may be either of the form: exact: \u003cpath\u003e:
which matches the path exactly or prefix: \u003cpath-prefix\u003e: which matches
the path prefix","properties":{"exact":{"type":"string"},"prefix":{"type":"string"}},"type":"object"},"type":"array"}},"type":"object"},"icmp":{"description":"ICMP
is an optional field that restricts the rule to apply to a specific type and
code of ICMP traffic. This should only be specified if the Protocol field is
set to \"ICMP\" or \"ICMPv6\".","properties":{"code":{"description":"Match on
a specific ICMP code. If specified, the Type value must also be specified.
This is a technical limitation imposed by the kernel''s iptables firewall, which
Calico uses to enforce the rule.","type":"integer"},"type":{"description":"Match
on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
(i.e. pings).","type":"integer"}},"type":"object"},"ipVersion":{"description":"IPVersion
is an optional field that restricts the rule to only match a specific IP version.","type":"integer"},"metadata":{"description":"Metadata
contains additional information for this rule","properties":{"annotations":{"additionalProperties":{"type":"string"},"description":"Annotations
is a set of key value pairs that give extra information about the rule","type":"object"}},"type":"object"},"notICMP":{"description":"NotICMP
is the negated version of the ICMP field.","properties":{"code":{"description":"Match
on a specific ICMP code. If specified, the Type value must also be specified.
This is a technical limitation imposed by the kernel''s iptables firewall, which
Calico uses to enforce the rule.","type":"integer"},"type":{"description":"Match
on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
(i.e. pings).","type":"integer"}},"type":"object"},"notProtocol":{"anyOf":[{"type":"integer"},{"type":"string"}],"description":"NotProtocol
is the negated version of the Protocol field.","pattern":"^.*","x-kubernetes-int-or-string":true},"protocol":{"anyOf":[{"type":"integer"},{"type":"string"}],"description":"Protocol
is an optional field that restricts the rule to only apply to traffic of a specific
IP protocol. Required if any of the EntityRules contain Ports (because ports
only apply to certain protocols). \n Must be one of these string values: \"TCP\",
\"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range
1-255.","pattern":"^.*","x-kubernetes-int-or-string":true},"source":{"description":"Source
contains the match criteria that apply to source entity.","properties":{"namespaceSelector":{"description":"NamespaceSelector
is an optional field that contains a selector expression. Only traffic that
originates from (or terminates at) endpoints within the selected namespaces
will be matched. When both NamespaceSelector and Selector are defined on the
same rule, then only workload endpoints that are matched by both selectors will
be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies
that the Selector is limited to selecting only workload endpoints in the same
namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector
implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint.
\n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector
applies to workload endpoints across all namespaces.","type":"string"},"nets":{"description":"Nets
is an optional field that restricts the rule to only apply to traffic that originates
from (or terminates at) IP addresses in any of the given subnets.","items":{"type":"string"},"type":"array"},"notNets":{"description":"NotNets
is the negated version of the Nets field.","items":{"type":"string"},"type":"array"},"notPorts":{"description":"NotPorts
is the negated version of the Ports field. Since only some protocols have ports,
if any ports are specified it requires the Protocol match in the Rule to be
set to \"TCP\" or \"UDP\".","items":{"anyOf":[{"type":"integer"},{"type":"string"}],"pattern":"^.*","x-kubernetes-int-or-string":true},"type":"array"},"notSelector":{"description":"NotSelector
is the negated version of the Selector field. See Selector field for subtleties
with negated selectors.","type":"string"},"ports":{"description":"Ports is an
optional field that restricts the rule to only apply to traffic that has a source
(destination) port that matches one of these ranges/values. This value is a
list of integers or strings that represent ranges of ports. \n Since only some
protocols have ports, if any ports are specified it requires the Protocol match
in the Rule to be set to \"TCP\" or \"UDP\".","items":{"anyOf":[{"type":"integer"},{"type":"string"}],"pattern":"^.*","x-kubernetes-int-or-string":true},"type":"array"},"selector":{"description":"Selector
is an optional field that contains a selector expression (see Policy for sample
syntax). Only traffic that originates from (terminates at) endpoints matching
the selector will be matched. \n Note that: in addition to the negated version
of the Selector (see NotSelector below), the selector expression syntax itself
supports negation. The two types of negation are subtly different. One negates
the set of matched endpoints, the other negates the whole match: \n \tSelector
= \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints
that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\"
matches packets that are not from Calico-controlled \tendpoints that do have
the label \"my_label\". \n The effect is that the latter will accept packets
from non-Calico sources whereas the former is limited to packets from Calico-controlled
endpoints.","type":"string"},"serviceAccounts":{"description":"ServiceAccounts
is an optional field that restricts the rule to only apply to traffic that originates
from (or terminates at) a pod running as a matching service account.","properties":{"names":{"description":"Names
is an optional field that restricts the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service account whose name is in
the list.","items":{"type":"string"},"type":"array"},"selector":{"description":"Selector
is an optional field that restricts the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service account that matches the
given label selector. If both Names and Selector are specified then they are
AND''ed.","type":"string"}},"type":"object"}},"type":"object"}},"required":["action"],"type":"object"},"type":"array"},"ingress":{"description":"The
ordered set of ingress rules. Each rule contains a set of packet match criteria
and a corresponding action to apply.","items":{"description":"A Rule encapsulates
a set of match criteria and an action. Both selector-based security Policy
and security Profiles reference rules - separated out as a list of rules for
both ingress and egress packet matching. \n Each positive match criteria has
a negated version, prefixed with \"Not\". All the match criteria within a rule
must be satisfied for a packet to match. A single rule can contain the positive
and negative version of a match and both must be satisfied for the rule to match.","properties":{"action":{"type":"string"},"destination":{"description":"Destination
contains the match criteria that apply to destination entity.","properties":{"namespaceSelector":{"description":"NamespaceSelector
is an optional field that contains a selector expression. Only traffic that
originates from (or terminates at) endpoints within the selected namespaces
will be matched. When both NamespaceSelector and Selector are defined on the
same rule, then only workload endpoints that are matched by both selectors will
be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies
that the Selector is limited to selecting only workload endpoints in the same
namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector
implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint.
\n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector
applies to workload endpoints across all namespaces.","type":"string"},"nets":{"description":"Nets
is an optional field that restricts the rule to only apply to traffic that originates
from (or terminates at) IP addresses in any of the given subnets.","items":{"type":"string"},"type":"array"},"notNets":{"description":"NotNets
is the negated version of the Nets field.","items":{"type":"string"},"type":"array"},"notPorts":{"description":"NotPorts
is the negated version of the Ports field. Since only some protocols have ports,
if any ports are specified it requires the Protocol match in the Rule to be
set to \"TCP\" or \"UDP\".","items":{"anyOf":[{"type":"integer"},{"type":"string"}],"pattern":"^.*","x-kubernetes-int-or-string":true},"type":"array"},"notSelector":{"description":"NotSelector
is the negated version of the Selector field. See Selector field for subtleties
with negated selectors.","type":"string"},"ports":{"description":"Ports is an
optional field that restricts the rule to only apply to traffic that has a source
(destination) port that matches one of these ranges/values. This value is a
list of integers or strings that represent ranges of ports. \n Since only some
protocols have ports, if any ports are specified it requires the Protocol match
in the Rule to be set to \"TCP\" or \"UDP\".","items":{"anyOf":[{"type":"integer"},{"type":"string"}],"pattern":"^.*","x-kubernetes-int-or-string":true},"type":"array"},"selector":{"description":"Selector
is an optional field that contains a selector expression (see Policy for sample
syntax). Only traffic that originates from (terminates at) endpoints matching
the selector will be matched. \n Note that: in addition to the negated version
of the Selector (see NotSelector below), the selector expression syntax itself
supports negation. The two types of negation are subtly different. One negates
the set of matched endpoints, the other negates the whole match: \n \tSelector
= \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints
that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\"
matches packets that are not from Calico-controlled \tendpoints that do have
the label \"my_label\". \n The effect is that the latter will accept packets
from non-Calico sources whereas the former is limited to packets from Calico-controlled
endpoints.","type":"string"},"serviceAccounts":{"description":"ServiceAccounts
is an optional field that restricts the rule to only apply to traffic that originates
from (or terminates at) a pod running as a matching service account.","properties":{"names":{"description":"Names
is an optional field that restricts the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service account whose name is in
the list.","items":{"type":"string"},"type":"array"},"selector":{"description":"Selector
is an optional field that restricts the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service account that matches the
given label selector. If both Names and Selector are specified then they are
AND''ed.","type":"string"}},"type":"object"}},"type":"object"},"http":{"description":"HTTP
contains match criteria that apply to HTTP requests.","properties":{"methods":{"description":"Methods
is an optional field that restricts the rule to apply only to HTTP requests
that use one of the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple methods
are OR''d together.","items":{"type":"string"},"type":"array"},"paths":{"description":"Paths
is an optional field that restricts the rule to apply to HTTP requests that
use one of the listed HTTP Paths. Multiple paths are OR''d together. e.g: -
exact: /foo - prefix: /bar NOTE: Each entry may ONLY specify either a `exact`
or a `prefix` match. The validator will check for it.","items":{"description":"HTTPPath
specifies an HTTP path to match. It may be either of the form: exact: \u003cpath\u003e:
which matches the path exactly or prefix: \u003cpath-prefix\u003e: which matches
the path prefix","properties":{"exact":{"type":"string"},"prefix":{"type":"string"}},"type":"object"},"type":"array"}},"type":"object"},"icmp":{"description":"ICMP
is an optional field that restricts the rule to apply to a specific type and
code of ICMP traffic. This should only be specified if the Protocol field is
set to \"ICMP\" or \"ICMPv6\".","properties":{"code":{"description":"Match on
a specific ICMP code. If specified, the Type value must also be specified.
This is a technical limitation imposed by the kernel''s iptables firewall, which
Calico uses to enforce the rule.","type":"integer"},"type":{"description":"Match
on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
(i.e. pings).","type":"integer"}},"type":"object"},"ipVersion":{"description":"IPVersion
is an optional field that restricts the rule to only match a specific IP version.","type":"integer"},"metadata":{"description":"Metadata
contains additional information for this rule","properties":{"annotations":{"additionalProperties":{"type":"string"},"description":"Annotations
is a set of key value pairs that give extra information about the rule","type":"object"}},"type":"object"},"notICMP":{"description":"NotICMP
is the negated version of the ICMP field.","properties":{"code":{"description":"Match
on a specific ICMP code. If specified, the Type value must also be specified.
This is a technical limitation imposed by the kernel''s iptables firewall, which
Calico uses to enforce the rule.","type":"integer"},"type":{"description":"Match
on a specific ICMP type. For example a value of 8 refers to ICMP Echo Request
(i.e. pings).","type":"integer"}},"type":"object"},"notProtocol":{"anyOf":[{"type":"integer"},{"type":"string"}],"description":"NotProtocol
is the negated version of the Protocol field.","pattern":"^.*","x-kubernetes-int-or-string":true},"protocol":{"anyOf":[{"type":"integer"},{"type":"string"}],"description":"Protocol
is an optional field that restricts the rule to only apply to traffic of a specific
IP protocol. Required if any of the EntityRules contain Ports (because ports
only apply to certain protocols). \n Must be one of these string values: \"TCP\",
\"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", \"UDPLite\" or an integer in the range
1-255.","pattern":"^.*","x-kubernetes-int-or-string":true},"source":{"description":"Source
contains the match criteria that apply to source entity.","properties":{"namespaceSelector":{"description":"NamespaceSelector
is an optional field that contains a selector expression. Only traffic that
originates from (or terminates at) endpoints within the selected namespaces
will be matched. When both NamespaceSelector and Selector are defined on the
same rule, then only workload endpoints that are matched by both selectors will
be selected by the rule. \n For NetworkPolicy, an empty NamespaceSelector implies
that the Selector is limited to selecting only workload endpoints in the same
namespace as the NetworkPolicy. \n For NetworkPolicy, `global()` NamespaceSelector
implies that the Selector is limited to selecting only GlobalNetworkSet or HostEndpoint.
\n For GlobalNetworkPolicy, an empty NamespaceSelector implies the Selector
applies to workload endpoints across all namespaces.","type":"string"},"nets":{"description":"Nets
is an optional field that restricts the rule to only apply to traffic that originates
from (or terminates at) IP addresses in any of the given subnets.","items":{"type":"string"},"type":"array"},"notNets":{"description":"NotNets
is the negated version of the Nets field.","items":{"type":"string"},"type":"array"},"notPorts":{"description":"NotPorts
is the negated version of the Ports field. Since only some protocols have ports,
if any ports are specified it requires the Protocol match in the Rule to be
set to \"TCP\" or \"UDP\".","items":{"anyOf":[{"type":"integer"},{"type":"string"}],"pattern":"^.*","x-kubernetes-int-or-string":true},"type":"array"},"notSelector":{"description":"NotSelector
is the negated version of the Selector field. See Selector field for subtleties
with negated selectors.","type":"string"},"ports":{"description":"Ports is an
optional field that restricts the rule to only apply to traffic that has a source
(destination) port that matches one of these ranges/values. This value is a
list of integers or strings that represent ranges of ports. \n Since only some
protocols have ports, if any ports are specified it requires the Protocol match
in the Rule to be set to \"TCP\" or \"UDP\".","items":{"anyOf":[{"type":"integer"},{"type":"string"}],"pattern":"^.*","x-kubernetes-int-or-string":true},"type":"array"},"selector":{"description":"Selector
is an optional field that contains a selector expression (see Policy for sample
syntax). Only traffic that originates from (terminates at) endpoints matching
the selector will be matched. \n Note that: in addition to the negated version
of the Selector (see NotSelector below), the selector expression syntax itself
supports negation. The two types of negation are subtly different. One negates
the set of matched endpoints, the other negates the whole match: \n \tSelector
= \"!has(my_label)\" matches packets that are from other Calico-controlled \tendpoints
that do not have the label \"my_label\". \n \tNotSelector = \"has(my_label)\"
matches packets that are not from Calico-controlled \tendpoints that do have
the label \"my_label\". \n The effect is that the latter will accept packets
from non-Calico sources whereas the former is limited to packets from Calico-controlled
endpoints.","type":"string"},"serviceAccounts":{"description":"ServiceAccounts
is an optional field that restricts the rule to only apply to traffic that originates
from (or terminates at) a pod running as a matching service account.","properties":{"names":{"description":"Names
is an optional field that restricts the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service account whose name is in
the list.","items":{"type":"string"},"type":"array"},"selector":{"description":"Selector
is an optional field that restricts the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service account that matches the
given label selector. If both Names and Selector are specified then they are
AND''ed.","type":"string"}},"type":"object"}},"type":"object"}},"required":["action"],"type":"object"},"type":"array"},"order":{"description":"Order
is an optional field that specifies the order in which the policy is applied.
Policies with higher \"order\" are applied after those with lower order. If
the order is omitted, it may be considered to be \"infinite\" - i.e. the policy
will be applied last. Policies with identical order will be applied in alphanumerical
order based on the Policy \"Name\".","type":"number"},"selector":{"description":"The
selector is an expression used to pick pick out the endpoints that the policy
should be applied to. \n Selector expressions follow this syntax: \n \tlabel
== \"string_literal\" -\u003e comparison, e.g. my_label == \"foo bar\" \tlabel
!= \"string_literal\" -\u003e not equal; also matches if label is not present
\tlabel in { \"a\", \"b\", \"c\", ... } -\u003e true if the value of label
X is one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", ... } -\u003e true
if the value of label X is not one of \"a\", \"b\", \"c\" \thas(label_name) -\u003e
True if that label is present \t! expr -\u003e negation of expr \texpr \u0026\u0026
expr -\u003e Short-circuit and \texpr || expr -\u003e Short-circuit or \t(
expr ) -\u003e parens for grouping \tall() or the empty selector -\u003e matches
all endpoints. \n Label names are allowed to contain alphanumerics, -, _ and
/. String literals are more permissive but they do not support escape characters.
\n Examples (with made-up labels): \n \ttype == \"webserver\" \u0026\u0026 deployment
== \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != \"dev\" \t!
has(label_name)","type":"string"},"serviceAccountSelector":{"description":"ServiceAccountSelector
is an optional field for an expression used to select a pod based on service
accounts.","type":"string"},"types":{"description":"Types indicates whether
this policy applies to ingress, or to egress, or to both. When not explicitly
specified (and so the value on creation is empty or nil), Calico defaults Types
according to what Ingress and Egress are present in the policy. The default
is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including the
case where there are also no Ingress rules) \n - [ PolicyTypeEgress ], if
there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, PolicyTypeEgress
], if there are both Ingress and Egress rules. \n When the policy is read back
again, Types will always be one of these values, never empty or nil.","items":{"description":"PolicyType
enumerates the possible values of the PolicySpec Types field.","type":"string"},"type":"array"}},"type":"object"}},"type":"object"}},"served":true,"storage":true}]},"status":{"acceptedNames":{"kind":"","plural":""},"conditions":[],"storedVersions":[]}}
'
creationTimestamp: '2021-08-30T18:56:44Z'
generation: 1
managedFields:
- apiVersion: apiextensions.k8s.io/v1
fieldsType: FieldsV1
fieldsV1:
f:status:
f:acceptedNames:
f:kind: {}
f:listKind: {}
f:plural: {}
f:singular: {}
f:conditions:
k:{"type":"Established"}:
.: {}
f:lastTransitionTime: {}
f:message: {}
f:reason: {}
f:status: {}
f:type: {}
k:{"type":"NamesAccepted"}:
.: {}
f:lastTransitionTime: {}
f:message: {}
f:reason: {}
f:status: {}
f:type: {}
manager: k3s
operation: Update
time: '2021-08-30T18:56:44Z'
- apiVersion: apiextensions.k8s.io/v1
fieldsType: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.: {}
f:kubectl.kubernetes.io/last-applied-configuration: {}
f:spec:
f:conversion:
.: {}
f:strategy: {}
f:group: {}
f:names:
f:kind: {}
f:listKind: {}
f:plural: {}
f:singular: {}
f:scope: {}
f:versions: {}
manager: kubectl-client-side-apply
operation: Update
time: '2021-08-30T18:56:44Z'
name: networkpolicies.crd.projectcalico.org
resourceVersion: '3263'
uid: 1978fd03-a39c-4c63-902d-6903705ee934
spec:
conversion:
strategy: None
group: crd.projectcalico.org
names:
kind: NetworkPolicy
listKind: NetworkPolicyList
plural: networkpolicies
singular: networkpolicy
scope: Namespaced
versions:
- name: v1
schema:
openAPIV3Schema:
properties:
apiVersion:
description: 'APIVersion defines the versioned schema of this representation
of an object. Servers should convert recognized schemas to the latest
internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
type: string
kind:
description: 'Kind is a string value representing the REST resource this
object represents. Servers may infer this from the endpoint the client
submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
type: string
metadata:
type: object
spec:
properties:
egress:
description: The ordered set of egress rules. Each rule contains
a set of packet match criteria and a corresponding action to apply.
items:
description: "A Rule encapsulates a set of match criteria and an\
\ action. Both selector-based security Policy and security Profiles\
\ reference rules - separated out as a list of rules for both\
\ ingress and egress packet matching. \n Each positive match criteria\
\ has a negated version, prefixed with \"Not\". All the match\
\ criteria within a rule must be satisfied for a packet to match.\
\ A single rule can contain the positive and negative version\
\ of a match and both must be satisfied for the rule to match."
properties:
action:
type: string
destination:
description: Destination contains the match criteria that apply
to destination entity.
properties:
namespaceSelector:
description: "NamespaceSelector is an optional field that\
\ contains a selector expression. Only traffic that originates\
\ from (or terminates at) endpoints within the selected\
\ namespaces will be matched. When both NamespaceSelector\
\ and Selector are defined on the same rule, then only\
\ workload endpoints that are matched by both selectors\
\ will be selected by the rule. \n For NetworkPolicy,\
\ an empty NamespaceSelector implies that the Selector\
\ is limited to selecting only workload endpoints in the\
\ same namespace as the NetworkPolicy. \n For NetworkPolicy,\
\ `global()` NamespaceSelector implies that the Selector\
\ is limited to selecting only GlobalNetworkSet or HostEndpoint.\
\ \n For GlobalNetworkPolicy, an empty NamespaceSelector\
\ implies the Selector applies to workload endpoints across\
\ all namespaces."
type: string
nets:
description: Nets is an optional field that restricts the
rule to only apply to traffic that originates from (or
terminates at) IP addresses in any of the given subnets.
items:
type: string
type: array
notNets:
description: NotNets is the negated version of the Nets
field.
items:
type: string
type: array
notPorts:
description: NotPorts is the negated version of the Ports
field. Since only some protocols have ports, if any ports
are specified it requires the Protocol match in the Rule
to be set to "TCP" or "UDP".
items:
anyOf:
- type: integer
- type: string
pattern: ^.*
x-kubernetes-int-or-string: true
type: array
notSelector:
description: NotSelector is the negated version of the Selector
field. See Selector field for subtleties with negated
selectors.
type: string
ports:
description: "Ports is an optional field that restricts\
\ the rule to only apply to traffic that has a source\
\ (destination) port that matches one of these ranges/values.\
\ This value is a list of integers or strings that represent\
\ ranges of ports. \n Since only some protocols have ports,\
\ if any ports are specified it requires the Protocol\
\ match in the Rule to be set to \"TCP\" or \"UDP\"."
items:
anyOf:
- type: integer
- type: string
pattern: ^.*
x-kubernetes-int-or-string: true
type: array
selector:
description: "Selector is an optional field that contains\
\ a selector expression (see Policy for sample syntax).\
\ Only traffic that originates from (terminates at) endpoints\
\ matching the selector will be matched. \n Note that:\
\ in addition to the negated version of the Selector (see\
\ NotSelector below), the selector expression syntax itself\
\ supports negation. The two types of negation are subtly\
\ different. One negates the set of matched endpoints,\
\ the other negates the whole match: \n \tSelector = \"\
!has(my_label)\" matches packets that are from other Calico-controlled\
\ \tendpoints that do not have the label \"my_label\"\
. \n \tNotSelector = \"has(my_label)\" matches packets\
\ that are not from Calico-controlled \tendpoints that\
\ do have the label \"my_label\". \n The effect is that\
\ the latter will accept packets from non-Calico sources\
\ whereas the former is limited to packets from Calico-controlled\
\ endpoints."
type: string
serviceAccounts:
description: ServiceAccounts is an optional field that restricts
the rule to only apply to traffic that originates from
(or terminates at) a pod running as a matching service
account.
properties:
names:
description: Names is an optional field that restricts
the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service
account whose name is in the list.
items:
type: string
type: array
selector:
description: Selector is an optional field that restricts
the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service
account that matches the given label selector. If
both Names and Selector are specified then they are
AND'ed.
type: string
type: object
type: object
http:
description: HTTP contains match criteria that apply to HTTP
requests.
properties:
methods:
description: Methods is an optional field that restricts
the rule to apply only to HTTP requests that use one of
the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
methods are OR'd together.
items:
type: string
type: array
paths:
description: 'Paths is an optional field that restricts
the rule to apply to HTTP requests that use one of the
listed HTTP Paths. Multiple paths are OR''d together.
e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
ONLY specify either a `exact` or a `prefix` match. The
validator will check for it.'
items:
description: 'HTTPPath specifies an HTTP path to match.
It may be either of the form: exact: <path>: which matches
the path exactly or prefix: <path-prefix>: which matches
the path prefix'
properties:
exact:
type: string
prefix:
type: string
type: object
type: array
type: object
icmp:
description: ICMP is an optional field that restricts the rule
to apply to a specific type and code of ICMP traffic. This
should only be specified if the Protocol field is set to "ICMP"
or "ICMPv6".
properties:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
description: Match on a specific ICMP type. For example
a value of 8 refers to ICMP Echo Request (i.e. pings).
type: integer
type: object
ipVersion:
description: IPVersion is an optional field that restricts the
rule to only match a specific IP version.
type: integer
metadata:
description: Metadata contains additional information for this
rule
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a set of key value pairs that
give extra information about the rule
type: object
type: object
notICMP:
description: NotICMP is the negated version of the ICMP field.
properties:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
description: Match on a specific ICMP type. For example
a value of 8 refers to ICMP Echo Request (i.e. pings).
type: integer
type: object
notProtocol:
anyOf:
- type: integer
- type: string
description: NotProtocol is the negated version of the Protocol
field.
pattern: ^.*
x-kubernetes-int-or-string: true
protocol:
anyOf:
- type: integer
- type: string
description: "Protocol is an optional field that restricts the\
\ rule to only apply to traffic of a specific IP protocol.\
\ Required if any of the EntityRules contain Ports (because\
\ ports only apply to certain protocols). \n Must be one of\
\ these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\"\
, \"SCTP\", \"UDPLite\" or an integer in the range 1-255."
pattern: ^.*
x-kubernetes-int-or-string: true
source:
description: Source contains the match criteria that apply to
source entity.
properties:
namespaceSelector:
description: "NamespaceSelector is an optional field that\
\ contains a selector expression. Only traffic that originates\
\ from (or terminates at) endpoints within the selected\
\ namespaces will be matched. When both NamespaceSelector\
\ and Selector are defined on the same rule, then only\
\ workload endpoints that are matched by both selectors\
\ will be selected by the rule. \n For NetworkPolicy,\
\ an empty NamespaceSelector implies that the Selector\
\ is limited to selecting only workload endpoints in the\
\ same namespace as the NetworkPolicy. \n For NetworkPolicy,\
\ `global()` NamespaceSelector implies that the Selector\
\ is limited to selecting only GlobalNetworkSet or HostEndpoint.\
\ \n For GlobalNetworkPolicy, an empty NamespaceSelector\
\ implies the Selector applies to workload endpoints across\
\ all namespaces."
type: string
nets:
description: Nets is an optional field that restricts the
rule to only apply to traffic that originates from (or
terminates at) IP addresses in any of the given subnets.
items:
type: string
type: array
notNets:
description: NotNets is the negated version of the Nets
field.
items:
type: string
type: array
notPorts:
description: NotPorts is the negated version of the Ports
field. Since only some protocols have ports, if any ports
are specified it requires the Protocol match in the Rule
to be set to "TCP" or "UDP".
items:
anyOf:
- type: integer
- type: string
pattern: ^.*
x-kubernetes-int-or-string: true
type: array
notSelector:
description: NotSelector is the negated version of the Selector
field. See Selector field for subtleties with negated
selectors.
type: string
ports:
description: "Ports is an optional field that restricts\
\ the rule to only apply to traffic that has a source\
\ (destination) port that matches one of these ranges/values.\
\ This value is a list of integers or strings that represent\
\ ranges of ports. \n Since only some protocols have ports,\
\ if any ports are specified it requires the Protocol\
\ match in the Rule to be set to \"TCP\" or \"UDP\"."
items:
anyOf:
- type: integer
- type: string
pattern: ^.*
x-kubernetes-int-or-string: true
type: array
selector:
description: "Selector is an optional field that contains\
\ a selector expression (see Policy for sample syntax).\
\ Only traffic that originates from (terminates at) endpoints\
\ matching the selector will be matched. \n Note that:\
\ in addition to the negated version of the Selector (see\
\ NotSelector below), the selector expression syntax itself\
\ supports negation. The two types of negation are subtly\
\ different. One negates the set of matched endpoints,\
\ the other negates the whole match: \n \tSelector = \"\
!has(my_label)\" matches packets that are from other Calico-controlled\
\ \tendpoints that do not have the label \"my_label\"\
. \n \tNotSelector = \"has(my_label)\" matches packets\
\ that are not from Calico-controlled \tendpoints that\
\ do have the label \"my_label\". \n The effect is that\
\ the latter will accept packets from non-Calico sources\
\ whereas the former is limited to packets from Calico-controlled\
\ endpoints."
type: string
serviceAccounts:
description: ServiceAccounts is an optional field that restricts
the rule to only apply to traffic that originates from
(or terminates at) a pod running as a matching service
account.
properties:
names:
description: Names is an optional field that restricts
the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service
account whose name is in the list.
items:
type: string
type: array
selector:
description: Selector is an optional field that restricts
the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service
account that matches the given label selector. If
both Names and Selector are specified then they are
AND'ed.
type: string
type: object
type: object
required:
- action
type: object
type: array
ingress:
description: The ordered set of ingress rules. Each rule contains
a set of packet match criteria and a corresponding action to apply.
items:
description: "A Rule encapsulates a set of match criteria and an\
\ action. Both selector-based security Policy and security Profiles\
\ reference rules - separated out as a list of rules for both\
\ ingress and egress packet matching. \n Each positive match criteria\
\ has a negated version, prefixed with \"Not\". All the match\
\ criteria within a rule must be satisfied for a packet to match.\
\ A single rule can contain the positive and negative version\
\ of a match and both must be satisfied for the rule to match."
properties:
action:
type: string
destination:
description: Destination contains the match criteria that apply
to destination entity.
properties:
namespaceSelector:
description: "NamespaceSelector is an optional field that\
\ contains a selector expression. Only traffic that originates\
\ from (or terminates at) endpoints within the selected\
\ namespaces will be matched. When both NamespaceSelector\
\ and Selector are defined on the same rule, then only\
\ workload endpoints that are matched by both selectors\
\ will be selected by the rule. \n For NetworkPolicy,\
\ an empty NamespaceSelector implies that the Selector\
\ is limited to selecting only workload endpoints in the\
\ same namespace as the NetworkPolicy. \n For NetworkPolicy,\
\ `global()` NamespaceSelector implies that the Selector\
\ is limited to selecting only GlobalNetworkSet or HostEndpoint.\
\ \n For GlobalNetworkPolicy, an empty NamespaceSelector\
\ implies the Selector applies to workload endpoints across\
\ all namespaces."
type: string
nets:
description: Nets is an optional field that restricts the
rule to only apply to traffic that originates from (or
terminates at) IP addresses in any of the given subnets.
items:
type: string
type: array
notNets:
description: NotNets is the negated version of the Nets
field.
items:
type: string
type: array
notPorts:
description: NotPorts is the negated version of the Ports
field. Since only some protocols have ports, if any ports
are specified it requires the Protocol match in the Rule
to be set to "TCP" or "UDP".
items:
anyOf:
- type: integer
- type: string
pattern: ^.*
x-kubernetes-int-or-string: true
type: array
notSelector:
description: NotSelector is the negated version of the Selector
field. See Selector field for subtleties with negated
selectors.
type: string
ports:
description: "Ports is an optional field that restricts\
\ the rule to only apply to traffic that has a source\
\ (destination) port that matches one of these ranges/values.\
\ This value is a list of integers or strings that represent\
\ ranges of ports. \n Since only some protocols have ports,\
\ if any ports are specified it requires the Protocol\
\ match in the Rule to be set to \"TCP\" or \"UDP\"."
items:
anyOf:
- type: integer
- type: string
pattern: ^.*
x-kubernetes-int-or-string: true
type: array
selector:
description: "Selector is an optional field that contains\
\ a selector expression (see Policy for sample syntax).\
\ Only traffic that originates from (terminates at) endpoints\
\ matching the selector will be matched. \n Note that:\
\ in addition to the negated version of the Selector (see\
\ NotSelector below), the selector expression syntax itself\
\ supports negation. The two types of negation are subtly\
\ different. One negates the set of matched endpoints,\
\ the other negates the whole match: \n \tSelector = \"\
!has(my_label)\" matches packets that are from other Calico-controlled\
\ \tendpoints that do not have the label \"my_label\"\
. \n \tNotSelector = \"has(my_label)\" matches packets\
\ that are not from Calico-controlled \tendpoints that\
\ do have the label \"my_label\". \n The effect is that\
\ the latter will accept packets from non-Calico sources\
\ whereas the former is limited to packets from Calico-controlled\
\ endpoints."
type: string
serviceAccounts:
description: ServiceAccounts is an optional field that restricts
the rule to only apply to traffic that originates from
(or terminates at) a pod running as a matching service
account.
properties:
names:
description: Names is an optional field that restricts
the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service
account whose name is in the list.
items:
type: string
type: array
selector:
description: Selector is an optional field that restricts
the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service
account that matches the given label selector. If
both Names and Selector are specified then they are
AND'ed.
type: string
type: object
type: object
http:
description: HTTP contains match criteria that apply to HTTP
requests.
properties:
methods:
description: Methods is an optional field that restricts
the rule to apply only to HTTP requests that use one of
the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple
methods are OR'd together.
items:
type: string
type: array
paths:
description: 'Paths is an optional field that restricts
the rule to apply to HTTP requests that use one of the
listed HTTP Paths. Multiple paths are OR''d together.
e.g: - exact: /foo - prefix: /bar NOTE: Each entry may
ONLY specify either a `exact` or a `prefix` match. The
validator will check for it.'
items:
description: 'HTTPPath specifies an HTTP path to match.
It may be either of the form: exact: <path>: which matches
the path exactly or prefix: <path-prefix>: which matches
the path prefix'
properties:
exact:
type: string
prefix:
type: string
type: object
type: array
type: object
icmp:
description: ICMP is an optional field that restricts the rule
to apply to a specific type and code of ICMP traffic. This
should only be specified if the Protocol field is set to "ICMP"
or "ICMPv6".
properties:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
description: Match on a specific ICMP type. For example
a value of 8 refers to ICMP Echo Request (i.e. pings).
type: integer
type: object
ipVersion:
description: IPVersion is an optional field that restricts the
rule to only match a specific IP version.
type: integer
metadata:
description: Metadata contains additional information for this
rule
properties:
annotations:
additionalProperties:
type: string
description: Annotations is a set of key value pairs that
give extra information about the rule
type: object
type: object
notICMP:
description: NotICMP is the negated version of the ICMP field.
properties:
code:
description: Match on a specific ICMP code. If specified,
the Type value must also be specified. This is a technical
limitation imposed by the kernel's iptables firewall,
which Calico uses to enforce the rule.
type: integer
type:
description: Match on a specific ICMP type. For example
a value of 8 refers to ICMP Echo Request (i.e. pings).
type: integer
type: object
notProtocol:
anyOf:
- type: integer
- type: string
description: NotProtocol is the negated version of the Protocol
field.
pattern: ^.*
x-kubernetes-int-or-string: true
protocol:
anyOf:
- type: integer
- type: string
description: "Protocol is an optional field that restricts the\
\ rule to only apply to traffic of a specific IP protocol.\
\ Required if any of the EntityRules contain Ports (because\
\ ports only apply to certain protocols). \n Must be one of\
\ these string values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\"\
, \"SCTP\", \"UDPLite\" or an integer in the range 1-255."
pattern: ^.*
x-kubernetes-int-or-string: true
source:
description: Source contains the match criteria that apply to
source entity.
properties:
namespaceSelector:
description: "NamespaceSelector is an optional field that\
\ contains a selector expression. Only traffic that originates\
\ from (or terminates at) endpoints within the selected\
\ namespaces will be matched. When both NamespaceSelector\
\ and Selector are defined on the same rule, then only\
\ workload endpoints that are matched by both selectors\
\ will be selected by the rule. \n For NetworkPolicy,\
\ an empty NamespaceSelector implies that the Selector\
\ is limited to selecting only workload endpoints in the\
\ same namespace as the NetworkPolicy. \n For NetworkPolicy,\
\ `global()` NamespaceSelector implies that the Selector\
\ is limited to selecting only GlobalNetworkSet or HostEndpoint.\
\ \n For GlobalNetworkPolicy, an empty NamespaceSelector\
\ implies the Selector applies to workload endpoints across\
\ all namespaces."
type: string
nets:
description: Nets is an optional field that restricts the
rule to only apply to traffic that originates from (or
terminates at) IP addresses in any of the given subnets.
items:
type: string
type: array
notNets:
description: NotNets is the negated version of the Nets
field.
items:
type: string
type: array
notPorts:
description: NotPorts is the negated version of the Ports
field. Since only some protocols have ports, if any ports
are specified it requires the Protocol match in the Rule
to be set to "TCP" or "UDP".
items:
anyOf:
- type: integer
- type: string
pattern: ^.*
x-kubernetes-int-or-string: true
type: array
notSelector:
description: NotSelector is the negated version of the Selector
field. See Selector field for subtleties with negated
selectors.
type: string
ports:
description: "Ports is an optional field that restricts\
\ the rule to only apply to traffic that has a source\
\ (destination) port that matches one of these ranges/values.\
\ This value is a list of integers or strings that represent\
\ ranges of ports. \n Since only some protocols have ports,\
\ if any ports are specified it requires the Protocol\
\ match in the Rule to be set to \"TCP\" or \"UDP\"."
items:
anyOf:
- type: integer
- type: string
pattern: ^.*
x-kubernetes-int-or-string: true
type: array
selector:
description: "Selector is an optional field that contains\
\ a selector expression (see Policy for sample syntax).\
\ Only traffic that originates from (terminates at) endpoints\
\ matching the selector will be matched. \n Note that:\
\ in addition to the negated version of the Selector (see\
\ NotSelector below), the selector expression syntax itself\
\ supports negation. The two types of negation are subtly\
\ different. One negates the set of matched endpoints,\
\ the other negates the whole match: \n \tSelector = \"\
!has(my_label)\" matches packets that are from other Calico-controlled\
\ \tendpoints that do not have the label \"my_label\"\
. \n \tNotSelector = \"has(my_label)\" matches packets\
\ that are not from Calico-controlled \tendpoints that\
\ do have the label \"my_label\". \n The effect is that\
\ the latter will accept packets from non-Calico sources\
\ whereas the former is limited to packets from Calico-controlled\
\ endpoints."
type: string
serviceAccounts:
description: ServiceAccounts is an optional field that restricts
the rule to only apply to traffic that originates from
(or terminates at) a pod running as a matching service
account.
properties:
names:
description: Names is an optional field that restricts
the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service
account whose name is in the list.
items:
type: string
type: array
selector:
description: Selector is an optional field that restricts
the rule to only apply to traffic that originates
from (or terminates at) a pod running as a service
account that matches the given label selector. If
both Names and Selector are specified then they are
AND'ed.
type: string
type: object
type: object
required:
- action
type: object
type: array
order:
description: Order is an optional field that specifies the order in
which the policy is applied. Policies with higher "order" are applied
after those with lower order. If the order is omitted, it may be
considered to be "infinite" - i.e. the policy will be applied last. Policies
with identical order will be applied in alphanumerical order based
on the Policy "Name".
type: number
selector:
description: "The selector is an expression used to pick pick out\
\ the endpoints that the policy should be applied to. \n Selector\
\ expressions follow this syntax: \n \tlabel == \"string_literal\"\
\ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\"\
\ -> not equal; also matches if label is not present \tlabel\
\ in { \"a\", \"b\", \"c\", ... } -> true if the value of label\
\ X is one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\"\
, \"c\", ... } -> true if the value of label X is not one of \"\
a\", \"b\", \"c\" \thas(label_name) -> True if that label is present\
\ \t! expr -> negation of expr \texpr && expr -> Short-circuit\
\ and \texpr || expr -> Short-circuit or \t( expr ) -> parens for\
\ grouping \tall() or the empty selector -> matches all endpoints.\
\ \n Label names are allowed to contain alphanumerics, -, _ and\
\ /. String literals are more permissive but they do not support\
\ escape characters. \n Examples (with made-up labels): \n \ttype\
\ == \"webserver\" && deployment == \"prod\" \ttype in {\"frontend\"\
, \"backend\"} \tdeployment != \"dev\" \t! has(label_name)"
type: string
serviceAccountSelector:
description: ServiceAccountSelector is an optional field for an expression
used to select a pod based on service accounts.
type: string
types:
description: "Types indicates whether this policy applies to ingress,\
\ or to egress, or to both. When not explicitly specified (and\
\ so the value on creation is empty or nil), Calico defaults Types\
\ according to what Ingress and Egress are present in the policy.\
\ The default is: \n - [ PolicyTypeIngress ], if there are no Egress\
\ rules (including the case where there are also no Ingress rules)\
\ \n - [ PolicyTypeEgress ], if there are Egress rules but no Ingress\
\ rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are\
\ both Ingress and Egress rules. \n When the policy is read back\
\ again, Types will always be one of these values, never empty or\
\ nil."
items:
description: PolicyType enumerates the possible values of the PolicySpec
Types field.
type: string
type: array
type: object
type: object
served: true
storage: true
status:
acceptedNames:
kind: NetworkPolicy
listKind: NetworkPolicyList
plural: networkpolicies
singular: networkpolicy
conditions:
- lastTransitionTime: '2021-08-30T18:56:44Z'
message: no conflicts found
reason: NoConflicts
status: 'True'
type: NamesAccepted
- lastTransitionTime: '2021-08-30T18:56:44Z'
message: the initial names have been accepted
reason: InitialNamesAccepted
status: 'True'
type: Established
storedVersions:
- v1