Skip to content

cilium.v2.ciliumNetworkPolicy

"CiliumNetworkPolicy is a Kubernetes third-party resource with an extended version of NetworkPolicy."

Index

Fields

fn new

new(name)

new returns an instance of CiliumNetworkPolicy

fn withSpecs

withSpecs(specs)

"Specs is a list of desired Cilium specific rule specification."

fn withSpecsMixin

withSpecsMixin(specs)

"Specs is a list of desired Cilium specific rule specification."

Note: This function appends passed data to existing values

obj metadata

"ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create."

fn metadata.withAnnotations

withAnnotations(annotations)

"Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations"

fn metadata.withAnnotationsMixin

withAnnotationsMixin(annotations)

"Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations"

Note: This function appends passed data to existing values

fn metadata.withClusterName

withClusterName(clusterName)

"The name of the cluster which the object belongs to. This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request."

fn metadata.withCreationTimestamp

withCreationTimestamp(creationTimestamp)

"Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers."

fn metadata.withDeletionGracePeriodSeconds

withDeletionGracePeriodSeconds(deletionGracePeriodSeconds)

"Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only."

fn metadata.withDeletionTimestamp

withDeletionTimestamp(deletionTimestamp)

"Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers."

fn metadata.withFinalizers

withFinalizers(finalizers)

"Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list."

fn metadata.withFinalizersMixin

withFinalizersMixin(finalizers)

"Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list."

Note: This function appends passed data to existing values

fn metadata.withGenerateName

withGenerateName(generateName)

"GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header).\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency"

fn metadata.withGeneration

withGeneration(generation)

"A sequence number representing a specific generation of the desired state. Populated by the system. Read-only."

fn metadata.withLabels

withLabels(labels)

"Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels"

fn metadata.withLabelsMixin

withLabelsMixin(labels)

"Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels"

Note: This function appends passed data to existing values

fn metadata.withName

withName(name)

"Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names"

fn metadata.withNamespace

withNamespace(namespace)

"Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces"

fn metadata.withOwnerReferences

withOwnerReferences(ownerReferences)

"List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller."

fn metadata.withOwnerReferencesMixin

withOwnerReferencesMixin(ownerReferences)

"List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller."

Note: This function appends passed data to existing values

fn metadata.withResourceVersion

withResourceVersion(resourceVersion)

"An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency"

withSelfLink(selfLink)

"SelfLink is a URL representing this object. Populated by the system. Read-only.\n\nDEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release."

fn metadata.withUid

withUid(uid)

"UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids"

obj spec

"Spec is the desired Cilium specific rule specification."

fn spec.withDescription

withDescription(description)

"Description is a free form string, it can be used by the creator of the rule to store human readable explanation of the purpose of this rule. Rules cannot be identified by comment."

fn spec.withEgress

withEgress(egress)

"Egress is a list of EgressRule which are enforced at egress. If omitted or empty, this rule does not apply at egress."

fn spec.withEgressDeny

withEgressDeny(egressDeny)

"EgressDeny is a list of EgressDenyRule which are enforced at egress. Any rule inserted here will by denied regardless of the allowed egress rules in the 'egress' field. If omitted or empty, this rule does not apply at egress."

fn spec.withEgressDenyMixin

withEgressDenyMixin(egressDeny)

"EgressDeny is a list of EgressDenyRule which are enforced at egress. Any rule inserted here will by denied regardless of the allowed egress rules in the 'egress' field. If omitted or empty, this rule does not apply at egress."

Note: This function appends passed data to existing values

fn spec.withEgressMixin

withEgressMixin(egress)

"Egress is a list of EgressRule which are enforced at egress. If omitted or empty, this rule does not apply at egress."

Note: This function appends passed data to existing values

fn spec.withIngress

withIngress(ingress)

"Ingress is a list of IngressRule which are enforced at ingress. If omitted or empty, this rule does not apply at ingress."

fn spec.withIngressDeny

withIngressDeny(ingressDeny)

"IngressDeny is a list of IngressDenyRule which are enforced at ingress. Any rule inserted here will by denied regardless of the allowed ingress rules in the 'ingress' field. If omitted or empty, this rule does not apply at ingress."

fn spec.withIngressDenyMixin

withIngressDenyMixin(ingressDeny)

"IngressDeny is a list of IngressDenyRule which are enforced at ingress. Any rule inserted here will by denied regardless of the allowed ingress rules in the 'ingress' field. If omitted or empty, this rule does not apply at ingress."

Note: This function appends passed data to existing values

fn spec.withIngressMixin

withIngressMixin(ingress)

"Ingress is a list of IngressRule which are enforced at ingress. If omitted or empty, this rule does not apply at ingress."

Note: This function appends passed data to existing values

fn spec.withLabels

withLabels(labels)

"Labels is a list of optional strings which can be used to re-identify the rule or to store metadata. It is possible to lookup or delete strings based on labels. Labels are not required to be unique, multiple rules can have overlapping or identical labels."

fn spec.withLabelsMixin

withLabelsMixin(labels)

"Labels is a list of optional strings which can be used to re-identify the rule or to store metadata. It is possible to lookup or delete strings based on labels. Labels are not required to be unique, multiple rules can have overlapping or identical labels."

Note: This function appends passed data to existing values

obj spec.egress

"Egress is a list of EgressRule which are enforced at egress. If omitted or empty, this rule does not apply at egress."

fn spec.egress.withIcmps

withIcmps(icmps)

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is allowed to connect to. \n Example: Any endpoint with the label \"app=httpd\" is allowed to initiate type 8 ICMP connections."

fn spec.egress.withIcmpsMixin

withIcmpsMixin(icmps)

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is allowed to connect to. \n Example: Any endpoint with the label \"app=httpd\" is allowed to initiate type 8 ICMP connections."

Note: This function appends passed data to existing values

fn spec.egress.withToCIDR

withToCIDR(toCIDR)

"ToCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections. Only connections destined for outside of the cluster and not targeting the host will be subject to CIDR rules. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24"

fn spec.egress.withToCIDRMixin

withToCIDRMixin(toCIDR)

"ToCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections. Only connections destined for outside of the cluster and not targeting the host will be subject to CIDR rules. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24"

Note: This function appends passed data to existing values

fn spec.egress.withToCIDRSet

withToCIDRSet(toCIDRSet)

"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."

fn spec.egress.withToCIDRSetMixin

withToCIDRSetMixin(toCIDRSet)

"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."

Note: This function appends passed data to existing values

fn spec.egress.withToEndpoints

withToEndpoints(toEndpoints)

"ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoints subject to the rule are allowed to communicate. \n Example: Any endpoint with the label \"role=frontend\" can communicate with any endpoint carrying the label \"role=backend\"."

fn spec.egress.withToEndpointsMixin

withToEndpointsMixin(toEndpoints)

"ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoints subject to the rule are allowed to communicate. \n Example: Any endpoint with the label \"role=frontend\" can communicate with any endpoint carrying the label \"role=backend\"."

Note: This function appends passed data to existing values

fn spec.egress.withToEntities

withToEntities(toEntities)

"ToEntities is a list of special entities to which the endpoint subject to the rule is allowed to initiate connections. Supported entities are world, cluster and host"

fn spec.egress.withToEntitiesMixin

withToEntitiesMixin(toEntities)

"ToEntities is a list of special entities to which the endpoint subject to the rule is allowed to initiate connections. Supported entities are world, cluster and host"

Note: This function appends passed data to existing values

fn spec.egress.withToFQDNs

withToFQDNs(toFQDNs)

"ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result from DNS resolution of ToFQDN.MatchNames are added to the same EgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and L7 rules within this EgressRule will also apply to these IPs. The DNS -> IP mapping is re-resolved periodically from within the cilium-agent, and the IPs in the DNS response are effected in the policy for selected pods as-is (i.e. the list of IPs is not modified in any way). Note: An explicit rule to allow for DNS traffic is needed for the pods, as ToFQDN counts as an egress rule and will enforce egress policy when PolicyEnforcment=default. Note: If the resolved IPs are IPs within the kubernetes cluster, the ToFQDN rule will not apply to that IP. Note: ToFQDN cannot occur in the same policy as other To* rules. \n The current implementation has a number of limitations: - The DNS resolution originates from cilium-agent, and not from the pods. Differences between the responses seen by cilium agent and a particular pod will whitelist the incorrect IP. - DNS TTLs are ignored, and cilium-agent will repoll on a short interval (5 seconds). Each change to the DNS data will trigger a policy regeneration. This may result in delayed updates to the policy for an endpoint when the data changes often or the system is under load."

fn spec.egress.withToFQDNsMixin

withToFQDNsMixin(toFQDNs)

"ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result from DNS resolution of ToFQDN.MatchNames are added to the same EgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and L7 rules within this EgressRule will also apply to these IPs. The DNS -> IP mapping is re-resolved periodically from within the cilium-agent, and the IPs in the DNS response are effected in the policy for selected pods as-is (i.e. the list of IPs is not modified in any way). Note: An explicit rule to allow for DNS traffic is needed for the pods, as ToFQDN counts as an egress rule and will enforce egress policy when PolicyEnforcment=default. Note: If the resolved IPs are IPs within the kubernetes cluster, the ToFQDN rule will not apply to that IP. Note: ToFQDN cannot occur in the same policy as other To* rules. \n The current implementation has a number of limitations: - The DNS resolution originates from cilium-agent, and not from the pods. Differences between the responses seen by cilium agent and a particular pod will whitelist the incorrect IP. - DNS TTLs are ignored, and cilium-agent will repoll on a short interval (5 seconds). Each change to the DNS data will trigger a policy regeneration. This may result in delayed updates to the policy for an endpoint when the data changes often or the system is under load."

Note: This function appends passed data to existing values

fn spec.egress.withToGroups

withToGroups(toGroups)

"ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"

fn spec.egress.withToGroupsMixin

withToGroupsMixin(toGroups)

"ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"

Note: This function appends passed data to existing values

fn spec.egress.withToPorts

withToPorts(toPorts)

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to connect to. \n Example: Any endpoint with the label \"role=frontend\" is allowed to initiate connections to destination port 8080/tcp"

fn spec.egress.withToPortsMixin

withToPortsMixin(toPorts)

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to connect to. \n Example: Any endpoint with the label \"role=frontend\" is allowed to initiate connections to destination port 8080/tcp"

Note: This function appends passed data to existing values

fn spec.egress.withToRequires

withToRequires(toRequires)

"ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching ToEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires any endpoint to which it communicates to also carry the label \"team=A\"."

fn spec.egress.withToRequiresMixin

withToRequiresMixin(toRequires)

"ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching ToEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires any endpoint to which it communicates to also carry the label \"team=A\"."

Note: This function appends passed data to existing values

fn spec.egress.withToServices

withToServices(toServices)

"ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors. \n Example: Any endpoint with the label \"app=backend-app\" is allowed to initiate connections to all cidrs backing the \"external-service\" service"

fn spec.egress.withToServicesMixin

withToServicesMixin(toServices)

"ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors. \n Example: Any endpoint with the label \"app=backend-app\" is allowed to initiate connections to all cidrs backing the \"external-service\" service"

Note: This function appends passed data to existing values

obj spec.egress.auth

"Auth is the required authentication type for the allowed traffic, if any."

fn spec.egress.auth.withType

withType(type)

"Type is the required authentication type for the allowed traffic, if any."

obj spec.egress.icmps

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is allowed to connect to. \n Example: Any endpoint with the label \"app=httpd\" is allowed to initiate type 8 ICMP connections."

fn spec.egress.icmps.withFields

withFields(fields)

"Fields is a list of ICMP fields."

fn spec.egress.icmps.withFieldsMixin

withFieldsMixin(fields)

"Fields is a list of ICMP fields."

Note: This function appends passed data to existing values

obj spec.egress.icmps.fields

"Fields is a list of ICMP fields."

fn spec.egress.icmps.fields.withFamily

withFamily(family)

"Family is a IP address version. Currently, we support IPv4 and IPv6. IPv4 is set as default."

fn spec.egress.icmps.fields.withType

withType(type)

"Type is a ICMP-type. It should be 0-255 (8bit)."

obj spec.egress.toCIDRSet

"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."

fn spec.egress.toCIDRSet.withCidr

withCidr(cidr)

"CIDR is a CIDR prefix / IP Block."

fn spec.egress.toCIDRSet.withExcept

withExcept(except)

"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules."

fn spec.egress.toCIDRSet.withExceptMixin

withExceptMixin(except)

"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules."

Note: This function appends passed data to existing values

obj spec.egress.toEndpoints

"ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoints subject to the rule are allowed to communicate. \n Example: Any endpoint with the label \"role=frontend\" can communicate with any endpoint carrying the label \"role=backend\"."

fn spec.egress.toEndpoints.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.egress.toEndpoints.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn spec.egress.toEndpoints.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn spec.egress.toEndpoints.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj spec.egress.toEndpoints.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.egress.toEndpoints.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn spec.egress.toEndpoints.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn spec.egress.toEndpoints.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn spec.egress.toEndpoints.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj spec.egress.toFQDNs

"ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result from DNS resolution of ToFQDN.MatchNames are added to the same EgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and L7 rules within this EgressRule will also apply to these IPs. The DNS -> IP mapping is re-resolved periodically from within the cilium-agent, and the IPs in the DNS response are effected in the policy for selected pods as-is (i.e. the list of IPs is not modified in any way). Note: An explicit rule to allow for DNS traffic is needed for the pods, as ToFQDN counts as an egress rule and will enforce egress policy when PolicyEnforcment=default. Note: If the resolved IPs are IPs within the kubernetes cluster, the ToFQDN rule will not apply to that IP. Note: ToFQDN cannot occur in the same policy as other To* rules. \n The current implementation has a number of limitations: - The DNS resolution originates from cilium-agent, and not from the pods. Differences between the responses seen by cilium agent and a particular pod will whitelist the incorrect IP. - DNS TTLs are ignored, and cilium-agent will repoll on a short interval (5 seconds). Each change to the DNS data will trigger a policy regeneration. This may result in delayed updates to the policy for an endpoint when the data changes often or the system is under load."

fn spec.egress.toFQDNs.withMatchName

withMatchName(matchName)

"MatchName matches literal DNS names. A trailing \".\" is automatically added when missing."

fn spec.egress.toFQDNs.withMatchPattern

withMatchPattern(matchPattern)

"MatchPattern allows using wildcards to match DNS names. All wildcards are case insensitive. The wildcards are: - \"\" matches 0 or more DNS valid characters, and may occur anywhere in the pattern. As a special case a \"\" as the leftmost character, without a following \".\" matches all subdomains as well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: *.cilium.io matches subomains of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not *cilium.io matches cilium.io and all subdomains ends with \"cilium.io\" except those containing \".\" separator, subcilium.io and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium where the subdomain component begins with \"sub\" sub.cilium.io and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not"

obj spec.egress.toGroups

"ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"

obj spec.egress.toGroups.aws

"AWSGroup is an structure that can be used to whitelisting information from AWS integration"

fn spec.egress.toGroups.aws.withLabels

withLabels(labels)

fn spec.egress.toGroups.aws.withLabelsMixin

withLabelsMixin(labels)

Note: This function appends passed data to existing values

fn spec.egress.toGroups.aws.withRegion

withRegion(region)

fn spec.egress.toGroups.aws.withSecurityGroupsIds

withSecurityGroupsIds(securityGroupsIds)

fn spec.egress.toGroups.aws.withSecurityGroupsIdsMixin

withSecurityGroupsIdsMixin(securityGroupsIds)

Note: This function appends passed data to existing values

fn spec.egress.toGroups.aws.withSecurityGroupsNames

withSecurityGroupsNames(securityGroupsNames)

fn spec.egress.toGroups.aws.withSecurityGroupsNamesMixin

withSecurityGroupsNamesMixin(securityGroupsNames)

Note: This function appends passed data to existing values

obj spec.egress.toPorts

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to connect to. \n Example: Any endpoint with the label \"role=frontend\" is allowed to initiate connections to destination port 8080/tcp"

fn spec.egress.toPorts.withPorts

withPorts(ports)

"Ports is a list of L4 port/protocol"

fn spec.egress.toPorts.withPortsMixin

withPortsMixin(ports)

"Ports is a list of L4 port/protocol"

Note: This function appends passed data to existing values

fn spec.egress.toPorts.withServerNames

withServerNames(serverNames)

"ServerNames is a list of allowed TLS SNI values. If not empty, then TLS must be present and one of the provided SNIs must be indicated in the TLS handshake."

fn spec.egress.toPorts.withServerNamesMixin

withServerNamesMixin(serverNames)

"ServerNames is a list of allowed TLS SNI values. If not empty, then TLS must be present and one of the provided SNIs must be indicated in the TLS handshake."

Note: This function appends passed data to existing values

obj spec.egress.toPorts.listener

"listener specifies the name of a custom Envoy listener to which this traffic should be redirected to."

fn spec.egress.toPorts.listener.withName

withName(name)

"Name is the name of the listener."

obj spec.egress.toPorts.listener.envoyConfig

"EnvoyConfig is a reference to the CEC or CCNP resource in which the listener is defined."

fn spec.egress.toPorts.listener.envoyConfig.withKind

withKind(kind)

"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, respectively. The only case this is currently explicitly needed is when referring to a CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener from a cluster scoped policy is not allowed."

fn spec.egress.toPorts.listener.envoyConfig.withName

withName(name)

"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where the listener is defined in."

obj spec.egress.toPorts.originatingTLS

"OriginatingTLS is the TLS context for the connections originated by the L7 proxy. For egress policy this specifies the client-side TLS parameters for the upstream connection originating from the L7 proxy to the remote destination. For ingress policy this specifies the client-side TLS parameters for the connection from the L7 proxy to the local endpoint."

fn spec.egress.toPorts.originatingTLS.withCertificate

withCertificate(certificate)

"Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist."

fn spec.egress.toPorts.originatingTLS.withPrivateKey

withPrivateKey(privateKey)

"PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist."

fn spec.egress.toPorts.originatingTLS.withTrustedCA

withTrustedCA(trustedCA)

"TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist."

obj spec.egress.toPorts.originatingTLS.secret

"Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt' - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate."

fn spec.egress.toPorts.originatingTLS.secret.withName

withName(name)

"Name is the name of the secret."

fn spec.egress.toPorts.originatingTLS.secret.withNamespace

withNamespace(namespace)

"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \"default\")."

obj spec.egress.toPorts.ports

"Ports is a list of L4 port/protocol"

fn spec.egress.toPorts.ports.withPort

withPort(port)

"Port is an L4 port number. For now the string will be strictly parsed as a single uint16. In the future, this field may support ranges in the form \"1024-2048 Port can also be a port name, which must contain at least one [a-z], and may also contain [0-9] and '-' anywhere except adjacent to another '-' or in the beginning or the end."

fn spec.egress.toPorts.ports.withProtocol

withProtocol(protocol)

"Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching on ICMP is not supported. \n Named port specified for a container may narrow this down, but may not contradict this."

obj spec.egress.toPorts.rules

"Rules is a list of additional port level rules which must be met in order for the PortRule to allow the traffic. If omitted or empty, no layer 7 rules are enforced."

fn spec.egress.toPorts.rules.withDns

withDns(dns)

"DNS-specific rules."

fn spec.egress.toPorts.rules.withDnsMixin

withDnsMixin(dns)

"DNS-specific rules."

Note: This function appends passed data to existing values

fn spec.egress.toPorts.rules.withHttp

withHttp(http)

"HTTP specific rules."

fn spec.egress.toPorts.rules.withHttpMixin

withHttpMixin(http)

"HTTP specific rules."

Note: This function appends passed data to existing values

fn spec.egress.toPorts.rules.withKafka

withKafka(kafka)

"Kafka-specific rules."

fn spec.egress.toPorts.rules.withKafkaMixin

withKafkaMixin(kafka)

"Kafka-specific rules."

Note: This function appends passed data to existing values

fn spec.egress.toPorts.rules.withL7

withL7(l7)

"Key-value pair rules."

fn spec.egress.toPorts.rules.withL7Mixin

withL7Mixin(l7)

"Key-value pair rules."

Note: This function appends passed data to existing values

fn spec.egress.toPorts.rules.withL7proto

withL7proto(l7proto)

"Name of the L7 protocol for which the Key-value pair rules apply."

obj spec.egress.toPorts.rules.dns

"DNS-specific rules."

fn spec.egress.toPorts.rules.dns.withMatchName

withMatchName(matchName)

"MatchName matches literal DNS names. A trailing \".\" is automatically added when missing."

fn spec.egress.toPorts.rules.dns.withMatchPattern

withMatchPattern(matchPattern)

"MatchPattern allows using wildcards to match DNS names. All wildcards are case insensitive. The wildcards are: - \"\" matches 0 or more DNS valid characters, and may occur anywhere in the pattern. As a special case a \"\" as the leftmost character, without a following \".\" matches all subdomains as well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: *.cilium.io matches subomains of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not *cilium.io matches cilium.io and all subdomains ends with \"cilium.io\" except those containing \".\" separator, subcilium.io and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium where the subdomain component begins with \"sub\" sub.cilium.io and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not"

obj spec.egress.toPorts.rules.http

"HTTP specific rules."

fn spec.egress.toPorts.rules.http.withHeaderMatches

withHeaderMatches(headerMatches)

"HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match."

fn spec.egress.toPorts.rules.http.withHeaderMatchesMixin

withHeaderMatchesMixin(headerMatches)

"HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match."

Note: This function appends passed data to existing values

fn spec.egress.toPorts.rules.http.withHeaders

withHeaders(headers)

"Headers is a list of HTTP headers which must be present in the request. If omitted or empty, requests are allowed regardless of headers present."

fn spec.egress.toPorts.rules.http.withHeadersMixin

withHeadersMixin(headers)

"Headers is a list of HTTP headers which must be present in the request. If omitted or empty, requests are allowed regardless of headers present."

Note: This function appends passed data to existing values

fn spec.egress.toPorts.rules.http.withHost

withHost(host)

"Host is an extended POSIX regex matched against the host header of a request, e.g. \"foo.com\" \n If omitted or empty, the value of the host header is ignored."

fn spec.egress.toPorts.rules.http.withMethod

withMethod(method)

"Method is an extended POSIX regex matched against the method of a request, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ... \n If omitted or empty, all methods are allowed."

fn spec.egress.toPorts.rules.http.withPath

withPath(path)

"Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. \n If omitted or empty, all paths are all allowed."

obj spec.egress.toPorts.rules.http.headerMatches

"HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match."

fn spec.egress.toPorts.rules.http.headerMatches.withMismatch

withMismatch(mismatch)

"Mismatch identifies what to do in case there is no match. The default is to drop the request. Otherwise the overall rule is still considered as matching, but the mismatches are logged in the access log."

fn spec.egress.toPorts.rules.http.headerMatches.withName

withName(name)

"Name identifies the header."

fn spec.egress.toPorts.rules.http.headerMatches.withValue

withValue(value)

"Value matches the exact value of the header. Can be specified either alone or together with \"Secret\"; will be used as the header value if the secret can not be found in the latter case."

obj spec.egress.toPorts.rules.http.headerMatches.secret

"Secret refers to a secret that contains the value to be matched against. The secret must only contain one entry. If the referred secret does not exist, and there is no \"Value\" specified, the match will fail."

fn spec.egress.toPorts.rules.http.headerMatches.secret.withName

withName(name)

"Name is the name of the secret."

fn spec.egress.toPorts.rules.http.headerMatches.secret.withNamespace

withNamespace(namespace)

"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \"default\")."

obj spec.egress.toPorts.rules.kafka

"Kafka-specific rules."

fn spec.egress.toPorts.rules.kafka.withApiKey

withApiKey(apiKey)

"APIKey is a case-insensitive string matched against the key of a request, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys \n If omitted or empty, and if Role is not specified, then all keys are allowed."

fn spec.egress.toPorts.rules.kafka.withApiVersion

withApiVersion(apiVersion)

"APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer. \n If omitted or empty, all versions are allowed."

fn spec.egress.toPorts.rules.kafka.withClientID

withClientID(clientID)

"ClientID is the client identifier as provided in the request. \n From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client. \n If omitted or empty, all client identifiers are allowed."

fn spec.egress.toPorts.rules.kafka.withRole

withRole(role)

"Role is a case-insensitive string and describes a group of API keys necessary to perform certain higher-level Kafka operations such as \"produce\" or \"consume\". A Role automatically expands into all APIKeys required to perform the specified higher-level operation. \n The following values are supported: - \"produce\": Allow producing to the topics specified in the rule - \"consume\": Allow consuming from the topics specified in the rule \n This field is incompatible with the APIKey field, i.e APIKey and Role cannot both be specified in the same rule. \n If omitted or empty, and if APIKey is not specified, then all keys are allowed."

fn spec.egress.toPorts.rules.kafka.withTopic

withTopic(topic)

"Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected. \n This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _. \n Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. For compatibility reasons we are using 255. \n If omitted or empty, all topics are allowed."

obj spec.egress.toPorts.terminatingTLS

"TerminatingTLS is the TLS context for the connection terminated by the L7 proxy. For egress policy this specifies the server-side TLS parameters to be applied on the connections originated from the local endpoint and terminated by the L7 proxy. For ingress policy this specifies the server-side TLS parameters to be applied on the connections originated from a remote source and terminated by the L7 proxy."

fn spec.egress.toPorts.terminatingTLS.withCertificate

withCertificate(certificate)

"Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist."

fn spec.egress.toPorts.terminatingTLS.withPrivateKey

withPrivateKey(privateKey)

"PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist."

fn spec.egress.toPorts.terminatingTLS.withTrustedCA

withTrustedCA(trustedCA)

"TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist."

obj spec.egress.toPorts.terminatingTLS.secret

"Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt' - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate."

fn spec.egress.toPorts.terminatingTLS.secret.withName

withName(name)

"Name is the name of the secret."

fn spec.egress.toPorts.terminatingTLS.secret.withNamespace

withNamespace(namespace)

"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \"default\")."

obj spec.egress.toRequires

"ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching ToEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires any endpoint to which it communicates to also carry the label \"team=A\"."

fn spec.egress.toRequires.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.egress.toRequires.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn spec.egress.toRequires.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn spec.egress.toRequires.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj spec.egress.toRequires.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.egress.toRequires.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn spec.egress.toRequires.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn spec.egress.toRequires.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn spec.egress.toRequires.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj spec.egress.toServices

"ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors. \n Example: Any endpoint with the label \"app=backend-app\" is allowed to initiate connections to all cidrs backing the \"external-service\" service"

obj spec.egress.toServices.k8sService

"K8sService selects service by name and namespace pair"

fn spec.egress.toServices.k8sService.withNamespace

withNamespace(namespace)

fn spec.egress.toServices.k8sService.withServiceName

withServiceName(serviceName)

obj spec.egress.toServices.k8sServiceSelector

"K8sServiceSelector selects services by k8s labels and namespace"

fn spec.egress.toServices.k8sServiceSelector.withNamespace

withNamespace(namespace)

obj spec.egress.toServices.k8sServiceSelector.selector

"ServiceSelector is a label selector for k8s services"

fn spec.egress.toServices.k8sServiceSelector.selector.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.egress.toServices.k8sServiceSelector.selector.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn spec.egress.toServices.k8sServiceSelector.selector.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn spec.egress.toServices.k8sServiceSelector.selector.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj spec.egress.toServices.k8sServiceSelector.selector.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.egress.toServices.k8sServiceSelector.selector.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn spec.egress.toServices.k8sServiceSelector.selector.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn spec.egress.toServices.k8sServiceSelector.selector.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn spec.egress.toServices.k8sServiceSelector.selector.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj spec.egressDeny

"EgressDeny is a list of EgressDenyRule which are enforced at egress. Any rule inserted here will by denied regardless of the allowed egress rules in the 'egress' field. If omitted or empty, this rule does not apply at egress."

fn spec.egressDeny.withIcmps

withIcmps(icmps)

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is not allowed to connect to. \n Example: Any endpoint with the label \"app=httpd\" is not allowed to initiate type 8 ICMP connections."

fn spec.egressDeny.withIcmpsMixin

withIcmpsMixin(icmps)

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is not allowed to connect to. \n Example: Any endpoint with the label \"app=httpd\" is not allowed to initiate type 8 ICMP connections."

Note: This function appends passed data to existing values

fn spec.egressDeny.withToCIDR

withToCIDR(toCIDR)

"ToCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections. Only connections destined for outside of the cluster and not targeting the host will be subject to CIDR rules. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24"

fn spec.egressDeny.withToCIDRMixin

withToCIDRMixin(toCIDR)

"ToCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections. Only connections destined for outside of the cluster and not targeting the host will be subject to CIDR rules. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24"

Note: This function appends passed data to existing values

fn spec.egressDeny.withToCIDRSet

withToCIDRSet(toCIDRSet)

"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."

fn spec.egressDeny.withToCIDRSetMixin

withToCIDRSetMixin(toCIDRSet)

"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."

Note: This function appends passed data to existing values

fn spec.egressDeny.withToEndpoints

withToEndpoints(toEndpoints)

"ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoints subject to the rule are allowed to communicate. \n Example: Any endpoint with the label \"role=frontend\" can communicate with any endpoint carrying the label \"role=backend\"."

fn spec.egressDeny.withToEndpointsMixin

withToEndpointsMixin(toEndpoints)

"ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoints subject to the rule are allowed to communicate. \n Example: Any endpoint with the label \"role=frontend\" can communicate with any endpoint carrying the label \"role=backend\"."

Note: This function appends passed data to existing values

fn spec.egressDeny.withToEntities

withToEntities(toEntities)

"ToEntities is a list of special entities to which the endpoint subject to the rule is allowed to initiate connections. Supported entities are world, cluster and host"

fn spec.egressDeny.withToEntitiesMixin

withToEntitiesMixin(toEntities)

"ToEntities is a list of special entities to which the endpoint subject to the rule is allowed to initiate connections. Supported entities are world, cluster and host"

Note: This function appends passed data to existing values

fn spec.egressDeny.withToGroups

withToGroups(toGroups)

"ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"

fn spec.egressDeny.withToGroupsMixin

withToGroupsMixin(toGroups)

"ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"

Note: This function appends passed data to existing values

fn spec.egressDeny.withToPorts

withToPorts(toPorts)

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to connect to. \n Example: Any endpoint with the label \"role=frontend\" is not allowed to initiate connections to destination port 8080/tcp"

fn spec.egressDeny.withToPortsMixin

withToPortsMixin(toPorts)

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to connect to. \n Example: Any endpoint with the label \"role=frontend\" is not allowed to initiate connections to destination port 8080/tcp"

Note: This function appends passed data to existing values

fn spec.egressDeny.withToRequires

withToRequires(toRequires)

"ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching ToEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires any endpoint to which it communicates to also carry the label \"team=A\"."

fn spec.egressDeny.withToRequiresMixin

withToRequiresMixin(toRequires)

"ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching ToEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires any endpoint to which it communicates to also carry the label \"team=A\"."

Note: This function appends passed data to existing values

fn spec.egressDeny.withToServices

withToServices(toServices)

"ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors. \n Example: Any endpoint with the label \"app=backend-app\" is allowed to initiate connections to all cidrs backing the \"external-service\" service"

fn spec.egressDeny.withToServicesMixin

withToServicesMixin(toServices)

"ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors. \n Example: Any endpoint with the label \"app=backend-app\" is allowed to initiate connections to all cidrs backing the \"external-service\" service"

Note: This function appends passed data to existing values

obj spec.egressDeny.icmps

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is not allowed to connect to. \n Example: Any endpoint with the label \"app=httpd\" is not allowed to initiate type 8 ICMP connections."

fn spec.egressDeny.icmps.withFields

withFields(fields)

"Fields is a list of ICMP fields."

fn spec.egressDeny.icmps.withFieldsMixin

withFieldsMixin(fields)

"Fields is a list of ICMP fields."

Note: This function appends passed data to existing values

obj spec.egressDeny.icmps.fields

"Fields is a list of ICMP fields."

fn spec.egressDeny.icmps.fields.withFamily

withFamily(family)

"Family is a IP address version. Currently, we support IPv4 and IPv6. IPv4 is set as default."

fn spec.egressDeny.icmps.fields.withType

withType(type)

"Type is a ICMP-type. It should be 0-255 (8bit)."

obj spec.egressDeny.toCIDRSet

"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."

fn spec.egressDeny.toCIDRSet.withCidr

withCidr(cidr)

"CIDR is a CIDR prefix / IP Block."

fn spec.egressDeny.toCIDRSet.withExcept

withExcept(except)

"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules."

fn spec.egressDeny.toCIDRSet.withExceptMixin

withExceptMixin(except)

"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules."

Note: This function appends passed data to existing values

obj spec.egressDeny.toEndpoints

"ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoints subject to the rule are allowed to communicate. \n Example: Any endpoint with the label \"role=frontend\" can communicate with any endpoint carrying the label \"role=backend\"."

fn spec.egressDeny.toEndpoints.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.egressDeny.toEndpoints.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn spec.egressDeny.toEndpoints.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn spec.egressDeny.toEndpoints.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj spec.egressDeny.toEndpoints.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.egressDeny.toEndpoints.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn spec.egressDeny.toEndpoints.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn spec.egressDeny.toEndpoints.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn spec.egressDeny.toEndpoints.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj spec.egressDeny.toGroups

"ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"

obj spec.egressDeny.toGroups.aws

"AWSGroup is an structure that can be used to whitelisting information from AWS integration"

fn spec.egressDeny.toGroups.aws.withLabels

withLabels(labels)

fn spec.egressDeny.toGroups.aws.withLabelsMixin

withLabelsMixin(labels)

Note: This function appends passed data to existing values

fn spec.egressDeny.toGroups.aws.withRegion

withRegion(region)

fn spec.egressDeny.toGroups.aws.withSecurityGroupsIds

withSecurityGroupsIds(securityGroupsIds)

fn spec.egressDeny.toGroups.aws.withSecurityGroupsIdsMixin

withSecurityGroupsIdsMixin(securityGroupsIds)

Note: This function appends passed data to existing values

fn spec.egressDeny.toGroups.aws.withSecurityGroupsNames

withSecurityGroupsNames(securityGroupsNames)

fn spec.egressDeny.toGroups.aws.withSecurityGroupsNamesMixin

withSecurityGroupsNamesMixin(securityGroupsNames)

Note: This function appends passed data to existing values

obj spec.egressDeny.toPorts

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to connect to. \n Example: Any endpoint with the label \"role=frontend\" is not allowed to initiate connections to destination port 8080/tcp"

fn spec.egressDeny.toPorts.withPorts

withPorts(ports)

"Ports is a list of L4 port/protocol"

fn spec.egressDeny.toPorts.withPortsMixin

withPortsMixin(ports)

"Ports is a list of L4 port/protocol"

Note: This function appends passed data to existing values

obj spec.egressDeny.toPorts.ports

"Ports is a list of L4 port/protocol"

fn spec.egressDeny.toPorts.ports.withPort

withPort(port)

"Port is an L4 port number. For now the string will be strictly parsed as a single uint16. In the future, this field may support ranges in the form \"1024-2048 Port can also be a port name, which must contain at least one [a-z], and may also contain [0-9] and '-' anywhere except adjacent to another '-' or in the beginning or the end."

fn spec.egressDeny.toPorts.ports.withProtocol

withProtocol(protocol)

"Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching on ICMP is not supported. \n Named port specified for a container may narrow this down, but may not contradict this."

obj spec.egressDeny.toRequires

"ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching ToEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires any endpoint to which it communicates to also carry the label \"team=A\"."

fn spec.egressDeny.toRequires.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.egressDeny.toRequires.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn spec.egressDeny.toRequires.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn spec.egressDeny.toRequires.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj spec.egressDeny.toRequires.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.egressDeny.toRequires.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn spec.egressDeny.toRequires.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn spec.egressDeny.toRequires.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn spec.egressDeny.toRequires.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj spec.egressDeny.toServices

"ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors. \n Example: Any endpoint with the label \"app=backend-app\" is allowed to initiate connections to all cidrs backing the \"external-service\" service"

obj spec.egressDeny.toServices.k8sService

"K8sService selects service by name and namespace pair"

fn spec.egressDeny.toServices.k8sService.withNamespace

withNamespace(namespace)

fn spec.egressDeny.toServices.k8sService.withServiceName

withServiceName(serviceName)

obj spec.egressDeny.toServices.k8sServiceSelector

"K8sServiceSelector selects services by k8s labels and namespace"

fn spec.egressDeny.toServices.k8sServiceSelector.withNamespace

withNamespace(namespace)

obj spec.egressDeny.toServices.k8sServiceSelector.selector

"ServiceSelector is a label selector for k8s services"

fn spec.egressDeny.toServices.k8sServiceSelector.selector.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.egressDeny.toServices.k8sServiceSelector.selector.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn spec.egressDeny.toServices.k8sServiceSelector.selector.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn spec.egressDeny.toServices.k8sServiceSelector.selector.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj spec.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn spec.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn spec.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn spec.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj spec.endpointSelector

"EndpointSelector selects all endpoints which should be subject to this rule. EndpointSelector and NodeSelector cannot be both empty and are mutually exclusive."

fn spec.endpointSelector.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.endpointSelector.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn spec.endpointSelector.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn spec.endpointSelector.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj spec.endpointSelector.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.endpointSelector.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn spec.endpointSelector.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn spec.endpointSelector.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn spec.endpointSelector.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj spec.ingress

"Ingress is a list of IngressRule which are enforced at ingress. If omitted or empty, this rule does not apply at ingress."

fn spec.ingress.withFromCIDR

withFromCIDR(fromCIDR)

"FromCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from. Only connections which do not originate from the cluster or from the local host are subject to CIDR rules. In order to allow in-cluster connectivity, use the FromEndpoints field. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.3.9.1"

fn spec.ingress.withFromCIDRMixin

withFromCIDRMixin(fromCIDR)

"FromCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from. Only connections which do not originate from the cluster or from the local host are subject to CIDR rules. In order to allow in-cluster connectivity, use the FromEndpoints field. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.3.9.1"

Note: This function appends passed data to existing values

fn spec.ingress.withFromCIDRSet

withFromCIDRSet(fromCIDRSet)

"FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."

fn spec.ingress.withFromCIDRSetMixin

withFromCIDRSetMixin(fromCIDRSet)

"FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."

Note: This function appends passed data to existing values

fn spec.ingress.withFromEndpoints

withFromEndpoints(fromEndpoints)

"FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule. \n Example: Any endpoint with the label \"role=backend\" can be consumed by any endpoint carrying the label \"role=frontend\"."

fn spec.ingress.withFromEndpointsMixin

withFromEndpointsMixin(fromEndpoints)

"FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule. \n Example: Any endpoint with the label \"role=backend\" can be consumed by any endpoint carrying the label \"role=frontend\"."

Note: This function appends passed data to existing values

fn spec.ingress.withFromEntities

withFromEntities(fromEntities)

"FromEntities is a list of special entities which the endpoint subject to the rule is allowed to receive connections from. Supported entities are world, cluster and host"

fn spec.ingress.withFromEntitiesMixin

withFromEntitiesMixin(fromEntities)

"FromEntities is a list of special entities which the endpoint subject to the rule is allowed to receive connections from. Supported entities are world, cluster and host"

Note: This function appends passed data to existing values

fn spec.ingress.withFromRequires

withFromRequires(fromRequires)

"FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching FromEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires consuming endpoint to also carry the label \"team=A\"."

fn spec.ingress.withFromRequiresMixin

withFromRequiresMixin(fromRequires)

"FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching FromEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires consuming endpoint to also carry the label \"team=A\"."

Note: This function appends passed data to existing values

fn spec.ingress.withIcmps

withIcmps(icmps)

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can only accept incoming type 8 ICMP connections."

fn spec.ingress.withIcmpsMixin

withIcmpsMixin(icmps)

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can only accept incoming type 8 ICMP connections."

Note: This function appends passed data to existing values

fn spec.ingress.withToPorts

withToPorts(toPorts)

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can only accept incoming connections on port 80/tcp."

fn spec.ingress.withToPortsMixin

withToPortsMixin(toPorts)

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can only accept incoming connections on port 80/tcp."

Note: This function appends passed data to existing values

obj spec.ingress.auth

"Auth is the required authentication type for the allowed traffic, if any."

fn spec.ingress.auth.withType

withType(type)

"Type is the required authentication type for the allowed traffic, if any."

obj spec.ingress.fromCIDRSet

"FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."

fn spec.ingress.fromCIDRSet.withCidr

withCidr(cidr)

"CIDR is a CIDR prefix / IP Block."

fn spec.ingress.fromCIDRSet.withExcept

withExcept(except)

"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules."

fn spec.ingress.fromCIDRSet.withExceptMixin

withExceptMixin(except)

"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules."

Note: This function appends passed data to existing values

obj spec.ingress.fromEndpoints

"FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule. \n Example: Any endpoint with the label \"role=backend\" can be consumed by any endpoint carrying the label \"role=frontend\"."

fn spec.ingress.fromEndpoints.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.ingress.fromEndpoints.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn spec.ingress.fromEndpoints.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn spec.ingress.fromEndpoints.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj spec.ingress.fromEndpoints.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.ingress.fromEndpoints.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn spec.ingress.fromEndpoints.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn spec.ingress.fromEndpoints.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn spec.ingress.fromEndpoints.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj spec.ingress.fromRequires

"FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching FromEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires consuming endpoint to also carry the label \"team=A\"."

fn spec.ingress.fromRequires.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.ingress.fromRequires.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn spec.ingress.fromRequires.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn spec.ingress.fromRequires.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj spec.ingress.fromRequires.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.ingress.fromRequires.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn spec.ingress.fromRequires.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn spec.ingress.fromRequires.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn spec.ingress.fromRequires.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj spec.ingress.icmps

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can only accept incoming type 8 ICMP connections."

fn spec.ingress.icmps.withFields

withFields(fields)

"Fields is a list of ICMP fields."

fn spec.ingress.icmps.withFieldsMixin

withFieldsMixin(fields)

"Fields is a list of ICMP fields."

Note: This function appends passed data to existing values

obj spec.ingress.icmps.fields

"Fields is a list of ICMP fields."

fn spec.ingress.icmps.fields.withFamily

withFamily(family)

"Family is a IP address version. Currently, we support IPv4 and IPv6. IPv4 is set as default."

fn spec.ingress.icmps.fields.withType

withType(type)

"Type is a ICMP-type. It should be 0-255 (8bit)."

obj spec.ingress.toPorts

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can only accept incoming connections on port 80/tcp."

fn spec.ingress.toPorts.withPorts

withPorts(ports)

"Ports is a list of L4 port/protocol"

fn spec.ingress.toPorts.withPortsMixin

withPortsMixin(ports)

"Ports is a list of L4 port/protocol"

Note: This function appends passed data to existing values

fn spec.ingress.toPorts.withServerNames

withServerNames(serverNames)

"ServerNames is a list of allowed TLS SNI values. If not empty, then TLS must be present and one of the provided SNIs must be indicated in the TLS handshake."

fn spec.ingress.toPorts.withServerNamesMixin

withServerNamesMixin(serverNames)

"ServerNames is a list of allowed TLS SNI values. If not empty, then TLS must be present and one of the provided SNIs must be indicated in the TLS handshake."

Note: This function appends passed data to existing values

obj spec.ingress.toPorts.listener

"listener specifies the name of a custom Envoy listener to which this traffic should be redirected to."

fn spec.ingress.toPorts.listener.withName

withName(name)

"Name is the name of the listener."

obj spec.ingress.toPorts.listener.envoyConfig

"EnvoyConfig is a reference to the CEC or CCNP resource in which the listener is defined."

fn spec.ingress.toPorts.listener.envoyConfig.withKind

withKind(kind)

"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, respectively. The only case this is currently explicitly needed is when referring to a CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener from a cluster scoped policy is not allowed."

fn spec.ingress.toPorts.listener.envoyConfig.withName

withName(name)

"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where the listener is defined in."

obj spec.ingress.toPorts.originatingTLS

"OriginatingTLS is the TLS context for the connections originated by the L7 proxy. For egress policy this specifies the client-side TLS parameters for the upstream connection originating from the L7 proxy to the remote destination. For ingress policy this specifies the client-side TLS parameters for the connection from the L7 proxy to the local endpoint."

fn spec.ingress.toPorts.originatingTLS.withCertificate

withCertificate(certificate)

"Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist."

fn spec.ingress.toPorts.originatingTLS.withPrivateKey

withPrivateKey(privateKey)

"PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist."

fn spec.ingress.toPorts.originatingTLS.withTrustedCA

withTrustedCA(trustedCA)

"TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist."

obj spec.ingress.toPorts.originatingTLS.secret

"Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt' - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate."

fn spec.ingress.toPorts.originatingTLS.secret.withName

withName(name)

"Name is the name of the secret."

fn spec.ingress.toPorts.originatingTLS.secret.withNamespace

withNamespace(namespace)

"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \"default\")."

obj spec.ingress.toPorts.ports

"Ports is a list of L4 port/protocol"

fn spec.ingress.toPorts.ports.withPort

withPort(port)

"Port is an L4 port number. For now the string will be strictly parsed as a single uint16. In the future, this field may support ranges in the form \"1024-2048 Port can also be a port name, which must contain at least one [a-z], and may also contain [0-9] and '-' anywhere except adjacent to another '-' or in the beginning or the end."

fn spec.ingress.toPorts.ports.withProtocol

withProtocol(protocol)

"Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching on ICMP is not supported. \n Named port specified for a container may narrow this down, but may not contradict this."

obj spec.ingress.toPorts.rules

"Rules is a list of additional port level rules which must be met in order for the PortRule to allow the traffic. If omitted or empty, no layer 7 rules are enforced."

fn spec.ingress.toPorts.rules.withDns

withDns(dns)

"DNS-specific rules."

fn spec.ingress.toPorts.rules.withDnsMixin

withDnsMixin(dns)

"DNS-specific rules."

Note: This function appends passed data to existing values

fn spec.ingress.toPorts.rules.withHttp

withHttp(http)

"HTTP specific rules."

fn spec.ingress.toPorts.rules.withHttpMixin

withHttpMixin(http)

"HTTP specific rules."

Note: This function appends passed data to existing values

fn spec.ingress.toPorts.rules.withKafka

withKafka(kafka)

"Kafka-specific rules."

fn spec.ingress.toPorts.rules.withKafkaMixin

withKafkaMixin(kafka)

"Kafka-specific rules."

Note: This function appends passed data to existing values

fn spec.ingress.toPorts.rules.withL7

withL7(l7)

"Key-value pair rules."

fn spec.ingress.toPorts.rules.withL7Mixin

withL7Mixin(l7)

"Key-value pair rules."

Note: This function appends passed data to existing values

fn spec.ingress.toPorts.rules.withL7proto

withL7proto(l7proto)

"Name of the L7 protocol for which the Key-value pair rules apply."

obj spec.ingress.toPorts.rules.dns

"DNS-specific rules."

fn spec.ingress.toPorts.rules.dns.withMatchName

withMatchName(matchName)

"MatchName matches literal DNS names. A trailing \".\" is automatically added when missing."

fn spec.ingress.toPorts.rules.dns.withMatchPattern

withMatchPattern(matchPattern)

"MatchPattern allows using wildcards to match DNS names. All wildcards are case insensitive. The wildcards are: - \"\" matches 0 or more DNS valid characters, and may occur anywhere in the pattern. As a special case a \"\" as the leftmost character, without a following \".\" matches all subdomains as well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: *.cilium.io matches subomains of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not *cilium.io matches cilium.io and all subdomains ends with \"cilium.io\" except those containing \".\" separator, subcilium.io and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium where the subdomain component begins with \"sub\" sub.cilium.io and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not"

obj spec.ingress.toPorts.rules.http

"HTTP specific rules."

fn spec.ingress.toPorts.rules.http.withHeaderMatches

withHeaderMatches(headerMatches)

"HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match."

fn spec.ingress.toPorts.rules.http.withHeaderMatchesMixin

withHeaderMatchesMixin(headerMatches)

"HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match."

Note: This function appends passed data to existing values

fn spec.ingress.toPorts.rules.http.withHeaders

withHeaders(headers)

"Headers is a list of HTTP headers which must be present in the request. If omitted or empty, requests are allowed regardless of headers present."

fn spec.ingress.toPorts.rules.http.withHeadersMixin

withHeadersMixin(headers)

"Headers is a list of HTTP headers which must be present in the request. If omitted or empty, requests are allowed regardless of headers present."

Note: This function appends passed data to existing values

fn spec.ingress.toPorts.rules.http.withHost

withHost(host)

"Host is an extended POSIX regex matched against the host header of a request, e.g. \"foo.com\" \n If omitted or empty, the value of the host header is ignored."

fn spec.ingress.toPorts.rules.http.withMethod

withMethod(method)

"Method is an extended POSIX regex matched against the method of a request, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ... \n If omitted or empty, all methods are allowed."

fn spec.ingress.toPorts.rules.http.withPath

withPath(path)

"Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. \n If omitted or empty, all paths are all allowed."

obj spec.ingress.toPorts.rules.http.headerMatches

"HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match."

fn spec.ingress.toPorts.rules.http.headerMatches.withMismatch

withMismatch(mismatch)

"Mismatch identifies what to do in case there is no match. The default is to drop the request. Otherwise the overall rule is still considered as matching, but the mismatches are logged in the access log."

fn spec.ingress.toPorts.rules.http.headerMatches.withName

withName(name)

"Name identifies the header."

fn spec.ingress.toPorts.rules.http.headerMatches.withValue

withValue(value)

"Value matches the exact value of the header. Can be specified either alone or together with \"Secret\"; will be used as the header value if the secret can not be found in the latter case."

obj spec.ingress.toPorts.rules.http.headerMatches.secret

"Secret refers to a secret that contains the value to be matched against. The secret must only contain one entry. If the referred secret does not exist, and there is no \"Value\" specified, the match will fail."

fn spec.ingress.toPorts.rules.http.headerMatches.secret.withName

withName(name)

"Name is the name of the secret."

fn spec.ingress.toPorts.rules.http.headerMatches.secret.withNamespace

withNamespace(namespace)

"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \"default\")."

obj spec.ingress.toPorts.rules.kafka

"Kafka-specific rules."

fn spec.ingress.toPorts.rules.kafka.withApiKey

withApiKey(apiKey)

"APIKey is a case-insensitive string matched against the key of a request, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys \n If omitted or empty, and if Role is not specified, then all keys are allowed."

fn spec.ingress.toPorts.rules.kafka.withApiVersion

withApiVersion(apiVersion)

"APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer. \n If omitted or empty, all versions are allowed."

fn spec.ingress.toPorts.rules.kafka.withClientID

withClientID(clientID)

"ClientID is the client identifier as provided in the request. \n From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client. \n If omitted or empty, all client identifiers are allowed."

fn spec.ingress.toPorts.rules.kafka.withRole

withRole(role)

"Role is a case-insensitive string and describes a group of API keys necessary to perform certain higher-level Kafka operations such as \"produce\" or \"consume\". A Role automatically expands into all APIKeys required to perform the specified higher-level operation. \n The following values are supported: - \"produce\": Allow producing to the topics specified in the rule - \"consume\": Allow consuming from the topics specified in the rule \n This field is incompatible with the APIKey field, i.e APIKey and Role cannot both be specified in the same rule. \n If omitted or empty, and if APIKey is not specified, then all keys are allowed."

fn spec.ingress.toPorts.rules.kafka.withTopic

withTopic(topic)

"Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected. \n This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _. \n Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. For compatibility reasons we are using 255. \n If omitted or empty, all topics are allowed."

obj spec.ingress.toPorts.terminatingTLS

"TerminatingTLS is the TLS context for the connection terminated by the L7 proxy. For egress policy this specifies the server-side TLS parameters to be applied on the connections originated from the local endpoint and terminated by the L7 proxy. For ingress policy this specifies the server-side TLS parameters to be applied on the connections originated from a remote source and terminated by the L7 proxy."

fn spec.ingress.toPorts.terminatingTLS.withCertificate

withCertificate(certificate)

"Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist."

fn spec.ingress.toPorts.terminatingTLS.withPrivateKey

withPrivateKey(privateKey)

"PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist."

fn spec.ingress.toPorts.terminatingTLS.withTrustedCA

withTrustedCA(trustedCA)

"TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist."

obj spec.ingress.toPorts.terminatingTLS.secret

"Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt' - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate."

fn spec.ingress.toPorts.terminatingTLS.secret.withName

withName(name)

"Name is the name of the secret."

fn spec.ingress.toPorts.terminatingTLS.secret.withNamespace

withNamespace(namespace)

"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \"default\")."

obj spec.ingressDeny

"IngressDeny is a list of IngressDenyRule which are enforced at ingress. Any rule inserted here will by denied regardless of the allowed ingress rules in the 'ingress' field. If omitted or empty, this rule does not apply at ingress."

fn spec.ingressDeny.withFromCIDR

withFromCIDR(fromCIDR)

"FromCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from. Only connections which do not originate from the cluster or from the local host are subject to CIDR rules. In order to allow in-cluster connectivity, use the FromEndpoints field. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.3.9.1"

fn spec.ingressDeny.withFromCIDRMixin

withFromCIDRMixin(fromCIDR)

"FromCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from. Only connections which do not originate from the cluster or from the local host are subject to CIDR rules. In order to allow in-cluster connectivity, use the FromEndpoints field. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.3.9.1"

Note: This function appends passed data to existing values

fn spec.ingressDeny.withFromCIDRSet

withFromCIDRSet(fromCIDRSet)

"FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."

fn spec.ingressDeny.withFromCIDRSetMixin

withFromCIDRSetMixin(fromCIDRSet)

"FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."

Note: This function appends passed data to existing values

fn spec.ingressDeny.withFromEndpoints

withFromEndpoints(fromEndpoints)

"FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule. \n Example: Any endpoint with the label \"role=backend\" can be consumed by any endpoint carrying the label \"role=frontend\"."

fn spec.ingressDeny.withFromEndpointsMixin

withFromEndpointsMixin(fromEndpoints)

"FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule. \n Example: Any endpoint with the label \"role=backend\" can be consumed by any endpoint carrying the label \"role=frontend\"."

Note: This function appends passed data to existing values

fn spec.ingressDeny.withFromEntities

withFromEntities(fromEntities)

"FromEntities is a list of special entities which the endpoint subject to the rule is allowed to receive connections from. Supported entities are world, cluster and host"

fn spec.ingressDeny.withFromEntitiesMixin

withFromEntitiesMixin(fromEntities)

"FromEntities is a list of special entities which the endpoint subject to the rule is allowed to receive connections from. Supported entities are world, cluster and host"

Note: This function appends passed data to existing values

fn spec.ingressDeny.withFromRequires

withFromRequires(fromRequires)

"FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching FromEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires consuming endpoint to also carry the label \"team=A\"."

fn spec.ingressDeny.withFromRequiresMixin

withFromRequiresMixin(fromRequires)

"FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching FromEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires consuming endpoint to also carry the label \"team=A\"."

Note: This function appends passed data to existing values

fn spec.ingressDeny.withIcmps

withIcmps(icmps)

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is not allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can not accept incoming type 8 ICMP connections."

fn spec.ingressDeny.withIcmpsMixin

withIcmpsMixin(icmps)

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is not allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can not accept incoming type 8 ICMP connections."

Note: This function appends passed data to existing values

fn spec.ingressDeny.withToPorts

withToPorts(toPorts)

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can not accept incoming connections on port 80/tcp."

fn spec.ingressDeny.withToPortsMixin

withToPortsMixin(toPorts)

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can not accept incoming connections on port 80/tcp."

Note: This function appends passed data to existing values

obj spec.ingressDeny.fromCIDRSet

"FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."

fn spec.ingressDeny.fromCIDRSet.withCidr

withCidr(cidr)

"CIDR is a CIDR prefix / IP Block."

fn spec.ingressDeny.fromCIDRSet.withExcept

withExcept(except)

"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules."

fn spec.ingressDeny.fromCIDRSet.withExceptMixin

withExceptMixin(except)

"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules."

Note: This function appends passed data to existing values

obj spec.ingressDeny.fromEndpoints

"FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule. \n Example: Any endpoint with the label \"role=backend\" can be consumed by any endpoint carrying the label \"role=frontend\"."

fn spec.ingressDeny.fromEndpoints.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.ingressDeny.fromEndpoints.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn spec.ingressDeny.fromEndpoints.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn spec.ingressDeny.fromEndpoints.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj spec.ingressDeny.fromEndpoints.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.ingressDeny.fromEndpoints.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn spec.ingressDeny.fromEndpoints.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn spec.ingressDeny.fromEndpoints.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn spec.ingressDeny.fromEndpoints.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj spec.ingressDeny.fromRequires

"FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching FromEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires consuming endpoint to also carry the label \"team=A\"."

fn spec.ingressDeny.fromRequires.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.ingressDeny.fromRequires.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn spec.ingressDeny.fromRequires.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn spec.ingressDeny.fromRequires.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj spec.ingressDeny.fromRequires.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.ingressDeny.fromRequires.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn spec.ingressDeny.fromRequires.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn spec.ingressDeny.fromRequires.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn spec.ingressDeny.fromRequires.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj spec.ingressDeny.icmps

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is not allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can not accept incoming type 8 ICMP connections."

fn spec.ingressDeny.icmps.withFields

withFields(fields)

"Fields is a list of ICMP fields."

fn spec.ingressDeny.icmps.withFieldsMixin

withFieldsMixin(fields)

"Fields is a list of ICMP fields."

Note: This function appends passed data to existing values

obj spec.ingressDeny.icmps.fields

"Fields is a list of ICMP fields."

fn spec.ingressDeny.icmps.fields.withFamily

withFamily(family)

"Family is a IP address version. Currently, we support IPv4 and IPv6. IPv4 is set as default."

fn spec.ingressDeny.icmps.fields.withType

withType(type)

"Type is a ICMP-type. It should be 0-255 (8bit)."

obj spec.ingressDeny.toPorts

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can not accept incoming connections on port 80/tcp."

fn spec.ingressDeny.toPorts.withPorts

withPorts(ports)

"Ports is a list of L4 port/protocol"

fn spec.ingressDeny.toPorts.withPortsMixin

withPortsMixin(ports)

"Ports is a list of L4 port/protocol"

Note: This function appends passed data to existing values

obj spec.ingressDeny.toPorts.ports

"Ports is a list of L4 port/protocol"

fn spec.ingressDeny.toPorts.ports.withPort

withPort(port)

"Port is an L4 port number. For now the string will be strictly parsed as a single uint16. In the future, this field may support ranges in the form \"1024-2048 Port can also be a port name, which must contain at least one [a-z], and may also contain [0-9] and '-' anywhere except adjacent to another '-' or in the beginning or the end."

fn spec.ingressDeny.toPorts.ports.withProtocol

withProtocol(protocol)

"Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching on ICMP is not supported. \n Named port specified for a container may narrow this down, but may not contradict this."

obj spec.labels

"Labels is a list of optional strings which can be used to re-identify the rule or to store metadata. It is possible to lookup or delete strings based on labels. Labels are not required to be unique, multiple rules can have overlapping or identical labels."

fn spec.labels.withKey

withKey(key)

fn spec.labels.withSource

withSource(source)

"Source can be one of the above values (e.g.: LabelSourceContainer)."

fn spec.labels.withValue

withValue(value)

obj spec.nodeSelector

"NodeSelector selects all nodes which should be subject to this rule. EndpointSelector and NodeSelector cannot be both empty and are mutually exclusive. Can only be used in CiliumClusterwideNetworkPolicies."

fn spec.nodeSelector.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.nodeSelector.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn spec.nodeSelector.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn spec.nodeSelector.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj spec.nodeSelector.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn spec.nodeSelector.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn spec.nodeSelector.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn spec.nodeSelector.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn spec.nodeSelector.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj specs

"Specs is a list of desired Cilium specific rule specification."

fn specs.withDescription

withDescription(description)

"Description is a free form string, it can be used by the creator of the rule to store human readable explanation of the purpose of this rule. Rules cannot be identified by comment."

fn specs.withEgress

withEgress(egress)

"Egress is a list of EgressRule which are enforced at egress. If omitted or empty, this rule does not apply at egress."

fn specs.withEgressDeny

withEgressDeny(egressDeny)

"EgressDeny is a list of EgressDenyRule which are enforced at egress. Any rule inserted here will by denied regardless of the allowed egress rules in the 'egress' field. If omitted or empty, this rule does not apply at egress."

fn specs.withEgressDenyMixin

withEgressDenyMixin(egressDeny)

"EgressDeny is a list of EgressDenyRule which are enforced at egress. Any rule inserted here will by denied regardless of the allowed egress rules in the 'egress' field. If omitted or empty, this rule does not apply at egress."

Note: This function appends passed data to existing values

fn specs.withEgressMixin

withEgressMixin(egress)

"Egress is a list of EgressRule which are enforced at egress. If omitted or empty, this rule does not apply at egress."

Note: This function appends passed data to existing values

fn specs.withIngress

withIngress(ingress)

"Ingress is a list of IngressRule which are enforced at ingress. If omitted or empty, this rule does not apply at ingress."

fn specs.withIngressDeny

withIngressDeny(ingressDeny)

"IngressDeny is a list of IngressDenyRule which are enforced at ingress. Any rule inserted here will by denied regardless of the allowed ingress rules in the 'ingress' field. If omitted or empty, this rule does not apply at ingress."

fn specs.withIngressDenyMixin

withIngressDenyMixin(ingressDeny)

"IngressDeny is a list of IngressDenyRule which are enforced at ingress. Any rule inserted here will by denied regardless of the allowed ingress rules in the 'ingress' field. If omitted or empty, this rule does not apply at ingress."

Note: This function appends passed data to existing values

fn specs.withIngressMixin

withIngressMixin(ingress)

"Ingress is a list of IngressRule which are enforced at ingress. If omitted or empty, this rule does not apply at ingress."

Note: This function appends passed data to existing values

fn specs.withLabels

withLabels(labels)

"Labels is a list of optional strings which can be used to re-identify the rule or to store metadata. It is possible to lookup or delete strings based on labels. Labels are not required to be unique, multiple rules can have overlapping or identical labels."

fn specs.withLabelsMixin

withLabelsMixin(labels)

"Labels is a list of optional strings which can be used to re-identify the rule or to store metadata. It is possible to lookup or delete strings based on labels. Labels are not required to be unique, multiple rules can have overlapping or identical labels."

Note: This function appends passed data to existing values

obj specs.egress

"Egress is a list of EgressRule which are enforced at egress. If omitted or empty, this rule does not apply at egress."

fn specs.egress.withIcmps

withIcmps(icmps)

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is allowed to connect to. \n Example: Any endpoint with the label \"app=httpd\" is allowed to initiate type 8 ICMP connections."

fn specs.egress.withIcmpsMixin

withIcmpsMixin(icmps)

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is allowed to connect to. \n Example: Any endpoint with the label \"app=httpd\" is allowed to initiate type 8 ICMP connections."

Note: This function appends passed data to existing values

fn specs.egress.withToCIDR

withToCIDR(toCIDR)

"ToCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections. Only connections destined for outside of the cluster and not targeting the host will be subject to CIDR rules. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24"

fn specs.egress.withToCIDRMixin

withToCIDRMixin(toCIDR)

"ToCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections. Only connections destined for outside of the cluster and not targeting the host will be subject to CIDR rules. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24"

Note: This function appends passed data to existing values

fn specs.egress.withToCIDRSet

withToCIDRSet(toCIDRSet)

"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."

fn specs.egress.withToCIDRSetMixin

withToCIDRSetMixin(toCIDRSet)

"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."

Note: This function appends passed data to existing values

fn specs.egress.withToEndpoints

withToEndpoints(toEndpoints)

"ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoints subject to the rule are allowed to communicate. \n Example: Any endpoint with the label \"role=frontend\" can communicate with any endpoint carrying the label \"role=backend\"."

fn specs.egress.withToEndpointsMixin

withToEndpointsMixin(toEndpoints)

"ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoints subject to the rule are allowed to communicate. \n Example: Any endpoint with the label \"role=frontend\" can communicate with any endpoint carrying the label \"role=backend\"."

Note: This function appends passed data to existing values

fn specs.egress.withToEntities

withToEntities(toEntities)

"ToEntities is a list of special entities to which the endpoint subject to the rule is allowed to initiate connections. Supported entities are world, cluster and host"

fn specs.egress.withToEntitiesMixin

withToEntitiesMixin(toEntities)

"ToEntities is a list of special entities to which the endpoint subject to the rule is allowed to initiate connections. Supported entities are world, cluster and host"

Note: This function appends passed data to existing values

fn specs.egress.withToFQDNs

withToFQDNs(toFQDNs)

"ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result from DNS resolution of ToFQDN.MatchNames are added to the same EgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and L7 rules within this EgressRule will also apply to these IPs. The DNS -> IP mapping is re-resolved periodically from within the cilium-agent, and the IPs in the DNS response are effected in the policy for selected pods as-is (i.e. the list of IPs is not modified in any way). Note: An explicit rule to allow for DNS traffic is needed for the pods, as ToFQDN counts as an egress rule and will enforce egress policy when PolicyEnforcment=default. Note: If the resolved IPs are IPs within the kubernetes cluster, the ToFQDN rule will not apply to that IP. Note: ToFQDN cannot occur in the same policy as other To* rules. \n The current implementation has a number of limitations: - The DNS resolution originates from cilium-agent, and not from the pods. Differences between the responses seen by cilium agent and a particular pod will whitelist the incorrect IP. - DNS TTLs are ignored, and cilium-agent will repoll on a short interval (5 seconds). Each change to the DNS data will trigger a policy regeneration. This may result in delayed updates to the policy for an endpoint when the data changes often or the system is under load."

fn specs.egress.withToFQDNsMixin

withToFQDNsMixin(toFQDNs)

"ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result from DNS resolution of ToFQDN.MatchNames are added to the same EgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and L7 rules within this EgressRule will also apply to these IPs. The DNS -> IP mapping is re-resolved periodically from within the cilium-agent, and the IPs in the DNS response are effected in the policy for selected pods as-is (i.e. the list of IPs is not modified in any way). Note: An explicit rule to allow for DNS traffic is needed for the pods, as ToFQDN counts as an egress rule and will enforce egress policy when PolicyEnforcment=default. Note: If the resolved IPs are IPs within the kubernetes cluster, the ToFQDN rule will not apply to that IP. Note: ToFQDN cannot occur in the same policy as other To* rules. \n The current implementation has a number of limitations: - The DNS resolution originates from cilium-agent, and not from the pods. Differences between the responses seen by cilium agent and a particular pod will whitelist the incorrect IP. - DNS TTLs are ignored, and cilium-agent will repoll on a short interval (5 seconds). Each change to the DNS data will trigger a policy regeneration. This may result in delayed updates to the policy for an endpoint when the data changes often or the system is under load."

Note: This function appends passed data to existing values

fn specs.egress.withToGroups

withToGroups(toGroups)

"ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"

fn specs.egress.withToGroupsMixin

withToGroupsMixin(toGroups)

"ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"

Note: This function appends passed data to existing values

fn specs.egress.withToPorts

withToPorts(toPorts)

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to connect to. \n Example: Any endpoint with the label \"role=frontend\" is allowed to initiate connections to destination port 8080/tcp"

fn specs.egress.withToPortsMixin

withToPortsMixin(toPorts)

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to connect to. \n Example: Any endpoint with the label \"role=frontend\" is allowed to initiate connections to destination port 8080/tcp"

Note: This function appends passed data to existing values

fn specs.egress.withToRequires

withToRequires(toRequires)

"ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching ToEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires any endpoint to which it communicates to also carry the label \"team=A\"."

fn specs.egress.withToRequiresMixin

withToRequiresMixin(toRequires)

"ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching ToEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires any endpoint to which it communicates to also carry the label \"team=A\"."

Note: This function appends passed data to existing values

fn specs.egress.withToServices

withToServices(toServices)

"ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors. \n Example: Any endpoint with the label \"app=backend-app\" is allowed to initiate connections to all cidrs backing the \"external-service\" service"

fn specs.egress.withToServicesMixin

withToServicesMixin(toServices)

"ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors. \n Example: Any endpoint with the label \"app=backend-app\" is allowed to initiate connections to all cidrs backing the \"external-service\" service"

Note: This function appends passed data to existing values

obj specs.egress.auth

"Auth is the required authentication type for the allowed traffic, if any."

fn specs.egress.auth.withType

withType(type)

"Type is the required authentication type for the allowed traffic, if any."

obj specs.egress.icmps

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is allowed to connect to. \n Example: Any endpoint with the label \"app=httpd\" is allowed to initiate type 8 ICMP connections."

fn specs.egress.icmps.withFields

withFields(fields)

"Fields is a list of ICMP fields."

fn specs.egress.icmps.withFieldsMixin

withFieldsMixin(fields)

"Fields is a list of ICMP fields."

Note: This function appends passed data to existing values

obj specs.egress.icmps.fields

"Fields is a list of ICMP fields."

fn specs.egress.icmps.fields.withFamily

withFamily(family)

"Family is a IP address version. Currently, we support IPv4 and IPv6. IPv4 is set as default."

fn specs.egress.icmps.fields.withType

withType(type)

"Type is a ICMP-type. It should be 0-255 (8bit)."

obj specs.egress.toCIDRSet

"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."

fn specs.egress.toCIDRSet.withCidr

withCidr(cidr)

"CIDR is a CIDR prefix / IP Block."

fn specs.egress.toCIDRSet.withExcept

withExcept(except)

"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules."

fn specs.egress.toCIDRSet.withExceptMixin

withExceptMixin(except)

"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules."

Note: This function appends passed data to existing values

obj specs.egress.toEndpoints

"ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoints subject to the rule are allowed to communicate. \n Example: Any endpoint with the label \"role=frontend\" can communicate with any endpoint carrying the label \"role=backend\"."

fn specs.egress.toEndpoints.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.egress.toEndpoints.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn specs.egress.toEndpoints.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn specs.egress.toEndpoints.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj specs.egress.toEndpoints.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.egress.toEndpoints.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn specs.egress.toEndpoints.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn specs.egress.toEndpoints.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn specs.egress.toEndpoints.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj specs.egress.toFQDNs

"ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result from DNS resolution of ToFQDN.MatchNames are added to the same EgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and L7 rules within this EgressRule will also apply to these IPs. The DNS -> IP mapping is re-resolved periodically from within the cilium-agent, and the IPs in the DNS response are effected in the policy for selected pods as-is (i.e. the list of IPs is not modified in any way). Note: An explicit rule to allow for DNS traffic is needed for the pods, as ToFQDN counts as an egress rule and will enforce egress policy when PolicyEnforcment=default. Note: If the resolved IPs are IPs within the kubernetes cluster, the ToFQDN rule will not apply to that IP. Note: ToFQDN cannot occur in the same policy as other To* rules. \n The current implementation has a number of limitations: - The DNS resolution originates from cilium-agent, and not from the pods. Differences between the responses seen by cilium agent and a particular pod will whitelist the incorrect IP. - DNS TTLs are ignored, and cilium-agent will repoll on a short interval (5 seconds). Each change to the DNS data will trigger a policy regeneration. This may result in delayed updates to the policy for an endpoint when the data changes often or the system is under load."

fn specs.egress.toFQDNs.withMatchName

withMatchName(matchName)

"MatchName matches literal DNS names. A trailing \".\" is automatically added when missing."

fn specs.egress.toFQDNs.withMatchPattern

withMatchPattern(matchPattern)

"MatchPattern allows using wildcards to match DNS names. All wildcards are case insensitive. The wildcards are: - \"\" matches 0 or more DNS valid characters, and may occur anywhere in the pattern. As a special case a \"\" as the leftmost character, without a following \".\" matches all subdomains as well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: *.cilium.io matches subomains of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not *cilium.io matches cilium.io and all subdomains ends with \"cilium.io\" except those containing \".\" separator, subcilium.io and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium where the subdomain component begins with \"sub\" sub.cilium.io and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not"

obj specs.egress.toGroups

"ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"

obj specs.egress.toGroups.aws

"AWSGroup is an structure that can be used to whitelisting information from AWS integration"

fn specs.egress.toGroups.aws.withLabels

withLabels(labels)

fn specs.egress.toGroups.aws.withLabelsMixin

withLabelsMixin(labels)

Note: This function appends passed data to existing values

fn specs.egress.toGroups.aws.withRegion

withRegion(region)

fn specs.egress.toGroups.aws.withSecurityGroupsIds

withSecurityGroupsIds(securityGroupsIds)

fn specs.egress.toGroups.aws.withSecurityGroupsIdsMixin

withSecurityGroupsIdsMixin(securityGroupsIds)

Note: This function appends passed data to existing values

fn specs.egress.toGroups.aws.withSecurityGroupsNames

withSecurityGroupsNames(securityGroupsNames)

fn specs.egress.toGroups.aws.withSecurityGroupsNamesMixin

withSecurityGroupsNamesMixin(securityGroupsNames)

Note: This function appends passed data to existing values

obj specs.egress.toPorts

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to connect to. \n Example: Any endpoint with the label \"role=frontend\" is allowed to initiate connections to destination port 8080/tcp"

fn specs.egress.toPorts.withPorts

withPorts(ports)

"Ports is a list of L4 port/protocol"

fn specs.egress.toPorts.withPortsMixin

withPortsMixin(ports)

"Ports is a list of L4 port/protocol"

Note: This function appends passed data to existing values

fn specs.egress.toPorts.withServerNames

withServerNames(serverNames)

"ServerNames is a list of allowed TLS SNI values. If not empty, then TLS must be present and one of the provided SNIs must be indicated in the TLS handshake."

fn specs.egress.toPorts.withServerNamesMixin

withServerNamesMixin(serverNames)

"ServerNames is a list of allowed TLS SNI values. If not empty, then TLS must be present and one of the provided SNIs must be indicated in the TLS handshake."

Note: This function appends passed data to existing values

obj specs.egress.toPorts.listener

"listener specifies the name of a custom Envoy listener to which this traffic should be redirected to."

fn specs.egress.toPorts.listener.withName

withName(name)

"Name is the name of the listener."

obj specs.egress.toPorts.listener.envoyConfig

"EnvoyConfig is a reference to the CEC or CCNP resource in which the listener is defined."

fn specs.egress.toPorts.listener.envoyConfig.withKind

withKind(kind)

"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, respectively. The only case this is currently explicitly needed is when referring to a CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener from a cluster scoped policy is not allowed."

fn specs.egress.toPorts.listener.envoyConfig.withName

withName(name)

"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where the listener is defined in."

obj specs.egress.toPorts.originatingTLS

"OriginatingTLS is the TLS context for the connections originated by the L7 proxy. For egress policy this specifies the client-side TLS parameters for the upstream connection originating from the L7 proxy to the remote destination. For ingress policy this specifies the client-side TLS parameters for the connection from the L7 proxy to the local endpoint."

fn specs.egress.toPorts.originatingTLS.withCertificate

withCertificate(certificate)

"Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist."

fn specs.egress.toPorts.originatingTLS.withPrivateKey

withPrivateKey(privateKey)

"PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist."

fn specs.egress.toPorts.originatingTLS.withTrustedCA

withTrustedCA(trustedCA)

"TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist."

obj specs.egress.toPorts.originatingTLS.secret

"Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt' - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate."

fn specs.egress.toPorts.originatingTLS.secret.withName

withName(name)

"Name is the name of the secret."

fn specs.egress.toPorts.originatingTLS.secret.withNamespace

withNamespace(namespace)

"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \"default\")."

obj specs.egress.toPorts.ports

"Ports is a list of L4 port/protocol"

fn specs.egress.toPorts.ports.withPort

withPort(port)

"Port is an L4 port number. For now the string will be strictly parsed as a single uint16. In the future, this field may support ranges in the form \"1024-2048 Port can also be a port name, which must contain at least one [a-z], and may also contain [0-9] and '-' anywhere except adjacent to another '-' or in the beginning or the end."

fn specs.egress.toPorts.ports.withProtocol

withProtocol(protocol)

"Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching on ICMP is not supported. \n Named port specified for a container may narrow this down, but may not contradict this."

obj specs.egress.toPorts.rules

"Rules is a list of additional port level rules which must be met in order for the PortRule to allow the traffic. If omitted or empty, no layer 7 rules are enforced."

fn specs.egress.toPorts.rules.withDns

withDns(dns)

"DNS-specific rules."

fn specs.egress.toPorts.rules.withDnsMixin

withDnsMixin(dns)

"DNS-specific rules."

Note: This function appends passed data to existing values

fn specs.egress.toPorts.rules.withHttp

withHttp(http)

"HTTP specific rules."

fn specs.egress.toPorts.rules.withHttpMixin

withHttpMixin(http)

"HTTP specific rules."

Note: This function appends passed data to existing values

fn specs.egress.toPorts.rules.withKafka

withKafka(kafka)

"Kafka-specific rules."

fn specs.egress.toPorts.rules.withKafkaMixin

withKafkaMixin(kafka)

"Kafka-specific rules."

Note: This function appends passed data to existing values

fn specs.egress.toPorts.rules.withL7

withL7(l7)

"Key-value pair rules."

fn specs.egress.toPorts.rules.withL7Mixin

withL7Mixin(l7)

"Key-value pair rules."

Note: This function appends passed data to existing values

fn specs.egress.toPorts.rules.withL7proto

withL7proto(l7proto)

"Name of the L7 protocol for which the Key-value pair rules apply."

obj specs.egress.toPorts.rules.dns

"DNS-specific rules."

fn specs.egress.toPorts.rules.dns.withMatchName

withMatchName(matchName)

"MatchName matches literal DNS names. A trailing \".\" is automatically added when missing."

fn specs.egress.toPorts.rules.dns.withMatchPattern

withMatchPattern(matchPattern)

"MatchPattern allows using wildcards to match DNS names. All wildcards are case insensitive. The wildcards are: - \"\" matches 0 or more DNS valid characters, and may occur anywhere in the pattern. As a special case a \"\" as the leftmost character, without a following \".\" matches all subdomains as well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: *.cilium.io matches subomains of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not *cilium.io matches cilium.io and all subdomains ends with \"cilium.io\" except those containing \".\" separator, subcilium.io and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium where the subdomain component begins with \"sub\" sub.cilium.io and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not"

obj specs.egress.toPorts.rules.http

"HTTP specific rules."

fn specs.egress.toPorts.rules.http.withHeaderMatches

withHeaderMatches(headerMatches)

"HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match."

fn specs.egress.toPorts.rules.http.withHeaderMatchesMixin

withHeaderMatchesMixin(headerMatches)

"HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match."

Note: This function appends passed data to existing values

fn specs.egress.toPorts.rules.http.withHeaders

withHeaders(headers)

"Headers is a list of HTTP headers which must be present in the request. If omitted or empty, requests are allowed regardless of headers present."

fn specs.egress.toPorts.rules.http.withHeadersMixin

withHeadersMixin(headers)

"Headers is a list of HTTP headers which must be present in the request. If omitted or empty, requests are allowed regardless of headers present."

Note: This function appends passed data to existing values

fn specs.egress.toPorts.rules.http.withHost

withHost(host)

"Host is an extended POSIX regex matched against the host header of a request, e.g. \"foo.com\" \n If omitted or empty, the value of the host header is ignored."

fn specs.egress.toPorts.rules.http.withMethod

withMethod(method)

"Method is an extended POSIX regex matched against the method of a request, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ... \n If omitted or empty, all methods are allowed."

fn specs.egress.toPorts.rules.http.withPath

withPath(path)

"Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. \n If omitted or empty, all paths are all allowed."

obj specs.egress.toPorts.rules.http.headerMatches

"HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match."

fn specs.egress.toPorts.rules.http.headerMatches.withMismatch

withMismatch(mismatch)

"Mismatch identifies what to do in case there is no match. The default is to drop the request. Otherwise the overall rule is still considered as matching, but the mismatches are logged in the access log."

fn specs.egress.toPorts.rules.http.headerMatches.withName

withName(name)

"Name identifies the header."

fn specs.egress.toPorts.rules.http.headerMatches.withValue

withValue(value)

"Value matches the exact value of the header. Can be specified either alone or together with \"Secret\"; will be used as the header value if the secret can not be found in the latter case."

obj specs.egress.toPorts.rules.http.headerMatches.secret

"Secret refers to a secret that contains the value to be matched against. The secret must only contain one entry. If the referred secret does not exist, and there is no \"Value\" specified, the match will fail."

fn specs.egress.toPorts.rules.http.headerMatches.secret.withName

withName(name)

"Name is the name of the secret."

fn specs.egress.toPorts.rules.http.headerMatches.secret.withNamespace

withNamespace(namespace)

"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \"default\")."

obj specs.egress.toPorts.rules.kafka

"Kafka-specific rules."

fn specs.egress.toPorts.rules.kafka.withApiKey

withApiKey(apiKey)

"APIKey is a case-insensitive string matched against the key of a request, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys \n If omitted or empty, and if Role is not specified, then all keys are allowed."

fn specs.egress.toPorts.rules.kafka.withApiVersion

withApiVersion(apiVersion)

"APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer. \n If omitted or empty, all versions are allowed."

fn specs.egress.toPorts.rules.kafka.withClientID

withClientID(clientID)

"ClientID is the client identifier as provided in the request. \n From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client. \n If omitted or empty, all client identifiers are allowed."

fn specs.egress.toPorts.rules.kafka.withRole

withRole(role)

"Role is a case-insensitive string and describes a group of API keys necessary to perform certain higher-level Kafka operations such as \"produce\" or \"consume\". A Role automatically expands into all APIKeys required to perform the specified higher-level operation. \n The following values are supported: - \"produce\": Allow producing to the topics specified in the rule - \"consume\": Allow consuming from the topics specified in the rule \n This field is incompatible with the APIKey field, i.e APIKey and Role cannot both be specified in the same rule. \n If omitted or empty, and if APIKey is not specified, then all keys are allowed."

fn specs.egress.toPorts.rules.kafka.withTopic

withTopic(topic)

"Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected. \n This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _. \n Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. For compatibility reasons we are using 255. \n If omitted or empty, all topics are allowed."

obj specs.egress.toPorts.terminatingTLS

"TerminatingTLS is the TLS context for the connection terminated by the L7 proxy. For egress policy this specifies the server-side TLS parameters to be applied on the connections originated from the local endpoint and terminated by the L7 proxy. For ingress policy this specifies the server-side TLS parameters to be applied on the connections originated from a remote source and terminated by the L7 proxy."

fn specs.egress.toPorts.terminatingTLS.withCertificate

withCertificate(certificate)

"Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist."

fn specs.egress.toPorts.terminatingTLS.withPrivateKey

withPrivateKey(privateKey)

"PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist."

fn specs.egress.toPorts.terminatingTLS.withTrustedCA

withTrustedCA(trustedCA)

"TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist."

obj specs.egress.toPorts.terminatingTLS.secret

"Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt' - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate."

fn specs.egress.toPorts.terminatingTLS.secret.withName

withName(name)

"Name is the name of the secret."

fn specs.egress.toPorts.terminatingTLS.secret.withNamespace

withNamespace(namespace)

"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \"default\")."

obj specs.egress.toRequires

"ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching ToEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires any endpoint to which it communicates to also carry the label \"team=A\"."

fn specs.egress.toRequires.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.egress.toRequires.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn specs.egress.toRequires.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn specs.egress.toRequires.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj specs.egress.toRequires.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.egress.toRequires.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn specs.egress.toRequires.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn specs.egress.toRequires.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn specs.egress.toRequires.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj specs.egress.toServices

"ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors. \n Example: Any endpoint with the label \"app=backend-app\" is allowed to initiate connections to all cidrs backing the \"external-service\" service"

obj specs.egress.toServices.k8sService

"K8sService selects service by name and namespace pair"

fn specs.egress.toServices.k8sService.withNamespace

withNamespace(namespace)

fn specs.egress.toServices.k8sService.withServiceName

withServiceName(serviceName)

obj specs.egress.toServices.k8sServiceSelector

"K8sServiceSelector selects services by k8s labels and namespace"

fn specs.egress.toServices.k8sServiceSelector.withNamespace

withNamespace(namespace)

obj specs.egress.toServices.k8sServiceSelector.selector

"ServiceSelector is a label selector for k8s services"

fn specs.egress.toServices.k8sServiceSelector.selector.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.egress.toServices.k8sServiceSelector.selector.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn specs.egress.toServices.k8sServiceSelector.selector.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn specs.egress.toServices.k8sServiceSelector.selector.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj specs.egress.toServices.k8sServiceSelector.selector.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.egress.toServices.k8sServiceSelector.selector.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn specs.egress.toServices.k8sServiceSelector.selector.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn specs.egress.toServices.k8sServiceSelector.selector.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn specs.egress.toServices.k8sServiceSelector.selector.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj specs.egressDeny

"EgressDeny is a list of EgressDenyRule which are enforced at egress. Any rule inserted here will by denied regardless of the allowed egress rules in the 'egress' field. If omitted or empty, this rule does not apply at egress."

fn specs.egressDeny.withIcmps

withIcmps(icmps)

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is not allowed to connect to. \n Example: Any endpoint with the label \"app=httpd\" is not allowed to initiate type 8 ICMP connections."

fn specs.egressDeny.withIcmpsMixin

withIcmpsMixin(icmps)

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is not allowed to connect to. \n Example: Any endpoint with the label \"app=httpd\" is not allowed to initiate type 8 ICMP connections."

Note: This function appends passed data to existing values

fn specs.egressDeny.withToCIDR

withToCIDR(toCIDR)

"ToCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections. Only connections destined for outside of the cluster and not targeting the host will be subject to CIDR rules. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24"

fn specs.egressDeny.withToCIDRMixin

withToCIDRMixin(toCIDR)

"ToCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections. Only connections destined for outside of the cluster and not targeting the host will be subject to CIDR rules. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24"

Note: This function appends passed data to existing values

fn specs.egressDeny.withToCIDRSet

withToCIDRSet(toCIDRSet)

"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."

fn specs.egressDeny.withToCIDRSetMixin

withToCIDRSetMixin(toCIDRSet)

"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."

Note: This function appends passed data to existing values

fn specs.egressDeny.withToEndpoints

withToEndpoints(toEndpoints)

"ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoints subject to the rule are allowed to communicate. \n Example: Any endpoint with the label \"role=frontend\" can communicate with any endpoint carrying the label \"role=backend\"."

fn specs.egressDeny.withToEndpointsMixin

withToEndpointsMixin(toEndpoints)

"ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoints subject to the rule are allowed to communicate. \n Example: Any endpoint with the label \"role=frontend\" can communicate with any endpoint carrying the label \"role=backend\"."

Note: This function appends passed data to existing values

fn specs.egressDeny.withToEntities

withToEntities(toEntities)

"ToEntities is a list of special entities to which the endpoint subject to the rule is allowed to initiate connections. Supported entities are world, cluster and host"

fn specs.egressDeny.withToEntitiesMixin

withToEntitiesMixin(toEntities)

"ToEntities is a list of special entities to which the endpoint subject to the rule is allowed to initiate connections. Supported entities are world, cluster and host"

Note: This function appends passed data to existing values

fn specs.egressDeny.withToGroups

withToGroups(toGroups)

"ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"

fn specs.egressDeny.withToGroupsMixin

withToGroupsMixin(toGroups)

"ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"

Note: This function appends passed data to existing values

fn specs.egressDeny.withToPorts

withToPorts(toPorts)

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to connect to. \n Example: Any endpoint with the label \"role=frontend\" is not allowed to initiate connections to destination port 8080/tcp"

fn specs.egressDeny.withToPortsMixin

withToPortsMixin(toPorts)

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to connect to. \n Example: Any endpoint with the label \"role=frontend\" is not allowed to initiate connections to destination port 8080/tcp"

Note: This function appends passed data to existing values

fn specs.egressDeny.withToRequires

withToRequires(toRequires)

"ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching ToEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires any endpoint to which it communicates to also carry the label \"team=A\"."

fn specs.egressDeny.withToRequiresMixin

withToRequiresMixin(toRequires)

"ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching ToEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires any endpoint to which it communicates to also carry the label \"team=A\"."

Note: This function appends passed data to existing values

fn specs.egressDeny.withToServices

withToServices(toServices)

"ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors. \n Example: Any endpoint with the label \"app=backend-app\" is allowed to initiate connections to all cidrs backing the \"external-service\" service"

fn specs.egressDeny.withToServicesMixin

withToServicesMixin(toServices)

"ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors. \n Example: Any endpoint with the label \"app=backend-app\" is allowed to initiate connections to all cidrs backing the \"external-service\" service"

Note: This function appends passed data to existing values

obj specs.egressDeny.icmps

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is not allowed to connect to. \n Example: Any endpoint with the label \"app=httpd\" is not allowed to initiate type 8 ICMP connections."

fn specs.egressDeny.icmps.withFields

withFields(fields)

"Fields is a list of ICMP fields."

fn specs.egressDeny.icmps.withFieldsMixin

withFieldsMixin(fields)

"Fields is a list of ICMP fields."

Note: This function appends passed data to existing values

obj specs.egressDeny.icmps.fields

"Fields is a list of ICMP fields."

fn specs.egressDeny.icmps.fields.withFamily

withFamily(family)

"Family is a IP address version. Currently, we support IPv4 and IPv6. IPv4 is set as default."

fn specs.egressDeny.icmps.fields.withType

withType(type)

"Type is a ICMP-type. It should be 0-255 (8bit)."

obj specs.egressDeny.toCIDRSet

"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \n Example: Any endpoint with the label \"app=database-proxy\" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."

fn specs.egressDeny.toCIDRSet.withCidr

withCidr(cidr)

"CIDR is a CIDR prefix / IP Block."

fn specs.egressDeny.toCIDRSet.withExcept

withExcept(except)

"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules."

fn specs.egressDeny.toCIDRSet.withExceptMixin

withExceptMixin(except)

"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules."

Note: This function appends passed data to existing values

obj specs.egressDeny.toEndpoints

"ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoints subject to the rule are allowed to communicate. \n Example: Any endpoint with the label \"role=frontend\" can communicate with any endpoint carrying the label \"role=backend\"."

fn specs.egressDeny.toEndpoints.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.egressDeny.toEndpoints.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn specs.egressDeny.toEndpoints.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn specs.egressDeny.toEndpoints.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj specs.egressDeny.toEndpoints.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.egressDeny.toEndpoints.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn specs.egressDeny.toEndpoints.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn specs.egressDeny.toEndpoints.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn specs.egressDeny.toEndpoints.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj specs.egressDeny.toGroups

"ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'"

obj specs.egressDeny.toGroups.aws

"AWSGroup is an structure that can be used to whitelisting information from AWS integration"

fn specs.egressDeny.toGroups.aws.withLabels

withLabels(labels)

fn specs.egressDeny.toGroups.aws.withLabelsMixin

withLabelsMixin(labels)

Note: This function appends passed data to existing values

fn specs.egressDeny.toGroups.aws.withRegion

withRegion(region)

fn specs.egressDeny.toGroups.aws.withSecurityGroupsIds

withSecurityGroupsIds(securityGroupsIds)

fn specs.egressDeny.toGroups.aws.withSecurityGroupsIdsMixin

withSecurityGroupsIdsMixin(securityGroupsIds)

Note: This function appends passed data to existing values

fn specs.egressDeny.toGroups.aws.withSecurityGroupsNames

withSecurityGroupsNames(securityGroupsNames)

fn specs.egressDeny.toGroups.aws.withSecurityGroupsNamesMixin

withSecurityGroupsNamesMixin(securityGroupsNames)

Note: This function appends passed data to existing values

obj specs.egressDeny.toPorts

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to connect to. \n Example: Any endpoint with the label \"role=frontend\" is not allowed to initiate connections to destination port 8080/tcp"

fn specs.egressDeny.toPorts.withPorts

withPorts(ports)

"Ports is a list of L4 port/protocol"

fn specs.egressDeny.toPorts.withPortsMixin

withPortsMixin(ports)

"Ports is a list of L4 port/protocol"

Note: This function appends passed data to existing values

obj specs.egressDeny.toPorts.ports

"Ports is a list of L4 port/protocol"

fn specs.egressDeny.toPorts.ports.withPort

withPort(port)

"Port is an L4 port number. For now the string will be strictly parsed as a single uint16. In the future, this field may support ranges in the form \"1024-2048 Port can also be a port name, which must contain at least one [a-z], and may also contain [0-9] and '-' anywhere except adjacent to another '-' or in the beginning or the end."

fn specs.egressDeny.toPorts.ports.withProtocol

withProtocol(protocol)

"Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching on ICMP is not supported. \n Named port specified for a container may narrow this down, but may not contradict this."

obj specs.egressDeny.toRequires

"ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching ToEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires any endpoint to which it communicates to also carry the label \"team=A\"."

fn specs.egressDeny.toRequires.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.egressDeny.toRequires.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn specs.egressDeny.toRequires.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn specs.egressDeny.toRequires.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj specs.egressDeny.toRequires.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.egressDeny.toRequires.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn specs.egressDeny.toRequires.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn specs.egressDeny.toRequires.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn specs.egressDeny.toRequires.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj specs.egressDeny.toServices

"ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors. \n Example: Any endpoint with the label \"app=backend-app\" is allowed to initiate connections to all cidrs backing the \"external-service\" service"

obj specs.egressDeny.toServices.k8sService

"K8sService selects service by name and namespace pair"

fn specs.egressDeny.toServices.k8sService.withNamespace

withNamespace(namespace)

fn specs.egressDeny.toServices.k8sService.withServiceName

withServiceName(serviceName)

obj specs.egressDeny.toServices.k8sServiceSelector

"K8sServiceSelector selects services by k8s labels and namespace"

fn specs.egressDeny.toServices.k8sServiceSelector.withNamespace

withNamespace(namespace)

obj specs.egressDeny.toServices.k8sServiceSelector.selector

"ServiceSelector is a label selector for k8s services"

fn specs.egressDeny.toServices.k8sServiceSelector.selector.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.egressDeny.toServices.k8sServiceSelector.selector.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn specs.egressDeny.toServices.k8sServiceSelector.selector.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn specs.egressDeny.toServices.k8sServiceSelector.selector.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj specs.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn specs.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn specs.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn specs.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj specs.endpointSelector

"EndpointSelector selects all endpoints which should be subject to this rule. EndpointSelector and NodeSelector cannot be both empty and are mutually exclusive."

fn specs.endpointSelector.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.endpointSelector.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn specs.endpointSelector.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn specs.endpointSelector.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj specs.endpointSelector.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.endpointSelector.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn specs.endpointSelector.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn specs.endpointSelector.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn specs.endpointSelector.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj specs.ingress

"Ingress is a list of IngressRule which are enforced at ingress. If omitted or empty, this rule does not apply at ingress."

fn specs.ingress.withFromCIDR

withFromCIDR(fromCIDR)

"FromCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from. Only connections which do not originate from the cluster or from the local host are subject to CIDR rules. In order to allow in-cluster connectivity, use the FromEndpoints field. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.3.9.1"

fn specs.ingress.withFromCIDRMixin

withFromCIDRMixin(fromCIDR)

"FromCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from. Only connections which do not originate from the cluster or from the local host are subject to CIDR rules. In order to allow in-cluster connectivity, use the FromEndpoints field. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.3.9.1"

Note: This function appends passed data to existing values

fn specs.ingress.withFromCIDRSet

withFromCIDRSet(fromCIDRSet)

"FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."

fn specs.ingress.withFromCIDRSetMixin

withFromCIDRSetMixin(fromCIDRSet)

"FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."

Note: This function appends passed data to existing values

fn specs.ingress.withFromEndpoints

withFromEndpoints(fromEndpoints)

"FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule. \n Example: Any endpoint with the label \"role=backend\" can be consumed by any endpoint carrying the label \"role=frontend\"."

fn specs.ingress.withFromEndpointsMixin

withFromEndpointsMixin(fromEndpoints)

"FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule. \n Example: Any endpoint with the label \"role=backend\" can be consumed by any endpoint carrying the label \"role=frontend\"."

Note: This function appends passed data to existing values

fn specs.ingress.withFromEntities

withFromEntities(fromEntities)

"FromEntities is a list of special entities which the endpoint subject to the rule is allowed to receive connections from. Supported entities are world, cluster and host"

fn specs.ingress.withFromEntitiesMixin

withFromEntitiesMixin(fromEntities)

"FromEntities is a list of special entities which the endpoint subject to the rule is allowed to receive connections from. Supported entities are world, cluster and host"

Note: This function appends passed data to existing values

fn specs.ingress.withFromRequires

withFromRequires(fromRequires)

"FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching FromEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires consuming endpoint to also carry the label \"team=A\"."

fn specs.ingress.withFromRequiresMixin

withFromRequiresMixin(fromRequires)

"FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching FromEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires consuming endpoint to also carry the label \"team=A\"."

Note: This function appends passed data to existing values

fn specs.ingress.withIcmps

withIcmps(icmps)

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can only accept incoming type 8 ICMP connections."

fn specs.ingress.withIcmpsMixin

withIcmpsMixin(icmps)

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can only accept incoming type 8 ICMP connections."

Note: This function appends passed data to existing values

fn specs.ingress.withToPorts

withToPorts(toPorts)

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can only accept incoming connections on port 80/tcp."

fn specs.ingress.withToPortsMixin

withToPortsMixin(toPorts)

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can only accept incoming connections on port 80/tcp."

Note: This function appends passed data to existing values

obj specs.ingress.auth

"Auth is the required authentication type for the allowed traffic, if any."

fn specs.ingress.auth.withType

withType(type)

"Type is the required authentication type for the allowed traffic, if any."

obj specs.ingress.fromCIDRSet

"FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."

fn specs.ingress.fromCIDRSet.withCidr

withCidr(cidr)

"CIDR is a CIDR prefix / IP Block."

fn specs.ingress.fromCIDRSet.withExcept

withExcept(except)

"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules."

fn specs.ingress.fromCIDRSet.withExceptMixin

withExceptMixin(except)

"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules."

Note: This function appends passed data to existing values

obj specs.ingress.fromEndpoints

"FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule. \n Example: Any endpoint with the label \"role=backend\" can be consumed by any endpoint carrying the label \"role=frontend\"."

fn specs.ingress.fromEndpoints.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.ingress.fromEndpoints.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn specs.ingress.fromEndpoints.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn specs.ingress.fromEndpoints.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj specs.ingress.fromEndpoints.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.ingress.fromEndpoints.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn specs.ingress.fromEndpoints.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn specs.ingress.fromEndpoints.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn specs.ingress.fromEndpoints.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj specs.ingress.fromRequires

"FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching FromEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires consuming endpoint to also carry the label \"team=A\"."

fn specs.ingress.fromRequires.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.ingress.fromRequires.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn specs.ingress.fromRequires.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn specs.ingress.fromRequires.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj specs.ingress.fromRequires.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.ingress.fromRequires.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn specs.ingress.fromRequires.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn specs.ingress.fromRequires.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn specs.ingress.fromRequires.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj specs.ingress.icmps

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can only accept incoming type 8 ICMP connections."

fn specs.ingress.icmps.withFields

withFields(fields)

"Fields is a list of ICMP fields."

fn specs.ingress.icmps.withFieldsMixin

withFieldsMixin(fields)

"Fields is a list of ICMP fields."

Note: This function appends passed data to existing values

obj specs.ingress.icmps.fields

"Fields is a list of ICMP fields."

fn specs.ingress.icmps.fields.withFamily

withFamily(family)

"Family is a IP address version. Currently, we support IPv4 and IPv6. IPv4 is set as default."

fn specs.ingress.icmps.fields.withType

withType(type)

"Type is a ICMP-type. It should be 0-255 (8bit)."

obj specs.ingress.toPorts

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can only accept incoming connections on port 80/tcp."

fn specs.ingress.toPorts.withPorts

withPorts(ports)

"Ports is a list of L4 port/protocol"

fn specs.ingress.toPorts.withPortsMixin

withPortsMixin(ports)

"Ports is a list of L4 port/protocol"

Note: This function appends passed data to existing values

fn specs.ingress.toPorts.withServerNames

withServerNames(serverNames)

"ServerNames is a list of allowed TLS SNI values. If not empty, then TLS must be present and one of the provided SNIs must be indicated in the TLS handshake."

fn specs.ingress.toPorts.withServerNamesMixin

withServerNamesMixin(serverNames)

"ServerNames is a list of allowed TLS SNI values. If not empty, then TLS must be present and one of the provided SNIs must be indicated in the TLS handshake."

Note: This function appends passed data to existing values

obj specs.ingress.toPorts.listener

"listener specifies the name of a custom Envoy listener to which this traffic should be redirected to."

fn specs.ingress.toPorts.listener.withName

withName(name)

"Name is the name of the listener."

obj specs.ingress.toPorts.listener.envoyConfig

"EnvoyConfig is a reference to the CEC or CCNP resource in which the listener is defined."

fn specs.ingress.toPorts.listener.envoyConfig.withKind

withKind(kind)

"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, respectively. The only case this is currently explicitly needed is when referring to a CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener from a cluster scoped policy is not allowed."

fn specs.ingress.toPorts.listener.envoyConfig.withName

withName(name)

"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where the listener is defined in."

obj specs.ingress.toPorts.originatingTLS

"OriginatingTLS is the TLS context for the connections originated by the L7 proxy. For egress policy this specifies the client-side TLS parameters for the upstream connection originating from the L7 proxy to the remote destination. For ingress policy this specifies the client-side TLS parameters for the connection from the L7 proxy to the local endpoint."

fn specs.ingress.toPorts.originatingTLS.withCertificate

withCertificate(certificate)

"Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist."

fn specs.ingress.toPorts.originatingTLS.withPrivateKey

withPrivateKey(privateKey)

"PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist."

fn specs.ingress.toPorts.originatingTLS.withTrustedCA

withTrustedCA(trustedCA)

"TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist."

obj specs.ingress.toPorts.originatingTLS.secret

"Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt' - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate."

fn specs.ingress.toPorts.originatingTLS.secret.withName

withName(name)

"Name is the name of the secret."

fn specs.ingress.toPorts.originatingTLS.secret.withNamespace

withNamespace(namespace)

"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \"default\")."

obj specs.ingress.toPorts.ports

"Ports is a list of L4 port/protocol"

fn specs.ingress.toPorts.ports.withPort

withPort(port)

"Port is an L4 port number. For now the string will be strictly parsed as a single uint16. In the future, this field may support ranges in the form \"1024-2048 Port can also be a port name, which must contain at least one [a-z], and may also contain [0-9] and '-' anywhere except adjacent to another '-' or in the beginning or the end."

fn specs.ingress.toPorts.ports.withProtocol

withProtocol(protocol)

"Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching on ICMP is not supported. \n Named port specified for a container may narrow this down, but may not contradict this."

obj specs.ingress.toPorts.rules

"Rules is a list of additional port level rules which must be met in order for the PortRule to allow the traffic. If omitted or empty, no layer 7 rules are enforced."

fn specs.ingress.toPorts.rules.withDns

withDns(dns)

"DNS-specific rules."

fn specs.ingress.toPorts.rules.withDnsMixin

withDnsMixin(dns)

"DNS-specific rules."

Note: This function appends passed data to existing values

fn specs.ingress.toPorts.rules.withHttp

withHttp(http)

"HTTP specific rules."

fn specs.ingress.toPorts.rules.withHttpMixin

withHttpMixin(http)

"HTTP specific rules."

Note: This function appends passed data to existing values

fn specs.ingress.toPorts.rules.withKafka

withKafka(kafka)

"Kafka-specific rules."

fn specs.ingress.toPorts.rules.withKafkaMixin

withKafkaMixin(kafka)

"Kafka-specific rules."

Note: This function appends passed data to existing values

fn specs.ingress.toPorts.rules.withL7

withL7(l7)

"Key-value pair rules."

fn specs.ingress.toPorts.rules.withL7Mixin

withL7Mixin(l7)

"Key-value pair rules."

Note: This function appends passed data to existing values

fn specs.ingress.toPorts.rules.withL7proto

withL7proto(l7proto)

"Name of the L7 protocol for which the Key-value pair rules apply."

obj specs.ingress.toPorts.rules.dns

"DNS-specific rules."

fn specs.ingress.toPorts.rules.dns.withMatchName

withMatchName(matchName)

"MatchName matches literal DNS names. A trailing \".\" is automatically added when missing."

fn specs.ingress.toPorts.rules.dns.withMatchPattern

withMatchPattern(matchPattern)

"MatchPattern allows using wildcards to match DNS names. All wildcards are case insensitive. The wildcards are: - \"\" matches 0 or more DNS valid characters, and may occur anywhere in the pattern. As a special case a \"\" as the leftmost character, without a following \".\" matches all subdomains as well as the name to the right. A trailing \".\" is automatically added when missing. \n Examples: *.cilium.io matches subomains of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not *cilium.io matches cilium.io and all subdomains ends with \"cilium.io\" except those containing \".\" separator, subcilium.io and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium where the subdomain component begins with \"sub\" sub.cilium.io and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not"

obj specs.ingress.toPorts.rules.http

"HTTP specific rules."

fn specs.ingress.toPorts.rules.http.withHeaderMatches

withHeaderMatches(headerMatches)

"HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match."

fn specs.ingress.toPorts.rules.http.withHeaderMatchesMixin

withHeaderMatchesMixin(headerMatches)

"HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match."

Note: This function appends passed data to existing values

fn specs.ingress.toPorts.rules.http.withHeaders

withHeaders(headers)

"Headers is a list of HTTP headers which must be present in the request. If omitted or empty, requests are allowed regardless of headers present."

fn specs.ingress.toPorts.rules.http.withHeadersMixin

withHeadersMixin(headers)

"Headers is a list of HTTP headers which must be present in the request. If omitted or empty, requests are allowed regardless of headers present."

Note: This function appends passed data to existing values

fn specs.ingress.toPorts.rules.http.withHost

withHost(host)

"Host is an extended POSIX regex matched against the host header of a request, e.g. \"foo.com\" \n If omitted or empty, the value of the host header is ignored."

fn specs.ingress.toPorts.rules.http.withMethod

withMethod(method)

"Method is an extended POSIX regex matched against the method of a request, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ... \n If omitted or empty, all methods are allowed."

fn specs.ingress.toPorts.rules.http.withPath

withPath(path)

"Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional \"path\" part of a URL as defined by RFC 3986. \n If omitted or empty, all paths are all allowed."

obj specs.ingress.toPorts.rules.http.headerMatches

"HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match."

fn specs.ingress.toPorts.rules.http.headerMatches.withMismatch

withMismatch(mismatch)

"Mismatch identifies what to do in case there is no match. The default is to drop the request. Otherwise the overall rule is still considered as matching, but the mismatches are logged in the access log."

fn specs.ingress.toPorts.rules.http.headerMatches.withName

withName(name)

"Name identifies the header."

fn specs.ingress.toPorts.rules.http.headerMatches.withValue

withValue(value)

"Value matches the exact value of the header. Can be specified either alone or together with \"Secret\"; will be used as the header value if the secret can not be found in the latter case."

obj specs.ingress.toPorts.rules.http.headerMatches.secret

"Secret refers to a secret that contains the value to be matched against. The secret must only contain one entry. If the referred secret does not exist, and there is no \"Value\" specified, the match will fail."

fn specs.ingress.toPorts.rules.http.headerMatches.secret.withName

withName(name)

"Name is the name of the secret."

fn specs.ingress.toPorts.rules.http.headerMatches.secret.withNamespace

withNamespace(namespace)

"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \"default\")."

obj specs.ingress.toPorts.rules.kafka

"Kafka-specific rules."

fn specs.ingress.toPorts.rules.kafka.withApiKey

withApiKey(apiKey)

"APIKey is a case-insensitive string matched against the key of a request, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys \n If omitted or empty, and if Role is not specified, then all keys are allowed."

fn specs.ingress.toPorts.rules.kafka.withApiVersion

withApiVersion(apiVersion)

"APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer. \n If omitted or empty, all versions are allowed."

fn specs.ingress.toPorts.rules.kafka.withClientID

withClientID(clientID)

"ClientID is the client identifier as provided in the request. \n From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client. \n If omitted or empty, all client identifiers are allowed."

fn specs.ingress.toPorts.rules.kafka.withRole

withRole(role)

"Role is a case-insensitive string and describes a group of API keys necessary to perform certain higher-level Kafka operations such as \"produce\" or \"consume\". A Role automatically expands into all APIKeys required to perform the specified higher-level operation. \n The following values are supported: - \"produce\": Allow producing to the topics specified in the rule - \"consume\": Allow consuming from the topics specified in the rule \n This field is incompatible with the APIKey field, i.e APIKey and Role cannot both be specified in the same rule. \n If omitted or empty, and if APIKey is not specified, then all keys are allowed."

fn specs.ingress.toPorts.rules.kafka.withTopic

withTopic(topic)

"Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected. \n This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _. \n Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. For compatibility reasons we are using 255. \n If omitted or empty, all topics are allowed."

obj specs.ingress.toPorts.terminatingTLS

"TerminatingTLS is the TLS context for the connection terminated by the L7 proxy. For egress policy this specifies the server-side TLS parameters to be applied on the connections originated from the local endpoint and terminated by the L7 proxy. For ingress policy this specifies the server-side TLS parameters to be applied on the connections originated from a remote source and terminated by the L7 proxy."

fn specs.ingress.toPorts.terminatingTLS.withCertificate

withCertificate(certificate)

"Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist."

fn specs.ingress.toPorts.terminatingTLS.withPrivateKey

withPrivateKey(privateKey)

"PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist."

fn specs.ingress.toPorts.terminatingTLS.withTrustedCA

withTrustedCA(trustedCA)

"TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist."

obj specs.ingress.toPorts.terminatingTLS.secret

"Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt' - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate."

fn specs.ingress.toPorts.terminatingTLS.secret.withName

withName(name)

"Name is the name of the secret."

fn specs.ingress.toPorts.terminatingTLS.secret.withNamespace

withNamespace(namespace)

"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \"default\")."

obj specs.ingressDeny

"IngressDeny is a list of IngressDenyRule which are enforced at ingress. Any rule inserted here will by denied regardless of the allowed ingress rules in the 'ingress' field. If omitted or empty, this rule does not apply at ingress."

fn specs.ingressDeny.withFromCIDR

withFromCIDR(fromCIDR)

"FromCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from. Only connections which do not originate from the cluster or from the local host are subject to CIDR rules. In order to allow in-cluster connectivity, use the FromEndpoints field. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.3.9.1"

fn specs.ingressDeny.withFromCIDRMixin

withFromCIDRMixin(fromCIDR)

"FromCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from. Only connections which do not originate from the cluster or from the local host are subject to CIDR rules. In order to allow in-cluster connectivity, use the FromEndpoints field. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.3.9.1"

Note: This function appends passed data to existing values

fn specs.ingressDeny.withFromCIDRSet

withFromCIDRSet(fromCIDRSet)

"FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."

fn specs.ingressDeny.withFromCIDRSetMixin

withFromCIDRSetMixin(fromCIDRSet)

"FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."

Note: This function appends passed data to existing values

fn specs.ingressDeny.withFromEndpoints

withFromEndpoints(fromEndpoints)

"FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule. \n Example: Any endpoint with the label \"role=backend\" can be consumed by any endpoint carrying the label \"role=frontend\"."

fn specs.ingressDeny.withFromEndpointsMixin

withFromEndpointsMixin(fromEndpoints)

"FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule. \n Example: Any endpoint with the label \"role=backend\" can be consumed by any endpoint carrying the label \"role=frontend\"."

Note: This function appends passed data to existing values

fn specs.ingressDeny.withFromEntities

withFromEntities(fromEntities)

"FromEntities is a list of special entities which the endpoint subject to the rule is allowed to receive connections from. Supported entities are world, cluster and host"

fn specs.ingressDeny.withFromEntitiesMixin

withFromEntitiesMixin(fromEntities)

"FromEntities is a list of special entities which the endpoint subject to the rule is allowed to receive connections from. Supported entities are world, cluster and host"

Note: This function appends passed data to existing values

fn specs.ingressDeny.withFromRequires

withFromRequires(fromRequires)

"FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching FromEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires consuming endpoint to also carry the label \"team=A\"."

fn specs.ingressDeny.withFromRequiresMixin

withFromRequiresMixin(fromRequires)

"FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching FromEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires consuming endpoint to also carry the label \"team=A\"."

Note: This function appends passed data to existing values

fn specs.ingressDeny.withIcmps

withIcmps(icmps)

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is not allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can not accept incoming type 8 ICMP connections."

fn specs.ingressDeny.withIcmpsMixin

withIcmpsMixin(icmps)

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is not allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can not accept incoming type 8 ICMP connections."

Note: This function appends passed data to existing values

fn specs.ingressDeny.withToPorts

withToPorts(toPorts)

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can not accept incoming connections on port 80/tcp."

fn specs.ingressDeny.withToPortsMixin

withToPortsMixin(toPorts)

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can not accept incoming connections on port 80/tcp."

Note: This function appends passed data to existing values

obj specs.ingressDeny.fromCIDRSet

"FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \n Example: Any endpoint with the label \"app=my-legacy-pet\" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."

fn specs.ingressDeny.fromCIDRSet.withCidr

withCidr(cidr)

"CIDR is a CIDR prefix / IP Block."

fn specs.ingressDeny.fromCIDRSet.withExcept

withExcept(except)

"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules."

fn specs.ingressDeny.fromCIDRSet.withExceptMixin

withExceptMixin(except)

"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules."

Note: This function appends passed data to existing values

obj specs.ingressDeny.fromEndpoints

"FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule. \n Example: Any endpoint with the label \"role=backend\" can be consumed by any endpoint carrying the label \"role=frontend\"."

fn specs.ingressDeny.fromEndpoints.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.ingressDeny.fromEndpoints.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn specs.ingressDeny.fromEndpoints.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn specs.ingressDeny.fromEndpoints.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj specs.ingressDeny.fromEndpoints.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.ingressDeny.fromEndpoints.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn specs.ingressDeny.fromEndpoints.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn specs.ingressDeny.fromEndpoints.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn specs.ingressDeny.fromEndpoints.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj specs.ingressDeny.fromRequires

"FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching FromEndpoints. \n Example: Any Endpoint with the label \"team=A\" requires consuming endpoint to also carry the label \"team=A\"."

fn specs.ingressDeny.fromRequires.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.ingressDeny.fromRequires.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn specs.ingressDeny.fromRequires.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn specs.ingressDeny.fromRequires.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj specs.ingressDeny.fromRequires.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.ingressDeny.fromRequires.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn specs.ingressDeny.fromRequires.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn specs.ingressDeny.fromRequires.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn specs.ingressDeny.fromRequires.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values

obj specs.ingressDeny.icmps

"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is not allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can not accept incoming type 8 ICMP connections."

fn specs.ingressDeny.icmps.withFields

withFields(fields)

"Fields is a list of ICMP fields."

fn specs.ingressDeny.icmps.withFieldsMixin

withFieldsMixin(fields)

"Fields is a list of ICMP fields."

Note: This function appends passed data to existing values

obj specs.ingressDeny.icmps.fields

"Fields is a list of ICMP fields."

fn specs.ingressDeny.icmps.fields.withFamily

withFamily(family)

"Family is a IP address version. Currently, we support IPv4 and IPv6. IPv4 is set as default."

fn specs.ingressDeny.icmps.fields.withType

withType(type)

"Type is a ICMP-type. It should be 0-255 (8bit)."

obj specs.ingressDeny.toPorts

"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to receive connections on. \n Example: Any endpoint with the label \"app=httpd\" can not accept incoming connections on port 80/tcp."

fn specs.ingressDeny.toPorts.withPorts

withPorts(ports)

"Ports is a list of L4 port/protocol"

fn specs.ingressDeny.toPorts.withPortsMixin

withPortsMixin(ports)

"Ports is a list of L4 port/protocol"

Note: This function appends passed data to existing values

obj specs.ingressDeny.toPorts.ports

"Ports is a list of L4 port/protocol"

fn specs.ingressDeny.toPorts.ports.withPort

withPort(port)

"Port is an L4 port number. For now the string will be strictly parsed as a single uint16. In the future, this field may support ranges in the form \"1024-2048 Port can also be a port name, which must contain at least one [a-z], and may also contain [0-9] and '-' anywhere except adjacent to another '-' or in the beginning or the end."

fn specs.ingressDeny.toPorts.ports.withProtocol

withProtocol(protocol)

"Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\" \n Matching on ICMP is not supported. \n Named port specified for a container may narrow this down, but may not contradict this."

obj specs.labels

"Labels is a list of optional strings which can be used to re-identify the rule or to store metadata. It is possible to lookup or delete strings based on labels. Labels are not required to be unique, multiple rules can have overlapping or identical labels."

fn specs.labels.withKey

withKey(key)

fn specs.labels.withSource

withSource(source)

"Source can be one of the above values (e.g.: LabelSourceContainer)."

fn specs.labels.withValue

withValue(value)

obj specs.nodeSelector

"NodeSelector selects all nodes which should be subject to this rule. EndpointSelector and NodeSelector cannot be both empty and are mutually exclusive. Can only be used in CiliumClusterwideNetworkPolicies."

fn specs.nodeSelector.withMatchExpressions

withMatchExpressions(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.nodeSelector.withMatchExpressionsMixin

withMatchExpressionsMixin(matchExpressions)

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

Note: This function appends passed data to existing values

fn specs.nodeSelector.withMatchLabels

withMatchLabels(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

fn specs.nodeSelector.withMatchLabelsMixin

withMatchLabelsMixin(matchLabels)

"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed."

Note: This function appends passed data to existing values

obj specs.nodeSelector.matchExpressions

"matchExpressions is a list of label selector requirements. The requirements are ANDed."

fn specs.nodeSelector.matchExpressions.withKey

withKey(key)

"key is the label key that the selector applies to."

fn specs.nodeSelector.matchExpressions.withOperator

withOperator(operator)

"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist."

fn specs.nodeSelector.matchExpressions.withValues

withValues(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

fn specs.nodeSelector.matchExpressions.withValuesMixin

withValuesMixin(values)

"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch."

Note: This function appends passed data to existing values