cilium.v2.ciliumClusterwideNetworkPolicy
"CiliumClusterwideNetworkPolicy is a Kubernetes third-party resource with an\nmodified version of CiliumNetworkPolicy which is cluster scoped rather than\nnamespace scoped."
Index
fn new(name)fn withSpecs(specs)fn withSpecsMixin(specs)obj metadatafn withAnnotations(annotations)fn withAnnotationsMixin(annotations)fn withClusterName(clusterName)fn withCreationTimestamp(creationTimestamp)fn withDeletionGracePeriodSeconds(deletionGracePeriodSeconds)fn withDeletionTimestamp(deletionTimestamp)fn withFinalizers(finalizers)fn withFinalizersMixin(finalizers)fn withGenerateName(generateName)fn withGeneration(generation)fn withLabels(labels)fn withLabelsMixin(labels)fn withName(name)fn withNamespace(namespace)fn withOwnerReferences(ownerReferences)fn withOwnerReferencesMixin(ownerReferences)fn withResourceVersion(resourceVersion)fn withSelfLink(selfLink)fn withUid(uid)
obj specfn withDescription(description)fn withEgress(egress)fn withEgressDeny(egressDeny)fn withEgressDenyMixin(egressDeny)fn withEgressMixin(egress)fn withIngress(ingress)fn withIngressDeny(ingressDeny)fn withIngressDenyMixin(ingressDeny)fn withIngressMixin(ingress)fn withLabels(labels)fn withLabelsMixin(labels)obj spec.egressfn withIcmps(icmps)fn withIcmpsMixin(icmps)fn withToCIDR(toCIDR)fn withToCIDRMixin(toCIDR)fn withToCIDRSet(toCIDRSet)fn withToCIDRSetMixin(toCIDRSet)fn withToEndpoints(toEndpoints)fn withToEndpointsMixin(toEndpoints)fn withToEntities(toEntities)fn withToEntitiesMixin(toEntities)fn withToFQDNs(toFQDNs)fn withToFQDNsMixin(toFQDNs)fn withToGroups(toGroups)fn withToGroupsMixin(toGroups)fn withToNodes(toNodes)fn withToNodesMixin(toNodes)fn withToPorts(toPorts)fn withToPortsMixin(toPorts)fn withToRequires(toRequires)fn withToRequiresMixin(toRequires)fn withToServices(toServices)fn withToServicesMixin(toServices)obj spec.egress.authenticationobj spec.egress.icmpsobj spec.egress.toCIDRSetfn withCidr(cidr)fn withCidrGroupRef(cidrGroupRef)fn withExcept(except)fn withExceptMixin(except)obj spec.egress.toCIDRSet.cidrGroupSelector
obj spec.egress.toEndpointsobj spec.egress.toFQDNsobj spec.egress.toGroupsobj spec.egress.toNodesobj spec.egress.toPortsfn withPorts(ports)fn withPortsMixin(ports)fn withServerNames(serverNames)fn withServerNamesMixin(serverNames)obj spec.egress.toPorts.listenerobj spec.egress.toPorts.originatingTLSobj spec.egress.toPorts.portsobj spec.egress.toPorts.rulesfn withDns(dns)fn withDnsMixin(dns)fn withHttp(http)fn withHttpMixin(http)fn withKafka(kafka)fn withKafkaMixin(kafka)fn withL7(l7)fn withL7Mixin(l7)fn withL7proto(l7proto)obj spec.egress.toPorts.rules.dnsobj spec.egress.toPorts.rules.httpobj spec.egress.toPorts.rules.kafka
obj spec.egress.toPorts.terminatingTLS
obj spec.egress.toRequiresobj spec.egress.toServicesobj spec.egress.toServices.k8sServiceobj spec.egress.toServices.k8sServiceSelectorfn withNamespace(namespace)obj spec.egress.toServices.k8sServiceSelector.selector
obj spec.egressDenyfn withIcmps(icmps)fn withIcmpsMixin(icmps)fn withToCIDR(toCIDR)fn withToCIDRMixin(toCIDR)fn withToCIDRSet(toCIDRSet)fn withToCIDRSetMixin(toCIDRSet)fn withToEndpoints(toEndpoints)fn withToEndpointsMixin(toEndpoints)fn withToEntities(toEntities)fn withToEntitiesMixin(toEntities)fn withToGroups(toGroups)fn withToGroupsMixin(toGroups)fn withToNodes(toNodes)fn withToNodesMixin(toNodes)fn withToPorts(toPorts)fn withToPortsMixin(toPorts)fn withToRequires(toRequires)fn withToRequiresMixin(toRequires)fn withToServices(toServices)fn withToServicesMixin(toServices)obj spec.egressDeny.icmpsobj spec.egressDeny.toCIDRSetfn withCidr(cidr)fn withCidrGroupRef(cidrGroupRef)fn withExcept(except)fn withExceptMixin(except)obj spec.egressDeny.toCIDRSet.cidrGroupSelector
obj spec.egressDeny.toEndpointsobj spec.egressDeny.toGroupsobj spec.egressDeny.toNodesobj spec.egressDeny.toPortsobj spec.egressDeny.toRequiresobj spec.egressDeny.toServicesobj spec.egressDeny.toServices.k8sServiceobj spec.egressDeny.toServices.k8sServiceSelectorfn withNamespace(namespace)obj spec.egressDeny.toServices.k8sServiceSelector.selector
obj spec.enableDefaultDenyobj spec.endpointSelectorobj spec.ingressfn withFromCIDR(fromCIDR)fn withFromCIDRMixin(fromCIDR)fn withFromCIDRSet(fromCIDRSet)fn withFromCIDRSetMixin(fromCIDRSet)fn withFromEndpoints(fromEndpoints)fn withFromEndpointsMixin(fromEndpoints)fn withFromEntities(fromEntities)fn withFromEntitiesMixin(fromEntities)fn withFromGroups(fromGroups)fn withFromGroupsMixin(fromGroups)fn withFromNodes(fromNodes)fn withFromNodesMixin(fromNodes)fn withFromRequires(fromRequires)fn withFromRequiresMixin(fromRequires)fn withIcmps(icmps)fn withIcmpsMixin(icmps)fn withToPorts(toPorts)fn withToPortsMixin(toPorts)obj spec.ingress.authenticationobj spec.ingress.fromCIDRSetfn withCidr(cidr)fn withCidrGroupRef(cidrGroupRef)fn withExcept(except)fn withExceptMixin(except)obj spec.ingress.fromCIDRSet.cidrGroupSelector
obj spec.ingress.fromEndpointsobj spec.ingress.fromGroupsobj spec.ingress.fromNodesobj spec.ingress.fromRequiresobj spec.ingress.icmpsobj spec.ingress.toPortsfn withPorts(ports)fn withPortsMixin(ports)fn withServerNames(serverNames)fn withServerNamesMixin(serverNames)obj spec.ingress.toPorts.listenerobj spec.ingress.toPorts.originatingTLSobj spec.ingress.toPorts.portsobj spec.ingress.toPorts.rulesfn withDns(dns)fn withDnsMixin(dns)fn withHttp(http)fn withHttpMixin(http)fn withKafka(kafka)fn withKafkaMixin(kafka)fn withL7(l7)fn withL7Mixin(l7)fn withL7proto(l7proto)obj spec.ingress.toPorts.rules.dnsobj spec.ingress.toPorts.rules.httpobj spec.ingress.toPorts.rules.kafka
obj spec.ingress.toPorts.terminatingTLS
obj spec.ingressDenyfn withFromCIDR(fromCIDR)fn withFromCIDRMixin(fromCIDR)fn withFromCIDRSet(fromCIDRSet)fn withFromCIDRSetMixin(fromCIDRSet)fn withFromEndpoints(fromEndpoints)fn withFromEndpointsMixin(fromEndpoints)fn withFromEntities(fromEntities)fn withFromEntitiesMixin(fromEntities)fn withFromGroups(fromGroups)fn withFromGroupsMixin(fromGroups)fn withFromNodes(fromNodes)fn withFromNodesMixin(fromNodes)fn withFromRequires(fromRequires)fn withFromRequiresMixin(fromRequires)fn withIcmps(icmps)fn withIcmpsMixin(icmps)fn withToPorts(toPorts)fn withToPortsMixin(toPorts)obj spec.ingressDeny.fromCIDRSetfn withCidr(cidr)fn withCidrGroupRef(cidrGroupRef)fn withExcept(except)fn withExceptMixin(except)obj spec.ingressDeny.fromCIDRSet.cidrGroupSelector
obj spec.ingressDeny.fromEndpointsobj spec.ingressDeny.fromGroupsobj spec.ingressDeny.fromNodesobj spec.ingressDeny.fromRequiresobj spec.ingressDeny.icmpsobj spec.ingressDeny.toPorts
obj spec.labelsobj spec.nodeSelector
obj specsfn withDescription(description)fn withEgress(egress)fn withEgressDeny(egressDeny)fn withEgressDenyMixin(egressDeny)fn withEgressMixin(egress)fn withIngress(ingress)fn withIngressDeny(ingressDeny)fn withIngressDenyMixin(ingressDeny)fn withIngressMixin(ingress)fn withLabels(labels)fn withLabelsMixin(labels)obj specs.egressfn withIcmps(icmps)fn withIcmpsMixin(icmps)fn withToCIDR(toCIDR)fn withToCIDRMixin(toCIDR)fn withToCIDRSet(toCIDRSet)fn withToCIDRSetMixin(toCIDRSet)fn withToEndpoints(toEndpoints)fn withToEndpointsMixin(toEndpoints)fn withToEntities(toEntities)fn withToEntitiesMixin(toEntities)fn withToFQDNs(toFQDNs)fn withToFQDNsMixin(toFQDNs)fn withToGroups(toGroups)fn withToGroupsMixin(toGroups)fn withToNodes(toNodes)fn withToNodesMixin(toNodes)fn withToPorts(toPorts)fn withToPortsMixin(toPorts)fn withToRequires(toRequires)fn withToRequiresMixin(toRequires)fn withToServices(toServices)fn withToServicesMixin(toServices)obj specs.egress.authenticationobj specs.egress.icmpsobj specs.egress.toCIDRSetfn withCidr(cidr)fn withCidrGroupRef(cidrGroupRef)fn withExcept(except)fn withExceptMixin(except)obj specs.egress.toCIDRSet.cidrGroupSelector
obj specs.egress.toEndpointsobj specs.egress.toFQDNsobj specs.egress.toGroupsobj specs.egress.toNodesobj specs.egress.toPortsfn withPorts(ports)fn withPortsMixin(ports)fn withServerNames(serverNames)fn withServerNamesMixin(serverNames)obj specs.egress.toPorts.listenerobj specs.egress.toPorts.originatingTLSobj specs.egress.toPorts.portsobj specs.egress.toPorts.rulesfn withDns(dns)fn withDnsMixin(dns)fn withHttp(http)fn withHttpMixin(http)fn withKafka(kafka)fn withKafkaMixin(kafka)fn withL7(l7)fn withL7Mixin(l7)fn withL7proto(l7proto)obj specs.egress.toPorts.rules.dnsobj specs.egress.toPorts.rules.httpobj specs.egress.toPorts.rules.kafka
obj specs.egress.toPorts.terminatingTLS
obj specs.egress.toRequiresobj specs.egress.toServicesobj specs.egress.toServices.k8sServiceobj specs.egress.toServices.k8sServiceSelectorfn withNamespace(namespace)obj specs.egress.toServices.k8sServiceSelector.selector
obj specs.egressDenyfn withIcmps(icmps)fn withIcmpsMixin(icmps)fn withToCIDR(toCIDR)fn withToCIDRMixin(toCIDR)fn withToCIDRSet(toCIDRSet)fn withToCIDRSetMixin(toCIDRSet)fn withToEndpoints(toEndpoints)fn withToEndpointsMixin(toEndpoints)fn withToEntities(toEntities)fn withToEntitiesMixin(toEntities)fn withToGroups(toGroups)fn withToGroupsMixin(toGroups)fn withToNodes(toNodes)fn withToNodesMixin(toNodes)fn withToPorts(toPorts)fn withToPortsMixin(toPorts)fn withToRequires(toRequires)fn withToRequiresMixin(toRequires)fn withToServices(toServices)fn withToServicesMixin(toServices)obj specs.egressDeny.icmpsobj specs.egressDeny.toCIDRSetfn withCidr(cidr)fn withCidrGroupRef(cidrGroupRef)fn withExcept(except)fn withExceptMixin(except)obj specs.egressDeny.toCIDRSet.cidrGroupSelector
obj specs.egressDeny.toEndpointsobj specs.egressDeny.toGroupsobj specs.egressDeny.toNodesobj specs.egressDeny.toPortsobj specs.egressDeny.toRequiresobj specs.egressDeny.toServicesobj specs.egressDeny.toServices.k8sServiceobj specs.egressDeny.toServices.k8sServiceSelectorfn withNamespace(namespace)obj specs.egressDeny.toServices.k8sServiceSelector.selector
obj specs.enableDefaultDenyobj specs.endpointSelectorobj specs.ingressfn withFromCIDR(fromCIDR)fn withFromCIDRMixin(fromCIDR)fn withFromCIDRSet(fromCIDRSet)fn withFromCIDRSetMixin(fromCIDRSet)fn withFromEndpoints(fromEndpoints)fn withFromEndpointsMixin(fromEndpoints)fn withFromEntities(fromEntities)fn withFromEntitiesMixin(fromEntities)fn withFromGroups(fromGroups)fn withFromGroupsMixin(fromGroups)fn withFromNodes(fromNodes)fn withFromNodesMixin(fromNodes)fn withFromRequires(fromRequires)fn withFromRequiresMixin(fromRequires)fn withIcmps(icmps)fn withIcmpsMixin(icmps)fn withToPorts(toPorts)fn withToPortsMixin(toPorts)obj specs.ingress.authenticationobj specs.ingress.fromCIDRSetfn withCidr(cidr)fn withCidrGroupRef(cidrGroupRef)fn withExcept(except)fn withExceptMixin(except)obj specs.ingress.fromCIDRSet.cidrGroupSelector
obj specs.ingress.fromEndpointsobj specs.ingress.fromGroupsobj specs.ingress.fromNodesobj specs.ingress.fromRequiresobj specs.ingress.icmpsobj specs.ingress.toPortsfn withPorts(ports)fn withPortsMixin(ports)fn withServerNames(serverNames)fn withServerNamesMixin(serverNames)obj specs.ingress.toPorts.listenerobj specs.ingress.toPorts.originatingTLSobj specs.ingress.toPorts.portsobj specs.ingress.toPorts.rulesfn withDns(dns)fn withDnsMixin(dns)fn withHttp(http)fn withHttpMixin(http)fn withKafka(kafka)fn withKafkaMixin(kafka)fn withL7(l7)fn withL7Mixin(l7)fn withL7proto(l7proto)obj specs.ingress.toPorts.rules.dnsobj specs.ingress.toPorts.rules.httpobj specs.ingress.toPorts.rules.kafka
obj specs.ingress.toPorts.terminatingTLS
obj specs.ingressDenyfn withFromCIDR(fromCIDR)fn withFromCIDRMixin(fromCIDR)fn withFromCIDRSet(fromCIDRSet)fn withFromCIDRSetMixin(fromCIDRSet)fn withFromEndpoints(fromEndpoints)fn withFromEndpointsMixin(fromEndpoints)fn withFromEntities(fromEntities)fn withFromEntitiesMixin(fromEntities)fn withFromGroups(fromGroups)fn withFromGroupsMixin(fromGroups)fn withFromNodes(fromNodes)fn withFromNodesMixin(fromNodes)fn withFromRequires(fromRequires)fn withFromRequiresMixin(fromRequires)fn withIcmps(icmps)fn withIcmpsMixin(icmps)fn withToPorts(toPorts)fn withToPortsMixin(toPorts)obj specs.ingressDeny.fromCIDRSetfn withCidr(cidr)fn withCidrGroupRef(cidrGroupRef)fn withExcept(except)fn withExceptMixin(except)obj specs.ingressDeny.fromCIDRSet.cidrGroupSelector
obj specs.ingressDeny.fromEndpointsobj specs.ingressDeny.fromGroupsobj specs.ingressDeny.fromNodesobj specs.ingressDeny.fromRequiresobj specs.ingressDeny.icmpsobj specs.ingressDeny.toPorts
obj specs.labelsobj specs.nodeSelector
Fields
fn new
new(name)
new returns an instance of CiliumClusterwideNetworkPolicy
fn withSpecs
withSpecs(specs)
"Specs is a list of desired Cilium specific rule specification."
fn withSpecsMixin
withSpecsMixin(specs)
"Specs is a list of desired Cilium specific rule specification."
Note: This function appends passed data to existing values
obj metadata
"ObjectMeta is metadata that all persisted resources must have, which includes all objects users must create."
fn metadata.withAnnotations
withAnnotations(annotations)
"Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations"
fn metadata.withAnnotationsMixin
withAnnotationsMixin(annotations)
"Annotations is an unstructured key value map stored with a resource that may be set by external tools to store and retrieve arbitrary metadata. They are not queryable and should be preserved when modifying objects. More info: http://kubernetes.io/docs/user-guide/annotations"
Note: This function appends passed data to existing values
fn metadata.withClusterName
withClusterName(clusterName)
"The name of the cluster which the object belongs to. This is used to distinguish resources with same name and namespace in different clusters. This field is not set anywhere right now and apiserver is going to ignore it if set in create or update request."
fn metadata.withCreationTimestamp
withCreationTimestamp(creationTimestamp)
"Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers."
fn metadata.withDeletionGracePeriodSeconds
withDeletionGracePeriodSeconds(deletionGracePeriodSeconds)
"Number of seconds allowed for this object to gracefully terminate before it will be removed from the system. Only set when deletionTimestamp is also set. May only be shortened. Read-only."
fn metadata.withDeletionTimestamp
withDeletionTimestamp(deletionTimestamp)
"Time is a wrapper around time.Time which supports correct marshaling to YAML and JSON. Wrappers are provided for many of the factory methods that the time package offers."
fn metadata.withFinalizers
withFinalizers(finalizers)
"Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list."
fn metadata.withFinalizersMixin
withFinalizersMixin(finalizers)
"Must be empty before the object is deleted from the registry. Each entry is an identifier for the responsible component that will remove the entry from the list. If the deletionTimestamp of the object is non-nil, entries in this list can only be removed. Finalizers may be processed and removed in any order. Order is NOT enforced because it introduces significant risk of stuck finalizers. finalizers is a shared field, any actor with permission can reorder it. If the finalizer list is processed in order, then this can lead to a situation in which the component responsible for the first finalizer in the list is waiting for a signal (field value, external system, or other) produced by a component responsible for a finalizer later in the list, resulting in a deadlock. Without enforced ordering finalizers are free to order amongst themselves and are not vulnerable to ordering changes in the list."
Note: This function appends passed data to existing values
fn metadata.withGenerateName
withGenerateName(generateName)
"GenerateName is an optional prefix, used by the server, to generate a unique name ONLY IF the Name field has not been provided. If this field is used, the name returned to the client will be different than the name passed. This value will also be combined with a unique suffix. The provided value has the same validation rules as the Name field, and may be truncated by the length of the suffix required to make the value unique on the server.\n\nIf this field is specified and the generated name exists, the server will NOT return a 409 - instead, it will either return 201 Created or 500 with Reason ServerTimeout indicating a unique name could not be found in the time allotted, and the client should retry (optionally after the time indicated in the Retry-After header).\n\nApplied only if Name is not specified. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#idempotency"
fn metadata.withGeneration
withGeneration(generation)
"A sequence number representing a specific generation of the desired state. Populated by the system. Read-only."
fn metadata.withLabels
withLabels(labels)
"Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels"
fn metadata.withLabelsMixin
withLabelsMixin(labels)
"Map of string keys and values that can be used to organize and categorize (scope and select) objects. May match selectors of replication controllers and services. More info: http://kubernetes.io/docs/user-guide/labels"
Note: This function appends passed data to existing values
fn metadata.withName
withName(name)
"Name must be unique within a namespace. Is required when creating resources, although some resources may allow a client to request the generation of an appropriate name automatically. Name is primarily intended for creation idempotence and configuration definition. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/identifiers#names"
fn metadata.withNamespace
withNamespace(namespace)
"Namespace defines the space within which each name must be unique. An empty namespace is equivalent to the \"default\" namespace, but \"default\" is the canonical representation. Not all objects are required to be scoped to a namespace - the value of this field for those objects will be empty.\n\nMust be a DNS_LABEL. Cannot be updated. More info: http://kubernetes.io/docs/user-guide/namespaces"
fn metadata.withOwnerReferences
withOwnerReferences(ownerReferences)
"List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller."
fn metadata.withOwnerReferencesMixin
withOwnerReferencesMixin(ownerReferences)
"List of objects depended by this object. If ALL objects in the list have been deleted, this object will be garbage collected. If this object is managed by a controller, then an entry in this list will point to this controller, with the controller field set to true. There cannot be more than one managing controller."
Note: This function appends passed data to existing values
fn metadata.withResourceVersion
withResourceVersion(resourceVersion)
"An opaque value that represents the internal version of this object that can be used by clients to determine when objects have changed. May be used for optimistic concurrency, change detection, and the watch operation on a resource or set of resources. Clients must treat these values as opaque and passed unmodified back to the server. They may only be valid for a particular resource or set of resources.\n\nPopulated by the system. Read-only. Value must be treated as opaque by clients and . More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency"
fn metadata.withSelfLink
withSelfLink(selfLink)
"SelfLink is a URL representing this object. Populated by the system. Read-only.\n\nDEPRECATED Kubernetes will stop propagating this field in 1.20 release and the field is planned to be removed in 1.21 release."
fn metadata.withUid
withUid(uid)
"UID is the unique in time and space value for this object. It is typically generated by the server on successful creation of a resource and is not allowed to change on PUT operations.\n\nPopulated by the system. Read-only. More info: http://kubernetes.io/docs/user-guide/identifiers#uids"
obj spec
"Spec is the desired Cilium specific rule specification."
fn spec.withDescription
withDescription(description)
"Description is a free form string, it can be used by the creator of\nthe rule to store human readable explanation of the purpose of this\nrule. Rules cannot be identified by comment."
fn spec.withEgress
withEgress(egress)
"Egress is a list of EgressRule which are enforced at egress.\nIf omitted or empty, this rule does not apply at egress."
fn spec.withEgressDeny
withEgressDeny(egressDeny)
"EgressDeny is a list of EgressDenyRule which are enforced at egress.\nAny rule inserted here will be denied regardless of the allowed egress\nrules in the 'egress' field.\nIf omitted or empty, this rule does not apply at egress."
fn spec.withEgressDenyMixin
withEgressDenyMixin(egressDeny)
"EgressDeny is a list of EgressDenyRule which are enforced at egress.\nAny rule inserted here will be denied regardless of the allowed egress\nrules in the 'egress' field.\nIf omitted or empty, this rule does not apply at egress."
Note: This function appends passed data to existing values
fn spec.withEgressMixin
withEgressMixin(egress)
"Egress is a list of EgressRule which are enforced at egress.\nIf omitted or empty, this rule does not apply at egress."
Note: This function appends passed data to existing values
fn spec.withIngress
withIngress(ingress)
"Ingress is a list of IngressRule which are enforced at ingress.\nIf omitted or empty, this rule does not apply at ingress."
fn spec.withIngressDeny
withIngressDeny(ingressDeny)
"IngressDeny is a list of IngressDenyRule which are enforced at ingress.\nAny rule inserted here will be denied regardless of the allowed ingress\nrules in the 'ingress' field.\nIf omitted or empty, this rule does not apply at ingress."
fn spec.withIngressDenyMixin
withIngressDenyMixin(ingressDeny)
"IngressDeny is a list of IngressDenyRule which are enforced at ingress.\nAny rule inserted here will be denied regardless of the allowed ingress\nrules in the 'ingress' field.\nIf omitted or empty, this rule does not apply at ingress."
Note: This function appends passed data to existing values
fn spec.withIngressMixin
withIngressMixin(ingress)
"Ingress is a list of IngressRule which are enforced at ingress.\nIf omitted or empty, this rule does not apply at ingress."
Note: This function appends passed data to existing values
fn spec.withLabels
withLabels(labels)
"Labels is a list of optional strings which can be used to\nre-identify the rule or to store metadata. It is possible to lookup\nor delete strings based on labels. Labels are not required to be\nunique, multiple rules can have overlapping or identical labels."
fn spec.withLabelsMixin
withLabelsMixin(labels)
"Labels is a list of optional strings which can be used to\nre-identify the rule or to store metadata. It is possible to lookup\nor delete strings based on labels. Labels are not required to be\nunique, multiple rules can have overlapping or identical labels."
Note: This function appends passed data to existing values
obj spec.egress
"Egress is a list of EgressRule which are enforced at egress.\nIf omitted or empty, this rule does not apply at egress."
fn spec.egress.withIcmps
withIcmps(icmps)
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is allowed to connect to.\n\nExample:\nAny endpoint with the label \"app=httpd\" is allowed to initiate\ntype 8 ICMP connections."
fn spec.egress.withIcmpsMixin
withIcmpsMixin(icmps)
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is allowed to connect to.\n\nExample:\nAny endpoint with the label \"app=httpd\" is allowed to initiate\ntype 8 ICMP connections."
Note: This function appends passed data to existing values
fn spec.egress.withToCIDR
withToCIDR(toCIDR)
"ToCIDR is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections. Only connections destined for\noutside of the cluster and not targeting the host will be subject\nto CIDR rules. This will match on the destination IP address of\noutgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet\nwith no ExcludeCIDRs is equivalent. Overlaps are allowed between\nToCIDR and ToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24"
fn spec.egress.withToCIDRMixin
withToCIDRMixin(toCIDR)
"ToCIDR is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections. Only connections destined for\noutside of the cluster and not targeting the host will be subject\nto CIDR rules. This will match on the destination IP address of\noutgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet\nwith no ExcludeCIDRs is equivalent. Overlaps are allowed between\nToCIDR and ToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24"
Note: This function appends passed data to existing values
fn spec.egress.withToCIDRSet
withToCIDRSet(toCIDRSet)
"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections to in addition to connections\nwhich are allowed via ToEndpoints, along with a list of subnets contained\nwithin their corresponding IP block to which traffic should not be\nallowed. This will match on the destination IP address of outgoing\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\nToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."
fn spec.egress.withToCIDRSetMixin
withToCIDRSetMixin(toCIDRSet)
"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections to in addition to connections\nwhich are allowed via ToEndpoints, along with a list of subnets contained\nwithin their corresponding IP block to which traffic should not be\nallowed. This will match on the destination IP address of outgoing\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\nToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."
Note: This function appends passed data to existing values
fn spec.egress.withToEndpoints
withToEndpoints(toEndpoints)
"ToEndpoints is a list of endpoints identified by an EndpointSelector to\nwhich the endpoints subject to the rule are allowed to communicate.\n\nExample:\nAny endpoint with the label \"role=frontend\" can communicate with any\nendpoint carrying the label \"role=backend\"."
fn spec.egress.withToEndpointsMixin
withToEndpointsMixin(toEndpoints)
"ToEndpoints is a list of endpoints identified by an EndpointSelector to\nwhich the endpoints subject to the rule are allowed to communicate.\n\nExample:\nAny endpoint with the label \"role=frontend\" can communicate with any\nendpoint carrying the label \"role=backend\"."
Note: This function appends passed data to existing values
fn spec.egress.withToEntities
withToEntities(toEntities)
"ToEntities is a list of special entities to which the endpoint subject\nto the rule is allowed to initiate connections. Supported entities are\nworld, cluster,host,remote-node,kube-apiserver, init,\nhealth,unmanaged and all."
fn spec.egress.withToEntitiesMixin
withToEntitiesMixin(toEntities)
"ToEntities is a list of special entities to which the endpoint subject\nto the rule is allowed to initiate connections. Supported entities are\nworld, cluster,host,remote-node,kube-apiserver, init,\nhealth,unmanaged and all."
Note: This function appends passed data to existing values
fn spec.egress.withToFQDNs
withToFQDNs(toFQDNs)
"ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result\nfrom DNS resolution of ToFQDN.MatchNames are added to the same\nEgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and\nL7 rules within this EgressRule will also apply to these IPs.\nThe DNS -> IP mapping is re-resolved periodically from within the\ncilium-agent, and the IPs in the DNS response are effected in the policy\nfor selected pods as-is (i.e. the list of IPs is not modified in any way).\nNote: An explicit rule to allow for DNS traffic is needed for the pods, as\nToFQDN counts as an egress rule and will enforce egress policy when\nPolicyEnforcment=default.\nNote: If the resolved IPs are IPs within the kubernetes cluster, the\nToFQDN rule will not apply to that IP.\nNote: ToFQDN cannot occur in the same policy as other To* rules."
fn spec.egress.withToFQDNsMixin
withToFQDNsMixin(toFQDNs)
"ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result\nfrom DNS resolution of ToFQDN.MatchNames are added to the same\nEgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and\nL7 rules within this EgressRule will also apply to these IPs.\nThe DNS -> IP mapping is re-resolved periodically from within the\ncilium-agent, and the IPs in the DNS response are effected in the policy\nfor selected pods as-is (i.e. the list of IPs is not modified in any way).\nNote: An explicit rule to allow for DNS traffic is needed for the pods, as\nToFQDN counts as an egress rule and will enforce egress policy when\nPolicyEnforcment=default.\nNote: If the resolved IPs are IPs within the kubernetes cluster, the\nToFQDN rule will not apply to that IP.\nNote: ToFQDN cannot occur in the same policy as other To* rules."
Note: This function appends passed data to existing values
fn spec.egress.withToGroups
withToGroups(toGroups)
"ToGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\ntoGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
fn spec.egress.withToGroupsMixin
withToGroupsMixin(toGroups)
"ToGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\ntoGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
Note: This function appends passed data to existing values
fn spec.egress.withToNodes
withToNodes(toNodes)
"ToNodes is a list of nodes identified by an\nEndpointSelector to which endpoints subject to the rule is allowed to communicate."
fn spec.egress.withToNodesMixin
withToNodesMixin(toNodes)
"ToNodes is a list of nodes identified by an\nEndpointSelector to which endpoints subject to the rule is allowed to communicate."
Note: This function appends passed data to existing values
fn spec.egress.withToPorts
withToPorts(toPorts)
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is allowed to\nconnect to.\n\nExample:\nAny endpoint with the label \"role=frontend\" is allowed to initiate\nconnections to destination port 8080/tcp"
fn spec.egress.withToPortsMixin
withToPortsMixin(toPorts)
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is allowed to\nconnect to.\n\nExample:\nAny endpoint with the label \"role=frontend\" is allowed to initiate\nconnections to destination port 8080/tcp"
Note: This function appends passed data to existing values
fn spec.egress.withToRequires
withToRequires(toRequires)
"ToRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be able to connect to other\nendpoints. These additional constraints do no by itself grant access\nprivileges and must always be accompanied with at least one matching\nToEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires any endpoint to which it\ncommunicates to also carry the label \"team=A\"."
fn spec.egress.withToRequiresMixin
withToRequiresMixin(toRequires)
"ToRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be able to connect to other\nendpoints. These additional constraints do no by itself grant access\nprivileges and must always be accompanied with at least one matching\nToEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires any endpoint to which it\ncommunicates to also carry the label \"team=A\"."
Note: This function appends passed data to existing values
fn spec.egress.withToServices
withToServices(toServices)
"ToServices is a list of services to which the endpoint subject\nto the rule is allowed to initiate connections.\nCurrently Cilium only supports toServices for K8s services."
fn spec.egress.withToServicesMixin
withToServicesMixin(toServices)
"ToServices is a list of services to which the endpoint subject\nto the rule is allowed to initiate connections.\nCurrently Cilium only supports toServices for K8s services."
Note: This function appends passed data to existing values
obj spec.egress.authentication
"Authentication is the required authentication type for the allowed traffic, if any."
fn spec.egress.authentication.withMode
withMode(mode)
"Mode is the required authentication mode for the allowed traffic, if any."
obj spec.egress.icmps
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is allowed to connect to.\n\nExample:\nAny endpoint with the label \"app=httpd\" is allowed to initiate\ntype 8 ICMP connections."
fn spec.egress.icmps.withFields
withFields(fields)
"Fields is a list of ICMP fields."
fn spec.egress.icmps.withFieldsMixin
withFieldsMixin(fields)
"Fields is a list of ICMP fields."
Note: This function appends passed data to existing values
obj spec.egress.icmps.fields
"Fields is a list of ICMP fields."
fn spec.egress.icmps.fields.withFamily
withFamily(family)
"Family is a IP address version.\nCurrently, we support IPv4 and IPv6.\nIPv4 is set as default."
fn spec.egress.icmps.fields.withType
withType(type)
"Type is a ICMP-type.\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \"EchoReply\").\nAllowed ICMP types are:\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\n\t\t\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\n\t\t\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\n\t\t\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply"
obj spec.egress.toCIDRSet
"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections to in addition to connections\nwhich are allowed via ToEndpoints, along with a list of subnets contained\nwithin their corresponding IP block to which traffic should not be\nallowed. This will match on the destination IP address of outgoing\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\nToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."
fn spec.egress.toCIDRSet.withCidr
withCidr(cidr)
"CIDR is a CIDR prefix / IP Block."
fn spec.egress.toCIDRSet.withCidrGroupRef
withCidrGroupRef(cidrGroupRef)
"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\nconnections from."
fn spec.egress.toCIDRSet.withExcept
withExcept(except)
"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules."
fn spec.egress.toCIDRSet.withExceptMixin
withExceptMixin(except)
"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules."
Note: This function appends passed data to existing values
obj spec.egress.toCIDRSet.cidrGroupSelector
"CIDRGroupSelector selects CiliumCIDRGroups by their labels,\nrather than by name."
fn spec.egress.toCIDRSet.cidrGroupSelector.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egress.toCIDRSet.cidrGroupSelector.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.egress.toCIDRSet.cidrGroupSelector.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.egress.toCIDRSet.cidrGroupSelector.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.egress.toCIDRSet.cidrGroupSelector.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egress.toCIDRSet.cidrGroupSelector.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.egress.toCIDRSet.cidrGroupSelector.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.egress.toCIDRSet.cidrGroupSelector.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.egress.toCIDRSet.cidrGroupSelector.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj spec.egress.toEndpoints
"ToEndpoints is a list of endpoints identified by an EndpointSelector to\nwhich the endpoints subject to the rule are allowed to communicate.\n\nExample:\nAny endpoint with the label \"role=frontend\" can communicate with any\nendpoint carrying the label \"role=backend\"."
fn spec.egress.toEndpoints.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egress.toEndpoints.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.egress.toEndpoints.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.egress.toEndpoints.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.egress.toEndpoints.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egress.toEndpoints.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.egress.toEndpoints.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.egress.toEndpoints.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.egress.toEndpoints.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj spec.egress.toFQDNs
"ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result\nfrom DNS resolution of ToFQDN.MatchNames are added to the same\nEgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and\nL7 rules within this EgressRule will also apply to these IPs.\nThe DNS -> IP mapping is re-resolved periodically from within the\ncilium-agent, and the IPs in the DNS response are effected in the policy\nfor selected pods as-is (i.e. the list of IPs is not modified in any way).\nNote: An explicit rule to allow for DNS traffic is needed for the pods, as\nToFQDN counts as an egress rule and will enforce egress policy when\nPolicyEnforcment=default.\nNote: If the resolved IPs are IPs within the kubernetes cluster, the\nToFQDN rule will not apply to that IP.\nNote: ToFQDN cannot occur in the same policy as other To* rules."
fn spec.egress.toFQDNs.withMatchName
withMatchName(matchName)
"MatchName matches literal DNS names. A trailing \".\" is automatically added\nwhen missing."
fn spec.egress.toFQDNs.withMatchPattern
withMatchPattern(matchPattern)
"MatchPattern allows using wildcards to match DNS names. All wildcards are\ncase insensitive. The wildcards are:\n- \"\" matches 0 or more DNS valid characters, and may occur anywhere in\nthe pattern. As a special case a \"\" as the leftmost character, without a\nfollowing \".\" matches all subdomains as well as the name to the right.\nA trailing \".\" is automatically added when missing.\n\nExamples:\n*.cilium.io matches subomains of cilium at that level\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\n*cilium.io matches cilium.io and all subdomains ends with \"cilium.io\"\n except those containing \".\" separator, subcilium.io and sub-cilium.io match,\n www.cilium.io and blog.cilium.io does not\nsub*.cilium.io matches subdomains of cilium where the subdomain component\nbegins with \"sub\"\n sub.cilium.io and subdomain.cilium.io match, www.cilium.io,\n blog.cilium.io, cilium.io and google.com do not"
obj spec.egress.toGroups
"ToGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\ntoGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
obj spec.egress.toGroups.aws
"AWSGroup is an structure that can be used to whitelisting information from AWS integration"
fn spec.egress.toGroups.aws.withLabels
withLabels(labels)
fn spec.egress.toGroups.aws.withLabelsMixin
withLabelsMixin(labels)
Note: This function appends passed data to existing values
fn spec.egress.toGroups.aws.withRegion
withRegion(region)
fn spec.egress.toGroups.aws.withSecurityGroupsIds
withSecurityGroupsIds(securityGroupsIds)
fn spec.egress.toGroups.aws.withSecurityGroupsIdsMixin
withSecurityGroupsIdsMixin(securityGroupsIds)
Note: This function appends passed data to existing values
fn spec.egress.toGroups.aws.withSecurityGroupsNames
withSecurityGroupsNames(securityGroupsNames)
fn spec.egress.toGroups.aws.withSecurityGroupsNamesMixin
withSecurityGroupsNamesMixin(securityGroupsNames)
Note: This function appends passed data to existing values
obj spec.egress.toNodes
"ToNodes is a list of nodes identified by an\nEndpointSelector to which endpoints subject to the rule is allowed to communicate."
fn spec.egress.toNodes.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egress.toNodes.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.egress.toNodes.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.egress.toNodes.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.egress.toNodes.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egress.toNodes.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.egress.toNodes.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.egress.toNodes.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.egress.toNodes.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj spec.egress.toPorts
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is allowed to\nconnect to.\n\nExample:\nAny endpoint with the label \"role=frontend\" is allowed to initiate\nconnections to destination port 8080/tcp"
fn spec.egress.toPorts.withPorts
withPorts(ports)
"Ports is a list of L4 port/protocol"
fn spec.egress.toPorts.withPortsMixin
withPortsMixin(ports)
"Ports is a list of L4 port/protocol"
Note: This function appends passed data to existing values
fn spec.egress.toPorts.withServerNames
withServerNames(serverNames)
"ServerNames is a list of allowed TLS SNI values. If not empty, then\nTLS must be present and one of the provided SNIs must be indicated in the\nTLS handshake."
fn spec.egress.toPorts.withServerNamesMixin
withServerNamesMixin(serverNames)
"ServerNames is a list of allowed TLS SNI values. If not empty, then\nTLS must be present and one of the provided SNIs must be indicated in the\nTLS handshake."
Note: This function appends passed data to existing values
obj spec.egress.toPorts.listener
"listener specifies the name of a custom Envoy listener to which this traffic should be\nredirected to."
fn spec.egress.toPorts.listener.withName
withName(name)
"Name is the name of the listener."
fn spec.egress.toPorts.listener.withPriority
withPriority(priority)
"Priority for this Listener that is used when multiple rules would apply different\nlisteners to a policy map entry. Behavior of this is implementation dependent."
obj spec.egress.toPorts.listener.envoyConfig
"EnvoyConfig is a reference to the CEC or CCEC resource in which\nthe listener is defined."
fn spec.egress.toPorts.listener.envoyConfig.withKind
withKind(kind)
"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or\nCiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy,\nrespectively. The only case this is currently explicitly needed is when referring to a\nCiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener\nfrom a cluster scoped policy is not allowed."
fn spec.egress.toPorts.listener.envoyConfig.withName
withName(name)
"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where\nthe listener is defined in."
obj spec.egress.toPorts.originatingTLS
"OriginatingTLS is the TLS context for the connections originated by\nthe L7 proxy. For egress policy this specifies the client-side TLS\nparameters for the upstream connection originating from the L7 proxy\nto the remote destination. For ingress policy this specifies the\nclient-side TLS parameters for the connection from the L7 proxy to\nthe local endpoint."
fn spec.egress.toPorts.originatingTLS.withCertificate
withCertificate(certificate)
"Certificate is the file name or k8s secret item name for the certificate\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\nitem must exist."
fn spec.egress.toPorts.originatingTLS.withPrivateKey
withPrivateKey(privateKey)
"PrivateKey is the file name or k8s secret item name for the private key\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\nexists. If given, the item must exist."
fn spec.egress.toPorts.originatingTLS.withTrustedCA
withTrustedCA(trustedCA)
"TrustedCA is the file name or k8s secret item name for the trusted CA.\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\nexist."
obj spec.egress.toPorts.originatingTLS.secret
"Secret is the secret that contains the certificates and private key for\nthe TLS context.\nBy default, Cilium will search in this secret for the following items:\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\n - 'tls.crt' - Which represents the public key certificate.\n - 'tls.key' - Which represents the private key matching the public key\n certificate."
fn spec.egress.toPorts.originatingTLS.secret.withName
withName(name)
"Name is the name of the secret."
fn spec.egress.toPorts.originatingTLS.secret.withNamespace
withNamespace(namespace)
"Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\")."
obj spec.egress.toPorts.ports
"Ports is a list of L4 port/protocol"
fn spec.egress.toPorts.ports.withEndPort
withEndPort(endPort)
"EndPort can only be an L4 port number."
fn spec.egress.toPorts.ports.withPort
withPort(port)
"Port can be an L4 port number, or a name in the form of \"http\"\nor \"http-8080\"."
fn spec.egress.toPorts.ports.withProtocol
withProtocol(protocol)
"Protocol is the L4 protocol. If omitted or empty, any protocol\nmatches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\"\n\nMatching on ICMP is not supported.\n\nNamed port specified for a container may narrow this down, but may not\ncontradict this."
obj spec.egress.toPorts.rules
"Rules is a list of additional port level rules which must be met in\norder for the PortRule to allow the traffic. If omitted or empty,\nno layer 7 rules are enforced."
fn spec.egress.toPorts.rules.withDns
withDns(dns)
"DNS-specific rules."
fn spec.egress.toPorts.rules.withDnsMixin
withDnsMixin(dns)
"DNS-specific rules."
Note: This function appends passed data to existing values
fn spec.egress.toPorts.rules.withHttp
withHttp(http)
"HTTP specific rules."
fn spec.egress.toPorts.rules.withHttpMixin
withHttpMixin(http)
"HTTP specific rules."
Note: This function appends passed data to existing values
fn spec.egress.toPorts.rules.withKafka
withKafka(kafka)
"Kafka-specific rules."
fn spec.egress.toPorts.rules.withKafkaMixin
withKafkaMixin(kafka)
"Kafka-specific rules."
Note: This function appends passed data to existing values
fn spec.egress.toPorts.rules.withL7
withL7(l7)
"Key-value pair rules."
fn spec.egress.toPorts.rules.withL7Mixin
withL7Mixin(l7)
"Key-value pair rules."
Note: This function appends passed data to existing values
fn spec.egress.toPorts.rules.withL7proto
withL7proto(l7proto)
"Name of the L7 protocol for which the Key-value pair rules apply."
obj spec.egress.toPorts.rules.dns
"DNS-specific rules."
fn spec.egress.toPorts.rules.dns.withMatchName
withMatchName(matchName)
"MatchName matches literal DNS names. A trailing \".\" is automatically added\nwhen missing."
fn spec.egress.toPorts.rules.dns.withMatchPattern
withMatchPattern(matchPattern)
"MatchPattern allows using wildcards to match DNS names. All wildcards are\ncase insensitive. The wildcards are:\n- \"\" matches 0 or more DNS valid characters, and may occur anywhere in\nthe pattern. As a special case a \"\" as the leftmost character, without a\nfollowing \".\" matches all subdomains as well as the name to the right.\nA trailing \".\" is automatically added when missing.\n\nExamples:\n*.cilium.io matches subomains of cilium at that level\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\n*cilium.io matches cilium.io and all subdomains ends with \"cilium.io\"\n except those containing \".\" separator, subcilium.io and sub-cilium.io match,\n www.cilium.io and blog.cilium.io does not\nsub*.cilium.io matches subdomains of cilium where the subdomain component\nbegins with \"sub\"\n sub.cilium.io and subdomain.cilium.io match, www.cilium.io,\n blog.cilium.io, cilium.io and google.com do not"
obj spec.egress.toPorts.rules.http
"HTTP specific rules."
fn spec.egress.toPorts.rules.http.withHeaderMatches
withHeaderMatches(headerMatches)
"HeaderMatches is a list of HTTP headers which must be\npresent and match against the given values. Mismatch field can be used\nto specify what to do when there is no match."
fn spec.egress.toPorts.rules.http.withHeaderMatchesMixin
withHeaderMatchesMixin(headerMatches)
"HeaderMatches is a list of HTTP headers which must be\npresent and match against the given values. Mismatch field can be used\nto specify what to do when there is no match."
Note: This function appends passed data to existing values
fn spec.egress.toPorts.rules.http.withHeaders
withHeaders(headers)
"Headers is a list of HTTP headers which must be present in the\nrequest. If omitted or empty, requests are allowed regardless of\nheaders present."
fn spec.egress.toPorts.rules.http.withHeadersMixin
withHeadersMixin(headers)
"Headers is a list of HTTP headers which must be present in the\nrequest. If omitted or empty, requests are allowed regardless of\nheaders present."
Note: This function appends passed data to existing values
fn spec.egress.toPorts.rules.http.withHost
withHost(host)
"Host is an extended POSIX regex matched against the host header of a\nrequest. Examples:\n\n- foo.bar.com will match the host fooXbar.com or foo-bar.com\n- foo\.bar\.com will only match the host foo.bar.com\n\nIf omitted or empty, the value of the host header is ignored."
fn spec.egress.toPorts.rules.http.withMethod
withMethod(method)
"Method is an extended POSIX regex matched against the method of a\nrequest, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ...\n\nIf omitted or empty, all methods are allowed."
fn spec.egress.toPorts.rules.http.withPath
withPath(path)
"Path is an extended POSIX regex matched against the path of a\nrequest. Currently it can contain characters disallowed from the\nconventional \"path\" part of a URL as defined by RFC 3986.\n\nIf omitted or empty, all paths are all allowed."
obj spec.egress.toPorts.rules.http.headerMatches
"HeaderMatches is a list of HTTP headers which must be\npresent and match against the given values. Mismatch field can be used\nto specify what to do when there is no match."
fn spec.egress.toPorts.rules.http.headerMatches.withMismatch
withMismatch(mismatch)
"Mismatch identifies what to do in case there is no match. The default is\nto drop the request. Otherwise the overall rule is still considered as\nmatching, but the mismatches are logged in the access log."
fn spec.egress.toPorts.rules.http.headerMatches.withName
withName(name)
"Name identifies the header."
fn spec.egress.toPorts.rules.http.headerMatches.withValue
withValue(value)
"Value matches the exact value of the header. Can be specified either\nalone or together with \"Secret\"; will be used as the header value if the\nsecret can not be found in the latter case."
obj spec.egress.toPorts.rules.http.headerMatches.secret
"Secret refers to a secret that contains the value to be matched against.\nThe secret must only contain one entry. If the referred secret does not\nexist, and there is no \"Value\" specified, the match will fail."
fn spec.egress.toPorts.rules.http.headerMatches.secret.withName
withName(name)
"Name is the name of the secret."
fn spec.egress.toPorts.rules.http.headerMatches.secret.withNamespace
withNamespace(namespace)
"Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\")."
obj spec.egress.toPorts.rules.kafka
"Kafka-specific rules."
fn spec.egress.toPorts.rules.kafka.withApiKey
withApiKey(apiKey)
"APIKey is a case-insensitive string matched against the key of a\nrequest, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", et al\nReference: https://kafka.apache.org/protocol#protocol_api_keys\n\nIf omitted or empty, and if Role is not specified, then all keys are allowed."
fn spec.egress.toPorts.rules.kafka.withApiVersion
withApiVersion(apiVersion)
"APIVersion is the version matched against the api version of the\nKafka message. If set, it has to be a string representing a positive\ninteger.\n\nIf omitted or empty, all versions are allowed."
fn spec.egress.toPorts.rules.kafka.withClientID
withClientID(clientID)
"ClientID is the client identifier as provided in the request.\n\nFrom Kafka protocol documentation:\nThis is a user supplied identifier for the client application. The\nuser can use any identifier they like and it will be used when\nlogging errors, monitoring aggregates, etc. For example, one might\nwant to monitor not just the requests per second overall, but the\nnumber coming from each client application (each of which could\nreside on multiple servers). This id acts as a logical grouping\nacross all requests from a particular client.\n\nIf omitted or empty, all client identifiers are allowed."
fn spec.egress.toPorts.rules.kafka.withRole
withRole(role)
"Role is a case-insensitive string and describes a group of API keys\nnecessary to perform certain higher-level Kafka operations such as \"produce\"\nor \"consume\". A Role automatically expands into all APIKeys required\nto perform the specified higher-level operation.\n\nThe following values are supported:\n - \"produce\": Allow producing to the topics specified in the rule\n - \"consume\": Allow consuming from the topics specified in the rule\n\nThis field is incompatible with the APIKey field, i.e APIKey and Role\ncannot both be specified in the same rule.\n\nIf omitted or empty, and if APIKey is not specified, then all keys are\nallowed."
fn spec.egress.toPorts.rules.kafka.withTopic
withTopic(topic)
"Topic is the topic name contained in the message. If a Kafka request\ncontains multiple topics, then all topics must be allowed or the\nmessage will be rejected.\n\nThis constraint is ignored if the matched request message type\ndoesn't contain any topic. Maximum size of Topic can be 249\ncharacters as per recent Kafka spec and allowed characters are\na-z, A-Z, 0-9, -, . and _.\n\nOlder Kafka versions had longer topic lengths of 255, but in Kafka 0.10\nversion the length was changed from 255 to 249. For compatibility\nreasons we are using 255.\n\nIf omitted or empty, all topics are allowed."
obj spec.egress.toPorts.terminatingTLS
"TerminatingTLS is the TLS context for the connection terminated by\nthe L7 proxy. For egress policy this specifies the server-side TLS\nparameters to be applied on the connections originated from the local\nendpoint and terminated by the L7 proxy. For ingress policy this specifies\nthe server-side TLS parameters to be applied on the connections\noriginated from a remote source and terminated by the L7 proxy."
fn spec.egress.toPorts.terminatingTLS.withCertificate
withCertificate(certificate)
"Certificate is the file name or k8s secret item name for the certificate\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\nitem must exist."
fn spec.egress.toPorts.terminatingTLS.withPrivateKey
withPrivateKey(privateKey)
"PrivateKey is the file name or k8s secret item name for the private key\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\nexists. If given, the item must exist."
fn spec.egress.toPorts.terminatingTLS.withTrustedCA
withTrustedCA(trustedCA)
"TrustedCA is the file name or k8s secret item name for the trusted CA.\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\nexist."
obj spec.egress.toPorts.terminatingTLS.secret
"Secret is the secret that contains the certificates and private key for\nthe TLS context.\nBy default, Cilium will search in this secret for the following items:\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\n - 'tls.crt' - Which represents the public key certificate.\n - 'tls.key' - Which represents the private key matching the public key\n certificate."
fn spec.egress.toPorts.terminatingTLS.secret.withName
withName(name)
"Name is the name of the secret."
fn spec.egress.toPorts.terminatingTLS.secret.withNamespace
withNamespace(namespace)
"Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\")."
obj spec.egress.toRequires
"ToRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be able to connect to other\nendpoints. These additional constraints do no by itself grant access\nprivileges and must always be accompanied with at least one matching\nToEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires any endpoint to which it\ncommunicates to also carry the label \"team=A\"."
fn spec.egress.toRequires.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egress.toRequires.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.egress.toRequires.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.egress.toRequires.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.egress.toRequires.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egress.toRequires.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.egress.toRequires.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.egress.toRequires.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.egress.toRequires.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj spec.egress.toServices
"ToServices is a list of services to which the endpoint subject\nto the rule is allowed to initiate connections.\nCurrently Cilium only supports toServices for K8s services."
obj spec.egress.toServices.k8sService
"K8sService selects service by name and namespace pair"
fn spec.egress.toServices.k8sService.withNamespace
withNamespace(namespace)
fn spec.egress.toServices.k8sService.withServiceName
withServiceName(serviceName)
obj spec.egress.toServices.k8sServiceSelector
"K8sServiceSelector selects services by k8s labels and namespace"
fn spec.egress.toServices.k8sServiceSelector.withNamespace
withNamespace(namespace)
obj spec.egress.toServices.k8sServiceSelector.selector
"ServiceSelector is a label selector for k8s services"
fn spec.egress.toServices.k8sServiceSelector.selector.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egress.toServices.k8sServiceSelector.selector.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.egress.toServices.k8sServiceSelector.selector.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.egress.toServices.k8sServiceSelector.selector.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.egress.toServices.k8sServiceSelector.selector.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egress.toServices.k8sServiceSelector.selector.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.egress.toServices.k8sServiceSelector.selector.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.egress.toServices.k8sServiceSelector.selector.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.egress.toServices.k8sServiceSelector.selector.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj spec.egressDeny
"EgressDeny is a list of EgressDenyRule which are enforced at egress.\nAny rule inserted here will be denied regardless of the allowed egress\nrules in the 'egress' field.\nIf omitted or empty, this rule does not apply at egress."
fn spec.egressDeny.withIcmps
withIcmps(icmps)
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is not allowed to connect to.\n\nExample:\nAny endpoint with the label \"app=httpd\" is not allowed to initiate\ntype 8 ICMP connections."
fn spec.egressDeny.withIcmpsMixin
withIcmpsMixin(icmps)
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is not allowed to connect to.\n\nExample:\nAny endpoint with the label \"app=httpd\" is not allowed to initiate\ntype 8 ICMP connections."
Note: This function appends passed data to existing values
fn spec.egressDeny.withToCIDR
withToCIDR(toCIDR)
"ToCIDR is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections. Only connections destined for\noutside of the cluster and not targeting the host will be subject\nto CIDR rules. This will match on the destination IP address of\noutgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet\nwith no ExcludeCIDRs is equivalent. Overlaps are allowed between\nToCIDR and ToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24"
fn spec.egressDeny.withToCIDRMixin
withToCIDRMixin(toCIDR)
"ToCIDR is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections. Only connections destined for\noutside of the cluster and not targeting the host will be subject\nto CIDR rules. This will match on the destination IP address of\noutgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet\nwith no ExcludeCIDRs is equivalent. Overlaps are allowed between\nToCIDR and ToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24"
Note: This function appends passed data to existing values
fn spec.egressDeny.withToCIDRSet
withToCIDRSet(toCIDRSet)
"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections to in addition to connections\nwhich are allowed via ToEndpoints, along with a list of subnets contained\nwithin their corresponding IP block to which traffic should not be\nallowed. This will match on the destination IP address of outgoing\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\nToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."
fn spec.egressDeny.withToCIDRSetMixin
withToCIDRSetMixin(toCIDRSet)
"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections to in addition to connections\nwhich are allowed via ToEndpoints, along with a list of subnets contained\nwithin their corresponding IP block to which traffic should not be\nallowed. This will match on the destination IP address of outgoing\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\nToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."
Note: This function appends passed data to existing values
fn spec.egressDeny.withToEndpoints
withToEndpoints(toEndpoints)
"ToEndpoints is a list of endpoints identified by an EndpointSelector to\nwhich the endpoints subject to the rule are allowed to communicate.\n\nExample:\nAny endpoint with the label \"role=frontend\" can communicate with any\nendpoint carrying the label \"role=backend\"."
fn spec.egressDeny.withToEndpointsMixin
withToEndpointsMixin(toEndpoints)
"ToEndpoints is a list of endpoints identified by an EndpointSelector to\nwhich the endpoints subject to the rule are allowed to communicate.\n\nExample:\nAny endpoint with the label \"role=frontend\" can communicate with any\nendpoint carrying the label \"role=backend\"."
Note: This function appends passed data to existing values
fn spec.egressDeny.withToEntities
withToEntities(toEntities)
"ToEntities is a list of special entities to which the endpoint subject\nto the rule is allowed to initiate connections. Supported entities are\nworld, cluster,host,remote-node,kube-apiserver, init,\nhealth,unmanaged and all."
fn spec.egressDeny.withToEntitiesMixin
withToEntitiesMixin(toEntities)
"ToEntities is a list of special entities to which the endpoint subject\nto the rule is allowed to initiate connections. Supported entities are\nworld, cluster,host,remote-node,kube-apiserver, init,\nhealth,unmanaged and all."
Note: This function appends passed data to existing values
fn spec.egressDeny.withToGroups
withToGroups(toGroups)
"ToGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\ntoGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
fn spec.egressDeny.withToGroupsMixin
withToGroupsMixin(toGroups)
"ToGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\ntoGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
Note: This function appends passed data to existing values
fn spec.egressDeny.withToNodes
withToNodes(toNodes)
"ToNodes is a list of nodes identified by an\nEndpointSelector to which endpoints subject to the rule is allowed to communicate."
fn spec.egressDeny.withToNodesMixin
withToNodesMixin(toNodes)
"ToNodes is a list of nodes identified by an\nEndpointSelector to which endpoints subject to the rule is allowed to communicate."
Note: This function appends passed data to existing values
fn spec.egressDeny.withToPorts
withToPorts(toPorts)
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is not allowed to connect\nto.\n\nExample:\nAny endpoint with the label \"role=frontend\" is not allowed to initiate\nconnections to destination port 8080/tcp"
fn spec.egressDeny.withToPortsMixin
withToPortsMixin(toPorts)
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is not allowed to connect\nto.\n\nExample:\nAny endpoint with the label \"role=frontend\" is not allowed to initiate\nconnections to destination port 8080/tcp"
Note: This function appends passed data to existing values
fn spec.egressDeny.withToRequires
withToRequires(toRequires)
"ToRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be able to connect to other\nendpoints. These additional constraints do no by itself grant access\nprivileges and must always be accompanied with at least one matching\nToEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires any endpoint to which it\ncommunicates to also carry the label \"team=A\"."
fn spec.egressDeny.withToRequiresMixin
withToRequiresMixin(toRequires)
"ToRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be able to connect to other\nendpoints. These additional constraints do no by itself grant access\nprivileges and must always be accompanied with at least one matching\nToEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires any endpoint to which it\ncommunicates to also carry the label \"team=A\"."
Note: This function appends passed data to existing values
fn spec.egressDeny.withToServices
withToServices(toServices)
"ToServices is a list of services to which the endpoint subject\nto the rule is allowed to initiate connections.\nCurrently Cilium only supports toServices for K8s services."
fn spec.egressDeny.withToServicesMixin
withToServicesMixin(toServices)
"ToServices is a list of services to which the endpoint subject\nto the rule is allowed to initiate connections.\nCurrently Cilium only supports toServices for K8s services."
Note: This function appends passed data to existing values
obj spec.egressDeny.icmps
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is not allowed to connect to.\n\nExample:\nAny endpoint with the label \"app=httpd\" is not allowed to initiate\ntype 8 ICMP connections."
fn spec.egressDeny.icmps.withFields
withFields(fields)
"Fields is a list of ICMP fields."
fn spec.egressDeny.icmps.withFieldsMixin
withFieldsMixin(fields)
"Fields is a list of ICMP fields."
Note: This function appends passed data to existing values
obj spec.egressDeny.icmps.fields
"Fields is a list of ICMP fields."
fn spec.egressDeny.icmps.fields.withFamily
withFamily(family)
"Family is a IP address version.\nCurrently, we support IPv4 and IPv6.\nIPv4 is set as default."
fn spec.egressDeny.icmps.fields.withType
withType(type)
"Type is a ICMP-type.\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \"EchoReply\").\nAllowed ICMP types are:\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\n\t\t\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\n\t\t\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\n\t\t\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply"
obj spec.egressDeny.toCIDRSet
"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections to in addition to connections\nwhich are allowed via ToEndpoints, along with a list of subnets contained\nwithin their corresponding IP block to which traffic should not be\nallowed. This will match on the destination IP address of outgoing\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\nToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."
fn spec.egressDeny.toCIDRSet.withCidr
withCidr(cidr)
"CIDR is a CIDR prefix / IP Block."
fn spec.egressDeny.toCIDRSet.withCidrGroupRef
withCidrGroupRef(cidrGroupRef)
"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\nconnections from."
fn spec.egressDeny.toCIDRSet.withExcept
withExcept(except)
"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules."
fn spec.egressDeny.toCIDRSet.withExceptMixin
withExceptMixin(except)
"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules."
Note: This function appends passed data to existing values
obj spec.egressDeny.toCIDRSet.cidrGroupSelector
"CIDRGroupSelector selects CiliumCIDRGroups by their labels,\nrather than by name."
fn spec.egressDeny.toCIDRSet.cidrGroupSelector.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egressDeny.toCIDRSet.cidrGroupSelector.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.egressDeny.toCIDRSet.cidrGroupSelector.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.egressDeny.toCIDRSet.cidrGroupSelector.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.egressDeny.toCIDRSet.cidrGroupSelector.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egressDeny.toCIDRSet.cidrGroupSelector.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.egressDeny.toCIDRSet.cidrGroupSelector.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.egressDeny.toCIDRSet.cidrGroupSelector.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.egressDeny.toCIDRSet.cidrGroupSelector.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj spec.egressDeny.toEndpoints
"ToEndpoints is a list of endpoints identified by an EndpointSelector to\nwhich the endpoints subject to the rule are allowed to communicate.\n\nExample:\nAny endpoint with the label \"role=frontend\" can communicate with any\nendpoint carrying the label \"role=backend\"."
fn spec.egressDeny.toEndpoints.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egressDeny.toEndpoints.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.egressDeny.toEndpoints.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.egressDeny.toEndpoints.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.egressDeny.toEndpoints.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egressDeny.toEndpoints.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.egressDeny.toEndpoints.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.egressDeny.toEndpoints.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.egressDeny.toEndpoints.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj spec.egressDeny.toGroups
"ToGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\ntoGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
obj spec.egressDeny.toGroups.aws
"AWSGroup is an structure that can be used to whitelisting information from AWS integration"
fn spec.egressDeny.toGroups.aws.withLabels
withLabels(labels)
fn spec.egressDeny.toGroups.aws.withLabelsMixin
withLabelsMixin(labels)
Note: This function appends passed data to existing values
fn spec.egressDeny.toGroups.aws.withRegion
withRegion(region)
fn spec.egressDeny.toGroups.aws.withSecurityGroupsIds
withSecurityGroupsIds(securityGroupsIds)
fn spec.egressDeny.toGroups.aws.withSecurityGroupsIdsMixin
withSecurityGroupsIdsMixin(securityGroupsIds)
Note: This function appends passed data to existing values
fn spec.egressDeny.toGroups.aws.withSecurityGroupsNames
withSecurityGroupsNames(securityGroupsNames)
fn spec.egressDeny.toGroups.aws.withSecurityGroupsNamesMixin
withSecurityGroupsNamesMixin(securityGroupsNames)
Note: This function appends passed data to existing values
obj spec.egressDeny.toNodes
"ToNodes is a list of nodes identified by an\nEndpointSelector to which endpoints subject to the rule is allowed to communicate."
fn spec.egressDeny.toNodes.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egressDeny.toNodes.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.egressDeny.toNodes.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.egressDeny.toNodes.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.egressDeny.toNodes.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egressDeny.toNodes.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.egressDeny.toNodes.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.egressDeny.toNodes.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.egressDeny.toNodes.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj spec.egressDeny.toPorts
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is not allowed to connect\nto.\n\nExample:\nAny endpoint with the label \"role=frontend\" is not allowed to initiate\nconnections to destination port 8080/tcp"
fn spec.egressDeny.toPorts.withPorts
withPorts(ports)
"Ports is a list of L4 port/protocol"
fn spec.egressDeny.toPorts.withPortsMixin
withPortsMixin(ports)
"Ports is a list of L4 port/protocol"
Note: This function appends passed data to existing values
obj spec.egressDeny.toPorts.ports
"Ports is a list of L4 port/protocol"
fn spec.egressDeny.toPorts.ports.withEndPort
withEndPort(endPort)
"EndPort can only be an L4 port number."
fn spec.egressDeny.toPorts.ports.withPort
withPort(port)
"Port can be an L4 port number, or a name in the form of \"http\"\nor \"http-8080\"."
fn spec.egressDeny.toPorts.ports.withProtocol
withProtocol(protocol)
"Protocol is the L4 protocol. If omitted or empty, any protocol\nmatches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\"\n\nMatching on ICMP is not supported.\n\nNamed port specified for a container may narrow this down, but may not\ncontradict this."
obj spec.egressDeny.toRequires
"ToRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be able to connect to other\nendpoints. These additional constraints do no by itself grant access\nprivileges and must always be accompanied with at least one matching\nToEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires any endpoint to which it\ncommunicates to also carry the label \"team=A\"."
fn spec.egressDeny.toRequires.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egressDeny.toRequires.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.egressDeny.toRequires.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.egressDeny.toRequires.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.egressDeny.toRequires.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egressDeny.toRequires.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.egressDeny.toRequires.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.egressDeny.toRequires.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.egressDeny.toRequires.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj spec.egressDeny.toServices
"ToServices is a list of services to which the endpoint subject\nto the rule is allowed to initiate connections.\nCurrently Cilium only supports toServices for K8s services."
obj spec.egressDeny.toServices.k8sService
"K8sService selects service by name and namespace pair"
fn spec.egressDeny.toServices.k8sService.withNamespace
withNamespace(namespace)
fn spec.egressDeny.toServices.k8sService.withServiceName
withServiceName(serviceName)
obj spec.egressDeny.toServices.k8sServiceSelector
"K8sServiceSelector selects services by k8s labels and namespace"
fn spec.egressDeny.toServices.k8sServiceSelector.withNamespace
withNamespace(namespace)
obj spec.egressDeny.toServices.k8sServiceSelector.selector
"ServiceSelector is a label selector for k8s services"
fn spec.egressDeny.toServices.k8sServiceSelector.selector.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egressDeny.toServices.k8sServiceSelector.selector.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.egressDeny.toServices.k8sServiceSelector.selector.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.egressDeny.toServices.k8sServiceSelector.selector.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj spec.enableDefaultDeny
"EnableDefaultDeny determines whether this policy configures the\nsubject endpoint(s) to have a default deny mode. If enabled,\nthis causes all traffic not explicitly allowed by a network policy\nto be dropped.\n\nIf not specified, the default is true for each traffic direction\nthat has rules, and false otherwise. For example, if a policy\nonly has Ingress or IngressDeny rules, then the default for\ningress is true and egress is false.\n\nIf multiple policies apply to an endpoint, that endpoint's default deny\nwill be enabled if any policy requests it.\n\nThis is useful for creating broad-based network policies that will not\ncause endpoints to enter default-deny mode."
fn spec.enableDefaultDeny.withEgress
withEgress(egress)
"Whether or not the endpoint should have a default-deny rule applied\nto egress traffic."
fn spec.enableDefaultDeny.withIngress
withIngress(ingress)
"Whether or not the endpoint should have a default-deny rule applied\nto ingress traffic."
obj spec.endpointSelector
"EndpointSelector selects all endpoints which should be subject to\nthis rule. EndpointSelector and NodeSelector cannot be both empty and\nare mutually exclusive."
fn spec.endpointSelector.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.endpointSelector.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.endpointSelector.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.endpointSelector.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.endpointSelector.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.endpointSelector.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.endpointSelector.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.endpointSelector.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.endpointSelector.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj spec.ingress
"Ingress is a list of IngressRule which are enforced at ingress.\nIf omitted or empty, this rule does not apply at ingress."
fn spec.ingress.withFromCIDR
withFromCIDR(fromCIDR)
"FromCIDR is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from. Only connections which\ndo not originate from the cluster or from the local host are subject\nto CIDR rules. In order to allow in-cluster connectivity, use the\nFromEndpoints field. This will match on the source IP address of\nincoming connections. Adding a prefix into FromCIDR or into\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\nallowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.3.9.1"
fn spec.ingress.withFromCIDRMixin
withFromCIDRMixin(fromCIDR)
"FromCIDR is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from. Only connections which\ndo not originate from the cluster or from the local host are subject\nto CIDR rules. In order to allow in-cluster connectivity, use the\nFromEndpoints field. This will match on the source IP address of\nincoming connections. Adding a prefix into FromCIDR or into\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\nallowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.3.9.1"
Note: This function appends passed data to existing values
fn spec.ingress.withFromCIDRSet
withFromCIDRSet(fromCIDRSet)
"FromCIDRSet is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from in addition to FromEndpoints,\nalong with a list of subnets contained within their corresponding IP block\nfrom which traffic should not be allowed.\nThis will match on the source IP address of incoming connections. Adding\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."
fn spec.ingress.withFromCIDRSetMixin
withFromCIDRSetMixin(fromCIDRSet)
"FromCIDRSet is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from in addition to FromEndpoints,\nalong with a list of subnets contained within their corresponding IP block\nfrom which traffic should not be allowed.\nThis will match on the source IP address of incoming connections. Adding\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."
Note: This function appends passed data to existing values
fn spec.ingress.withFromEndpoints
withFromEndpoints(fromEndpoints)
"FromEndpoints is a list of endpoints identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.\n\nExample:\nAny endpoint with the label \"role=backend\" can be consumed by any\nendpoint carrying the label \"role=frontend\"."
fn spec.ingress.withFromEndpointsMixin
withFromEndpointsMixin(fromEndpoints)
"FromEndpoints is a list of endpoints identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.\n\nExample:\nAny endpoint with the label \"role=backend\" can be consumed by any\nendpoint carrying the label \"role=frontend\"."
Note: This function appends passed data to existing values
fn spec.ingress.withFromEntities
withFromEntities(fromEntities)
"FromEntities is a list of special entities which the endpoint subject\nto the rule is allowed to receive connections from. Supported entities are\nworld, cluster and host"
fn spec.ingress.withFromEntitiesMixin
withFromEntitiesMixin(fromEntities)
"FromEntities is a list of special entities which the endpoint subject\nto the rule is allowed to receive connections from. Supported entities are\nworld, cluster and host"
Note: This function appends passed data to existing values
fn spec.ingress.withFromGroups
withFromGroups(fromGroups)
"FromGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\nFromGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
fn spec.ingress.withFromGroupsMixin
withFromGroupsMixin(fromGroups)
"FromGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\nFromGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
Note: This function appends passed data to existing values
fn spec.ingress.withFromNodes
withFromNodes(fromNodes)
"FromNodes is a list of nodes identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule."
fn spec.ingress.withFromNodesMixin
withFromNodesMixin(fromNodes)
"FromNodes is a list of nodes identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule."
Note: This function appends passed data to existing values
fn spec.ingress.withFromRequires
withFromRequires(fromRequires)
"FromRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be reachable. These\nadditional constraints do no by itself grant access privileges and\nmust always be accompanied with at least one matching FromEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires consuming endpoint\nto also carry the label \"team=A\"."
fn spec.ingress.withFromRequiresMixin
withFromRequiresMixin(fromRequires)
"FromRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be reachable. These\nadditional constraints do no by itself grant access privileges and\nmust always be accompanied with at least one matching FromEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires consuming endpoint\nto also carry the label \"team=A\"."
Note: This function appends passed data to existing values
fn spec.ingress.withIcmps
withIcmps(icmps)
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can only accept incoming\ntype 8 ICMP connections."
fn spec.ingress.withIcmpsMixin
withIcmpsMixin(icmps)
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can only accept incoming\ntype 8 ICMP connections."
Note: This function appends passed data to existing values
fn spec.ingress.withToPorts
withToPorts(toPorts)
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can only accept incoming\nconnections on port 80/tcp."
fn spec.ingress.withToPortsMixin
withToPortsMixin(toPorts)
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can only accept incoming\nconnections on port 80/tcp."
Note: This function appends passed data to existing values
obj spec.ingress.authentication
"Authentication is the required authentication type for the allowed traffic, if any."
fn spec.ingress.authentication.withMode
withMode(mode)
"Mode is the required authentication mode for the allowed traffic, if any."
obj spec.ingress.fromCIDRSet
"FromCIDRSet is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from in addition to FromEndpoints,\nalong with a list of subnets contained within their corresponding IP block\nfrom which traffic should not be allowed.\nThis will match on the source IP address of incoming connections. Adding\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."
fn spec.ingress.fromCIDRSet.withCidr
withCidr(cidr)
"CIDR is a CIDR prefix / IP Block."
fn spec.ingress.fromCIDRSet.withCidrGroupRef
withCidrGroupRef(cidrGroupRef)
"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\nconnections from."
fn spec.ingress.fromCIDRSet.withExcept
withExcept(except)
"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules."
fn spec.ingress.fromCIDRSet.withExceptMixin
withExceptMixin(except)
"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules."
Note: This function appends passed data to existing values
obj spec.ingress.fromCIDRSet.cidrGroupSelector
"CIDRGroupSelector selects CiliumCIDRGroups by their labels,\nrather than by name."
fn spec.ingress.fromCIDRSet.cidrGroupSelector.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.ingress.fromCIDRSet.cidrGroupSelector.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.ingress.fromCIDRSet.cidrGroupSelector.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.ingress.fromCIDRSet.cidrGroupSelector.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.ingress.fromCIDRSet.cidrGroupSelector.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.ingress.fromCIDRSet.cidrGroupSelector.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.ingress.fromCIDRSet.cidrGroupSelector.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.ingress.fromCIDRSet.cidrGroupSelector.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.ingress.fromCIDRSet.cidrGroupSelector.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj spec.ingress.fromEndpoints
"FromEndpoints is a list of endpoints identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.\n\nExample:\nAny endpoint with the label \"role=backend\" can be consumed by any\nendpoint carrying the label \"role=frontend\"."
fn spec.ingress.fromEndpoints.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.ingress.fromEndpoints.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.ingress.fromEndpoints.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.ingress.fromEndpoints.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.ingress.fromEndpoints.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.ingress.fromEndpoints.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.ingress.fromEndpoints.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.ingress.fromEndpoints.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.ingress.fromEndpoints.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj spec.ingress.fromGroups
"FromGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\nFromGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
obj spec.ingress.fromGroups.aws
"AWSGroup is an structure that can be used to whitelisting information from AWS integration"
fn spec.ingress.fromGroups.aws.withLabels
withLabels(labels)
fn spec.ingress.fromGroups.aws.withLabelsMixin
withLabelsMixin(labels)
Note: This function appends passed data to existing values
fn spec.ingress.fromGroups.aws.withRegion
withRegion(region)
fn spec.ingress.fromGroups.aws.withSecurityGroupsIds
withSecurityGroupsIds(securityGroupsIds)
fn spec.ingress.fromGroups.aws.withSecurityGroupsIdsMixin
withSecurityGroupsIdsMixin(securityGroupsIds)
Note: This function appends passed data to existing values
fn spec.ingress.fromGroups.aws.withSecurityGroupsNames
withSecurityGroupsNames(securityGroupsNames)
fn spec.ingress.fromGroups.aws.withSecurityGroupsNamesMixin
withSecurityGroupsNamesMixin(securityGroupsNames)
Note: This function appends passed data to existing values
obj spec.ingress.fromNodes
"FromNodes is a list of nodes identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule."
fn spec.ingress.fromNodes.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.ingress.fromNodes.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.ingress.fromNodes.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.ingress.fromNodes.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.ingress.fromNodes.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.ingress.fromNodes.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.ingress.fromNodes.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.ingress.fromNodes.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.ingress.fromNodes.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj spec.ingress.fromRequires
"FromRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be reachable. These\nadditional constraints do no by itself grant access privileges and\nmust always be accompanied with at least one matching FromEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires consuming endpoint\nto also carry the label \"team=A\"."
fn spec.ingress.fromRequires.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.ingress.fromRequires.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.ingress.fromRequires.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.ingress.fromRequires.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.ingress.fromRequires.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.ingress.fromRequires.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.ingress.fromRequires.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.ingress.fromRequires.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.ingress.fromRequires.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj spec.ingress.icmps
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can only accept incoming\ntype 8 ICMP connections."
fn spec.ingress.icmps.withFields
withFields(fields)
"Fields is a list of ICMP fields."
fn spec.ingress.icmps.withFieldsMixin
withFieldsMixin(fields)
"Fields is a list of ICMP fields."
Note: This function appends passed data to existing values
obj spec.ingress.icmps.fields
"Fields is a list of ICMP fields."
fn spec.ingress.icmps.fields.withFamily
withFamily(family)
"Family is a IP address version.\nCurrently, we support IPv4 and IPv6.\nIPv4 is set as default."
fn spec.ingress.icmps.fields.withType
withType(type)
"Type is a ICMP-type.\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \"EchoReply\").\nAllowed ICMP types are:\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\n\t\t\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\n\t\t\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\n\t\t\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply"
obj spec.ingress.toPorts
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can only accept incoming\nconnections on port 80/tcp."
fn spec.ingress.toPorts.withPorts
withPorts(ports)
"Ports is a list of L4 port/protocol"
fn spec.ingress.toPorts.withPortsMixin
withPortsMixin(ports)
"Ports is a list of L4 port/protocol"
Note: This function appends passed data to existing values
fn spec.ingress.toPorts.withServerNames
withServerNames(serverNames)
"ServerNames is a list of allowed TLS SNI values. If not empty, then\nTLS must be present and one of the provided SNIs must be indicated in the\nTLS handshake."
fn spec.ingress.toPorts.withServerNamesMixin
withServerNamesMixin(serverNames)
"ServerNames is a list of allowed TLS SNI values. If not empty, then\nTLS must be present and one of the provided SNIs must be indicated in the\nTLS handshake."
Note: This function appends passed data to existing values
obj spec.ingress.toPorts.listener
"listener specifies the name of a custom Envoy listener to which this traffic should be\nredirected to."
fn spec.ingress.toPorts.listener.withName
withName(name)
"Name is the name of the listener."
fn spec.ingress.toPorts.listener.withPriority
withPriority(priority)
"Priority for this Listener that is used when multiple rules would apply different\nlisteners to a policy map entry. Behavior of this is implementation dependent."
obj spec.ingress.toPorts.listener.envoyConfig
"EnvoyConfig is a reference to the CEC or CCEC resource in which\nthe listener is defined."
fn spec.ingress.toPorts.listener.envoyConfig.withKind
withKind(kind)
"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or\nCiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy,\nrespectively. The only case this is currently explicitly needed is when referring to a\nCiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener\nfrom a cluster scoped policy is not allowed."
fn spec.ingress.toPorts.listener.envoyConfig.withName
withName(name)
"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where\nthe listener is defined in."
obj spec.ingress.toPorts.originatingTLS
"OriginatingTLS is the TLS context for the connections originated by\nthe L7 proxy. For egress policy this specifies the client-side TLS\nparameters for the upstream connection originating from the L7 proxy\nto the remote destination. For ingress policy this specifies the\nclient-side TLS parameters for the connection from the L7 proxy to\nthe local endpoint."
fn spec.ingress.toPorts.originatingTLS.withCertificate
withCertificate(certificate)
"Certificate is the file name or k8s secret item name for the certificate\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\nitem must exist."
fn spec.ingress.toPorts.originatingTLS.withPrivateKey
withPrivateKey(privateKey)
"PrivateKey is the file name or k8s secret item name for the private key\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\nexists. If given, the item must exist."
fn spec.ingress.toPorts.originatingTLS.withTrustedCA
withTrustedCA(trustedCA)
"TrustedCA is the file name or k8s secret item name for the trusted CA.\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\nexist."
obj spec.ingress.toPorts.originatingTLS.secret
"Secret is the secret that contains the certificates and private key for\nthe TLS context.\nBy default, Cilium will search in this secret for the following items:\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\n - 'tls.crt' - Which represents the public key certificate.\n - 'tls.key' - Which represents the private key matching the public key\n certificate."
fn spec.ingress.toPorts.originatingTLS.secret.withName
withName(name)
"Name is the name of the secret."
fn spec.ingress.toPorts.originatingTLS.secret.withNamespace
withNamespace(namespace)
"Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\")."
obj spec.ingress.toPorts.ports
"Ports is a list of L4 port/protocol"
fn spec.ingress.toPorts.ports.withEndPort
withEndPort(endPort)
"EndPort can only be an L4 port number."
fn spec.ingress.toPorts.ports.withPort
withPort(port)
"Port can be an L4 port number, or a name in the form of \"http\"\nor \"http-8080\"."
fn spec.ingress.toPorts.ports.withProtocol
withProtocol(protocol)
"Protocol is the L4 protocol. If omitted or empty, any protocol\nmatches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\"\n\nMatching on ICMP is not supported.\n\nNamed port specified for a container may narrow this down, but may not\ncontradict this."
obj spec.ingress.toPorts.rules
"Rules is a list of additional port level rules which must be met in\norder for the PortRule to allow the traffic. If omitted or empty,\nno layer 7 rules are enforced."
fn spec.ingress.toPorts.rules.withDns
withDns(dns)
"DNS-specific rules."
fn spec.ingress.toPorts.rules.withDnsMixin
withDnsMixin(dns)
"DNS-specific rules."
Note: This function appends passed data to existing values
fn spec.ingress.toPorts.rules.withHttp
withHttp(http)
"HTTP specific rules."
fn spec.ingress.toPorts.rules.withHttpMixin
withHttpMixin(http)
"HTTP specific rules."
Note: This function appends passed data to existing values
fn spec.ingress.toPorts.rules.withKafka
withKafka(kafka)
"Kafka-specific rules."
fn spec.ingress.toPorts.rules.withKafkaMixin
withKafkaMixin(kafka)
"Kafka-specific rules."
Note: This function appends passed data to existing values
fn spec.ingress.toPorts.rules.withL7
withL7(l7)
"Key-value pair rules."
fn spec.ingress.toPorts.rules.withL7Mixin
withL7Mixin(l7)
"Key-value pair rules."
Note: This function appends passed data to existing values
fn spec.ingress.toPorts.rules.withL7proto
withL7proto(l7proto)
"Name of the L7 protocol for which the Key-value pair rules apply."
obj spec.ingress.toPorts.rules.dns
"DNS-specific rules."
fn spec.ingress.toPorts.rules.dns.withMatchName
withMatchName(matchName)
"MatchName matches literal DNS names. A trailing \".\" is automatically added\nwhen missing."
fn spec.ingress.toPorts.rules.dns.withMatchPattern
withMatchPattern(matchPattern)
"MatchPattern allows using wildcards to match DNS names. All wildcards are\ncase insensitive. The wildcards are:\n- \"\" matches 0 or more DNS valid characters, and may occur anywhere in\nthe pattern. As a special case a \"\" as the leftmost character, without a\nfollowing \".\" matches all subdomains as well as the name to the right.\nA trailing \".\" is automatically added when missing.\n\nExamples:\n*.cilium.io matches subomains of cilium at that level\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\n*cilium.io matches cilium.io and all subdomains ends with \"cilium.io\"\n except those containing \".\" separator, subcilium.io and sub-cilium.io match,\n www.cilium.io and blog.cilium.io does not\nsub*.cilium.io matches subdomains of cilium where the subdomain component\nbegins with \"sub\"\n sub.cilium.io and subdomain.cilium.io match, www.cilium.io,\n blog.cilium.io, cilium.io and google.com do not"
obj spec.ingress.toPorts.rules.http
"HTTP specific rules."
fn spec.ingress.toPorts.rules.http.withHeaderMatches
withHeaderMatches(headerMatches)
"HeaderMatches is a list of HTTP headers which must be\npresent and match against the given values. Mismatch field can be used\nto specify what to do when there is no match."
fn spec.ingress.toPorts.rules.http.withHeaderMatchesMixin
withHeaderMatchesMixin(headerMatches)
"HeaderMatches is a list of HTTP headers which must be\npresent and match against the given values. Mismatch field can be used\nto specify what to do when there is no match."
Note: This function appends passed data to existing values
fn spec.ingress.toPorts.rules.http.withHeaders
withHeaders(headers)
"Headers is a list of HTTP headers which must be present in the\nrequest. If omitted or empty, requests are allowed regardless of\nheaders present."
fn spec.ingress.toPorts.rules.http.withHeadersMixin
withHeadersMixin(headers)
"Headers is a list of HTTP headers which must be present in the\nrequest. If omitted or empty, requests are allowed regardless of\nheaders present."
Note: This function appends passed data to existing values
fn spec.ingress.toPorts.rules.http.withHost
withHost(host)
"Host is an extended POSIX regex matched against the host header of a\nrequest. Examples:\n\n- foo.bar.com will match the host fooXbar.com or foo-bar.com\n- foo\.bar\.com will only match the host foo.bar.com\n\nIf omitted or empty, the value of the host header is ignored."
fn spec.ingress.toPorts.rules.http.withMethod
withMethod(method)
"Method is an extended POSIX regex matched against the method of a\nrequest, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ...\n\nIf omitted or empty, all methods are allowed."
fn spec.ingress.toPorts.rules.http.withPath
withPath(path)
"Path is an extended POSIX regex matched against the path of a\nrequest. Currently it can contain characters disallowed from the\nconventional \"path\" part of a URL as defined by RFC 3986.\n\nIf omitted or empty, all paths are all allowed."
obj spec.ingress.toPorts.rules.http.headerMatches
"HeaderMatches is a list of HTTP headers which must be\npresent and match against the given values. Mismatch field can be used\nto specify what to do when there is no match."
fn spec.ingress.toPorts.rules.http.headerMatches.withMismatch
withMismatch(mismatch)
"Mismatch identifies what to do in case there is no match. The default is\nto drop the request. Otherwise the overall rule is still considered as\nmatching, but the mismatches are logged in the access log."
fn spec.ingress.toPorts.rules.http.headerMatches.withName
withName(name)
"Name identifies the header."
fn spec.ingress.toPorts.rules.http.headerMatches.withValue
withValue(value)
"Value matches the exact value of the header. Can be specified either\nalone or together with \"Secret\"; will be used as the header value if the\nsecret can not be found in the latter case."
obj spec.ingress.toPorts.rules.http.headerMatches.secret
"Secret refers to a secret that contains the value to be matched against.\nThe secret must only contain one entry. If the referred secret does not\nexist, and there is no \"Value\" specified, the match will fail."
fn spec.ingress.toPorts.rules.http.headerMatches.secret.withName
withName(name)
"Name is the name of the secret."
fn spec.ingress.toPorts.rules.http.headerMatches.secret.withNamespace
withNamespace(namespace)
"Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\")."
obj spec.ingress.toPorts.rules.kafka
"Kafka-specific rules."
fn spec.ingress.toPorts.rules.kafka.withApiKey
withApiKey(apiKey)
"APIKey is a case-insensitive string matched against the key of a\nrequest, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", et al\nReference: https://kafka.apache.org/protocol#protocol_api_keys\n\nIf omitted or empty, and if Role is not specified, then all keys are allowed."
fn spec.ingress.toPorts.rules.kafka.withApiVersion
withApiVersion(apiVersion)
"APIVersion is the version matched against the api version of the\nKafka message. If set, it has to be a string representing a positive\ninteger.\n\nIf omitted or empty, all versions are allowed."
fn spec.ingress.toPorts.rules.kafka.withClientID
withClientID(clientID)
"ClientID is the client identifier as provided in the request.\n\nFrom Kafka protocol documentation:\nThis is a user supplied identifier for the client application. The\nuser can use any identifier they like and it will be used when\nlogging errors, monitoring aggregates, etc. For example, one might\nwant to monitor not just the requests per second overall, but the\nnumber coming from each client application (each of which could\nreside on multiple servers). This id acts as a logical grouping\nacross all requests from a particular client.\n\nIf omitted or empty, all client identifiers are allowed."
fn spec.ingress.toPorts.rules.kafka.withRole
withRole(role)
"Role is a case-insensitive string and describes a group of API keys\nnecessary to perform certain higher-level Kafka operations such as \"produce\"\nor \"consume\". A Role automatically expands into all APIKeys required\nto perform the specified higher-level operation.\n\nThe following values are supported:\n - \"produce\": Allow producing to the topics specified in the rule\n - \"consume\": Allow consuming from the topics specified in the rule\n\nThis field is incompatible with the APIKey field, i.e APIKey and Role\ncannot both be specified in the same rule.\n\nIf omitted or empty, and if APIKey is not specified, then all keys are\nallowed."
fn spec.ingress.toPorts.rules.kafka.withTopic
withTopic(topic)
"Topic is the topic name contained in the message. If a Kafka request\ncontains multiple topics, then all topics must be allowed or the\nmessage will be rejected.\n\nThis constraint is ignored if the matched request message type\ndoesn't contain any topic. Maximum size of Topic can be 249\ncharacters as per recent Kafka spec and allowed characters are\na-z, A-Z, 0-9, -, . and _.\n\nOlder Kafka versions had longer topic lengths of 255, but in Kafka 0.10\nversion the length was changed from 255 to 249. For compatibility\nreasons we are using 255.\n\nIf omitted or empty, all topics are allowed."
obj spec.ingress.toPorts.terminatingTLS
"TerminatingTLS is the TLS context for the connection terminated by\nthe L7 proxy. For egress policy this specifies the server-side TLS\nparameters to be applied on the connections originated from the local\nendpoint and terminated by the L7 proxy. For ingress policy this specifies\nthe server-side TLS parameters to be applied on the connections\noriginated from a remote source and terminated by the L7 proxy."
fn spec.ingress.toPorts.terminatingTLS.withCertificate
withCertificate(certificate)
"Certificate is the file name or k8s secret item name for the certificate\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\nitem must exist."
fn spec.ingress.toPorts.terminatingTLS.withPrivateKey
withPrivateKey(privateKey)
"PrivateKey is the file name or k8s secret item name for the private key\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\nexists. If given, the item must exist."
fn spec.ingress.toPorts.terminatingTLS.withTrustedCA
withTrustedCA(trustedCA)
"TrustedCA is the file name or k8s secret item name for the trusted CA.\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\nexist."
obj spec.ingress.toPorts.terminatingTLS.secret
"Secret is the secret that contains the certificates and private key for\nthe TLS context.\nBy default, Cilium will search in this secret for the following items:\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\n - 'tls.crt' - Which represents the public key certificate.\n - 'tls.key' - Which represents the private key matching the public key\n certificate."
fn spec.ingress.toPorts.terminatingTLS.secret.withName
withName(name)
"Name is the name of the secret."
fn spec.ingress.toPorts.terminatingTLS.secret.withNamespace
withNamespace(namespace)
"Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\")."
obj spec.ingressDeny
"IngressDeny is a list of IngressDenyRule which are enforced at ingress.\nAny rule inserted here will be denied regardless of the allowed ingress\nrules in the 'ingress' field.\nIf omitted or empty, this rule does not apply at ingress."
fn spec.ingressDeny.withFromCIDR
withFromCIDR(fromCIDR)
"FromCIDR is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from. Only connections which\ndo not originate from the cluster or from the local host are subject\nto CIDR rules. In order to allow in-cluster connectivity, use the\nFromEndpoints field. This will match on the source IP address of\nincoming connections. Adding a prefix into FromCIDR or into\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\nallowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.3.9.1"
fn spec.ingressDeny.withFromCIDRMixin
withFromCIDRMixin(fromCIDR)
"FromCIDR is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from. Only connections which\ndo not originate from the cluster or from the local host are subject\nto CIDR rules. In order to allow in-cluster connectivity, use the\nFromEndpoints field. This will match on the source IP address of\nincoming connections. Adding a prefix into FromCIDR or into\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\nallowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.3.9.1"
Note: This function appends passed data to existing values
fn spec.ingressDeny.withFromCIDRSet
withFromCIDRSet(fromCIDRSet)
"FromCIDRSet is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from in addition to FromEndpoints,\nalong with a list of subnets contained within their corresponding IP block\nfrom which traffic should not be allowed.\nThis will match on the source IP address of incoming connections. Adding\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."
fn spec.ingressDeny.withFromCIDRSetMixin
withFromCIDRSetMixin(fromCIDRSet)
"FromCIDRSet is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from in addition to FromEndpoints,\nalong with a list of subnets contained within their corresponding IP block\nfrom which traffic should not be allowed.\nThis will match on the source IP address of incoming connections. Adding\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."
Note: This function appends passed data to existing values
fn spec.ingressDeny.withFromEndpoints
withFromEndpoints(fromEndpoints)
"FromEndpoints is a list of endpoints identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.\n\nExample:\nAny endpoint with the label \"role=backend\" can be consumed by any\nendpoint carrying the label \"role=frontend\"."
fn spec.ingressDeny.withFromEndpointsMixin
withFromEndpointsMixin(fromEndpoints)
"FromEndpoints is a list of endpoints identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.\n\nExample:\nAny endpoint with the label \"role=backend\" can be consumed by any\nendpoint carrying the label \"role=frontend\"."
Note: This function appends passed data to existing values
fn spec.ingressDeny.withFromEntities
withFromEntities(fromEntities)
"FromEntities is a list of special entities which the endpoint subject\nto the rule is allowed to receive connections from. Supported entities are\nworld, cluster and host"
fn spec.ingressDeny.withFromEntitiesMixin
withFromEntitiesMixin(fromEntities)
"FromEntities is a list of special entities which the endpoint subject\nto the rule is allowed to receive connections from. Supported entities are\nworld, cluster and host"
Note: This function appends passed data to existing values
fn spec.ingressDeny.withFromGroups
withFromGroups(fromGroups)
"FromGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\nFromGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
fn spec.ingressDeny.withFromGroupsMixin
withFromGroupsMixin(fromGroups)
"FromGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\nFromGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
Note: This function appends passed data to existing values
fn spec.ingressDeny.withFromNodes
withFromNodes(fromNodes)
"FromNodes is a list of nodes identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule."
fn spec.ingressDeny.withFromNodesMixin
withFromNodesMixin(fromNodes)
"FromNodes is a list of nodes identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule."
Note: This function appends passed data to existing values
fn spec.ingressDeny.withFromRequires
withFromRequires(fromRequires)
"FromRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be reachable. These\nadditional constraints do no by itself grant access privileges and\nmust always be accompanied with at least one matching FromEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires consuming endpoint\nto also carry the label \"team=A\"."
fn spec.ingressDeny.withFromRequiresMixin
withFromRequiresMixin(fromRequires)
"FromRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be reachable. These\nadditional constraints do no by itself grant access privileges and\nmust always be accompanied with at least one matching FromEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires consuming endpoint\nto also carry the label \"team=A\"."
Note: This function appends passed data to existing values
fn spec.ingressDeny.withIcmps
withIcmps(icmps)
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is not allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can not accept incoming\ntype 8 ICMP connections."
fn spec.ingressDeny.withIcmpsMixin
withIcmpsMixin(icmps)
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is not allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can not accept incoming\ntype 8 ICMP connections."
Note: This function appends passed data to existing values
fn spec.ingressDeny.withToPorts
withToPorts(toPorts)
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is not allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can not accept incoming\nconnections on port 80/tcp."
fn spec.ingressDeny.withToPortsMixin
withToPortsMixin(toPorts)
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is not allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can not accept incoming\nconnections on port 80/tcp."
Note: This function appends passed data to existing values
obj spec.ingressDeny.fromCIDRSet
"FromCIDRSet is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from in addition to FromEndpoints,\nalong with a list of subnets contained within their corresponding IP block\nfrom which traffic should not be allowed.\nThis will match on the source IP address of incoming connections. Adding\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."
fn spec.ingressDeny.fromCIDRSet.withCidr
withCidr(cidr)
"CIDR is a CIDR prefix / IP Block."
fn spec.ingressDeny.fromCIDRSet.withCidrGroupRef
withCidrGroupRef(cidrGroupRef)
"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\nconnections from."
fn spec.ingressDeny.fromCIDRSet.withExcept
withExcept(except)
"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules."
fn spec.ingressDeny.fromCIDRSet.withExceptMixin
withExceptMixin(except)
"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules."
Note: This function appends passed data to existing values
obj spec.ingressDeny.fromCIDRSet.cidrGroupSelector
"CIDRGroupSelector selects CiliumCIDRGroups by their labels,\nrather than by name."
fn spec.ingressDeny.fromCIDRSet.cidrGroupSelector.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.ingressDeny.fromCIDRSet.cidrGroupSelector.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.ingressDeny.fromCIDRSet.cidrGroupSelector.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.ingressDeny.fromCIDRSet.cidrGroupSelector.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.ingressDeny.fromCIDRSet.cidrGroupSelector.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.ingressDeny.fromCIDRSet.cidrGroupSelector.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.ingressDeny.fromCIDRSet.cidrGroupSelector.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.ingressDeny.fromCIDRSet.cidrGroupSelector.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.ingressDeny.fromCIDRSet.cidrGroupSelector.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj spec.ingressDeny.fromEndpoints
"FromEndpoints is a list of endpoints identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.\n\nExample:\nAny endpoint with the label \"role=backend\" can be consumed by any\nendpoint carrying the label \"role=frontend\"."
fn spec.ingressDeny.fromEndpoints.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.ingressDeny.fromEndpoints.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.ingressDeny.fromEndpoints.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.ingressDeny.fromEndpoints.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.ingressDeny.fromEndpoints.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.ingressDeny.fromEndpoints.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.ingressDeny.fromEndpoints.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.ingressDeny.fromEndpoints.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.ingressDeny.fromEndpoints.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj spec.ingressDeny.fromGroups
"FromGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\nFromGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
obj spec.ingressDeny.fromGroups.aws
"AWSGroup is an structure that can be used to whitelisting information from AWS integration"
fn spec.ingressDeny.fromGroups.aws.withLabels
withLabels(labels)
fn spec.ingressDeny.fromGroups.aws.withLabelsMixin
withLabelsMixin(labels)
Note: This function appends passed data to existing values
fn spec.ingressDeny.fromGroups.aws.withRegion
withRegion(region)
fn spec.ingressDeny.fromGroups.aws.withSecurityGroupsIds
withSecurityGroupsIds(securityGroupsIds)
fn spec.ingressDeny.fromGroups.aws.withSecurityGroupsIdsMixin
withSecurityGroupsIdsMixin(securityGroupsIds)
Note: This function appends passed data to existing values
fn spec.ingressDeny.fromGroups.aws.withSecurityGroupsNames
withSecurityGroupsNames(securityGroupsNames)
fn spec.ingressDeny.fromGroups.aws.withSecurityGroupsNamesMixin
withSecurityGroupsNamesMixin(securityGroupsNames)
Note: This function appends passed data to existing values
obj spec.ingressDeny.fromNodes
"FromNodes is a list of nodes identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule."
fn spec.ingressDeny.fromNodes.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.ingressDeny.fromNodes.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.ingressDeny.fromNodes.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.ingressDeny.fromNodes.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.ingressDeny.fromNodes.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.ingressDeny.fromNodes.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.ingressDeny.fromNodes.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.ingressDeny.fromNodes.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.ingressDeny.fromNodes.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj spec.ingressDeny.fromRequires
"FromRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be reachable. These\nadditional constraints do no by itself grant access privileges and\nmust always be accompanied with at least one matching FromEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires consuming endpoint\nto also carry the label \"team=A\"."
fn spec.ingressDeny.fromRequires.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.ingressDeny.fromRequires.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.ingressDeny.fromRequires.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.ingressDeny.fromRequires.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.ingressDeny.fromRequires.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.ingressDeny.fromRequires.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.ingressDeny.fromRequires.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.ingressDeny.fromRequires.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.ingressDeny.fromRequires.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj spec.ingressDeny.icmps
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is not allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can not accept incoming\ntype 8 ICMP connections."
fn spec.ingressDeny.icmps.withFields
withFields(fields)
"Fields is a list of ICMP fields."
fn spec.ingressDeny.icmps.withFieldsMixin
withFieldsMixin(fields)
"Fields is a list of ICMP fields."
Note: This function appends passed data to existing values
obj spec.ingressDeny.icmps.fields
"Fields is a list of ICMP fields."
fn spec.ingressDeny.icmps.fields.withFamily
withFamily(family)
"Family is a IP address version.\nCurrently, we support IPv4 and IPv6.\nIPv4 is set as default."
fn spec.ingressDeny.icmps.fields.withType
withType(type)
"Type is a ICMP-type.\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \"EchoReply\").\nAllowed ICMP types are:\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\n\t\t\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\n\t\t\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\n\t\t\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply"
obj spec.ingressDeny.toPorts
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is not allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can not accept incoming\nconnections on port 80/tcp."
fn spec.ingressDeny.toPorts.withPorts
withPorts(ports)
"Ports is a list of L4 port/protocol"
fn spec.ingressDeny.toPorts.withPortsMixin
withPortsMixin(ports)
"Ports is a list of L4 port/protocol"
Note: This function appends passed data to existing values
obj spec.ingressDeny.toPorts.ports
"Ports is a list of L4 port/protocol"
fn spec.ingressDeny.toPorts.ports.withEndPort
withEndPort(endPort)
"EndPort can only be an L4 port number."
fn spec.ingressDeny.toPorts.ports.withPort
withPort(port)
"Port can be an L4 port number, or a name in the form of \"http\"\nor \"http-8080\"."
fn spec.ingressDeny.toPorts.ports.withProtocol
withProtocol(protocol)
"Protocol is the L4 protocol. If omitted or empty, any protocol\nmatches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\"\n\nMatching on ICMP is not supported.\n\nNamed port specified for a container may narrow this down, but may not\ncontradict this."
obj spec.labels
"Labels is a list of optional strings which can be used to\nre-identify the rule or to store metadata. It is possible to lookup\nor delete strings based on labels. Labels are not required to be\nunique, multiple rules can have overlapping or identical labels."
fn spec.labels.withKey
withKey(key)
fn spec.labels.withSource
withSource(source)
"Source can be one of the above values (e.g.: LabelSourceContainer)."
fn spec.labels.withValue
withValue(value)
obj spec.nodeSelector
"NodeSelector selects all nodes which should be subject to this rule.\nEndpointSelector and NodeSelector cannot be both empty and are mutually\nexclusive. Can only be used in CiliumClusterwideNetworkPolicies."
fn spec.nodeSelector.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.nodeSelector.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn spec.nodeSelector.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn spec.nodeSelector.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj spec.nodeSelector.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn spec.nodeSelector.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn spec.nodeSelector.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn spec.nodeSelector.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn spec.nodeSelector.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs
"Specs is a list of desired Cilium specific rule specification."
fn specs.withDescription
withDescription(description)
"Description is a free form string, it can be used by the creator of\nthe rule to store human readable explanation of the purpose of this\nrule. Rules cannot be identified by comment."
fn specs.withEgress
withEgress(egress)
"Egress is a list of EgressRule which are enforced at egress.\nIf omitted or empty, this rule does not apply at egress."
fn specs.withEgressDeny
withEgressDeny(egressDeny)
"EgressDeny is a list of EgressDenyRule which are enforced at egress.\nAny rule inserted here will be denied regardless of the allowed egress\nrules in the 'egress' field.\nIf omitted or empty, this rule does not apply at egress."
fn specs.withEgressDenyMixin
withEgressDenyMixin(egressDeny)
"EgressDeny is a list of EgressDenyRule which are enforced at egress.\nAny rule inserted here will be denied regardless of the allowed egress\nrules in the 'egress' field.\nIf omitted or empty, this rule does not apply at egress."
Note: This function appends passed data to existing values
fn specs.withEgressMixin
withEgressMixin(egress)
"Egress is a list of EgressRule which are enforced at egress.\nIf omitted or empty, this rule does not apply at egress."
Note: This function appends passed data to existing values
fn specs.withIngress
withIngress(ingress)
"Ingress is a list of IngressRule which are enforced at ingress.\nIf omitted or empty, this rule does not apply at ingress."
fn specs.withIngressDeny
withIngressDeny(ingressDeny)
"IngressDeny is a list of IngressDenyRule which are enforced at ingress.\nAny rule inserted here will be denied regardless of the allowed ingress\nrules in the 'ingress' field.\nIf omitted or empty, this rule does not apply at ingress."
fn specs.withIngressDenyMixin
withIngressDenyMixin(ingressDeny)
"IngressDeny is a list of IngressDenyRule which are enforced at ingress.\nAny rule inserted here will be denied regardless of the allowed ingress\nrules in the 'ingress' field.\nIf omitted or empty, this rule does not apply at ingress."
Note: This function appends passed data to existing values
fn specs.withIngressMixin
withIngressMixin(ingress)
"Ingress is a list of IngressRule which are enforced at ingress.\nIf omitted or empty, this rule does not apply at ingress."
Note: This function appends passed data to existing values
fn specs.withLabels
withLabels(labels)
"Labels is a list of optional strings which can be used to\nre-identify the rule or to store metadata. It is possible to lookup\nor delete strings based on labels. Labels are not required to be\nunique, multiple rules can have overlapping or identical labels."
fn specs.withLabelsMixin
withLabelsMixin(labels)
"Labels is a list of optional strings which can be used to\nre-identify the rule or to store metadata. It is possible to lookup\nor delete strings based on labels. Labels are not required to be\nunique, multiple rules can have overlapping or identical labels."
Note: This function appends passed data to existing values
obj specs.egress
"Egress is a list of EgressRule which are enforced at egress.\nIf omitted or empty, this rule does not apply at egress."
fn specs.egress.withIcmps
withIcmps(icmps)
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is allowed to connect to.\n\nExample:\nAny endpoint with the label \"app=httpd\" is allowed to initiate\ntype 8 ICMP connections."
fn specs.egress.withIcmpsMixin
withIcmpsMixin(icmps)
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is allowed to connect to.\n\nExample:\nAny endpoint with the label \"app=httpd\" is allowed to initiate\ntype 8 ICMP connections."
Note: This function appends passed data to existing values
fn specs.egress.withToCIDR
withToCIDR(toCIDR)
"ToCIDR is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections. Only connections destined for\noutside of the cluster and not targeting the host will be subject\nto CIDR rules. This will match on the destination IP address of\noutgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet\nwith no ExcludeCIDRs is equivalent. Overlaps are allowed between\nToCIDR and ToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24"
fn specs.egress.withToCIDRMixin
withToCIDRMixin(toCIDR)
"ToCIDR is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections. Only connections destined for\noutside of the cluster and not targeting the host will be subject\nto CIDR rules. This will match on the destination IP address of\noutgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet\nwith no ExcludeCIDRs is equivalent. Overlaps are allowed between\nToCIDR and ToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24"
Note: This function appends passed data to existing values
fn specs.egress.withToCIDRSet
withToCIDRSet(toCIDRSet)
"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections to in addition to connections\nwhich are allowed via ToEndpoints, along with a list of subnets contained\nwithin their corresponding IP block to which traffic should not be\nallowed. This will match on the destination IP address of outgoing\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\nToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."
fn specs.egress.withToCIDRSetMixin
withToCIDRSetMixin(toCIDRSet)
"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections to in addition to connections\nwhich are allowed via ToEndpoints, along with a list of subnets contained\nwithin their corresponding IP block to which traffic should not be\nallowed. This will match on the destination IP address of outgoing\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\nToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."
Note: This function appends passed data to existing values
fn specs.egress.withToEndpoints
withToEndpoints(toEndpoints)
"ToEndpoints is a list of endpoints identified by an EndpointSelector to\nwhich the endpoints subject to the rule are allowed to communicate.\n\nExample:\nAny endpoint with the label \"role=frontend\" can communicate with any\nendpoint carrying the label \"role=backend\"."
fn specs.egress.withToEndpointsMixin
withToEndpointsMixin(toEndpoints)
"ToEndpoints is a list of endpoints identified by an EndpointSelector to\nwhich the endpoints subject to the rule are allowed to communicate.\n\nExample:\nAny endpoint with the label \"role=frontend\" can communicate with any\nendpoint carrying the label \"role=backend\"."
Note: This function appends passed data to existing values
fn specs.egress.withToEntities
withToEntities(toEntities)
"ToEntities is a list of special entities to which the endpoint subject\nto the rule is allowed to initiate connections. Supported entities are\nworld, cluster,host,remote-node,kube-apiserver, init,\nhealth,unmanaged and all."
fn specs.egress.withToEntitiesMixin
withToEntitiesMixin(toEntities)
"ToEntities is a list of special entities to which the endpoint subject\nto the rule is allowed to initiate connections. Supported entities are\nworld, cluster,host,remote-node,kube-apiserver, init,\nhealth,unmanaged and all."
Note: This function appends passed data to existing values
fn specs.egress.withToFQDNs
withToFQDNs(toFQDNs)
"ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result\nfrom DNS resolution of ToFQDN.MatchNames are added to the same\nEgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and\nL7 rules within this EgressRule will also apply to these IPs.\nThe DNS -> IP mapping is re-resolved periodically from within the\ncilium-agent, and the IPs in the DNS response are effected in the policy\nfor selected pods as-is (i.e. the list of IPs is not modified in any way).\nNote: An explicit rule to allow for DNS traffic is needed for the pods, as\nToFQDN counts as an egress rule and will enforce egress policy when\nPolicyEnforcment=default.\nNote: If the resolved IPs are IPs within the kubernetes cluster, the\nToFQDN rule will not apply to that IP.\nNote: ToFQDN cannot occur in the same policy as other To* rules."
fn specs.egress.withToFQDNsMixin
withToFQDNsMixin(toFQDNs)
"ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result\nfrom DNS resolution of ToFQDN.MatchNames are added to the same\nEgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and\nL7 rules within this EgressRule will also apply to these IPs.\nThe DNS -> IP mapping is re-resolved periodically from within the\ncilium-agent, and the IPs in the DNS response are effected in the policy\nfor selected pods as-is (i.e. the list of IPs is not modified in any way).\nNote: An explicit rule to allow for DNS traffic is needed for the pods, as\nToFQDN counts as an egress rule and will enforce egress policy when\nPolicyEnforcment=default.\nNote: If the resolved IPs are IPs within the kubernetes cluster, the\nToFQDN rule will not apply to that IP.\nNote: ToFQDN cannot occur in the same policy as other To* rules."
Note: This function appends passed data to existing values
fn specs.egress.withToGroups
withToGroups(toGroups)
"ToGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\ntoGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
fn specs.egress.withToGroupsMixin
withToGroupsMixin(toGroups)
"ToGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\ntoGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
Note: This function appends passed data to existing values
fn specs.egress.withToNodes
withToNodes(toNodes)
"ToNodes is a list of nodes identified by an\nEndpointSelector to which endpoints subject to the rule is allowed to communicate."
fn specs.egress.withToNodesMixin
withToNodesMixin(toNodes)
"ToNodes is a list of nodes identified by an\nEndpointSelector to which endpoints subject to the rule is allowed to communicate."
Note: This function appends passed data to existing values
fn specs.egress.withToPorts
withToPorts(toPorts)
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is allowed to\nconnect to.\n\nExample:\nAny endpoint with the label \"role=frontend\" is allowed to initiate\nconnections to destination port 8080/tcp"
fn specs.egress.withToPortsMixin
withToPortsMixin(toPorts)
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is allowed to\nconnect to.\n\nExample:\nAny endpoint with the label \"role=frontend\" is allowed to initiate\nconnections to destination port 8080/tcp"
Note: This function appends passed data to existing values
fn specs.egress.withToRequires
withToRequires(toRequires)
"ToRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be able to connect to other\nendpoints. These additional constraints do no by itself grant access\nprivileges and must always be accompanied with at least one matching\nToEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires any endpoint to which it\ncommunicates to also carry the label \"team=A\"."
fn specs.egress.withToRequiresMixin
withToRequiresMixin(toRequires)
"ToRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be able to connect to other\nendpoints. These additional constraints do no by itself grant access\nprivileges and must always be accompanied with at least one matching\nToEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires any endpoint to which it\ncommunicates to also carry the label \"team=A\"."
Note: This function appends passed data to existing values
fn specs.egress.withToServices
withToServices(toServices)
"ToServices is a list of services to which the endpoint subject\nto the rule is allowed to initiate connections.\nCurrently Cilium only supports toServices for K8s services."
fn specs.egress.withToServicesMixin
withToServicesMixin(toServices)
"ToServices is a list of services to which the endpoint subject\nto the rule is allowed to initiate connections.\nCurrently Cilium only supports toServices for K8s services."
Note: This function appends passed data to existing values
obj specs.egress.authentication
"Authentication is the required authentication type for the allowed traffic, if any."
fn specs.egress.authentication.withMode
withMode(mode)
"Mode is the required authentication mode for the allowed traffic, if any."
obj specs.egress.icmps
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is allowed to connect to.\n\nExample:\nAny endpoint with the label \"app=httpd\" is allowed to initiate\ntype 8 ICMP connections."
fn specs.egress.icmps.withFields
withFields(fields)
"Fields is a list of ICMP fields."
fn specs.egress.icmps.withFieldsMixin
withFieldsMixin(fields)
"Fields is a list of ICMP fields."
Note: This function appends passed data to existing values
obj specs.egress.icmps.fields
"Fields is a list of ICMP fields."
fn specs.egress.icmps.fields.withFamily
withFamily(family)
"Family is a IP address version.\nCurrently, we support IPv4 and IPv6.\nIPv4 is set as default."
fn specs.egress.icmps.fields.withType
withType(type)
"Type is a ICMP-type.\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \"EchoReply\").\nAllowed ICMP types are:\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\n\t\t\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\n\t\t\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\n\t\t\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply"
obj specs.egress.toCIDRSet
"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections to in addition to connections\nwhich are allowed via ToEndpoints, along with a list of subnets contained\nwithin their corresponding IP block to which traffic should not be\nallowed. This will match on the destination IP address of outgoing\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\nToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."
fn specs.egress.toCIDRSet.withCidr
withCidr(cidr)
"CIDR is a CIDR prefix / IP Block."
fn specs.egress.toCIDRSet.withCidrGroupRef
withCidrGroupRef(cidrGroupRef)
"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\nconnections from."
fn specs.egress.toCIDRSet.withExcept
withExcept(except)
"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules."
fn specs.egress.toCIDRSet.withExceptMixin
withExceptMixin(except)
"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules."
Note: This function appends passed data to existing values
obj specs.egress.toCIDRSet.cidrGroupSelector
"CIDRGroupSelector selects CiliumCIDRGroups by their labels,\nrather than by name."
fn specs.egress.toCIDRSet.cidrGroupSelector.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egress.toCIDRSet.cidrGroupSelector.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.egress.toCIDRSet.cidrGroupSelector.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.egress.toCIDRSet.cidrGroupSelector.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.egress.toCIDRSet.cidrGroupSelector.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egress.toCIDRSet.cidrGroupSelector.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.egress.toCIDRSet.cidrGroupSelector.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.egress.toCIDRSet.cidrGroupSelector.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.egress.toCIDRSet.cidrGroupSelector.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs.egress.toEndpoints
"ToEndpoints is a list of endpoints identified by an EndpointSelector to\nwhich the endpoints subject to the rule are allowed to communicate.\n\nExample:\nAny endpoint with the label \"role=frontend\" can communicate with any\nendpoint carrying the label \"role=backend\"."
fn specs.egress.toEndpoints.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egress.toEndpoints.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.egress.toEndpoints.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.egress.toEndpoints.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.egress.toEndpoints.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egress.toEndpoints.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.egress.toEndpoints.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.egress.toEndpoints.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.egress.toEndpoints.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs.egress.toFQDNs
"ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result\nfrom DNS resolution of ToFQDN.MatchNames are added to the same\nEgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and\nL7 rules within this EgressRule will also apply to these IPs.\nThe DNS -> IP mapping is re-resolved periodically from within the\ncilium-agent, and the IPs in the DNS response are effected in the policy\nfor selected pods as-is (i.e. the list of IPs is not modified in any way).\nNote: An explicit rule to allow for DNS traffic is needed for the pods, as\nToFQDN counts as an egress rule and will enforce egress policy when\nPolicyEnforcment=default.\nNote: If the resolved IPs are IPs within the kubernetes cluster, the\nToFQDN rule will not apply to that IP.\nNote: ToFQDN cannot occur in the same policy as other To* rules."
fn specs.egress.toFQDNs.withMatchName
withMatchName(matchName)
"MatchName matches literal DNS names. A trailing \".\" is automatically added\nwhen missing."
fn specs.egress.toFQDNs.withMatchPattern
withMatchPattern(matchPattern)
"MatchPattern allows using wildcards to match DNS names. All wildcards are\ncase insensitive. The wildcards are:\n- \"\" matches 0 or more DNS valid characters, and may occur anywhere in\nthe pattern. As a special case a \"\" as the leftmost character, without a\nfollowing \".\" matches all subdomains as well as the name to the right.\nA trailing \".\" is automatically added when missing.\n\nExamples:\n*.cilium.io matches subomains of cilium at that level\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\n*cilium.io matches cilium.io and all subdomains ends with \"cilium.io\"\n except those containing \".\" separator, subcilium.io and sub-cilium.io match,\n www.cilium.io and blog.cilium.io does not\nsub*.cilium.io matches subdomains of cilium where the subdomain component\nbegins with \"sub\"\n sub.cilium.io and subdomain.cilium.io match, www.cilium.io,\n blog.cilium.io, cilium.io and google.com do not"
obj specs.egress.toGroups
"ToGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\ntoGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
obj specs.egress.toGroups.aws
"AWSGroup is an structure that can be used to whitelisting information from AWS integration"
fn specs.egress.toGroups.aws.withLabels
withLabels(labels)
fn specs.egress.toGroups.aws.withLabelsMixin
withLabelsMixin(labels)
Note: This function appends passed data to existing values
fn specs.egress.toGroups.aws.withRegion
withRegion(region)
fn specs.egress.toGroups.aws.withSecurityGroupsIds
withSecurityGroupsIds(securityGroupsIds)
fn specs.egress.toGroups.aws.withSecurityGroupsIdsMixin
withSecurityGroupsIdsMixin(securityGroupsIds)
Note: This function appends passed data to existing values
fn specs.egress.toGroups.aws.withSecurityGroupsNames
withSecurityGroupsNames(securityGroupsNames)
fn specs.egress.toGroups.aws.withSecurityGroupsNamesMixin
withSecurityGroupsNamesMixin(securityGroupsNames)
Note: This function appends passed data to existing values
obj specs.egress.toNodes
"ToNodes is a list of nodes identified by an\nEndpointSelector to which endpoints subject to the rule is allowed to communicate."
fn specs.egress.toNodes.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egress.toNodes.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.egress.toNodes.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.egress.toNodes.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.egress.toNodes.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egress.toNodes.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.egress.toNodes.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.egress.toNodes.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.egress.toNodes.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs.egress.toPorts
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is allowed to\nconnect to.\n\nExample:\nAny endpoint with the label \"role=frontend\" is allowed to initiate\nconnections to destination port 8080/tcp"
fn specs.egress.toPorts.withPorts
withPorts(ports)
"Ports is a list of L4 port/protocol"
fn specs.egress.toPorts.withPortsMixin
withPortsMixin(ports)
"Ports is a list of L4 port/protocol"
Note: This function appends passed data to existing values
fn specs.egress.toPorts.withServerNames
withServerNames(serverNames)
"ServerNames is a list of allowed TLS SNI values. If not empty, then\nTLS must be present and one of the provided SNIs must be indicated in the\nTLS handshake."
fn specs.egress.toPorts.withServerNamesMixin
withServerNamesMixin(serverNames)
"ServerNames is a list of allowed TLS SNI values. If not empty, then\nTLS must be present and one of the provided SNIs must be indicated in the\nTLS handshake."
Note: This function appends passed data to existing values
obj specs.egress.toPorts.listener
"listener specifies the name of a custom Envoy listener to which this traffic should be\nredirected to."
fn specs.egress.toPorts.listener.withName
withName(name)
"Name is the name of the listener."
fn specs.egress.toPorts.listener.withPriority
withPriority(priority)
"Priority for this Listener that is used when multiple rules would apply different\nlisteners to a policy map entry. Behavior of this is implementation dependent."
obj specs.egress.toPorts.listener.envoyConfig
"EnvoyConfig is a reference to the CEC or CCEC resource in which\nthe listener is defined."
fn specs.egress.toPorts.listener.envoyConfig.withKind
withKind(kind)
"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or\nCiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy,\nrespectively. The only case this is currently explicitly needed is when referring to a\nCiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener\nfrom a cluster scoped policy is not allowed."
fn specs.egress.toPorts.listener.envoyConfig.withName
withName(name)
"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where\nthe listener is defined in."
obj specs.egress.toPorts.originatingTLS
"OriginatingTLS is the TLS context for the connections originated by\nthe L7 proxy. For egress policy this specifies the client-side TLS\nparameters for the upstream connection originating from the L7 proxy\nto the remote destination. For ingress policy this specifies the\nclient-side TLS parameters for the connection from the L7 proxy to\nthe local endpoint."
fn specs.egress.toPorts.originatingTLS.withCertificate
withCertificate(certificate)
"Certificate is the file name or k8s secret item name for the certificate\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\nitem must exist."
fn specs.egress.toPorts.originatingTLS.withPrivateKey
withPrivateKey(privateKey)
"PrivateKey is the file name or k8s secret item name for the private key\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\nexists. If given, the item must exist."
fn specs.egress.toPorts.originatingTLS.withTrustedCA
withTrustedCA(trustedCA)
"TrustedCA is the file name or k8s secret item name for the trusted CA.\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\nexist."
obj specs.egress.toPorts.originatingTLS.secret
"Secret is the secret that contains the certificates and private key for\nthe TLS context.\nBy default, Cilium will search in this secret for the following items:\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\n - 'tls.crt' - Which represents the public key certificate.\n - 'tls.key' - Which represents the private key matching the public key\n certificate."
fn specs.egress.toPorts.originatingTLS.secret.withName
withName(name)
"Name is the name of the secret."
fn specs.egress.toPorts.originatingTLS.secret.withNamespace
withNamespace(namespace)
"Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\")."
obj specs.egress.toPorts.ports
"Ports is a list of L4 port/protocol"
fn specs.egress.toPorts.ports.withEndPort
withEndPort(endPort)
"EndPort can only be an L4 port number."
fn specs.egress.toPorts.ports.withPort
withPort(port)
"Port can be an L4 port number, or a name in the form of \"http\"\nor \"http-8080\"."
fn specs.egress.toPorts.ports.withProtocol
withProtocol(protocol)
"Protocol is the L4 protocol. If omitted or empty, any protocol\nmatches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\"\n\nMatching on ICMP is not supported.\n\nNamed port specified for a container may narrow this down, but may not\ncontradict this."
obj specs.egress.toPorts.rules
"Rules is a list of additional port level rules which must be met in\norder for the PortRule to allow the traffic. If omitted or empty,\nno layer 7 rules are enforced."
fn specs.egress.toPorts.rules.withDns
withDns(dns)
"DNS-specific rules."
fn specs.egress.toPorts.rules.withDnsMixin
withDnsMixin(dns)
"DNS-specific rules."
Note: This function appends passed data to existing values
fn specs.egress.toPorts.rules.withHttp
withHttp(http)
"HTTP specific rules."
fn specs.egress.toPorts.rules.withHttpMixin
withHttpMixin(http)
"HTTP specific rules."
Note: This function appends passed data to existing values
fn specs.egress.toPorts.rules.withKafka
withKafka(kafka)
"Kafka-specific rules."
fn specs.egress.toPorts.rules.withKafkaMixin
withKafkaMixin(kafka)
"Kafka-specific rules."
Note: This function appends passed data to existing values
fn specs.egress.toPorts.rules.withL7
withL7(l7)
"Key-value pair rules."
fn specs.egress.toPorts.rules.withL7Mixin
withL7Mixin(l7)
"Key-value pair rules."
Note: This function appends passed data to existing values
fn specs.egress.toPorts.rules.withL7proto
withL7proto(l7proto)
"Name of the L7 protocol for which the Key-value pair rules apply."
obj specs.egress.toPorts.rules.dns
"DNS-specific rules."
fn specs.egress.toPorts.rules.dns.withMatchName
withMatchName(matchName)
"MatchName matches literal DNS names. A trailing \".\" is automatically added\nwhen missing."
fn specs.egress.toPorts.rules.dns.withMatchPattern
withMatchPattern(matchPattern)
"MatchPattern allows using wildcards to match DNS names. All wildcards are\ncase insensitive. The wildcards are:\n- \"\" matches 0 or more DNS valid characters, and may occur anywhere in\nthe pattern. As a special case a \"\" as the leftmost character, without a\nfollowing \".\" matches all subdomains as well as the name to the right.\nA trailing \".\" is automatically added when missing.\n\nExamples:\n*.cilium.io matches subomains of cilium at that level\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\n*cilium.io matches cilium.io and all subdomains ends with \"cilium.io\"\n except those containing \".\" separator, subcilium.io and sub-cilium.io match,\n www.cilium.io and blog.cilium.io does not\nsub*.cilium.io matches subdomains of cilium where the subdomain component\nbegins with \"sub\"\n sub.cilium.io and subdomain.cilium.io match, www.cilium.io,\n blog.cilium.io, cilium.io and google.com do not"
obj specs.egress.toPorts.rules.http
"HTTP specific rules."
fn specs.egress.toPorts.rules.http.withHeaderMatches
withHeaderMatches(headerMatches)
"HeaderMatches is a list of HTTP headers which must be\npresent and match against the given values. Mismatch field can be used\nto specify what to do when there is no match."
fn specs.egress.toPorts.rules.http.withHeaderMatchesMixin
withHeaderMatchesMixin(headerMatches)
"HeaderMatches is a list of HTTP headers which must be\npresent and match against the given values. Mismatch field can be used\nto specify what to do when there is no match."
Note: This function appends passed data to existing values
fn specs.egress.toPorts.rules.http.withHeaders
withHeaders(headers)
"Headers is a list of HTTP headers which must be present in the\nrequest. If omitted or empty, requests are allowed regardless of\nheaders present."
fn specs.egress.toPorts.rules.http.withHeadersMixin
withHeadersMixin(headers)
"Headers is a list of HTTP headers which must be present in the\nrequest. If omitted or empty, requests are allowed regardless of\nheaders present."
Note: This function appends passed data to existing values
fn specs.egress.toPorts.rules.http.withHost
withHost(host)
"Host is an extended POSIX regex matched against the host header of a\nrequest. Examples:\n\n- foo.bar.com will match the host fooXbar.com or foo-bar.com\n- foo\.bar\.com will only match the host foo.bar.com\n\nIf omitted or empty, the value of the host header is ignored."
fn specs.egress.toPorts.rules.http.withMethod
withMethod(method)
"Method is an extended POSIX regex matched against the method of a\nrequest, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ...\n\nIf omitted or empty, all methods are allowed."
fn specs.egress.toPorts.rules.http.withPath
withPath(path)
"Path is an extended POSIX regex matched against the path of a\nrequest. Currently it can contain characters disallowed from the\nconventional \"path\" part of a URL as defined by RFC 3986.\n\nIf omitted or empty, all paths are all allowed."
obj specs.egress.toPorts.rules.http.headerMatches
"HeaderMatches is a list of HTTP headers which must be\npresent and match against the given values. Mismatch field can be used\nto specify what to do when there is no match."
fn specs.egress.toPorts.rules.http.headerMatches.withMismatch
withMismatch(mismatch)
"Mismatch identifies what to do in case there is no match. The default is\nto drop the request. Otherwise the overall rule is still considered as\nmatching, but the mismatches are logged in the access log."
fn specs.egress.toPorts.rules.http.headerMatches.withName
withName(name)
"Name identifies the header."
fn specs.egress.toPorts.rules.http.headerMatches.withValue
withValue(value)
"Value matches the exact value of the header. Can be specified either\nalone or together with \"Secret\"; will be used as the header value if the\nsecret can not be found in the latter case."
obj specs.egress.toPorts.rules.http.headerMatches.secret
"Secret refers to a secret that contains the value to be matched against.\nThe secret must only contain one entry. If the referred secret does not\nexist, and there is no \"Value\" specified, the match will fail."
fn specs.egress.toPorts.rules.http.headerMatches.secret.withName
withName(name)
"Name is the name of the secret."
fn specs.egress.toPorts.rules.http.headerMatches.secret.withNamespace
withNamespace(namespace)
"Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\")."
obj specs.egress.toPorts.rules.kafka
"Kafka-specific rules."
fn specs.egress.toPorts.rules.kafka.withApiKey
withApiKey(apiKey)
"APIKey is a case-insensitive string matched against the key of a\nrequest, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", et al\nReference: https://kafka.apache.org/protocol#protocol_api_keys\n\nIf omitted or empty, and if Role is not specified, then all keys are allowed."
fn specs.egress.toPorts.rules.kafka.withApiVersion
withApiVersion(apiVersion)
"APIVersion is the version matched against the api version of the\nKafka message. If set, it has to be a string representing a positive\ninteger.\n\nIf omitted or empty, all versions are allowed."
fn specs.egress.toPorts.rules.kafka.withClientID
withClientID(clientID)
"ClientID is the client identifier as provided in the request.\n\nFrom Kafka protocol documentation:\nThis is a user supplied identifier for the client application. The\nuser can use any identifier they like and it will be used when\nlogging errors, monitoring aggregates, etc. For example, one might\nwant to monitor not just the requests per second overall, but the\nnumber coming from each client application (each of which could\nreside on multiple servers). This id acts as a logical grouping\nacross all requests from a particular client.\n\nIf omitted or empty, all client identifiers are allowed."
fn specs.egress.toPorts.rules.kafka.withRole
withRole(role)
"Role is a case-insensitive string and describes a group of API keys\nnecessary to perform certain higher-level Kafka operations such as \"produce\"\nor \"consume\". A Role automatically expands into all APIKeys required\nto perform the specified higher-level operation.\n\nThe following values are supported:\n - \"produce\": Allow producing to the topics specified in the rule\n - \"consume\": Allow consuming from the topics specified in the rule\n\nThis field is incompatible with the APIKey field, i.e APIKey and Role\ncannot both be specified in the same rule.\n\nIf omitted or empty, and if APIKey is not specified, then all keys are\nallowed."
fn specs.egress.toPorts.rules.kafka.withTopic
withTopic(topic)
"Topic is the topic name contained in the message. If a Kafka request\ncontains multiple topics, then all topics must be allowed or the\nmessage will be rejected.\n\nThis constraint is ignored if the matched request message type\ndoesn't contain any topic. Maximum size of Topic can be 249\ncharacters as per recent Kafka spec and allowed characters are\na-z, A-Z, 0-9, -, . and _.\n\nOlder Kafka versions had longer topic lengths of 255, but in Kafka 0.10\nversion the length was changed from 255 to 249. For compatibility\nreasons we are using 255.\n\nIf omitted or empty, all topics are allowed."
obj specs.egress.toPorts.terminatingTLS
"TerminatingTLS is the TLS context for the connection terminated by\nthe L7 proxy. For egress policy this specifies the server-side TLS\nparameters to be applied on the connections originated from the local\nendpoint and terminated by the L7 proxy. For ingress policy this specifies\nthe server-side TLS parameters to be applied on the connections\noriginated from a remote source and terminated by the L7 proxy."
fn specs.egress.toPorts.terminatingTLS.withCertificate
withCertificate(certificate)
"Certificate is the file name or k8s secret item name for the certificate\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\nitem must exist."
fn specs.egress.toPorts.terminatingTLS.withPrivateKey
withPrivateKey(privateKey)
"PrivateKey is the file name or k8s secret item name for the private key\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\nexists. If given, the item must exist."
fn specs.egress.toPorts.terminatingTLS.withTrustedCA
withTrustedCA(trustedCA)
"TrustedCA is the file name or k8s secret item name for the trusted CA.\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\nexist."
obj specs.egress.toPorts.terminatingTLS.secret
"Secret is the secret that contains the certificates and private key for\nthe TLS context.\nBy default, Cilium will search in this secret for the following items:\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\n - 'tls.crt' - Which represents the public key certificate.\n - 'tls.key' - Which represents the private key matching the public key\n certificate."
fn specs.egress.toPorts.terminatingTLS.secret.withName
withName(name)
"Name is the name of the secret."
fn specs.egress.toPorts.terminatingTLS.secret.withNamespace
withNamespace(namespace)
"Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\")."
obj specs.egress.toRequires
"ToRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be able to connect to other\nendpoints. These additional constraints do no by itself grant access\nprivileges and must always be accompanied with at least one matching\nToEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires any endpoint to which it\ncommunicates to also carry the label \"team=A\"."
fn specs.egress.toRequires.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egress.toRequires.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.egress.toRequires.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.egress.toRequires.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.egress.toRequires.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egress.toRequires.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.egress.toRequires.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.egress.toRequires.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.egress.toRequires.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs.egress.toServices
"ToServices is a list of services to which the endpoint subject\nto the rule is allowed to initiate connections.\nCurrently Cilium only supports toServices for K8s services."
obj specs.egress.toServices.k8sService
"K8sService selects service by name and namespace pair"
fn specs.egress.toServices.k8sService.withNamespace
withNamespace(namespace)
fn specs.egress.toServices.k8sService.withServiceName
withServiceName(serviceName)
obj specs.egress.toServices.k8sServiceSelector
"K8sServiceSelector selects services by k8s labels and namespace"
fn specs.egress.toServices.k8sServiceSelector.withNamespace
withNamespace(namespace)
obj specs.egress.toServices.k8sServiceSelector.selector
"ServiceSelector is a label selector for k8s services"
fn specs.egress.toServices.k8sServiceSelector.selector.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egress.toServices.k8sServiceSelector.selector.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.egress.toServices.k8sServiceSelector.selector.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.egress.toServices.k8sServiceSelector.selector.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.egress.toServices.k8sServiceSelector.selector.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egress.toServices.k8sServiceSelector.selector.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.egress.toServices.k8sServiceSelector.selector.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.egress.toServices.k8sServiceSelector.selector.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.egress.toServices.k8sServiceSelector.selector.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs.egressDeny
"EgressDeny is a list of EgressDenyRule which are enforced at egress.\nAny rule inserted here will be denied regardless of the allowed egress\nrules in the 'egress' field.\nIf omitted or empty, this rule does not apply at egress."
fn specs.egressDeny.withIcmps
withIcmps(icmps)
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is not allowed to connect to.\n\nExample:\nAny endpoint with the label \"app=httpd\" is not allowed to initiate\ntype 8 ICMP connections."
fn specs.egressDeny.withIcmpsMixin
withIcmpsMixin(icmps)
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is not allowed to connect to.\n\nExample:\nAny endpoint with the label \"app=httpd\" is not allowed to initiate\ntype 8 ICMP connections."
Note: This function appends passed data to existing values
fn specs.egressDeny.withToCIDR
withToCIDR(toCIDR)
"ToCIDR is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections. Only connections destined for\noutside of the cluster and not targeting the host will be subject\nto CIDR rules. This will match on the destination IP address of\noutgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet\nwith no ExcludeCIDRs is equivalent. Overlaps are allowed between\nToCIDR and ToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24"
fn specs.egressDeny.withToCIDRMixin
withToCIDRMixin(toCIDR)
"ToCIDR is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections. Only connections destined for\noutside of the cluster and not targeting the host will be subject\nto CIDR rules. This will match on the destination IP address of\noutgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet\nwith no ExcludeCIDRs is equivalent. Overlaps are allowed between\nToCIDR and ToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24"
Note: This function appends passed data to existing values
fn specs.egressDeny.withToCIDRSet
withToCIDRSet(toCIDRSet)
"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections to in addition to connections\nwhich are allowed via ToEndpoints, along with a list of subnets contained\nwithin their corresponding IP block to which traffic should not be\nallowed. This will match on the destination IP address of outgoing\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\nToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."
fn specs.egressDeny.withToCIDRSetMixin
withToCIDRSetMixin(toCIDRSet)
"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections to in addition to connections\nwhich are allowed via ToEndpoints, along with a list of subnets contained\nwithin their corresponding IP block to which traffic should not be\nallowed. This will match on the destination IP address of outgoing\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\nToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."
Note: This function appends passed data to existing values
fn specs.egressDeny.withToEndpoints
withToEndpoints(toEndpoints)
"ToEndpoints is a list of endpoints identified by an EndpointSelector to\nwhich the endpoints subject to the rule are allowed to communicate.\n\nExample:\nAny endpoint with the label \"role=frontend\" can communicate with any\nendpoint carrying the label \"role=backend\"."
fn specs.egressDeny.withToEndpointsMixin
withToEndpointsMixin(toEndpoints)
"ToEndpoints is a list of endpoints identified by an EndpointSelector to\nwhich the endpoints subject to the rule are allowed to communicate.\n\nExample:\nAny endpoint with the label \"role=frontend\" can communicate with any\nendpoint carrying the label \"role=backend\"."
Note: This function appends passed data to existing values
fn specs.egressDeny.withToEntities
withToEntities(toEntities)
"ToEntities is a list of special entities to which the endpoint subject\nto the rule is allowed to initiate connections. Supported entities are\nworld, cluster,host,remote-node,kube-apiserver, init,\nhealth,unmanaged and all."
fn specs.egressDeny.withToEntitiesMixin
withToEntitiesMixin(toEntities)
"ToEntities is a list of special entities to which the endpoint subject\nto the rule is allowed to initiate connections. Supported entities are\nworld, cluster,host,remote-node,kube-apiserver, init,\nhealth,unmanaged and all."
Note: This function appends passed data to existing values
fn specs.egressDeny.withToGroups
withToGroups(toGroups)
"ToGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\ntoGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
fn specs.egressDeny.withToGroupsMixin
withToGroupsMixin(toGroups)
"ToGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\ntoGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
Note: This function appends passed data to existing values
fn specs.egressDeny.withToNodes
withToNodes(toNodes)
"ToNodes is a list of nodes identified by an\nEndpointSelector to which endpoints subject to the rule is allowed to communicate."
fn specs.egressDeny.withToNodesMixin
withToNodesMixin(toNodes)
"ToNodes is a list of nodes identified by an\nEndpointSelector to which endpoints subject to the rule is allowed to communicate."
Note: This function appends passed data to existing values
fn specs.egressDeny.withToPorts
withToPorts(toPorts)
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is not allowed to connect\nto.\n\nExample:\nAny endpoint with the label \"role=frontend\" is not allowed to initiate\nconnections to destination port 8080/tcp"
fn specs.egressDeny.withToPortsMixin
withToPortsMixin(toPorts)
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is not allowed to connect\nto.\n\nExample:\nAny endpoint with the label \"role=frontend\" is not allowed to initiate\nconnections to destination port 8080/tcp"
Note: This function appends passed data to existing values
fn specs.egressDeny.withToRequires
withToRequires(toRequires)
"ToRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be able to connect to other\nendpoints. These additional constraints do no by itself grant access\nprivileges and must always be accompanied with at least one matching\nToEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires any endpoint to which it\ncommunicates to also carry the label \"team=A\"."
fn specs.egressDeny.withToRequiresMixin
withToRequiresMixin(toRequires)
"ToRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be able to connect to other\nendpoints. These additional constraints do no by itself grant access\nprivileges and must always be accompanied with at least one matching\nToEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires any endpoint to which it\ncommunicates to also carry the label \"team=A\"."
Note: This function appends passed data to existing values
fn specs.egressDeny.withToServices
withToServices(toServices)
"ToServices is a list of services to which the endpoint subject\nto the rule is allowed to initiate connections.\nCurrently Cilium only supports toServices for K8s services."
fn specs.egressDeny.withToServicesMixin
withToServicesMixin(toServices)
"ToServices is a list of services to which the endpoint subject\nto the rule is allowed to initiate connections.\nCurrently Cilium only supports toServices for K8s services."
Note: This function appends passed data to existing values
obj specs.egressDeny.icmps
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is not allowed to connect to.\n\nExample:\nAny endpoint with the label \"app=httpd\" is not allowed to initiate\ntype 8 ICMP connections."
fn specs.egressDeny.icmps.withFields
withFields(fields)
"Fields is a list of ICMP fields."
fn specs.egressDeny.icmps.withFieldsMixin
withFieldsMixin(fields)
"Fields is a list of ICMP fields."
Note: This function appends passed data to existing values
obj specs.egressDeny.icmps.fields
"Fields is a list of ICMP fields."
fn specs.egressDeny.icmps.fields.withFamily
withFamily(family)
"Family is a IP address version.\nCurrently, we support IPv4 and IPv6.\nIPv4 is set as default."
fn specs.egressDeny.icmps.fields.withType
withType(type)
"Type is a ICMP-type.\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \"EchoReply\").\nAllowed ICMP types are:\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\n\t\t\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\n\t\t\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\n\t\t\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply"
obj specs.egressDeny.toCIDRSet
"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\nis allowed to initiate connections to in addition to connections\nwhich are allowed via ToEndpoints, along with a list of subnets contained\nwithin their corresponding IP block to which traffic should not be\nallowed. This will match on the destination IP address of outgoing\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\nToCIDRSet.\n\nExample:\nAny endpoint with the label \"app=database-proxy\" is allowed to\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28."
fn specs.egressDeny.toCIDRSet.withCidr
withCidr(cidr)
"CIDR is a CIDR prefix / IP Block."
fn specs.egressDeny.toCIDRSet.withCidrGroupRef
withCidrGroupRef(cidrGroupRef)
"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\nconnections from."
fn specs.egressDeny.toCIDRSet.withExcept
withExcept(except)
"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules."
fn specs.egressDeny.toCIDRSet.withExceptMixin
withExceptMixin(except)
"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules."
Note: This function appends passed data to existing values
obj specs.egressDeny.toCIDRSet.cidrGroupSelector
"CIDRGroupSelector selects CiliumCIDRGroups by their labels,\nrather than by name."
fn specs.egressDeny.toCIDRSet.cidrGroupSelector.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egressDeny.toCIDRSet.cidrGroupSelector.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.egressDeny.toCIDRSet.cidrGroupSelector.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.egressDeny.toCIDRSet.cidrGroupSelector.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.egressDeny.toCIDRSet.cidrGroupSelector.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egressDeny.toCIDRSet.cidrGroupSelector.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.egressDeny.toCIDRSet.cidrGroupSelector.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.egressDeny.toCIDRSet.cidrGroupSelector.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.egressDeny.toCIDRSet.cidrGroupSelector.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs.egressDeny.toEndpoints
"ToEndpoints is a list of endpoints identified by an EndpointSelector to\nwhich the endpoints subject to the rule are allowed to communicate.\n\nExample:\nAny endpoint with the label \"role=frontend\" can communicate with any\nendpoint carrying the label \"role=backend\"."
fn specs.egressDeny.toEndpoints.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egressDeny.toEndpoints.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.egressDeny.toEndpoints.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.egressDeny.toEndpoints.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.egressDeny.toEndpoints.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egressDeny.toEndpoints.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.egressDeny.toEndpoints.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.egressDeny.toEndpoints.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.egressDeny.toEndpoints.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs.egressDeny.toGroups
"ToGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\ntoGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
obj specs.egressDeny.toGroups.aws
"AWSGroup is an structure that can be used to whitelisting information from AWS integration"
fn specs.egressDeny.toGroups.aws.withLabels
withLabels(labels)
fn specs.egressDeny.toGroups.aws.withLabelsMixin
withLabelsMixin(labels)
Note: This function appends passed data to existing values
fn specs.egressDeny.toGroups.aws.withRegion
withRegion(region)
fn specs.egressDeny.toGroups.aws.withSecurityGroupsIds
withSecurityGroupsIds(securityGroupsIds)
fn specs.egressDeny.toGroups.aws.withSecurityGroupsIdsMixin
withSecurityGroupsIdsMixin(securityGroupsIds)
Note: This function appends passed data to existing values
fn specs.egressDeny.toGroups.aws.withSecurityGroupsNames
withSecurityGroupsNames(securityGroupsNames)
fn specs.egressDeny.toGroups.aws.withSecurityGroupsNamesMixin
withSecurityGroupsNamesMixin(securityGroupsNames)
Note: This function appends passed data to existing values
obj specs.egressDeny.toNodes
"ToNodes is a list of nodes identified by an\nEndpointSelector to which endpoints subject to the rule is allowed to communicate."
fn specs.egressDeny.toNodes.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egressDeny.toNodes.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.egressDeny.toNodes.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.egressDeny.toNodes.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.egressDeny.toNodes.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egressDeny.toNodes.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.egressDeny.toNodes.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.egressDeny.toNodes.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.egressDeny.toNodes.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs.egressDeny.toPorts
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is not allowed to connect\nto.\n\nExample:\nAny endpoint with the label \"role=frontend\" is not allowed to initiate\nconnections to destination port 8080/tcp"
fn specs.egressDeny.toPorts.withPorts
withPorts(ports)
"Ports is a list of L4 port/protocol"
fn specs.egressDeny.toPorts.withPortsMixin
withPortsMixin(ports)
"Ports is a list of L4 port/protocol"
Note: This function appends passed data to existing values
obj specs.egressDeny.toPorts.ports
"Ports is a list of L4 port/protocol"
fn specs.egressDeny.toPorts.ports.withEndPort
withEndPort(endPort)
"EndPort can only be an L4 port number."
fn specs.egressDeny.toPorts.ports.withPort
withPort(port)
"Port can be an L4 port number, or a name in the form of \"http\"\nor \"http-8080\"."
fn specs.egressDeny.toPorts.ports.withProtocol
withProtocol(protocol)
"Protocol is the L4 protocol. If omitted or empty, any protocol\nmatches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\"\n\nMatching on ICMP is not supported.\n\nNamed port specified for a container may narrow this down, but may not\ncontradict this."
obj specs.egressDeny.toRequires
"ToRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be able to connect to other\nendpoints. These additional constraints do no by itself grant access\nprivileges and must always be accompanied with at least one matching\nToEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires any endpoint to which it\ncommunicates to also carry the label \"team=A\"."
fn specs.egressDeny.toRequires.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egressDeny.toRequires.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.egressDeny.toRequires.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.egressDeny.toRequires.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.egressDeny.toRequires.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egressDeny.toRequires.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.egressDeny.toRequires.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.egressDeny.toRequires.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.egressDeny.toRequires.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs.egressDeny.toServices
"ToServices is a list of services to which the endpoint subject\nto the rule is allowed to initiate connections.\nCurrently Cilium only supports toServices for K8s services."
obj specs.egressDeny.toServices.k8sService
"K8sService selects service by name and namespace pair"
fn specs.egressDeny.toServices.k8sService.withNamespace
withNamespace(namespace)
fn specs.egressDeny.toServices.k8sService.withServiceName
withServiceName(serviceName)
obj specs.egressDeny.toServices.k8sServiceSelector
"K8sServiceSelector selects services by k8s labels and namespace"
fn specs.egressDeny.toServices.k8sServiceSelector.withNamespace
withNamespace(namespace)
obj specs.egressDeny.toServices.k8sServiceSelector.selector
"ServiceSelector is a label selector for k8s services"
fn specs.egressDeny.toServices.k8sServiceSelector.selector.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egressDeny.toServices.k8sServiceSelector.selector.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.egressDeny.toServices.k8sServiceSelector.selector.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.egressDeny.toServices.k8sServiceSelector.selector.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.egressDeny.toServices.k8sServiceSelector.selector.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs.enableDefaultDeny
"EnableDefaultDeny determines whether this policy configures the\nsubject endpoint(s) to have a default deny mode. If enabled,\nthis causes all traffic not explicitly allowed by a network policy\nto be dropped.\n\nIf not specified, the default is true for each traffic direction\nthat has rules, and false otherwise. For example, if a policy\nonly has Ingress or IngressDeny rules, then the default for\ningress is true and egress is false.\n\nIf multiple policies apply to an endpoint, that endpoint's default deny\nwill be enabled if any policy requests it.\n\nThis is useful for creating broad-based network policies that will not\ncause endpoints to enter default-deny mode."
fn specs.enableDefaultDeny.withEgress
withEgress(egress)
"Whether or not the endpoint should have a default-deny rule applied\nto egress traffic."
fn specs.enableDefaultDeny.withIngress
withIngress(ingress)
"Whether or not the endpoint should have a default-deny rule applied\nto ingress traffic."
obj specs.endpointSelector
"EndpointSelector selects all endpoints which should be subject to\nthis rule. EndpointSelector and NodeSelector cannot be both empty and\nare mutually exclusive."
fn specs.endpointSelector.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.endpointSelector.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.endpointSelector.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.endpointSelector.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.endpointSelector.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.endpointSelector.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.endpointSelector.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.endpointSelector.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.endpointSelector.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs.ingress
"Ingress is a list of IngressRule which are enforced at ingress.\nIf omitted or empty, this rule does not apply at ingress."
fn specs.ingress.withFromCIDR
withFromCIDR(fromCIDR)
"FromCIDR is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from. Only connections which\ndo not originate from the cluster or from the local host are subject\nto CIDR rules. In order to allow in-cluster connectivity, use the\nFromEndpoints field. This will match on the source IP address of\nincoming connections. Adding a prefix into FromCIDR or into\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\nallowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.3.9.1"
fn specs.ingress.withFromCIDRMixin
withFromCIDRMixin(fromCIDR)
"FromCIDR is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from. Only connections which\ndo not originate from the cluster or from the local host are subject\nto CIDR rules. In order to allow in-cluster connectivity, use the\nFromEndpoints field. This will match on the source IP address of\nincoming connections. Adding a prefix into FromCIDR or into\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\nallowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.3.9.1"
Note: This function appends passed data to existing values
fn specs.ingress.withFromCIDRSet
withFromCIDRSet(fromCIDRSet)
"FromCIDRSet is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from in addition to FromEndpoints,\nalong with a list of subnets contained within their corresponding IP block\nfrom which traffic should not be allowed.\nThis will match on the source IP address of incoming connections. Adding\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."
fn specs.ingress.withFromCIDRSetMixin
withFromCIDRSetMixin(fromCIDRSet)
"FromCIDRSet is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from in addition to FromEndpoints,\nalong with a list of subnets contained within their corresponding IP block\nfrom which traffic should not be allowed.\nThis will match on the source IP address of incoming connections. Adding\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."
Note: This function appends passed data to existing values
fn specs.ingress.withFromEndpoints
withFromEndpoints(fromEndpoints)
"FromEndpoints is a list of endpoints identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.\n\nExample:\nAny endpoint with the label \"role=backend\" can be consumed by any\nendpoint carrying the label \"role=frontend\"."
fn specs.ingress.withFromEndpointsMixin
withFromEndpointsMixin(fromEndpoints)
"FromEndpoints is a list of endpoints identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.\n\nExample:\nAny endpoint with the label \"role=backend\" can be consumed by any\nendpoint carrying the label \"role=frontend\"."
Note: This function appends passed data to existing values
fn specs.ingress.withFromEntities
withFromEntities(fromEntities)
"FromEntities is a list of special entities which the endpoint subject\nto the rule is allowed to receive connections from. Supported entities are\nworld, cluster and host"
fn specs.ingress.withFromEntitiesMixin
withFromEntitiesMixin(fromEntities)
"FromEntities is a list of special entities which the endpoint subject\nto the rule is allowed to receive connections from. Supported entities are\nworld, cluster and host"
Note: This function appends passed data to existing values
fn specs.ingress.withFromGroups
withFromGroups(fromGroups)
"FromGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\nFromGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
fn specs.ingress.withFromGroupsMixin
withFromGroupsMixin(fromGroups)
"FromGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\nFromGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
Note: This function appends passed data to existing values
fn specs.ingress.withFromNodes
withFromNodes(fromNodes)
"FromNodes is a list of nodes identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule."
fn specs.ingress.withFromNodesMixin
withFromNodesMixin(fromNodes)
"FromNodes is a list of nodes identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule."
Note: This function appends passed data to existing values
fn specs.ingress.withFromRequires
withFromRequires(fromRequires)
"FromRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be reachable. These\nadditional constraints do no by itself grant access privileges and\nmust always be accompanied with at least one matching FromEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires consuming endpoint\nto also carry the label \"team=A\"."
fn specs.ingress.withFromRequiresMixin
withFromRequiresMixin(fromRequires)
"FromRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be reachable. These\nadditional constraints do no by itself grant access privileges and\nmust always be accompanied with at least one matching FromEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires consuming endpoint\nto also carry the label \"team=A\"."
Note: This function appends passed data to existing values
fn specs.ingress.withIcmps
withIcmps(icmps)
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can only accept incoming\ntype 8 ICMP connections."
fn specs.ingress.withIcmpsMixin
withIcmpsMixin(icmps)
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can only accept incoming\ntype 8 ICMP connections."
Note: This function appends passed data to existing values
fn specs.ingress.withToPorts
withToPorts(toPorts)
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can only accept incoming\nconnections on port 80/tcp."
fn specs.ingress.withToPortsMixin
withToPortsMixin(toPorts)
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can only accept incoming\nconnections on port 80/tcp."
Note: This function appends passed data to existing values
obj specs.ingress.authentication
"Authentication is the required authentication type for the allowed traffic, if any."
fn specs.ingress.authentication.withMode
withMode(mode)
"Mode is the required authentication mode for the allowed traffic, if any."
obj specs.ingress.fromCIDRSet
"FromCIDRSet is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from in addition to FromEndpoints,\nalong with a list of subnets contained within their corresponding IP block\nfrom which traffic should not be allowed.\nThis will match on the source IP address of incoming connections. Adding\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."
fn specs.ingress.fromCIDRSet.withCidr
withCidr(cidr)
"CIDR is a CIDR prefix / IP Block."
fn specs.ingress.fromCIDRSet.withCidrGroupRef
withCidrGroupRef(cidrGroupRef)
"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\nconnections from."
fn specs.ingress.fromCIDRSet.withExcept
withExcept(except)
"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules."
fn specs.ingress.fromCIDRSet.withExceptMixin
withExceptMixin(except)
"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules."
Note: This function appends passed data to existing values
obj specs.ingress.fromCIDRSet.cidrGroupSelector
"CIDRGroupSelector selects CiliumCIDRGroups by their labels,\nrather than by name."
fn specs.ingress.fromCIDRSet.cidrGroupSelector.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.ingress.fromCIDRSet.cidrGroupSelector.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.ingress.fromCIDRSet.cidrGroupSelector.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.ingress.fromCIDRSet.cidrGroupSelector.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.ingress.fromCIDRSet.cidrGroupSelector.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.ingress.fromCIDRSet.cidrGroupSelector.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.ingress.fromCIDRSet.cidrGroupSelector.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.ingress.fromCIDRSet.cidrGroupSelector.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.ingress.fromCIDRSet.cidrGroupSelector.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs.ingress.fromEndpoints
"FromEndpoints is a list of endpoints identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.\n\nExample:\nAny endpoint with the label \"role=backend\" can be consumed by any\nendpoint carrying the label \"role=frontend\"."
fn specs.ingress.fromEndpoints.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.ingress.fromEndpoints.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.ingress.fromEndpoints.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.ingress.fromEndpoints.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.ingress.fromEndpoints.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.ingress.fromEndpoints.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.ingress.fromEndpoints.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.ingress.fromEndpoints.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.ingress.fromEndpoints.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs.ingress.fromGroups
"FromGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\nFromGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
obj specs.ingress.fromGroups.aws
"AWSGroup is an structure that can be used to whitelisting information from AWS integration"
fn specs.ingress.fromGroups.aws.withLabels
withLabels(labels)
fn specs.ingress.fromGroups.aws.withLabelsMixin
withLabelsMixin(labels)
Note: This function appends passed data to existing values
fn specs.ingress.fromGroups.aws.withRegion
withRegion(region)
fn specs.ingress.fromGroups.aws.withSecurityGroupsIds
withSecurityGroupsIds(securityGroupsIds)
fn specs.ingress.fromGroups.aws.withSecurityGroupsIdsMixin
withSecurityGroupsIdsMixin(securityGroupsIds)
Note: This function appends passed data to existing values
fn specs.ingress.fromGroups.aws.withSecurityGroupsNames
withSecurityGroupsNames(securityGroupsNames)
fn specs.ingress.fromGroups.aws.withSecurityGroupsNamesMixin
withSecurityGroupsNamesMixin(securityGroupsNames)
Note: This function appends passed data to existing values
obj specs.ingress.fromNodes
"FromNodes is a list of nodes identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule."
fn specs.ingress.fromNodes.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.ingress.fromNodes.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.ingress.fromNodes.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.ingress.fromNodes.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.ingress.fromNodes.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.ingress.fromNodes.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.ingress.fromNodes.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.ingress.fromNodes.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.ingress.fromNodes.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs.ingress.fromRequires
"FromRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be reachable. These\nadditional constraints do no by itself grant access privileges and\nmust always be accompanied with at least one matching FromEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires consuming endpoint\nto also carry the label \"team=A\"."
fn specs.ingress.fromRequires.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.ingress.fromRequires.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.ingress.fromRequires.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.ingress.fromRequires.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.ingress.fromRequires.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.ingress.fromRequires.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.ingress.fromRequires.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.ingress.fromRequires.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.ingress.fromRequires.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs.ingress.icmps
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can only accept incoming\ntype 8 ICMP connections."
fn specs.ingress.icmps.withFields
withFields(fields)
"Fields is a list of ICMP fields."
fn specs.ingress.icmps.withFieldsMixin
withFieldsMixin(fields)
"Fields is a list of ICMP fields."
Note: This function appends passed data to existing values
obj specs.ingress.icmps.fields
"Fields is a list of ICMP fields."
fn specs.ingress.icmps.fields.withFamily
withFamily(family)
"Family is a IP address version.\nCurrently, we support IPv4 and IPv6.\nIPv4 is set as default."
fn specs.ingress.icmps.fields.withType
withType(type)
"Type is a ICMP-type.\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \"EchoReply\").\nAllowed ICMP types are:\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\n\t\t\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\n\t\t\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\n\t\t\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply"
obj specs.ingress.toPorts
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can only accept incoming\nconnections on port 80/tcp."
fn specs.ingress.toPorts.withPorts
withPorts(ports)
"Ports is a list of L4 port/protocol"
fn specs.ingress.toPorts.withPortsMixin
withPortsMixin(ports)
"Ports is a list of L4 port/protocol"
Note: This function appends passed data to existing values
fn specs.ingress.toPorts.withServerNames
withServerNames(serverNames)
"ServerNames is a list of allowed TLS SNI values. If not empty, then\nTLS must be present and one of the provided SNIs must be indicated in the\nTLS handshake."
fn specs.ingress.toPorts.withServerNamesMixin
withServerNamesMixin(serverNames)
"ServerNames is a list of allowed TLS SNI values. If not empty, then\nTLS must be present and one of the provided SNIs must be indicated in the\nTLS handshake."
Note: This function appends passed data to existing values
obj specs.ingress.toPorts.listener
"listener specifies the name of a custom Envoy listener to which this traffic should be\nredirected to."
fn specs.ingress.toPorts.listener.withName
withName(name)
"Name is the name of the listener."
fn specs.ingress.toPorts.listener.withPriority
withPriority(priority)
"Priority for this Listener that is used when multiple rules would apply different\nlisteners to a policy map entry. Behavior of this is implementation dependent."
obj specs.ingress.toPorts.listener.envoyConfig
"EnvoyConfig is a reference to the CEC or CCEC resource in which\nthe listener is defined."
fn specs.ingress.toPorts.listener.envoyConfig.withKind
withKind(kind)
"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or\nCiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy,\nrespectively. The only case this is currently explicitly needed is when referring to a\nCiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener\nfrom a cluster scoped policy is not allowed."
fn specs.ingress.toPorts.listener.envoyConfig.withName
withName(name)
"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where\nthe listener is defined in."
obj specs.ingress.toPorts.originatingTLS
"OriginatingTLS is the TLS context for the connections originated by\nthe L7 proxy. For egress policy this specifies the client-side TLS\nparameters for the upstream connection originating from the L7 proxy\nto the remote destination. For ingress policy this specifies the\nclient-side TLS parameters for the connection from the L7 proxy to\nthe local endpoint."
fn specs.ingress.toPorts.originatingTLS.withCertificate
withCertificate(certificate)
"Certificate is the file name or k8s secret item name for the certificate\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\nitem must exist."
fn specs.ingress.toPorts.originatingTLS.withPrivateKey
withPrivateKey(privateKey)
"PrivateKey is the file name or k8s secret item name for the private key\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\nexists. If given, the item must exist."
fn specs.ingress.toPorts.originatingTLS.withTrustedCA
withTrustedCA(trustedCA)
"TrustedCA is the file name or k8s secret item name for the trusted CA.\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\nexist."
obj specs.ingress.toPorts.originatingTLS.secret
"Secret is the secret that contains the certificates and private key for\nthe TLS context.\nBy default, Cilium will search in this secret for the following items:\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\n - 'tls.crt' - Which represents the public key certificate.\n - 'tls.key' - Which represents the private key matching the public key\n certificate."
fn specs.ingress.toPorts.originatingTLS.secret.withName
withName(name)
"Name is the name of the secret."
fn specs.ingress.toPorts.originatingTLS.secret.withNamespace
withNamespace(namespace)
"Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\")."
obj specs.ingress.toPorts.ports
"Ports is a list of L4 port/protocol"
fn specs.ingress.toPorts.ports.withEndPort
withEndPort(endPort)
"EndPort can only be an L4 port number."
fn specs.ingress.toPorts.ports.withPort
withPort(port)
"Port can be an L4 port number, or a name in the form of \"http\"\nor \"http-8080\"."
fn specs.ingress.toPorts.ports.withProtocol
withProtocol(protocol)
"Protocol is the L4 protocol. If omitted or empty, any protocol\nmatches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\"\n\nMatching on ICMP is not supported.\n\nNamed port specified for a container may narrow this down, but may not\ncontradict this."
obj specs.ingress.toPorts.rules
"Rules is a list of additional port level rules which must be met in\norder for the PortRule to allow the traffic. If omitted or empty,\nno layer 7 rules are enforced."
fn specs.ingress.toPorts.rules.withDns
withDns(dns)
"DNS-specific rules."
fn specs.ingress.toPorts.rules.withDnsMixin
withDnsMixin(dns)
"DNS-specific rules."
Note: This function appends passed data to existing values
fn specs.ingress.toPorts.rules.withHttp
withHttp(http)
"HTTP specific rules."
fn specs.ingress.toPorts.rules.withHttpMixin
withHttpMixin(http)
"HTTP specific rules."
Note: This function appends passed data to existing values
fn specs.ingress.toPorts.rules.withKafka
withKafka(kafka)
"Kafka-specific rules."
fn specs.ingress.toPorts.rules.withKafkaMixin
withKafkaMixin(kafka)
"Kafka-specific rules."
Note: This function appends passed data to existing values
fn specs.ingress.toPorts.rules.withL7
withL7(l7)
"Key-value pair rules."
fn specs.ingress.toPorts.rules.withL7Mixin
withL7Mixin(l7)
"Key-value pair rules."
Note: This function appends passed data to existing values
fn specs.ingress.toPorts.rules.withL7proto
withL7proto(l7proto)
"Name of the L7 protocol for which the Key-value pair rules apply."
obj specs.ingress.toPorts.rules.dns
"DNS-specific rules."
fn specs.ingress.toPorts.rules.dns.withMatchName
withMatchName(matchName)
"MatchName matches literal DNS names. A trailing \".\" is automatically added\nwhen missing."
fn specs.ingress.toPorts.rules.dns.withMatchPattern
withMatchPattern(matchPattern)
"MatchPattern allows using wildcards to match DNS names. All wildcards are\ncase insensitive. The wildcards are:\n- \"\" matches 0 or more DNS valid characters, and may occur anywhere in\nthe pattern. As a special case a \"\" as the leftmost character, without a\nfollowing \".\" matches all subdomains as well as the name to the right.\nA trailing \".\" is automatically added when missing.\n\nExamples:\n*.cilium.io matches subomains of cilium at that level\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\n*cilium.io matches cilium.io and all subdomains ends with \"cilium.io\"\n except those containing \".\" separator, subcilium.io and sub-cilium.io match,\n www.cilium.io and blog.cilium.io does not\nsub*.cilium.io matches subdomains of cilium where the subdomain component\nbegins with \"sub\"\n sub.cilium.io and subdomain.cilium.io match, www.cilium.io,\n blog.cilium.io, cilium.io and google.com do not"
obj specs.ingress.toPorts.rules.http
"HTTP specific rules."
fn specs.ingress.toPorts.rules.http.withHeaderMatches
withHeaderMatches(headerMatches)
"HeaderMatches is a list of HTTP headers which must be\npresent and match against the given values. Mismatch field can be used\nto specify what to do when there is no match."
fn specs.ingress.toPorts.rules.http.withHeaderMatchesMixin
withHeaderMatchesMixin(headerMatches)
"HeaderMatches is a list of HTTP headers which must be\npresent and match against the given values. Mismatch field can be used\nto specify what to do when there is no match."
Note: This function appends passed data to existing values
fn specs.ingress.toPorts.rules.http.withHeaders
withHeaders(headers)
"Headers is a list of HTTP headers which must be present in the\nrequest. If omitted or empty, requests are allowed regardless of\nheaders present."
fn specs.ingress.toPorts.rules.http.withHeadersMixin
withHeadersMixin(headers)
"Headers is a list of HTTP headers which must be present in the\nrequest. If omitted or empty, requests are allowed regardless of\nheaders present."
Note: This function appends passed data to existing values
fn specs.ingress.toPorts.rules.http.withHost
withHost(host)
"Host is an extended POSIX regex matched against the host header of a\nrequest. Examples:\n\n- foo.bar.com will match the host fooXbar.com or foo-bar.com\n- foo\.bar\.com will only match the host foo.bar.com\n\nIf omitted or empty, the value of the host header is ignored."
fn specs.ingress.toPorts.rules.http.withMethod
withMethod(method)
"Method is an extended POSIX regex matched against the method of a\nrequest, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ...\n\nIf omitted or empty, all methods are allowed."
fn specs.ingress.toPorts.rules.http.withPath
withPath(path)
"Path is an extended POSIX regex matched against the path of a\nrequest. Currently it can contain characters disallowed from the\nconventional \"path\" part of a URL as defined by RFC 3986.\n\nIf omitted or empty, all paths are all allowed."
obj specs.ingress.toPorts.rules.http.headerMatches
"HeaderMatches is a list of HTTP headers which must be\npresent and match against the given values. Mismatch field can be used\nto specify what to do when there is no match."
fn specs.ingress.toPorts.rules.http.headerMatches.withMismatch
withMismatch(mismatch)
"Mismatch identifies what to do in case there is no match. The default is\nto drop the request. Otherwise the overall rule is still considered as\nmatching, but the mismatches are logged in the access log."
fn specs.ingress.toPorts.rules.http.headerMatches.withName
withName(name)
"Name identifies the header."
fn specs.ingress.toPorts.rules.http.headerMatches.withValue
withValue(value)
"Value matches the exact value of the header. Can be specified either\nalone or together with \"Secret\"; will be used as the header value if the\nsecret can not be found in the latter case."
obj specs.ingress.toPorts.rules.http.headerMatches.secret
"Secret refers to a secret that contains the value to be matched against.\nThe secret must only contain one entry. If the referred secret does not\nexist, and there is no \"Value\" specified, the match will fail."
fn specs.ingress.toPorts.rules.http.headerMatches.secret.withName
withName(name)
"Name is the name of the secret."
fn specs.ingress.toPorts.rules.http.headerMatches.secret.withNamespace
withNamespace(namespace)
"Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\")."
obj specs.ingress.toPorts.rules.kafka
"Kafka-specific rules."
fn specs.ingress.toPorts.rules.kafka.withApiKey
withApiKey(apiKey)
"APIKey is a case-insensitive string matched against the key of a\nrequest, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", et al\nReference: https://kafka.apache.org/protocol#protocol_api_keys\n\nIf omitted or empty, and if Role is not specified, then all keys are allowed."
fn specs.ingress.toPorts.rules.kafka.withApiVersion
withApiVersion(apiVersion)
"APIVersion is the version matched against the api version of the\nKafka message. If set, it has to be a string representing a positive\ninteger.\n\nIf omitted or empty, all versions are allowed."
fn specs.ingress.toPorts.rules.kafka.withClientID
withClientID(clientID)
"ClientID is the client identifier as provided in the request.\n\nFrom Kafka protocol documentation:\nThis is a user supplied identifier for the client application. The\nuser can use any identifier they like and it will be used when\nlogging errors, monitoring aggregates, etc. For example, one might\nwant to monitor not just the requests per second overall, but the\nnumber coming from each client application (each of which could\nreside on multiple servers). This id acts as a logical grouping\nacross all requests from a particular client.\n\nIf omitted or empty, all client identifiers are allowed."
fn specs.ingress.toPorts.rules.kafka.withRole
withRole(role)
"Role is a case-insensitive string and describes a group of API keys\nnecessary to perform certain higher-level Kafka operations such as \"produce\"\nor \"consume\". A Role automatically expands into all APIKeys required\nto perform the specified higher-level operation.\n\nThe following values are supported:\n - \"produce\": Allow producing to the topics specified in the rule\n - \"consume\": Allow consuming from the topics specified in the rule\n\nThis field is incompatible with the APIKey field, i.e APIKey and Role\ncannot both be specified in the same rule.\n\nIf omitted or empty, and if APIKey is not specified, then all keys are\nallowed."
fn specs.ingress.toPorts.rules.kafka.withTopic
withTopic(topic)
"Topic is the topic name contained in the message. If a Kafka request\ncontains multiple topics, then all topics must be allowed or the\nmessage will be rejected.\n\nThis constraint is ignored if the matched request message type\ndoesn't contain any topic. Maximum size of Topic can be 249\ncharacters as per recent Kafka spec and allowed characters are\na-z, A-Z, 0-9, -, . and _.\n\nOlder Kafka versions had longer topic lengths of 255, but in Kafka 0.10\nversion the length was changed from 255 to 249. For compatibility\nreasons we are using 255.\n\nIf omitted or empty, all topics are allowed."
obj specs.ingress.toPorts.terminatingTLS
"TerminatingTLS is the TLS context for the connection terminated by\nthe L7 proxy. For egress policy this specifies the server-side TLS\nparameters to be applied on the connections originated from the local\nendpoint and terminated by the L7 proxy. For ingress policy this specifies\nthe server-side TLS parameters to be applied on the connections\noriginated from a remote source and terminated by the L7 proxy."
fn specs.ingress.toPorts.terminatingTLS.withCertificate
withCertificate(certificate)
"Certificate is the file name or k8s secret item name for the certificate\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\nitem must exist."
fn specs.ingress.toPorts.terminatingTLS.withPrivateKey
withPrivateKey(privateKey)
"PrivateKey is the file name or k8s secret item name for the private key\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\nexists. If given, the item must exist."
fn specs.ingress.toPorts.terminatingTLS.withTrustedCA
withTrustedCA(trustedCA)
"TrustedCA is the file name or k8s secret item name for the trusted CA.\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\nexist."
obj specs.ingress.toPorts.terminatingTLS.secret
"Secret is the secret that contains the certificates and private key for\nthe TLS context.\nBy default, Cilium will search in this secret for the following items:\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\n - 'tls.crt' - Which represents the public key certificate.\n - 'tls.key' - Which represents the private key matching the public key\n certificate."
fn specs.ingress.toPorts.terminatingTLS.secret.withName
withName(name)
"Name is the name of the secret."
fn specs.ingress.toPorts.terminatingTLS.secret.withNamespace
withNamespace(namespace)
"Namespace is the namespace in which the secret exists. Context of use\ndetermines the default value if left out (e.g., \"default\")."
obj specs.ingressDeny
"IngressDeny is a list of IngressDenyRule which are enforced at ingress.\nAny rule inserted here will be denied regardless of the allowed ingress\nrules in the 'ingress' field.\nIf omitted or empty, this rule does not apply at ingress."
fn specs.ingressDeny.withFromCIDR
withFromCIDR(fromCIDR)
"FromCIDR is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from. Only connections which\ndo not originate from the cluster or from the local host are subject\nto CIDR rules. In order to allow in-cluster connectivity, use the\nFromEndpoints field. This will match on the source IP address of\nincoming connections. Adding a prefix into FromCIDR or into\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\nallowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.3.9.1"
fn specs.ingressDeny.withFromCIDRMixin
withFromCIDRMixin(fromCIDR)
"FromCIDR is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from. Only connections which\ndo not originate from the cluster or from the local host are subject\nto CIDR rules. In order to allow in-cluster connectivity, use the\nFromEndpoints field. This will match on the source IP address of\nincoming connections. Adding a prefix into FromCIDR or into\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\nallowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.3.9.1"
Note: This function appends passed data to existing values
fn specs.ingressDeny.withFromCIDRSet
withFromCIDRSet(fromCIDRSet)
"FromCIDRSet is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from in addition to FromEndpoints,\nalong with a list of subnets contained within their corresponding IP block\nfrom which traffic should not be allowed.\nThis will match on the source IP address of incoming connections. Adding\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."
fn specs.ingressDeny.withFromCIDRSetMixin
withFromCIDRSetMixin(fromCIDRSet)
"FromCIDRSet is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from in addition to FromEndpoints,\nalong with a list of subnets contained within their corresponding IP block\nfrom which traffic should not be allowed.\nThis will match on the source IP address of incoming connections. Adding\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."
Note: This function appends passed data to existing values
fn specs.ingressDeny.withFromEndpoints
withFromEndpoints(fromEndpoints)
"FromEndpoints is a list of endpoints identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.\n\nExample:\nAny endpoint with the label \"role=backend\" can be consumed by any\nendpoint carrying the label \"role=frontend\"."
fn specs.ingressDeny.withFromEndpointsMixin
withFromEndpointsMixin(fromEndpoints)
"FromEndpoints is a list of endpoints identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.\n\nExample:\nAny endpoint with the label \"role=backend\" can be consumed by any\nendpoint carrying the label \"role=frontend\"."
Note: This function appends passed data to existing values
fn specs.ingressDeny.withFromEntities
withFromEntities(fromEntities)
"FromEntities is a list of special entities which the endpoint subject\nto the rule is allowed to receive connections from. Supported entities are\nworld, cluster and host"
fn specs.ingressDeny.withFromEntitiesMixin
withFromEntitiesMixin(fromEntities)
"FromEntities is a list of special entities which the endpoint subject\nto the rule is allowed to receive connections from. Supported entities are\nworld, cluster and host"
Note: This function appends passed data to existing values
fn specs.ingressDeny.withFromGroups
withFromGroups(fromGroups)
"FromGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\nFromGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
fn specs.ingressDeny.withFromGroupsMixin
withFromGroupsMixin(fromGroups)
"FromGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\nFromGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
Note: This function appends passed data to existing values
fn specs.ingressDeny.withFromNodes
withFromNodes(fromNodes)
"FromNodes is a list of nodes identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule."
fn specs.ingressDeny.withFromNodesMixin
withFromNodesMixin(fromNodes)
"FromNodes is a list of nodes identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule."
Note: This function appends passed data to existing values
fn specs.ingressDeny.withFromRequires
withFromRequires(fromRequires)
"FromRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be reachable. These\nadditional constraints do no by itself grant access privileges and\nmust always be accompanied with at least one matching FromEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires consuming endpoint\nto also carry the label \"team=A\"."
fn specs.ingressDeny.withFromRequiresMixin
withFromRequiresMixin(fromRequires)
"FromRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be reachable. These\nadditional constraints do no by itself grant access privileges and\nmust always be accompanied with at least one matching FromEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires consuming endpoint\nto also carry the label \"team=A\"."
Note: This function appends passed data to existing values
fn specs.ingressDeny.withIcmps
withIcmps(icmps)
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is not allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can not accept incoming\ntype 8 ICMP connections."
fn specs.ingressDeny.withIcmpsMixin
withIcmpsMixin(icmps)
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is not allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can not accept incoming\ntype 8 ICMP connections."
Note: This function appends passed data to existing values
fn specs.ingressDeny.withToPorts
withToPorts(toPorts)
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is not allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can not accept incoming\nconnections on port 80/tcp."
fn specs.ingressDeny.withToPortsMixin
withToPortsMixin(toPorts)
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is not allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can not accept incoming\nconnections on port 80/tcp."
Note: This function appends passed data to existing values
obj specs.ingressDeny.fromCIDRSet
"FromCIDRSet is a list of IP blocks which the endpoint subject to the\nrule is allowed to receive connections from in addition to FromEndpoints,\nalong with a list of subnets contained within their corresponding IP block\nfrom which traffic should not be allowed.\nThis will match on the source IP address of incoming connections. Adding\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\n\nExample:\nAny endpoint with the label \"app=my-legacy-pet\" is allowed to receive\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12."
fn specs.ingressDeny.fromCIDRSet.withCidr
withCidr(cidr)
"CIDR is a CIDR prefix / IP Block."
fn specs.ingressDeny.fromCIDRSet.withCidrGroupRef
withCidrGroupRef(cidrGroupRef)
"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\nconnections from."
fn specs.ingressDeny.fromCIDRSet.withExcept
withExcept(except)
"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules."
fn specs.ingressDeny.fromCIDRSet.withExceptMixin
withExceptMixin(except)
"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\nis not allowed to initiate connections to. These CIDR prefixes should be\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\nsupported yet.\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\napply to any other CIDR prefixes in any other CIDRRules."
Note: This function appends passed data to existing values
obj specs.ingressDeny.fromCIDRSet.cidrGroupSelector
"CIDRGroupSelector selects CiliumCIDRGroups by their labels,\nrather than by name."
fn specs.ingressDeny.fromCIDRSet.cidrGroupSelector.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.ingressDeny.fromCIDRSet.cidrGroupSelector.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.ingressDeny.fromCIDRSet.cidrGroupSelector.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.ingressDeny.fromCIDRSet.cidrGroupSelector.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.ingressDeny.fromCIDRSet.cidrGroupSelector.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.ingressDeny.fromCIDRSet.cidrGroupSelector.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.ingressDeny.fromCIDRSet.cidrGroupSelector.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.ingressDeny.fromCIDRSet.cidrGroupSelector.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.ingressDeny.fromCIDRSet.cidrGroupSelector.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs.ingressDeny.fromEndpoints
"FromEndpoints is a list of endpoints identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule.\n\nExample:\nAny endpoint with the label \"role=backend\" can be consumed by any\nendpoint carrying the label \"role=frontend\"."
fn specs.ingressDeny.fromEndpoints.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.ingressDeny.fromEndpoints.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.ingressDeny.fromEndpoints.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.ingressDeny.fromEndpoints.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.ingressDeny.fromEndpoints.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.ingressDeny.fromEndpoints.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.ingressDeny.fromEndpoints.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.ingressDeny.fromEndpoints.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.ingressDeny.fromEndpoints.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs.ingressDeny.fromGroups
"FromGroups is a directive that allows the integration with multiple outside\nproviders. Currently, only AWS is supported, and the rule can select by\nmultiple sub directives:\n\nExample:\nFromGroups:\n- aws:\n securityGroupsIds:\n - 'sg-XXXXXXXXXXXXX'"
obj specs.ingressDeny.fromGroups.aws
"AWSGroup is an structure that can be used to whitelisting information from AWS integration"
fn specs.ingressDeny.fromGroups.aws.withLabels
withLabels(labels)
fn specs.ingressDeny.fromGroups.aws.withLabelsMixin
withLabelsMixin(labels)
Note: This function appends passed data to existing values
fn specs.ingressDeny.fromGroups.aws.withRegion
withRegion(region)
fn specs.ingressDeny.fromGroups.aws.withSecurityGroupsIds
withSecurityGroupsIds(securityGroupsIds)
fn specs.ingressDeny.fromGroups.aws.withSecurityGroupsIdsMixin
withSecurityGroupsIdsMixin(securityGroupsIds)
Note: This function appends passed data to existing values
fn specs.ingressDeny.fromGroups.aws.withSecurityGroupsNames
withSecurityGroupsNames(securityGroupsNames)
fn specs.ingressDeny.fromGroups.aws.withSecurityGroupsNamesMixin
withSecurityGroupsNamesMixin(securityGroupsNames)
Note: This function appends passed data to existing values
obj specs.ingressDeny.fromNodes
"FromNodes is a list of nodes identified by an\nEndpointSelector which are allowed to communicate with the endpoint\nsubject to the rule."
fn specs.ingressDeny.fromNodes.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.ingressDeny.fromNodes.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.ingressDeny.fromNodes.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.ingressDeny.fromNodes.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.ingressDeny.fromNodes.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.ingressDeny.fromNodes.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.ingressDeny.fromNodes.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.ingressDeny.fromNodes.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.ingressDeny.fromNodes.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs.ingressDeny.fromRequires
"FromRequires is a list of additional constraints which must be met\nin order for the selected endpoints to be reachable. These\nadditional constraints do no by itself grant access privileges and\nmust always be accompanied with at least one matching FromEndpoints.\n\nExample:\nAny Endpoint with the label \"team=A\" requires consuming endpoint\nto also carry the label \"team=A\"."
fn specs.ingressDeny.fromRequires.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.ingressDeny.fromRequires.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.ingressDeny.fromRequires.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.ingressDeny.fromRequires.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.ingressDeny.fromRequires.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.ingressDeny.fromRequires.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.ingressDeny.fromRequires.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.ingressDeny.fromRequires.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.ingressDeny.fromRequires.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values
obj specs.ingressDeny.icmps
"ICMPs is a list of ICMP rule identified by type number\nwhich the endpoint subject to the rule is not allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can not accept incoming\ntype 8 ICMP connections."
fn specs.ingressDeny.icmps.withFields
withFields(fields)
"Fields is a list of ICMP fields."
fn specs.ingressDeny.icmps.withFieldsMixin
withFieldsMixin(fields)
"Fields is a list of ICMP fields."
Note: This function appends passed data to existing values
obj specs.ingressDeny.icmps.fields
"Fields is a list of ICMP fields."
fn specs.ingressDeny.icmps.fields.withFamily
withFamily(family)
"Family is a IP address version.\nCurrently, we support IPv4 and IPv6.\nIPv4 is set as default."
fn specs.ingressDeny.icmps.fields.withType
withType(type)
"Type is a ICMP-type.\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \"EchoReply\").\nAllowed ICMP types are:\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\n\t\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\n\t\t\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\n\t\t\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\n\t\t\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\n\t\t\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\n\t\t\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\n\t\t\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\n\t\t\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\n\t\t\t ExtendedEchoRequest | ExtendedEchoReply"
obj specs.ingressDeny.toPorts
"ToPorts is a list of destination ports identified by port number and\nprotocol which the endpoint subject to the rule is not allowed to\nreceive connections on.\n\nExample:\nAny endpoint with the label \"app=httpd\" can not accept incoming\nconnections on port 80/tcp."
fn specs.ingressDeny.toPorts.withPorts
withPorts(ports)
"Ports is a list of L4 port/protocol"
fn specs.ingressDeny.toPorts.withPortsMixin
withPortsMixin(ports)
"Ports is a list of L4 port/protocol"
Note: This function appends passed data to existing values
obj specs.ingressDeny.toPorts.ports
"Ports is a list of L4 port/protocol"
fn specs.ingressDeny.toPorts.ports.withEndPort
withEndPort(endPort)
"EndPort can only be an L4 port number."
fn specs.ingressDeny.toPorts.ports.withPort
withPort(port)
"Port can be an L4 port number, or a name in the form of \"http\"\nor \"http-8080\"."
fn specs.ingressDeny.toPorts.ports.withProtocol
withProtocol(protocol)
"Protocol is the L4 protocol. If omitted or empty, any protocol\nmatches. Accepted values: \"TCP\", \"UDP\", \"SCTP\", \"ANY\"\n\nMatching on ICMP is not supported.\n\nNamed port specified for a container may narrow this down, but may not\ncontradict this."
obj specs.labels
"Labels is a list of optional strings which can be used to\nre-identify the rule or to store metadata. It is possible to lookup\nor delete strings based on labels. Labels are not required to be\nunique, multiple rules can have overlapping or identical labels."
fn specs.labels.withKey
withKey(key)
fn specs.labels.withSource
withSource(source)
"Source can be one of the above values (e.g.: LabelSourceContainer)."
fn specs.labels.withValue
withValue(value)
obj specs.nodeSelector
"NodeSelector selects all nodes which should be subject to this rule.\nEndpointSelector and NodeSelector cannot be both empty and are mutually\nexclusive. Can only be used in CiliumClusterwideNetworkPolicies."
fn specs.nodeSelector.withMatchExpressions
withMatchExpressions(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.nodeSelector.withMatchExpressionsMixin
withMatchExpressionsMixin(matchExpressions)
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
Note: This function appends passed data to existing values
fn specs.nodeSelector.withMatchLabels
withMatchLabels(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
fn specs.nodeSelector.withMatchLabelsMixin
withMatchLabelsMixin(matchLabels)
"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\nmap is equivalent to an element of matchExpressions, whose key field is \"key\", the\noperator is \"In\", and the values array contains only \"value\". The requirements are ANDed."
Note: This function appends passed data to existing values
obj specs.nodeSelector.matchExpressions
"matchExpressions is a list of label selector requirements. The requirements are ANDed."
fn specs.nodeSelector.matchExpressions.withKey
withKey(key)
"key is the label key that the selector applies to."
fn specs.nodeSelector.matchExpressions.withOperator
withOperator(operator)
"operator represents a key's relationship to a set of values.\nValid operators are In, NotIn, Exists and DoesNotExist."
fn specs.nodeSelector.matchExpressions.withValues
withValues(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
fn specs.nodeSelector.matchExpressions.withValuesMixin
withValuesMixin(values)
"values is an array of string values. If the operator is In or NotIn,\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\nthe values array must be empty. This array is replaced during a strategic\nmerge patch."
Note: This function appends passed data to existing values