diff --git a/api/operator/v1/vlagent_types.go b/api/operator/v1/vlagent_types.go
index 1407a4240..1861df48e 100644
--- a/api/operator/v1/vlagent_types.go
+++ b/api/operator/v1/vlagent_types.go
@@ -64,6 +64,9 @@ type VLAgentSpec struct {
// PodDisruptionBudget created by operator
// +optional
PodDisruptionBudget *vmv1beta1.EmbeddedPodDisruptionBudgetSpec `json:"podDisruptionBudget,omitempty"`
+ // NetworkPolicy defines network access rules for pods created by this CR.
+ // +optional
+ NetworkPolicy *vmv1beta1.EmbeddedNetworkPolicy `json:"networkPolicy,omitempty"`
// Storage configures storage for StatefulSet
// +optional
Storage *vmv1beta1.StorageSpec `json:"storage,omitempty"`
diff --git a/api/operator/v1/vlcluster_types.go b/api/operator/v1/vlcluster_types.go
index 6cf483472..52ac18233 100644
--- a/api/operator/v1/vlcluster_types.go
+++ b/api/operator/v1/vlcluster_types.go
@@ -241,6 +241,9 @@ type VLInsert struct {
// Configures vertical pod autoscaling.
// +optional
VPA *vmv1beta1.EmbeddedVPA `json:"vpa,omitempty"`
+ // NetworkPolicy defines network access rules for pods created by this CR.
+ // +optional
+ NetworkPolicy *vmv1beta1.EmbeddedNetworkPolicy `json:"networkPolicy,omitempty"`
// SyslogSpec defines syslog listener configuration
// +optional
SyslogSpec *SyslogServerSpec `json:"syslogSpec,omitempty"`
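Review bot: The comment on the new field says "pods created by this CR", but VLInsert is one component of a cluster CR, so the policy presumably covers only the vlinsert pods; the wording should say so, e.g. `// NetworkPolicy defines network access rules for the vlinsert pods.` The same comment is repeated verbatim in the VLSelect, VLStorage, VTInsert, VTSelect, VTStorage, VMSelect, VMInsert, VMStorage and VMAuthLoadBalancerSpec hunks. Because each component gets its own policy, the comment should also say whether the operator allows traffic between components of the same cluster or whether the user must list those ports; nothing in this diff shows which. The VLInsert struct body continues outside the hunk.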
@@ -428,6 +431,9 @@ type VLSelect struct {
// Configures vertical pod autoscaling.
// +optional
VPA *vmv1beta1.EmbeddedVPA `json:"vpa,omitempty"`
+ // NetworkPolicy defines network access rules for pods created by this CR.
+ // +optional
+ NetworkPolicy *vmv1beta1.EmbeddedNetworkPolicy `json:"networkPolicy,omitempty"`
// UpdateStrategy - overrides default update strategy.
// +kubebuilder:validation:Enum=Recreate;RollingUpdate
@@ -555,6 +561,9 @@ type VLStorage struct {
// Configures vertical pod autoscaling.
// +optional
VPA *vmv1beta1.EmbeddedVPA `json:"vpa,omitempty"`
+ // NetworkPolicy defines network access rules for pods created by this CR.
+ // +optional
+ NetworkPolicy *vmv1beta1.EmbeddedNetworkPolicy `json:"networkPolicy,omitempty"`
// StorageDataPath - path to storage data
// +optional
diff --git a/api/operator/v1/vlsingle_types.go b/api/operator/v1/vlsingle_types.go
index 97dcb325d..ff7262a24 100644
--- a/api/operator/v1/vlsingle_types.go
+++ b/api/operator/v1/vlsingle_types.go
@@ -106,6 +106,9 @@ type VLSingleSpec struct {
// SyslogSpec defines syslog listener configuration
// +optional
SyslogSpec *SyslogServerSpec `json:"syslogSpec,omitempty"`
+ // NetworkPolicy defines network access rules for pods created by this CR.
+ // +optional
+ NetworkPolicy *vmv1beta1.EmbeddedNetworkPolicy `json:"networkPolicy,omitempty"`
}
// VLSingleStatus defines the observed state of VLSingle
diff --git a/api/operator/v1/vmanomaly_types.go b/api/operator/v1/vmanomaly_types.go
index 32316f188..9ef1f3a0a 100644
--- a/api/operator/v1/vmanomaly_types.go
+++ b/api/operator/v1/vmanomaly_types.go
@@ -61,6 +61,9 @@ type VMAnomalySpec struct {
// PodDisruptionBudget created by operator
// +optional
PodDisruptionBudget *vmv1beta1.EmbeddedPodDisruptionBudgetSpec `json:"podDisruptionBudget,omitempty"`
+ // NetworkPolicy defines network access rules for pods created by this CR.
+ // +optional
+ NetworkPolicy *vmv1beta1.EmbeddedNetworkPolicy `json:"networkPolicy,omitempty"`
// ConfigRawYaml - raw configuration for anomaly,
// it helps it to start without secret.
// priority -> hardcoded ConfigRaw -> ConfigRaw, provided by user -> ConfigSecret.
diff --git a/api/operator/v1/vtcluster_types.go b/api/operator/v1/vtcluster_types.go
index dbb4daa8a..4cdc5b697 100644
--- a/api/operator/v1/vtcluster_types.go
+++ b/api/operator/v1/vtcluster_types.go
@@ -236,6 +236,9 @@ type VTInsert struct {
// Configures vertical pod autoscaling.
// +optional
VPA *vmv1beta1.EmbeddedVPA `json:"vpa,omitempty"`
+ // NetworkPolicy defines network access rules for pods created by this CR.
+ // +optional
+ NetworkPolicy *vmv1beta1.EmbeddedNetworkPolicy `json:"networkPolicy,omitempty"`
// UpdateStrategy - overrides default update strategy.
// +kubebuilder:validation:Enum=Recreate;RollingUpdate
@@ -335,6 +338,9 @@ type VTSelect struct {
// Configures vertical pod autoscaling.
// +optional
VPA *vmv1beta1.EmbeddedVPA `json:"vpa,omitempty"`
+ // NetworkPolicy defines network access rules for pods created by this CR.
+ // +optional
+ NetworkPolicy *vmv1beta1.EmbeddedNetworkPolicy `json:"networkPolicy,omitempty"`
// UpdateStrategy - overrides default update strategy.
// +kubebuilder:validation:Enum=Recreate;RollingUpdate
@@ -465,6 +471,9 @@ type VTStorage struct {
// Configures vertical pod autoscaling.
// +optional
VPA *vmv1beta1.EmbeddedVPA `json:"vpa,omitempty"`
+ // NetworkPolicy defines network access rules for pods created by this CR.
+ // +optional
+ NetworkPolicy *vmv1beta1.EmbeddedNetworkPolicy `json:"networkPolicy,omitempty"`
// StorageDataPath - path to storage data
// +optional
diff --git a/api/operator/v1/vtsingle_types.go b/api/operator/v1/vtsingle_types.go
index d312e6342..0f71ef963 100644
--- a/api/operator/v1/vtsingle_types.go
+++ b/api/operator/v1/vtsingle_types.go
@@ -100,6 +100,9 @@ type VTSingleSpec struct {
// it can be overwritten with component specific image.tag value.
// +optional
ComponentVersion string `json:"componentVersion,omitempty"`
+ // NetworkPolicy defines network access rules for pods created by this CR.
+ // +optional
+ NetworkPolicy *vmv1beta1.EmbeddedNetworkPolicy `json:"networkPolicy,omitempty"`
}
// VTSingleStatus defines the observed state of VTSingle
diff --git a/api/operator/v1/zz_generated.deepcopy.go b/api/operator/v1/zz_generated.deepcopy.go
index 8ed149ec0..736f195d3 100644
--- a/api/operator/v1/zz_generated.deepcopy.go
+++ b/api/operator/v1/zz_generated.deepcopy.go
@@ -456,6 +456,11 @@ func (in *VLAgentSpec) DeepCopyInto(out *VLAgentSpec) {
*out = new(v1beta1.EmbeddedPodDisruptionBudgetSpec)
(*in).DeepCopyInto(*out)
}
+ if in.NetworkPolicy != nil {
+ in, out := &in.NetworkPolicy, &out.NetworkPolicy
+ *out = new(v1beta1.EmbeddedNetworkPolicy)
+ (*in).DeepCopyInto(*out)
+ }
if in.Storage != nil {
in, out := &in.Storage, &out.Storage
*out = new(v1beta1.StorageSpec)
@@ -682,6 +687,11 @@ func (in *VLInsert) DeepCopyInto(out *VLInsert) {
*out = new(v1beta1.EmbeddedVPA)
(*in).DeepCopyInto(*out)
}
+ if in.NetworkPolicy != nil {
+ in, out := &in.NetworkPolicy, &out.NetworkPolicy
+ *out = new(v1beta1.EmbeddedNetworkPolicy)
+ (*in).DeepCopyInto(*out)
+ }
if in.SyslogSpec != nil {
in, out := &in.SyslogSpec, &out.SyslogSpec
*out = new(SyslogServerSpec)
@@ -743,6 +753,11 @@ func (in *VLSelect) DeepCopyInto(out *VLSelect) {
*out = new(v1beta1.EmbeddedVPA)
(*in).DeepCopyInto(*out)
}
+ if in.NetworkPolicy != nil {
+ in, out := &in.NetworkPolicy, &out.NetworkPolicy
+ *out = new(v1beta1.EmbeddedNetworkPolicy)
+ (*in).DeepCopyInto(*out)
+ }
if in.UpdateStrategy != nil {
in, out := &in.UpdateStrategy, &out.UpdateStrategy
*out = new(appsv1.DeploymentStrategyType)
@@ -870,6 +885,11 @@ func (in *VLSingleSpec) DeepCopyInto(out *VLSingleSpec) {
*out = new(SyslogServerSpec)
(*in).DeepCopyInto(*out)
}
+ if in.NetworkPolicy != nil {
+ in, out := &in.NetworkPolicy, &out.NetworkPolicy
+ *out = new(v1beta1.EmbeddedNetworkPolicy)
+ (*in).DeepCopyInto(*out)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VLSingleSpec.
@@ -943,6 +963,11 @@ func (in *VLStorage) DeepCopyInto(out *VLStorage) {
*out = new(v1beta1.EmbeddedVPA)
(*in).DeepCopyInto(*out)
}
+ if in.NetworkPolicy != nil {
+ in, out := &in.NetworkPolicy, &out.NetworkPolicy
+ *out = new(v1beta1.EmbeddedNetworkPolicy)
+ (*in).DeepCopyInto(*out)
+ }
if in.Storage != nil {
in, out := &in.Storage, &out.Storage
*out = new(v1beta1.StorageSpec)
@@ -1292,6 +1317,11 @@ func (in *VMAnomalySpec) DeepCopyInto(out *VMAnomalySpec) {
*out = new(v1beta1.EmbeddedPodDisruptionBudgetSpec)
(*in).DeepCopyInto(*out)
}
+ if in.NetworkPolicy != nil {
+ in, out := &in.NetworkPolicy, &out.NetworkPolicy
+ *out = new(v1beta1.EmbeddedNetworkPolicy)
+ (*in).DeepCopyInto(*out)
+ }
if in.ConfigSecret != nil {
in, out := &in.ConfigSecret, &out.ConfigSecret
*out = new(corev1.SecretKeySelector)
@@ -1581,6 +1611,11 @@ func (in *VTInsert) DeepCopyInto(out *VTInsert) {
*out = new(v1beta1.EmbeddedVPA)
(*in).DeepCopyInto(*out)
}
+ if in.NetworkPolicy != nil {
+ in, out := &in.NetworkPolicy, &out.NetworkPolicy
+ *out = new(v1beta1.EmbeddedNetworkPolicy)
+ (*in).DeepCopyInto(*out)
+ }
if in.UpdateStrategy != nil {
in, out := &in.UpdateStrategy, &out.UpdateStrategy
*out = new(appsv1.DeploymentStrategyType)
@@ -1637,6 +1672,11 @@ func (in *VTSelect) DeepCopyInto(out *VTSelect) {
*out = new(v1beta1.EmbeddedVPA)
(*in).DeepCopyInto(*out)
}
+ if in.NetworkPolicy != nil {
+ in, out := &in.NetworkPolicy, &out.NetworkPolicy
+ *out = new(v1beta1.EmbeddedNetworkPolicy)
+ (*in).DeepCopyInto(*out)
+ }
if in.UpdateStrategy != nil {
in, out := &in.UpdateStrategy, &out.UpdateStrategy
*out = new(appsv1.DeploymentStrategyType)
@@ -1754,6 +1794,11 @@ func (in *VTSingleSpec) DeepCopyInto(out *VTSingleSpec) {
*out = new(v1beta1.VMServiceScrapeSpec)
(*in).DeepCopyInto(*out)
}
+ if in.NetworkPolicy != nil {
+ in, out := &in.NetworkPolicy, &out.NetworkPolicy
+ *out = new(v1beta1.EmbeddedNetworkPolicy)
+ (*in).DeepCopyInto(*out)
+ }
}
// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new VTSingleSpec.
@@ -1827,6 +1872,11 @@ func (in *VTStorage) DeepCopyInto(out *VTStorage) {
*out = new(v1beta1.EmbeddedVPA)
(*in).DeepCopyInto(*out)
}
+ if in.NetworkPolicy != nil {
+ in, out := &in.NetworkPolicy, &out.NetworkPolicy
+ *out = new(v1beta1.EmbeddedNetworkPolicy)
+ (*in).DeepCopyInto(*out)
+ }
if in.Storage != nil {
in, out := &in.Storage, &out.Storage
*out = new(v1beta1.StorageSpec)
diff --git a/api/operator/v1beta1/vmagent_types.go b/api/operator/v1beta1/vmagent_types.go
index 7eecbd56f..6575eb7d8 100644
--- a/api/operator/v1beta1/vmagent_types.go
+++ b/api/operator/v1beta1/vmagent_types.go
@@ -79,6 +79,9 @@ type VMAgentSpec struct {
// PodDisruptionBudget created by operator
// +optional
PodDisruptionBudget *EmbeddedPodDisruptionBudgetSpec `json:"podDisruptionBudget,omitempty"`
+ // NetworkPolicy defines network access rules for pods created by this CR.
+ // +optional
+ NetworkPolicy *EmbeddedNetworkPolicy `json:"networkPolicy,omitempty"`
// DaemonSetMode enables DaemonSet deployment mode instead of Deployment.
// Supports only VMPodScrape
// (available from v0.55.0).
diff --git a/api/operator/v1beta1/vmalert_types.go b/api/operator/v1beta1/vmalert_types.go
index 0b9076c2e..3007b08ef 100644
--- a/api/operator/v1beta1/vmalert_types.go
+++ b/api/operator/v1beta1/vmalert_types.go
@@ -135,6 +135,9 @@ type VMAlertSpec struct {
// PodDisruptionBudget created by operator
// +optional
PodDisruptionBudget *EmbeddedPodDisruptionBudgetSpec `json:"podDisruptionBudget,omitempty"`
+ // NetworkPolicy defines network access rules for pods created by this CR.
+ // +optional
+ NetworkPolicy *EmbeddedNetworkPolicy `json:"networkPolicy,omitempty"`
// License allows to configure license key to be used for enterprise features.
// Using license key is supported starting from VictoriaMetrics v1.94.0.
// See [here](https://docs.victoriametrics.com/victoriametrics/enterprise/)
diff --git a/api/operator/v1beta1/vmalertmanager_types.go b/api/operator/v1beta1/vmalertmanager_types.go
index 7e6750020..377103ff6 100644
--- a/api/operator/v1beta1/vmalertmanager_types.go
+++ b/api/operator/v1beta1/vmalertmanager_types.go
@@ -139,6 +139,9 @@ type VMAlertmanagerSpec struct {
// PodDisruptionBudget created by operator
// +optional
PodDisruptionBudget *EmbeddedPodDisruptionBudgetSpec `json:"podDisruptionBudget,omitempty"`
+ // NetworkPolicy defines network access rules for pods created by this CR.
+ // +optional
+ NetworkPolicy *EmbeddedNetworkPolicy `json:"networkPolicy,omitempty"`
// SelectAllByDefault changes default behavior for empty CRD selectors, such ConfigSelector.
// with selectAllByDefault: true and undefined ConfigSelector and ConfigNamespaceSelector
// Operator selects all exist alertManagerConfigs
diff --git a/api/operator/v1beta1/vmauth_types.go b/api/operator/v1beta1/vmauth_types.go
index f7a661f97..7376d26e8 100644
--- a/api/operator/v1beta1/vmauth_types.go
+++ b/api/operator/v1beta1/vmauth_types.go
@@ -75,6 +75,9 @@ type VMAuthSpec struct {
// PodDisruptionBudget created by operator
// +optional
PodDisruptionBudget *EmbeddedPodDisruptionBudgetSpec `json:"podDisruptionBudget,omitempty" yaml:"podDisruptionBudget,omitempty"`
+ // NetworkPolicy defines network access rules for pods created by this CR.
+ // +optional
+ NetworkPolicy *EmbeddedNetworkPolicy `json:"networkPolicy,omitempty" yaml:"networkPolicy,omitempty"`
// Ingress enables ingress configuration for VMAuth.
Ingress *EmbeddedIngress `json:"ingress,omitempty"`
// HTTPRoute enables httproute configuration for VMAuth.
diff --git a/api/operator/v1beta1/vmcluster_types.go b/api/operator/v1beta1/vmcluster_types.go
index e72a19374..cacadfeee 100644
--- a/api/operator/v1beta1/vmcluster_types.go
+++ b/api/operator/v1beta1/vmcluster_types.go
@@ -371,6 +371,9 @@ type VMSelect struct {
// Configures vertical pod autoscaling.
// +optional
VPA *EmbeddedVPA `json:"vpa,omitempty"`
+ // NetworkPolicy defines network access rules for pods created by this CR.
+ // +optional
+ NetworkPolicy *EmbeddedNetworkPolicy `json:"networkPolicy,omitempty"`
// RollingUpdateStrategy defines strategy for application updates
// Default is OnDelete, in this case operator handles update process
@@ -454,6 +457,9 @@ type VMInsert struct {
// Configures vertical pod autoscaling.
// +optional
VPA *EmbeddedVPA `json:"vpa,omitempty"`
+ // NetworkPolicy defines network access rules for pods created by this CR.
+ // +optional
+ NetworkPolicy *EmbeddedNetworkPolicy `json:"networkPolicy,omitempty"`
// Discovery overrides the cluster-level discovery config for vminsert.
// +optional
@@ -542,6 +548,9 @@ type VMStorage struct {
// PodDisruptionBudget created by operator
// +optional
PodDisruptionBudget *EmbeddedPodDisruptionBudgetSpec `json:"podDisruptionBudget,omitempty"`
+ // NetworkPolicy defines network access rules for pods created by this CR.
+ // +optional
+ NetworkPolicy *EmbeddedNetworkPolicy `json:"networkPolicy,omitempty"`
// MaintenanceInsertNodeIDs - excludes given node ids from insert requests routing, must contain pod suffixes - for pod-0, id will be 0 and etc.
// lets say, you have pod-0, pod-1, pod-2, pod-3. to exclude pod-0 and pod-3 from insert routing, define nodeIDs: [0,3].
// Useful at storage expanding, when you want to rebalance some data at cluster.
@@ -1121,6 +1130,9 @@ type VMAuthLoadBalancerSpec struct {
// PodDisruptionBudget created by operator
// +optional
PodDisruptionBudget *EmbeddedPodDisruptionBudgetSpec `json:"podDisruptionBudget,omitempty"`
+ // NetworkPolicy defines network access rules for pods created by this CR.
+ // +optional
+ NetworkPolicy *EmbeddedNetworkPolicy `json:"networkPolicy,omitempty"`
// UpdateStrategy - overrides default update strategy.
// Available from operator v0.64.0
diff --git a/api/operator/v1beta1/vmextra_types.go b/api/operator/v1beta1/vmextra_types.go
index 2b84efb84..daeefe892 100644
--- a/api/operator/v1beta1/vmextra_types.go
+++ b/api/operator/v1beta1/vmextra_types.go
@@ -18,6 +18,7 @@ import (
appsv1 "k8s.io/api/apps/v1"
autoscalingv2 "k8s.io/api/autoscaling/v2"
corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/util/intstr"
@@ -497,6 +498,17 @@ func (cr *EmbeddedVPA) Validate() error {
return nil
}
+// EmbeddedNetworkPolicy defines configuration for a NetworkPolicy protecting pods owned by the CR.
+type EmbeddedNetworkPolicy struct {
+ // Ingress defines the list of ingress rules applied to pods selected by this CR.
+ // Each rule allows traffic which matches both the from and ports sections.
+ // +optional
+ Ingress []networkingv1.NetworkPolicyIngressRule `json:"ingress,omitempty"`
+ // Egress defines the list of egress rules applied to pods selected by this CR.
+ // +optional
+ Egress []networkingv1.NetworkPolicyEgressRule `json:"egress,omitempty"`
+}
+
// DiscoverySelector can be used at CRD components discovery
type DiscoverySelector struct {
Namespace *NamespaceSelector `json:"namespaceSelector,omitempty"`
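Review bot: EmbeddedNetworkPolicy exposes only Ingress and Egress and no policy types, so the type comment should state which directions the generated policy restricts. In networking/v1 a pod is isolated only for the directions listed in policyTypes, and an isolated direction with an empty rule list denies all traffic, so a user who sets only `ingress` needs to know whether egress (DNS, remote write, API server) stays open. If the reconciler derives the directions from the non-empty lists, a sentence such as `// A direction is restricted only when its rule list is set; an omitted list leaves that direction open.` would cover it. Unlike EmbeddedVPA just above, the new type has no Validate method; the reconcile code is not part of this section, so whether the rules are checked elsewhere cannot be seen here.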
diff --git a/api/operator/v1beta1/vmrule_types.go b/api/operator/v1beta1/vmrule_types.go
index 16e5f2e29..96fc3e6a5 100644
--- a/api/operator/v1beta1/vmrule_types.go
+++ b/api/operator/v1beta1/vmrule_types.go
@@ -97,9 +97,11 @@ type RuleGroup struct {
type Rule struct {
// Record represents a query, that will be recorded to dataSource
// +optional
+ // +kubebuilder:default=""
Record string `json:"record,omitempty" yaml:"record,omitempty"`
// Alert is a name for alert
// +optional
+ // +kubebuilder:default=""
Alert string `json:"alert,omitempty" yaml:"alert,omitempty"`
// Expr is query, that will be evaluated at dataSource
// +optional
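Review bot: The `+kubebuilder:default=""` markers added to Record and Alert are unrelated to the NetworkPolicy fields in the rest of this commit and carry no explanation. With a schema default the API server fills in a missing field, so every stored rule would end up with both `record: ""` and `alert: ""`, which may show up as drift for clients that diff against their manifests. A short comment above each marker giving the reason, e.g. `// default is set explicitly because <reason>`, would help. The Rule struct continues outside the hunk.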
diff --git a/api/operator/v1beta1/vmsingle_types.go b/api/operator/v1beta1/vmsingle_types.go
index d78356e8b..c1b46af3a 100644
--- a/api/operator/v1beta1/vmsingle_types.go
+++ b/api/operator/v1beta1/vmsingle_types.go
@@ -101,6 +101,9 @@ type VMSingleSpec struct {
// +optional
ComponentVersion string `json:"componentVersion,omitempty"`
+ // NetworkPolicy defines network access rules for pods created by this CR.
+ // +optional
+ NetworkPolicy *EmbeddedNetworkPolicy `json:"networkPolicy,omitempty"`
CommonRelabelParams `json:",inline,omitempty"`
CommonScrapeParams `json:",inline,omitempty"`
CommonConfigReloaderParams `json:",inline,omitempty"`
diff --git a/api/operator/v1beta1/zz_generated.deepcopy.go b/api/operator/v1beta1/zz_generated.deepcopy.go
index 90854863a..40dc75056 100644
--- a/api/operator/v1beta1/zz_generated.deepcopy.go
+++ b/api/operator/v1beta1/zz_generated.deepcopy.go
@@ -1425,6 +1425,35 @@ func (in *EmbeddedIngress) DeepCopy() *EmbeddedIngress {
return out
}
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *EmbeddedNetworkPolicy) DeepCopyInto(out *EmbeddedNetworkPolicy) {
+ *out = *in
+ if in.Ingress != nil {
+ in, out := &in.Ingress, &out.Ingress
+ *out = make([]networkingv1.NetworkPolicyIngressRule, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+ if in.Egress != nil {
+ in, out := &in.Egress, &out.Egress
+ *out = make([]networkingv1.NetworkPolicyEgressRule, len(*in))
+ for i := range *in {
+ (*in)[i].DeepCopyInto(&(*out)[i])
+ }
+ }
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EmbeddedNetworkPolicy.
+func (in *EmbeddedNetworkPolicy) DeepCopy() *EmbeddedNetworkPolicy {
+ if in == nil {
+ return nil
+ }
+ out := new(EmbeddedNetworkPolicy)
+ in.DeepCopyInto(out)
+ return out
+}
+
// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (in *EmbeddedObjectMetadata) DeepCopyInto(out *EmbeddedObjectMetadata) {
*out = *in
@@ -4831,6 +4860,11 @@ func (in *VMAgentSpec) DeepCopyInto(out *VMAgentSpec) {
*out = new(EmbeddedPodDisruptionBudgetSpec)
(*in).DeepCopyInto(*out)
}
+ if in.NetworkPolicy != nil {
+ in, out := &in.NetworkPolicy, &out.NetworkPolicy
+ *out = new(EmbeddedNetworkPolicy)
+ (*in).DeepCopyInto(*out)
+ }
if in.DaemonSetUpdateStrategy != nil {
in, out := &in.DaemonSetUpdateStrategy, &out.DaemonSetUpdateStrategy
*out = new(appsv1.DaemonSetUpdateStrategyType)
@@ -5151,6 +5185,11 @@ func (in *VMAlertSpec) DeepCopyInto(out *VMAlertSpec) {
*out = new(EmbeddedPodDisruptionBudgetSpec)
(*in).DeepCopyInto(*out)
}
+ if in.NetworkPolicy != nil {
+ in, out := &in.NetworkPolicy, &out.NetworkPolicy
+ *out = new(EmbeddedNetworkPolicy)
+ (*in).DeepCopyInto(*out)
+ }
if in.License != nil {
in, out := &in.License, &out.License
*out = new(License)
@@ -5461,6 +5500,11 @@ func (in *VMAlertmanagerSpec) DeepCopyInto(out *VMAlertmanagerSpec) {
*out = new(EmbeddedPodDisruptionBudgetSpec)
(*in).DeepCopyInto(*out)
}
+ if in.NetworkPolicy != nil {
+ in, out := &in.NetworkPolicy, &out.NetworkPolicy
+ *out = new(EmbeddedNetworkPolicy)
+ (*in).DeepCopyInto(*out)
+ }
if in.ConfigSelector != nil {
in, out := &in.ConfigSelector, &out.ConfigSelector
*out = new(metav1.LabelSelector)
@@ -5691,6 +5735,11 @@ func (in *VMAuthLoadBalancerSpec) DeepCopyInto(out *VMAuthLoadBalancerSpec) {
*out = new(EmbeddedPodDisruptionBudgetSpec)
(*in).DeepCopyInto(*out)
}
+ if in.NetworkPolicy != nil {
+ in, out := &in.NetworkPolicy, &out.NetworkPolicy
+ *out = new(EmbeddedNetworkPolicy)
+ (*in).DeepCopyInto(*out)
+ }
if in.UpdateStrategy != nil {
in, out := &in.UpdateStrategy, &out.UpdateStrategy
*out = new(appsv1.DeploymentStrategyType)
@@ -5763,6 +5812,11 @@ func (in *VMAuthSpec) DeepCopyInto(out *VMAuthSpec) {
*out = new(EmbeddedPodDisruptionBudgetSpec)
(*in).DeepCopyInto(*out)
}
+ if in.NetworkPolicy != nil {
+ in, out := &in.NetworkPolicy, &out.NetworkPolicy
+ *out = new(EmbeddedNetworkPolicy)
+ (*in).DeepCopyInto(*out)
+ }
if in.Ingress != nil {
in, out := &in.Ingress, &out.Ingress
*out = new(EmbeddedIngress)
@@ -6200,6 +6254,11 @@ func (in *VMInsert) DeepCopyInto(out *VMInsert) {
*out = new(EmbeddedVPA)
(*in).DeepCopyInto(*out)
}
+ if in.NetworkPolicy != nil {
+ in, out := &in.NetworkPolicy, &out.NetworkPolicy
+ *out = new(EmbeddedNetworkPolicy)
+ (*in).DeepCopyInto(*out)
+ }
if in.Discovery != nil {
in, out := &in.Discovery, &out.Discovery
*out = new(VMClusterDiscovery)
@@ -7086,6 +7145,11 @@ func (in *VMSelect) DeepCopyInto(out *VMSelect) {
*out = new(EmbeddedVPA)
(*in).DeepCopyInto(*out)
}
+ if in.NetworkPolicy != nil {
+ in, out := &in.NetworkPolicy, &out.NetworkPolicy
+ *out = new(EmbeddedNetworkPolicy)
+ (*in).DeepCopyInto(*out)
+ }
if in.RollingUpdateStrategyBehavior != nil {
in, out := &in.RollingUpdateStrategyBehavior, &out.RollingUpdateStrategyBehavior
*out = new(StatefulSetUpdateStrategyBehavior)
@@ -7342,6 +7406,11 @@ func (in *VMSingleSpec) DeepCopyInto(out *VMSingleSpec) {
*out = new(APIServerConfig)
(*in).DeepCopyInto(*out)
}
+ if in.NetworkPolicy != nil {
+ in, out := &in.NetworkPolicy, &out.NetworkPolicy
+ *out = new(EmbeddedNetworkPolicy)
+ (*in).DeepCopyInto(*out)
+ }
in.CommonRelabelParams.DeepCopyInto(&out.CommonRelabelParams)
in.CommonScrapeParams.DeepCopyInto(&out.CommonScrapeParams)
in.CommonConfigReloaderParams.DeepCopyInto(&out.CommonConfigReloaderParams)
@@ -7526,6 +7595,11 @@ func (in *VMStorage) DeepCopyInto(out *VMStorage) {
*out = new(EmbeddedPodDisruptionBudgetSpec)
(*in).DeepCopyInto(*out)
}
+ if in.NetworkPolicy != nil {
+ in, out := &in.NetworkPolicy, &out.NetworkPolicy
+ *out = new(EmbeddedNetworkPolicy)
+ (*in).DeepCopyInto(*out)
+ }
if in.MaintenanceInsertNodeIDs != nil {
in, out := &in.MaintenanceInsertNodeIDs, &out.MaintenanceInsertNodeIDs
*out = make([]int32, len(*in))
diff --git a/config/crd/overlay/crd.descriptionless.yaml b/config/crd/overlay/crd.descriptionless.yaml
index f8a096e51..ee5df0bed 100644
--- a/config/crd/overlay/crd.descriptionless.yaml
+++ b/config/crd/overlay/crd.descriptionless.yaml
@@ -444,6 +444,191 @@ spec:
minReadySeconds:
format: int32
type: integer
+ networkPolicy:
+ properties:
+ egress:
+ items:
+ properties:
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ from:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -1426,6 +1611,191 @@ spec:
minReadySeconds:
format: int32
type: integer
+ networkPolicy:
+ properties:
+ egress:
+ items:
+ properties:
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ from:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -2043,6 +2413,191 @@ spec:
minReadySeconds:
format: int32
type: integer
+ networkPolicy:
+ properties:
+ egress:
+ items:
+ properties:
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ from:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -2936,6 +3491,191 @@ spec:
minReadySeconds:
format: int32
type: integer
+ networkPolicy:
+ properties:
+ egress:
+ items:
+ properties:
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ from:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
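Review bot: The `networkPolicy` object added in this hunk exposes only `egress` and `ingress` and has no `description` on any field, so the CRD does not say what `networkPolicy: {}`, or a rule list given for one direction only, does to traffic in the other direction. Whether a direction ends up unrestricted or default-deny depends on which policy types the controller sets on the generated NetworkPolicy, which is not visible here. I would state that on the Go field this schema is presumably generated from, e.g. `// If ingress (or egress) is omitted, traffic in that direction is <allowed|denied>.`, filled in to match the controller. The same block repeats in the later `networkPolicy` hunks on this page, so fixing the field comment once would cover all of them. Separately, `protocol` and `cidr` are plain strings, so a typo is likely rejected only when the operator creates the NetworkPolicy, not when the CR is admitted.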
@@ -3714,6 +4454,191 @@ spec:
minReadySeconds:
format: int32
type: integer
+ networkPolicy:
+ properties:
+ egress:
+ items:
+ properties:
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ from:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -5266,6 +6191,191 @@ spec:
type: integer
minScrapeInterval:
type: string
+ networkPolicy:
+ properties:
+ egress:
+ items:
+ properties:
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ from:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeScrapeNamespaceSelector:
properties:
matchExpressions:
@@ -10579,6 +11689,191 @@ spec:
minReadySeconds:
format: int32
type: integer
+ networkPolicy:
+ properties:
+ egress:
+ items:
+ properties:
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ from:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -11600,6 +12895,191 @@ spec:
minReadySeconds:
format: int32
type: integer
+ networkPolicy:
+ properties:
+ egress:
+ items:
+ properties:
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ from:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -12935,6 +14415,191 @@ spec:
- url
type: object
type: object
+ networkPolicy:
+ properties:
+ egress:
+ items:
+ properties:
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ from:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -14788,6 +16453,191 @@ spec:
minReadySeconds:
format: int32
type: integer
+ networkPolicy:
+ properties:
+ egress:
+ items:
+ properties:
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ from:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -15942,6 +17792,191 @@ spec:
minReadySeconds:
format: int32
type: integer
+ networkPolicy:
+ properties:
+ egress:
+ items:
+ properties:
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ from:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -16492,6 +18527,191 @@ spec:
minReadySeconds:
format: int32
type: integer
+ networkPolicy:
+ properties:
+ egress:
+ items:
+ properties:
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ from:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -17566,6 +19786,191 @@ spec:
minReadySeconds:
format: int32
type: integer
+ networkPolicy:
+ properties:
+ egress:
+ items:
+ properties:
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ from:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -21270,6 +23675,191 @@ spec:
minReadySeconds:
format: int32
type: integer
+ networkPolicy:
+ properties:
+ egress:
+ items:
+ properties:
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ from:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -34528,6 +37118,7 @@ spec:
items:
properties:
alert:
+ default: ""
type: string
annotations:
additionalProperties:
@@ -34546,6 +37137,7 @@ spec:
type: string
type: object
record:
+ default: ""
type: string
update_entries_limit:
type: integer
@@ -42752,6 +45344,191 @@ spec:
type: integer
minScrapeInterval:
type: string
+ networkPolicy:
+ properties:
+ egress:
+ items:
+ properties:
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ from:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeScrapeNamespaceSelector:
properties:
matchExpressions:
@@ -45654,6 +48431,191 @@ spec:
minReadySeconds:
format: int32
type: integer
+ networkPolicy:
+ properties:
+ egress:
+ items:
+ properties:
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ from:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -46218,6 +49180,191 @@ spec:
minReadySeconds:
format: int32
type: integer
+ networkPolicy:
+ properties:
+ egress:
+ items:
+ properties:
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ from:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -47113,6 +50260,191 @@ spec:
minReadySeconds:
format: int32
type: integer
+ networkPolicy:
+ properties:
+ egress:
+ items:
+ properties:
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ from:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -47775,6 +51107,191 @@ spec:
minReadySeconds:
format: int32
type: integer
+ networkPolicy:
+ properties:
+ egress:
+ items:
+ properties:
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ items:
+ properties:
+ from:
+ items:
+ properties:
+ ipBlock:
+ properties:
+ cidr:
+ type: string
+ except:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ properties:
+ matchExpressions:
+ items:
+ properties:
+ key:
+ type: string
+ operator:
+ type: string
+ values:
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ items:
+ properties:
+ endPort:
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ x-kubernetes-int-or-string: true
+ protocol:
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
diff --git a/config/crd/overlay/crd.yaml b/config/crd/overlay/crd.yaml
index ce6476d46..a160a97ed 100644
--- a/config/crd/overlay/crd.yaml
+++ b/config/crd/overlay/crd.yaml
@@ -917,6 +917,393 @@ spec:
Has no effect for VLogs and VMSingle
format: int32
type: integer
+ networkPolicy:
+ description: NetworkPolicy defines network access rules for pods created
+ by this CR.
+ properties:
+ egress:
+ description: Egress defines the list of egress rules applied to
+ pods selected by this CR.
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow
+ traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ Ingress defines the list of ingress rules applied to pods selected by this CR.
+ Each rule allows traffic which matches both the from and ports sections.
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow
+ traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
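Review bot: The `networkPolicy` description added at the top of this hunk ("NetworkPolicy defines network access rules for pods created by this CR.") does not say what an omitted or empty `ingress` or `egress` list means, and the schema exposes only those two lists with no `policyTypes`. In a Kubernetes NetworkPolicy the policy types decide whether a direction with no rules is unrestricted or denied entirely, so a reader of this CRD cannot tell whether `networkPolicy: {}` isolates the pods, or whether listing only `ingress` leaves egress open. I would add a sentence to the description such as `An omitted or empty ingress (or egress) list means <deny all | no restriction> for that direction.`, filled in with the operator's actual behaviour, and state whether the operator adds rules of its own (for example for traffic between components of the same CR). This file looks generated from the Go type comments, so the wording would presumably be changed on `EmbeddedNetworkPolicy` and the manifests regenerated; the same description appears in the hunk that follows.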
@@ -2880,6 +3267,393 @@ spec:
Has no effect for VLogs and VMSingle
format: int32
type: integer
+ networkPolicy:
+ description: NetworkPolicy defines network access rules for pods
+ created by this CR.
+ properties:
+ egress:
+ description: Egress defines the list of egress rules applied
+ to pods selected by this CR.
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to
+ allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ Ingress defines the list of ingress rules applied to pods selected by this CR.
+ Each rule allows traffic which matches both the from and ports sections.
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to
+ allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
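Review bot: The `networkPolicy` description added in this hunk does not say which traffic directions become isolated once the field is set. The schema exposes only `egress` and `ingress`, with no `policyTypes`, so a user cannot tell whether supplying only `ingress` rules leaves egress unrestricted or denies it, nor what an empty `networkPolicy: {}` does. The per-rule text copied from upstream says an empty `from`/`to`/`ports` matches everything, which makes the operator's own default the part that needs stating. I would add a sentence such as `When set, the operator creates a NetworkPolicy with policyTypes <as actually derived>; an omitted ingress or egress list means <allow-all or deny-all> for that direction.` with the placeholders filled from the controller code. The same description repeats in the hunk at `-4081,6 +4855,393` and the neighbouring ones, and this schema looks generated, so the wording would presumably change in the Go field comment and be regenerated.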
@@ -4081,6 +4855,393 @@ spec:
Has no effect for VLogs and VMSingle
format: int32
type: integer
+ networkPolicy:
+ description: NetworkPolicy defines network access rules for pods
+ created by this CR.
+ properties:
+ egress:
+ description: Egress defines the list of egress rules applied
+ to pods selected by this CR.
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to
+ allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ Ingress defines the list of ingress rules applied to pods selected by this CR.
+ Each rule allows traffic which matches both the from and ports sections.
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to
+ allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -5783,6 +6944,393 @@ spec:
Has no effect for VLogs and VMSingle
format: int32
type: integer
+ networkPolicy:
+ description: NetworkPolicy defines network access rules for pods
+ created by this CR.
+ properties:
+ egress:
+ description: Egress defines the list of egress rules applied
+ to pods selected by this CR.
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to
+ allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ Ingress defines the list of ingress rules applied to pods selected by this CR.
+ Each rule allows traffic which matches both the from and ports sections.
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to
+ allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -7216,6 +8764,393 @@ spec:
Has no effect for VLogs and VMSingle
format: int32
type: integer
+ networkPolicy:
+ description: NetworkPolicy defines network access rules for pods created
+ by this CR.
+ properties:
+ egress:
+ description: Egress defines the list of egress rules applied to
+ pods selected by this CR.
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow
+ traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ Ingress defines the list of ingress rules applied to pods selected by this CR.
+ Each rule allows traffic which matches both the from and ports sections.
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow
+ traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -10338,6 +12273,393 @@ spec:
MinScrapeInterval allows limiting minimal scrape interval for VMServiceScrape, VMPodScrape and other scrapes
If interval is lower than defined limit, `minScrapeInterval` will be used.
type: string
+ networkPolicy:
+ description: NetworkPolicy defines network access rules for pods created
+ by this CR.
+ properties:
+ egress:
+ description: Egress defines the list of egress rules applied to
+ pods selected by this CR.
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow
+ traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ Ingress defines the list of ingress rules applied to pods selected by this CR.
+ Each rule allows traffic which matches both the from and ports sections.
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow
+ traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeScrapeNamespaceSelector:
description: |-
NodeScrapeNamespaceSelector defines Namespaces to be selected for VMNodeScrape discovery.
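Review bot: The `networkPolicy` description added in this hunk does not say which traffic direction is restricted when only one of `egress` / `ingress` is given, or when the object is set but empty. In a Kubernetes NetworkPolicy that outcome is decided by policyTypes, which this schema does not expose, so a user cannot tell from the CRD whether `networkPolicy: {}` isolates the pods or changes nothing. I would add one sentence to the field description stating how the operator derives the policy types, for example `Only directions that have at least one rule are restricted; an empty networkPolicy creates no policy.`, worded to match what the reconciler actually builds, which is not visible here. The same description is repeated in the hunks at `@@ -20549,6 +22871,393 @@` and `@@ -22600,6 +25309,393 @@`. This YAML looks generated, so the sentence probably belongs on the Go doc comment of the field.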
@@ -20549,6 +22871,393 @@ spec:
Has no effect for VLogs and VMSingle
format: int32
type: integer
+ networkPolicy:
+ description: NetworkPolicy defines network access rules for pods created
+ by this CR.
+ properties:
+ egress:
+ description: Egress defines the list of egress rules applied to
+ pods selected by this CR.
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow
+ traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ Ingress defines the list of ingress rules applied to pods selected by this CR.
+ Each rule allows traffic which matches both the from and ports sections.
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow
+ traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -22600,6 +25309,393 @@ spec:
Has no effect for VLogs and VMSingle
format: int32
type: integer
+ networkPolicy:
+ description: NetworkPolicy defines network access rules for pods created
+ by this CR.
+ properties:
+ egress:
+ description: Egress defines the list of egress rules applied to
+ pods selected by this CR.
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow
+ traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ Ingress defines the list of ingress rules applied to pods selected by this CR.
+ Each rule allows traffic which matches both the from and ports sections.
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow
+ traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
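Review bot: The `networkPolicy` object added in this hunk exposes only `egress` and `ingress`, and its description ("NetworkPolicy defines network access rules for pods created by this CR.") never says what an omitted or empty list means for that direction. On a plain Kubernetes NetworkPolicy that depends on `policyTypes`, which this schema does not surface. A user therefore cannot tell from the CRD whether setting only `ingress` leaves outbound traffic unrestricted, or whether `networkPolicy: {}` isolates the pods; how the operator fills in the policy types is not visible here. The descriptions look generated from the Go doc comments, so the wording likely belongs on `EmbeddedNetworkPolicy` and its `Ingress`/`Egress` fields, e.g. `// If egress is omitted, outbound traffic is <allowed|denied: state the controller's actual behaviour>.` The same description is repeated in the hunks at `@@ -25233,6 +28329,393 @@` and `@@ -28889,6 +32372,393 @@`.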
@@ -25233,6 +28329,393 @@ spec:
- url
type: object
type: object
+ networkPolicy:
+ description: NetworkPolicy defines network access rules for pods created
+ by this CR.
+ properties:
+ egress:
+ description: Egress defines the list of egress rules applied to
+ pods selected by this CR.
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow
+ traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ Ingress defines the list of ingress rules applied to pods selected by this CR.
+ Each rule allows traffic which matches both the from and ports sections.
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow
+ traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -28889,6 +32372,393 @@ spec:
Has no effect for VLogs and VMSingle
format: int32
type: integer
+ networkPolicy:
+ description: NetworkPolicy defines network access rules for pods created
+ by this CR.
+ properties:
+ egress:
+ description: Egress defines the list of egress rules applied to
+ pods selected by this CR.
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow
+ traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ Ingress defines the list of ingress rules applied to pods selected by this CR.
+ Each rule allows traffic which matches both the from and ports sections.
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow
+ traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
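Review bot: The `networkPolicy` schema in this hunk exposes only `egress` and `ingress`, with no `policyTypes`, and neither description says what an omitted or empty list means for the policy the operator creates. In a Kubernetes NetworkPolicy that distinction decides whether a direction is left unrestricted or becomes default-deny, so a user who sets `networkPolicy: {}` or only `ingress` cannot tell from the CRD whether egress (DNS lookups included) is blocked or whether the pods are isolated at all. This YAML appears to be generated, so the wording belongs in the Go doc comments of the embedded type, for example `// Egress defines the list of egress rules applied to pods selected by this CR. <state whether an empty or omitted list denies all egress or leaves egress unrestricted>`, with a matching sentence on `Ingress`. The hunks at `@@ -31054` and `@@ -32133` repeat the same descriptions and would pick up the change on regeneration.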
@@ -31054,6 +34924,393 @@ spec:
Has no effect for VLogs and VMSingle
format: int32
type: integer
+ networkPolicy:
+ description: NetworkPolicy defines network access rules for pods
+ created by this CR.
+ properties:
+ egress:
+ description: Egress defines the list of egress rules applied
+ to pods selected by this CR.
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to
+ allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ Ingress defines the list of ingress rules applied to pods selected by this CR.
+ Each rule allows traffic which matches both the from and ports sections.
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to
+ allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -32133,6 +36390,393 @@ spec:
Has no effect for VLogs and VMSingle
format: int32
type: integer
+ networkPolicy:
+ description: NetworkPolicy defines network access rules for pods
+ created by this CR.
+ properties:
+ egress:
+ description: Egress defines the list of egress rules applied
+ to pods selected by this CR.
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to
+ allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ Ingress defines the list of ingress rules applied to pods selected by this CR.
+ Each rule allows traffic which matches both the from and ports sections.
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to
+ allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
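Review bot: The `networkPolicy` description at the top of this hunk does not say what happens to a traffic direction that has no rules. The schema exposes only `egress` and `ingress` and no `policyTypes`, so a user who sets just `ingress` cannot tell whether egress stays open or becomes default-deny, and in a Kubernetes NetworkPolicy that difference decides whether the pods are isolated. The per-rule text copied from the upstream API ("empty or missing ... matches all sources") describes one rule rather than an empty rule list, which makes the field easy to misread. This YAML looks generated, so the fix presumably belongs in the doc comment on `EmbeddedNetworkPolicy`, for example `// An omitted or empty ingress/egress list means <deny all | no restriction> for that direction.`, with the placeholder replaced by what the operator actually renders. The same description repeats in the hunks at `@@ -34292,6 +38936,393 @@` and `@@ -41887,6 +46918,393 @@`.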
@@ -34292,6 +38936,393 @@ spec:
Has no effect for VLogs and VMSingle
format: int32
type: integer
+ networkPolicy:
+ description: NetworkPolicy defines network access rules for pods
+ created by this CR.
+ properties:
+ egress:
+ description: Egress defines the list of egress rules applied
+ to pods selected by this CR.
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to
+ allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ Ingress defines the list of ingress rules applied to pods selected by this CR.
+ Each rule allows traffic which matches both the from and ports sections.
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to
+ allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -41887,6 +46918,393 @@ spec:
Has no effect for VLogs and VMSingle
format: int32
type: integer
+ networkPolicy:
+ description: NetworkPolicy defines network access rules for
+ pods created by this CR.
+ properties:
+ egress:
+ description: Egress defines the list of egress rules applied
+ to pods selected by this CR.
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port
+ to allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ Ingress defines the list of ingress rules applied to pods selected by this CR.
+ Each rule allows traffic which matches both the from and ports sections.
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list
+ of label selector requirements. The
+ requirements are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key
+ that the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port
+ to allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
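Review bot: The new `networkPolicy` description at the top of this hunk does not say what traffic is blocked once the field is set, and the schema exposes only `egress` and `ingress`, with no `policyTypes`. In a Kubernetes NetworkPolicy an empty rule list for a selected direction denies all traffic in that direction, so whether `networkPolicy: {}` or an `ingress`-only block isolates the pods or leaves egress open depends on operator code that is not visible here. I would extend the description (presumably through the comment on `EmbeddedNetworkPolicy`, since this YAML looks generated) with a sentence such as `Traffic not matched by a listed rule is denied for each direction that is set; an omitted direction is left unrestricted.`, adjusted to what the operator really does. The same wording recurs in the `networkPolicy` hunks starting at `@@ -85283` and `@@ -90802`, and the enclosing spec schema continues outside this hunk.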
@@ -70304,6 +75722,7 @@ spec:
description: Rule describes an alerting or recording rule.
properties:
alert:
+ default: ""
description: Alert is a name for alert
type: string
annotations:
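Review bot: `default: ""` on `alert` here, and on `record` in the next hunk, means the API server will write both keys as empty strings into every stored rule, although the description says a rule is either alerting or recording. Any validation or consumer that tells the two kinds apart by key presence rather than by a non-empty value would then see both keys, and GitOps tooling may report drift against manifests that omit the field; whether that applies depends on code outside this diff. A short justification next to the marker that produces this default would help, for example `// default "" is required because <reason>`. The Rule schema continues outside the hunk.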
@@ -70337,6 +75756,7 @@ spec:
description: Labels will be added to rule configuration
type: object
record:
+ default: ""
description: Record represents a query, that will be recorded
to dataSource
type: string
@@ -85283,6 +90703,393 @@ spec:
MinScrapeInterval allows limiting minimal scrape interval for VMServiceScrape, VMPodScrape and other scrapes
If interval is lower than defined limit, `minScrapeInterval` will be used.
type: string
+ networkPolicy:
+ description: NetworkPolicy defines network access rules for pods created
+ by this CR.
+ properties:
+ egress:
+ description: Egress defines the list of egress rules applied to
+ pods selected by this CR.
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow
+ traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ Ingress defines the list of ingress rules applied to pods selected by this CR.
+ Each rule allows traffic which matches both the from and ports sections.
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow
+ traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeScrapeNamespaceSelector:
description: |-
NodeScrapeNamespaceSelector defines Namespaces to be selected for VMNodeScrape discovery.
@@ -90802,6 +96609,393 @@ spec:
Has no effect for VLogs and VMSingle
format: int32
type: integer
+ networkPolicy:
+ description: NetworkPolicy defines network access rules for pods
+ created by this CR.
+ properties:
+ egress:
+ description: Egress defines the list of egress rules applied
+ to pods selected by this CR.
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to
+ allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ Ingress defines the list of ingress rules applied to pods selected by this CR.
+ Each rule allows traffic which matches both the from and ports sections.
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to
+ allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -91897,6 +98091,393 @@ spec:
Has no effect for VLogs and VMSingle
format: int32
type: integer
+ networkPolicy:
+ description: NetworkPolicy defines network access rules for pods
+ created by this CR.
+ properties:
+ egress:
+ description: Egress defines the list of egress rules applied
+ to pods selected by this CR.
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to
+ allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ Ingress defines the list of ingress rules applied to pods selected by this CR.
+ Each rule allows traffic which matches both the from and ports sections.
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to
+ allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -93606,6 +100187,393 @@ spec:
Has no effect for VLogs and VMSingle
format: int32
type: integer
+ networkPolicy:
+ description: NetworkPolicy defines network access rules for pods
+ created by this CR.
+ properties:
+ egress:
+ description: Egress defines the list of egress rules applied
+ to pods selected by this CR.
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to
+ allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ Ingress defines the list of ingress rules applied to pods selected by this CR.
+ Each rule allows traffic which matches both the from and ports sections.
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of
+ label selector requirements. The requirements
+ are ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that
+ the selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to
+ allow traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
@@ -94863,6 +101831,393 @@ spec:
Has no effect for VLogs and VMSingle
format: int32
type: integer
+ networkPolicy:
+ description: NetworkPolicy defines network access rules for pods created
+ by this CR.
+ properties:
+ egress:
+ description: Egress defines the list of egress rules applied to
+ pods selected by this CR.
+ items:
+ description: |-
+ NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+ This type is beta-level in 1.8
+ properties:
+ ports:
+ description: |-
+ ports is a list of destination ports for outgoing traffic.
+ Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow
+ traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ to:
+ description: |-
+ to is a list of destinations for outgoing traffic of pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all destinations (traffic not restricted by
+ destination). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the to list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ ingress:
+ description: |-
+ Ingress defines the list of ingress rules applied to pods selected by this CR.
+ Each rule allows traffic which matches both the from and ports sections.
+ items:
+ description: |-
+ NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
+ matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
+ properties:
+ from:
+ description: |-
+ from is a list of sources which should be able to access the pods selected for this rule.
+ Items in this list are combined using a logical OR operation. If this field is
+ empty or missing, this rule matches all sources (traffic not restricted by
+ source). If this field is present and contains at least one item, this rule
+ allows traffic only if the traffic matches at least one item in the from list.
+ items:
+ description: |-
+ NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of
+ fields are allowed
+ properties:
+ ipBlock:
+ description: |-
+ ipBlock defines policy on a particular IPBlock. If this field is set then
+ neither of the other fields can be.
+ properties:
+ cidr:
+ description: |-
+ cidr is a string representing the IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ type: string
+ except:
+ description: |-
+ except is a slice of CIDRs that should not be included within an IPBlock
+ Valid examples are "192.168.1.0/24" or "2001:db8::/64"
+ Except values will be rejected if they are outside the cidr range
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - cidr
+ type: object
+ namespaceSelector:
+ description: |-
+ namespaceSelector selects namespaces using cluster-scoped labels. This field follows
+ standard label selector semantics; if present but empty, it selects all namespaces.
+
+ If podSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the namespaces selected by namespaceSelector.
+ Otherwise it selects all pods in the namespaces selected by namespaceSelector.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ podSelector:
+ description: |-
+ podSelector is a label selector which selects pods. This field follows standard label
+ selector semantics; if present but empty, it selects all pods.
+
+ If namespaceSelector is also set, then the NetworkPolicyPeer as a whole selects
+ the pods matching podSelector in the Namespaces selected by NamespaceSelector.
+ Otherwise it selects the pods matching podSelector in the policy's own namespace.
+ properties:
+ matchExpressions:
+ description: matchExpressions is a list of label
+ selector requirements. The requirements are
+ ANDed.
+ items:
+ description: |-
+ A label selector requirement is a selector that contains values, a key, and an operator that
+ relates the key and values.
+ properties:
+ key:
+ description: key is the label key that the
+ selector applies to.
+ type: string
+ operator:
+ description: |-
+ operator represents a key's relationship to a set of values.
+ Valid operators are In, NotIn, Exists and DoesNotExist.
+ type: string
+ values:
+ description: |-
+ values is an array of string values. If the operator is In or NotIn,
+ the values array must be non-empty. If the operator is Exists or DoesNotExist,
+ the values array must be empty. This array is replaced during a strategic
+ merge patch.
+ items:
+ type: string
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - key
+ - operator
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ matchLabels:
+ additionalProperties:
+ type: string
+ description: |-
+ matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels
+ map is equivalent to an element of matchExpressions, whose key field is "key", the
+ operator is "In", and the values array contains only "value". The requirements are ANDed.
+ type: object
+ type: object
+ x-kubernetes-map-type: atomic
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ ports:
+ description: |-
+ ports is a list of ports which should be made accessible on the pods selected for
+ this rule. Each item in this list is combined using a logical OR. If this field is
+ empty or missing, this rule matches all ports (traffic not restricted by port).
+ If this field is present and contains at least one item, then this rule allows
+ traffic only if the traffic matches at least one port in the list.
+ items:
+ description: NetworkPolicyPort describes a port to allow
+ traffic on
+ properties:
+ endPort:
+ description: |-
+ endPort indicates that the range of ports from port to endPort if set, inclusive,
+ should be allowed by the policy. This field cannot be defined if the port field
+ is not defined or if the port field is defined as a named (string) port.
+ The endPort must be equal or greater than port.
+ format: int32
+ type: integer
+ port:
+ anyOf:
+ - type: integer
+ - type: string
+ description: |-
+ port represents the port on the given protocol. This can either be a numerical or named
+ port on a pod. If this field is not provided, this matches all port names and
+ numbers.
+ If present, only traffic on the specified protocol AND port will be matched.
+ x-kubernetes-int-or-string: true
+ protocol:
+ description: |-
+ protocol represents the protocol (TCP, UDP, or SCTP) which traffic must match.
+ If not specified, this field defaults to TCP.
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ type: array
+ type: object
nodeSelector:
additionalProperties:
type: string
diff --git a/docs/CHANGELOG.md b/docs/CHANGELOG.md
index 7a6ff24b0..63a1c218b 100644
--- a/docs/CHANGELOG.md
+++ b/docs/CHANGELOG.md
@@ -13,6 +13,8 @@ aliases:
## tip
+* FEATURE: [vmoperator](https://docs.victoriametrics.com/operator/): add `networkPolicy` field to all supported CRDs (`VMSingle`, `VMAgent`, `VMAlert`, `VMAlertmanager`, `VMAuth`, `VLSingle`, `VLAgent`, `VTSingle`, `VMAnomaly`, and all cluster sub-components). When set, the operator creates and manages a `NetworkPolicy` resource that restricts ingress/egress to the component's pods. See [#2977](https://github.com/VictoriaMetrics/helm-charts/issues/2977).
+
## [v0.72.0](https://github.com/VictoriaMetrics/operator/releases/tag/v0.72.0)
**Release date:** 15 June 2026
diff --git a/docs/api.md b/docs/api.md
index 2d7dbf43c..2f73f774c 100644
--- a/docs/api.md
+++ b/docs/api.md
@@ -233,6 +233,7 @@ Appears in: [VLAgent](#vlagent)
| logLevel#
_string_ | _(Optional)_
LogLevel for VLAgent to be configured with.
INFO, WARN, ERROR, FATAL, PANIC |
| managedMetadata#
_[ManagedObjectsMetadata](#managedobjectsmetadata)_ | _(Required)_
ManagedMetadata defines metadata that will be added to the all objects
created by operator for the given CustomResource |
| minReadySeconds#
_integer_ | _(Optional)_
MinReadySeconds defines a minimum number of seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle |
+| networkPolicy#
_[EmbeddedNetworkPolicy](#embeddednetworkpolicy)_ | _(Optional)_
NetworkPolicy defines network access rules for pods created by this CR. |
| nodeSelector#
_object (keys:string, values:string)_ | _(Optional)_
NodeSelector Define which Nodes the Pods are scheduled on. |
| paused#
_boolean_ | _(Optional)_
Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions. |
| persistentVolumeClaimRetentionPolicy#
_[StatefulSetPersistentVolumeClaimRetentionPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#statefulsetpersistentvolumeclaimretentionpolicy-v1-apps)_ | _(Optional)_
PersistentVolumeClaimRetentionPolicy allows configuration of PVC retention policy |
@@ -331,6 +332,7 @@ Appears in: [VLClusterSpec](#vlclusterspec)
| logFormat#
_string_ | _(Optional)_
LogFormat for VLSelect to be configured with.
default or json |
| logLevel#
_string_ | _(Optional)_
LogLevel for VLSelect to be configured with. |
| minReadySeconds#
_integer_ | _(Optional)_
MinReadySeconds defines a minimum number of seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle |
+| networkPolicy#
_[EmbeddedNetworkPolicy](#embeddednetworkpolicy)_ | _(Optional)_
NetworkPolicy defines network access rules for pods created by this CR. |
| nodeSelector#
_object (keys:string, values:string)_ | _(Optional)_
NodeSelector Define which Nodes the Pods are scheduled on. |
| paused#
_boolean_ | _(Optional)_
Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions. |
| podDisruptionBudget#
_[EmbeddedPodDisruptionBudgetSpec](#embeddedpoddisruptionbudgetspec)_ | _(Optional)_
PodDisruptionBudget created by operator |
@@ -394,6 +396,7 @@ Appears in: [VLClusterSpec](#vlclusterspec)
| logFormat#
_string_ | _(Optional)_
LogFormat for VLSelect to be configured with.
default or json |
| logLevel#
_string_ | _(Optional)_
LogLevel for VLSelect to be configured with. |
| minReadySeconds#
_integer_ | _(Optional)_
MinReadySeconds defines a minimum number of seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle |
+| networkPolicy#
_[EmbeddedNetworkPolicy](#embeddednetworkpolicy)_ | _(Optional)_
NetworkPolicy defines network access rules for pods created by this CR. |
| nodeSelector#
_object (keys:string, values:string)_ | _(Optional)_
NodeSelector Define which Nodes the Pods are scheduled on. |
| paused#
_boolean_ | _(Optional)_
Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions. |
| podDisruptionBudget#
_[EmbeddedPodDisruptionBudgetSpec](#embeddedpoddisruptionbudgetspec)_ | _(Optional)_
PodDisruptionBudget created by operator |
@@ -471,6 +474,7 @@ Appears in: [VLSingle](#vlsingle)
| logNewStreams#
_boolean_ | _(Required)_
LogNewStreams Whether to log creation of new streams; this can be useful for debugging of high cardinality issues with log streams; see https://docs.victoriametrics.com/victorialogs/keyconcepts/#stream-fields |
| managedMetadata#
_[ManagedObjectsMetadata](#managedobjectsmetadata)_ | _(Required)_
ManagedMetadata defines metadata that will be added to the all objects
created by operator for the given CustomResource |
| minReadySeconds#
_integer_ | _(Optional)_
MinReadySeconds defines a minimum number of seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle |
+| networkPolicy#
_[EmbeddedNetworkPolicy](#embeddednetworkpolicy)_ | _(Optional)_
NetworkPolicy defines network access rules for pods created by this CR. |
| nodeSelector#
_object (keys:string, values:string)_ | _(Optional)_
NodeSelector Define which Nodes the Pods are scheduled on. |
| paused#
_boolean_ | _(Optional)_
Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions. |
| podMetadata#
_[EmbeddedObjectMetadata](#embeddedobjectmetadata)_ | _(Optional)_
PodMetadata configures Labels and Annotations which are propagated to the VLSingle pods. |
@@ -541,6 +545,7 @@ Appears in: [VLClusterSpec](#vlclusterspec)
| maintenanceInsertNodeIDs#
_integer array_ | _(Optional)_
MaintenanceInsertNodeIDs - excludes given node ids from insert requests routing, must contain pod suffixes - for pod-0, id will be 0 and etc.
lets say, you have pod-0, pod-1, pod-2, pod-3. to exclude pod-0 and pod-3 from insert routing, define nodeIDs: [0,3].
Useful at storage expanding, when you want to rebalance some data at cluster. |
| maintenanceSelectNodeIDs#
_integer array_ | _(Optional)_
MaintenanceSelectNodeIDs - excludes given node ids from select requests routing, must contain pod suffixes - for pod-0, id will be 0 and etc. |
| minReadySeconds#
_integer_ | _(Optional)_
MinReadySeconds defines a minimum number of seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle |
+| networkPolicy#
_[EmbeddedNetworkPolicy](#embeddednetworkpolicy)_ | _(Optional)_
NetworkPolicy defines network access rules for pods created by this CR. |
| nodeSelector#
_object (keys:string, values:string)_ | _(Optional)_
NodeSelector Define which Nodes the Pods are scheduled on. |
| paused#
_boolean_ | _(Optional)_
Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions. |
| persistentVolumeClaimRetentionPolicy#
_[StatefulSetPersistentVolumeClaimRetentionPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#statefulsetpersistentvolumeclaimretentionpolicy-v1-apps)_ | _(Optional)_
PersistentVolumeClaimRetentionPolicy allows configuration of PVC retention policy |
@@ -744,6 +749,7 @@ Appears in: [VMAnomaly](#vmanomaly)
| managedMetadata#
_[ManagedObjectsMetadata](#managedobjectsmetadata)_ | _(Required)_
ManagedMetadata defines metadata that will be added to the all objects
created by operator for the given CustomResource |
| minReadySeconds#
_integer_ | _(Optional)_
MinReadySeconds defines a minimum number of seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle |
| monitoring#
_[VMAnomalyMonitoringSpec](#vmanomalymonitoringspec)_ | _(Required)_
Monitoring configures how expose anomaly metrics
See https://docs.victoriametrics.com/anomaly-detection/components/monitoring/ |
+| networkPolicy#
_[EmbeddedNetworkPolicy](#embeddednetworkpolicy)_ | _(Optional)_
NetworkPolicy defines network access rules for pods created by this CR. |
| nodeSelector#
_object (keys:string, values:string)_ | _(Optional)_
NodeSelector Define which Nodes the Pods are scheduled on. |
| paused#
_boolean_ | _(Optional)_
Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions. |
| persistentVolumeClaimRetentionPolicy#
_[StatefulSetPersistentVolumeClaimRetentionPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#statefulsetpersistentvolumeclaimretentionpolicy-v1-apps)_ | _(Optional)_
PersistentVolumeClaimRetentionPolicy allows configuration of PVC retention policy |
@@ -871,6 +877,7 @@ Appears in: [VTClusterSpec](#vtclusterspec)
| logFormat#
_string_ | _(Optional)_
LogFormat for VTInsert to be configured with.
default or json |
| logLevel#
_string_ | _(Optional)_
LogLevel for VTInsert to be configured with. |
| minReadySeconds#
_integer_ | _(Optional)_
MinReadySeconds defines a minimum number of seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle |
+| networkPolicy#
_[EmbeddedNetworkPolicy](#embeddednetworkpolicy)_ | _(Optional)_
NetworkPolicy defines network access rules for pods created by this CR. |
| nodeSelector#
_object (keys:string, values:string)_ | _(Optional)_
NodeSelector Define which Nodes the Pods are scheduled on. |
| paused#
_boolean_ | _(Optional)_
Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions. |
| podDisruptionBudget#
_[EmbeddedPodDisruptionBudgetSpec](#embeddedpoddisruptionbudgetspec)_ | _(Optional)_
PodDisruptionBudget created by operator |
@@ -933,6 +940,7 @@ Appears in: [VTClusterSpec](#vtclusterspec)
| logFormat#
_string_ | _(Optional)_
LogFormat for VTSelect to be configured with.
default or json |
| logLevel#
_string_ | _(Optional)_
LogLevel for VTSelect to be configured with. |
| minReadySeconds#
_integer_ | _(Optional)_
MinReadySeconds defines a minimum number of seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle |
+| networkPolicy#
_[EmbeddedNetworkPolicy](#embeddednetworkpolicy)_ | _(Optional)_
NetworkPolicy defines network access rules for pods created by this CR. |
| nodeSelector#
_object (keys:string, values:string)_ | _(Optional)_
NodeSelector Define which Nodes the Pods are scheduled on. |
| paused#
_boolean_ | _(Optional)_
Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions. |
| podDisruptionBudget#
_[EmbeddedPodDisruptionBudgetSpec](#embeddedpoddisruptionbudgetspec)_ | _(Optional)_
PodDisruptionBudget created by operator |
@@ -1009,6 +1017,7 @@ Appears in: [VTSingle](#vtsingle)
| logNewStreams#
_boolean_ | _(Required)_
LogNewStreams Whether to log creation of new streams; this can be useful for debugging of high cardinality issues with log streams;
see https://docs.victoriametrics.com/victoriatraces/#configure-and-run-victoriatraces |
| managedMetadata#
_[ManagedObjectsMetadata](#managedobjectsmetadata)_ | _(Required)_
ManagedMetadata defines metadata that will be added to the all objects
created by operator for the given CustomResource |
| minReadySeconds#
_integer_ | _(Optional)_
MinReadySeconds defines a minimum number of seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle |
+| networkPolicy#
_[EmbeddedNetworkPolicy](#embeddednetworkpolicy)_ | _(Optional)_
NetworkPolicy defines network access rules for pods created by this CR. |
| nodeSelector#
_object (keys:string, values:string)_ | _(Optional)_
NodeSelector Define which Nodes the Pods are scheduled on. |
| paused#
_boolean_ | _(Optional)_
Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions. |
| podMetadata#
_[EmbeddedObjectMetadata](#embeddedobjectmetadata)_ | _(Optional)_
PodMetadata configures Labels and Annotations which are propagated to the VTSingle pods. |
@@ -1078,6 +1087,7 @@ Appears in: [VTClusterSpec](#vtclusterspec)
| maintenanceInsertNodeIDs#
_integer array_ | _(Optional)_
MaintenanceInsertNodeIDs - excludes given node ids from insert requests routing, must contain pod suffixes - for pod-0, id will be 0 and etc.
lets say, you have pod-0, pod-1, pod-2, pod-3. to exclude pod-0 and pod-3 from insert routing, define nodeIDs: [0,3].
Useful at storage expanding, when you want to rebalance some data at cluster. |
| maintenanceSelectNodeIDs#
_integer array_ | _(Optional)_
MaintenanceSelectNodeIDs - excludes given node ids from select requests routing, must contain pod suffixes - for pod-0, id will be 0 and etc. |
| minReadySeconds#
_integer_ | _(Optional)_
MinReadySeconds defines a minimum number of seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle |
+| networkPolicy#
_[EmbeddedNetworkPolicy](#embeddednetworkpolicy)_ | _(Optional)_
NetworkPolicy defines network access rules for pods created by this CR. |
| nodeSelector#
_object (keys:string, values:string)_ | _(Optional)_
NodeSelector Define which Nodes the Pods are scheduled on. |
| paused#
_boolean_ | _(Optional)_
Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions. |
| persistentVolumeClaimRetentionPolicy#
_[StatefulSetPersistentVolumeClaimRetentionPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#statefulsetpersistentvolumeclaimretentionpolicy-v1-apps)_ | _(Optional)_
PersistentVolumeClaimRetentionPolicy allows configuration of PVC retention policy |
@@ -1971,6 +1981,17 @@ Appears in: [VMAuthSpec](#vmauthspec)
| tlsHosts#
_string array_ | _(Required)_
TlsHosts configures TLS access for ingress, tlsSecretName must be defined for it. |
| tlsSecretName#
_string_ | _(Optional)_
TlsSecretName defines secretname at the VMAuth namespace with cert and key
https://kubernetes.io/docs/concepts/services-networking/ingress/#tls |
+#### EmbeddedNetworkPolicy
+
+EmbeddedNetworkPolicy defines configuration for a NetworkPolicy protecting pods owned by the CR.
+
+Appears in: [VLAgentSpec](#vlagentspec), [VLInsert](#vlinsert), [VLSelect](#vlselect), [VLSingleSpec](#vlsinglespec), [VLStorage](#vlstorage), [VMAgentSpec](#vmagentspec), [VMAlertSpec](#vmalertspec), [VMAlertmanagerSpec](#vmalertmanagerspec), [VMAnomalySpec](#vmanomalyspec), [VMAuthLoadBalancerSpec](#vmauthloadbalancerspec), [VMAuthSpec](#vmauthspec), [VMInsert](#vminsert), [VMSelect](#vmselect), [VMSingleSpec](#vmsinglespec), [VMStorage](#vmstorage), [VTInsert](#vtinsert), [VTSelect](#vtselect), [VTSingleSpec](#vtsinglespec), [VTStorage](#vtstorage)
+
+| Field | Description |
+| --- | --- |
+| egress#
_[NetworkPolicyEgressRule](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#networkpolicyegressrule-v1-networking) array_ | _(Optional)_
Egress defines the list of egress rules applied to pods selected by this CR. |
+| ingress#
_[NetworkPolicyIngressRule](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#networkpolicyingressrule-v1-networking) array_ | _(Optional)_
Ingress defines the list of ingress rules applied to pods selected by this CR.
Each rule allows traffic which matches both the from and ports sections. |
+
#### EmbeddedObjectMetadata
EmbeddedObjectMetadata contains a subset of the fields included in k8s.io/apimachinery/pkg/apis/meta/v1.ObjectMeta
@@ -3711,6 +3732,7 @@ Appears in: [VMAgent](#vmagent)
| maxScrapeInterval#
_string_ | _(Required)_
MaxScrapeInterval allows limiting maximum scrape interval for VMServiceScrape, VMPodScrape and other scrapes
If interval is higher than defined limit, `maxScrapeInterval` will be used. |
| minReadySeconds#
_integer_ | _(Optional)_
MinReadySeconds defines a minimum number of seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle |
| minScrapeInterval#
_string_ | _(Required)_
MinScrapeInterval allows limiting minimal scrape interval for VMServiceScrape, VMPodScrape and other scrapes
If interval is lower than defined limit, `minScrapeInterval` will be used. |
+| networkPolicy#
_[EmbeddedNetworkPolicy](#embeddednetworkpolicy)_ | _(Optional)_
NetworkPolicy defines network access rules for pods created by this CR. |
| nodeScrapeNamespaceSelector#
_[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#labelselector-v1-meta)_ | _(Optional)_
NodeScrapeNamespaceSelector defines Namespaces to be selected for VMNodeScrape discovery.
Works in combination with Selector.
NamespaceSelector nil - only objects at VMAgent or VMSingle namespace.
Selector nil - only objects at NamespaceSelector namespaces.
If both nil - behaviour controlled by selectAllByDefault |
| nodeScrapeRelabelTemplate#
_[RelabelConfig](#relabelconfig) array_ | _(Optional)_
NodeScrapeRelabelTemplate defines relabel config, that will be added to each VMNodeScrape.
it's useful for adding specific labels to all targets |
| nodeScrapeSelector#
_[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#labelselector-v1-meta)_ | _(Optional)_
NodeScrapeSelector defines VMNodeScrape to be selected for scraping.
Works in combination with NamespaceSelector.
NamespaceSelector nil - only objects at VMAgent or VMSingle namespace.
Selector nil - only objects at NamespaceSelector namespaces.
If both nil - behaviour controlled by selectAllByDefault |
@@ -3892,6 +3914,7 @@ Appears in: [VMAlert](#vmalert)
| logLevel#
_string_ | _(Optional)_
LogLevel for VMAlert to be configured with. |
| managedMetadata#
_[ManagedObjectsMetadata](#managedobjectsmetadata)_ | _(Required)_
ManagedMetadata defines metadata that will be added to the all objects
created by operator for the given CustomResource |
| minReadySeconds#
_integer_ | _(Optional)_
MinReadySeconds defines a minimum number of seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle |
+| networkPolicy#
_[EmbeddedNetworkPolicy](#embeddednetworkpolicy)_ | _(Optional)_
NetworkPolicy defines network access rules for pods created by this CR. |
| nodeSelector#
_object (keys:string, values:string)_ | _(Optional)_
NodeSelector Define which Nodes the Pods are scheduled on. |
| notifier#
_[VMAlertNotifierSpec](#vmalertnotifierspec)_ | _(Optional)_
Notifier prometheus alertmanager endpoint spec. Required at least one of notifier or notifiers when there are alerting rules. e.g. http://127.0.0.1:9093
If specified both notifier and notifiers, notifier will be added as last element to notifiers.
only one of notifier options could be chosen: notifierConfigRef or notifiers + notifier |
| notifierConfigRef#
_[SecretKeySelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#secretkeyselector-v1-core)_ | _(Optional)_
NotifierConfigRef reference for secret with notifier configuration for vmalert
only one of notifier options could be chosen: notifierConfigRef or notifiers + notifier |
@@ -4043,6 +4066,7 @@ Appears in: [VMAlertmanager](#vmalertmanager)
| logLevel#
_string_ | _(Optional)_
Log level for VMAlertmanager to be configured with. |
| managedMetadata#
_[ManagedObjectsMetadata](#managedobjectsmetadata)_ | _(Required)_
ManagedMetadata defines metadata that will be added to the all objects
created by operator for the given CustomResource |
| minReadySeconds#
_integer_ | _(Optional)_
MinReadySeconds defines a minimum number of seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle |
+| networkPolicy#
_[EmbeddedNetworkPolicy](#embeddednetworkpolicy)_ | _(Optional)_
NetworkPolicy defines network access rules for pods created by this CR. |
| nodeSelector#
_object (keys:string, values:string)_ | _(Optional)_
NodeSelector Define which Nodes the Pods are scheduled on. |
| paused#
_boolean_ | _(Optional)_
Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions. |
| persistentVolumeClaimRetentionPolicy#
_[StatefulSetPersistentVolumeClaimRetentionPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#statefulsetpersistentvolumeclaimretentionpolicy-v1-apps)_ | _(Optional)_
PersistentVolumeClaimRetentionPolicy allows configuration of PVC retention policy |
@@ -4169,6 +4193,7 @@ Appears in: [VMAuthLoadBalancer](#vmauthloadbalancer)
| logFormat#
_string_ | _(Optional)_
LogFormat for vmauth
default or json |
| logLevel#
_string_ | _(Optional)_
LogLevel for vmauth container. |
| minReadySeconds#
_integer_ | _(Optional)_
MinReadySeconds defines a minimum number of seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle |
+| networkPolicy#
_[EmbeddedNetworkPolicy](#embeddednetworkpolicy)_ | _(Optional)_
NetworkPolicy defines network access rules for pods created by this CR. |
| nodeSelector#
_object (keys:string, values:string)_ | _(Optional)_
NodeSelector Define which Nodes the Pods are scheduled on. |
| paused#
_boolean_ | _(Optional)_
Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions. |
| podDisruptionBudget#
_[EmbeddedPodDisruptionBudgetSpec](#embeddedpoddisruptionbudgetspec)_ | _(Optional)_
PodDisruptionBudget created by operator |
@@ -4251,6 +4276,7 @@ Appears in: [VMAuth](#vmauth), [VMDistributedAuth](#vmdistributedauth)
| managedMetadata#
_[ManagedObjectsMetadata](#managedobjectsmetadata)_ | _(Required)_
ManagedMetadata defines metadata that will be added to the all objects
created by operator for the given CustomResource |
| max_concurrent_requests#
_integer_ | _(Optional)_
MaxConcurrentRequests defines max concurrent requests per user
300 is default value for vmauth |
| minReadySeconds#
_integer_ | _(Optional)_
MinReadySeconds defines a minimum number of seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle |
+| networkPolicy#
_[EmbeddedNetworkPolicy](#embeddednetworkpolicy)_ | _(Optional)_
NetworkPolicy defines network access rules for pods created by this CR. |
| nodeSelector#
_object (keys:string, values:string)_ | _(Optional)_
NodeSelector Define which Nodes the Pods are scheduled on. |
| paused#
_boolean_ | _(Optional)_
Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions. |
| podDisruptionBudget#
_[EmbeddedPodDisruptionBudgetSpec](#embeddedpoddisruptionbudgetspec)_ | _(Optional)_
PodDisruptionBudget created by operator |
@@ -4427,6 +4453,7 @@ Appears in: [VMClusterSpec](#vmclusterspec)
| logFormat#
_string_ | _(Optional)_
LogFormat for VMInsert to be configured with.
default or json |
| logLevel#
_string_ | _(Optional)_
LogLevel for VMInsert to be configured with. |
| minReadySeconds#
_integer_ | _(Optional)_
MinReadySeconds defines a minimum number of seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle |
+| networkPolicy#
_[EmbeddedNetworkPolicy](#embeddednetworkpolicy)_ | _(Optional)_
NetworkPolicy defines network access rules for pods created by this CR. |
| nodeSelector#
_object (keys:string, values:string)_ | _(Optional)_
NodeSelector Define which Nodes the Pods are scheduled on. |
| paused#
_boolean_ | _(Optional)_
Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions. |
| podDisruptionBudget#
_[EmbeddedPodDisruptionBudgetSpec](#embeddedpoddisruptionbudgetspec)_ | _(Optional)_
PodDisruptionBudget created by operator |
@@ -4795,6 +4822,7 @@ Appears in: [VMClusterSpec](#vmclusterspec)
| logFormat#
_string_ | _(Optional)_
LogFormat for VMSelect to be configured with.
default or json |
| logLevel#
_string_ | _(Optional)_
LogLevel for VMSelect to be configured with. |
| minReadySeconds#
_integer_ | _(Optional)_
MinReadySeconds defines a minimum number of seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle |
+| networkPolicy#
_[EmbeddedNetworkPolicy](#embeddednetworkpolicy)_ | _(Optional)_
NetworkPolicy defines network access rules for pods created by this CR. |
| nodeSelector#
_object (keys:string, values:string)_ | _(Optional)_
NodeSelector Define which Nodes the Pods are scheduled on. |
| paused#
_boolean_ | _(Optional)_
Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions. |
| persistentVolumeClaimRetentionPolicy#
_[StatefulSetPersistentVolumeClaimRetentionPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#statefulsetpersistentvolumeclaimretentionpolicy-v1-apps)_ | _(Optional)_
PersistentVolumeClaimRetentionPolicy allows configuration of PVC retention policy |
@@ -4926,6 +4954,7 @@ Appears in: [VMSingle](#vmsingle)
| maxScrapeInterval#
_string_ | _(Required)_
MaxScrapeInterval allows limiting maximum scrape interval for VMServiceScrape, VMPodScrape and other scrapes
If interval is higher than defined limit, `maxScrapeInterval` will be used. |
| minReadySeconds#
_integer_ | _(Optional)_
MinReadySeconds defines a minimum number of seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle |
| minScrapeInterval#
_string_ | _(Required)_
MinScrapeInterval allows limiting minimal scrape interval for VMServiceScrape, VMPodScrape and other scrapes
If interval is lower than defined limit, `minScrapeInterval` will be used. |
+| networkPolicy#
_[EmbeddedNetworkPolicy](#embeddednetworkpolicy)_ | _(Optional)_
NetworkPolicy defines network access rules for pods created by this CR. |
| nodeScrapeNamespaceSelector#
_[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#labelselector-v1-meta)_ | _(Optional)_
NodeScrapeNamespaceSelector defines Namespaces to be selected for VMNodeScrape discovery.
Works in combination with Selector.
NamespaceSelector nil - only objects at VMAgent or VMSingle namespace.
Selector nil - only objects at NamespaceSelector namespaces.
If both nil - behaviour controlled by selectAllByDefault |
| nodeScrapeRelabelTemplate#
_[RelabelConfig](#relabelconfig) array_ | _(Optional)_
NodeScrapeRelabelTemplate defines relabel config, that will be added to each VMNodeScrape.
it's useful for adding specific labels to all targets |
| nodeScrapeSelector#
_[LabelSelector](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#labelselector-v1-meta)_ | _(Optional)_
NodeScrapeSelector defines VMNodeScrape to be selected for scraping.
Works in combination with NamespaceSelector.
NamespaceSelector nil - only objects at VMAgent or VMSingle namespace.
Selector nil - only objects at NamespaceSelector namespaces.
If both nil - behaviour controlled by selectAllByDefault |
@@ -5046,6 +5075,7 @@ Appears in: [VMClusterSpec](#vmclusterspec)
| maintenanceInsertNodeIDs#
_integer array_ | _(Optional)_
MaintenanceInsertNodeIDs - excludes given node ids from insert requests routing, must contain pod suffixes - for pod-0, id will be 0 and etc.
lets say, you have pod-0, pod-1, pod-2, pod-3. to exclude pod-0 and pod-3 from insert routing, define nodeIDs: [0,3].
Useful at storage expanding, when you want to rebalance some data at cluster. |
| maintenanceSelectNodeIDs#
_integer array_ | _(Optional)_
MaintenanceSelectNodeIDs - excludes given node ids from select requests routing, must contain pod suffixes - for pod-0, id will be 0 and etc. |
| minReadySeconds#
_integer_ | _(Optional)_
MinReadySeconds defines a minimum number of seconds to wait before starting update next pod
if previous in healthy state
Has no effect for VLogs and VMSingle |
+| networkPolicy#
_[EmbeddedNetworkPolicy](#embeddednetworkpolicy)_ | _(Optional)_
NetworkPolicy defines network access rules for pods created by this CR. |
| nodeSelector#
_object (keys:string, values:string)_ | _(Optional)_
NodeSelector Define which Nodes the Pods are scheduled on. |
| paused#
_boolean_ | _(Optional)_
Paused If set to true all actions on the underlying managed objects are not
going to be performed, except for delete actions. |
| persistentVolumeClaimRetentionPolicy#
_[StatefulSetPersistentVolumeClaimRetentionPolicy](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.35/#statefulsetpersistentvolumeclaimretentionpolicy-v1-apps)_ | _(Optional)_
PersistentVolumeClaimRetentionPolicy allows configuration of PVC retention policy |
diff --git a/internal/controller/operator/factory/build/networkpolicy.go b/internal/controller/operator/factory/build/networkpolicy.go
new file mode 100644
index 000000000..60bb0e72e
--- /dev/null
+++ b/internal/controller/operator/factory/build/networkpolicy.go
@@ -0,0 +1,37 @@
+package build
+
+import (
+ networkingv1 "k8s.io/api/networking/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ vmv1beta1 "github.com/VictoriaMetrics/operator/api/operator/v1beta1"
+)
+
+// NetworkPolicy creates a NetworkPolicy for the given CRD.
+// The PodSelector is set to the CR's selector labels so it covers all pods owned by the CR.
+// PolicyTypes are inferred from the presence of Ingress/Egress rules in spec.
+func NetworkPolicy(cr builderOpts, spec *vmv1beta1.EmbeddedNetworkPolicy) *networkingv1.NetworkPolicy {
+ np := &networkingv1.NetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: cr.PrefixedName(),
+ Namespace: cr.GetNamespace(),
+ Annotations: cr.FinalAnnotations(),
+ Labels: cr.FinalLabels(),
+ OwnerReferences: []metav1.OwnerReference{cr.AsOwner()},
+ },
+ Spec: networkingv1.NetworkPolicySpec{
+ PodSelector: metav1.LabelSelector{
+ MatchLabels: cr.SelectorLabels(),
+ },
+ },
+ }
+ if len(spec.Ingress) > 0 {
+ np.Spec.PolicyTypes = append(np.Spec.PolicyTypes, networkingv1.PolicyTypeIngress)
+ np.Spec.Ingress = spec.Ingress
+ }
+ if len(spec.Egress) > 0 {
+ np.Spec.PolicyTypes = append(np.Spec.PolicyTypes, networkingv1.PolicyTypeEgress)
+ np.Spec.Egress = spec.Egress
+ }
+ return np
+}
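Review bot: A `networkPolicy: {}` spec leaves `PolicyTypes` unset in `NetworkPolicy`, and the Kubernetes API server defaults an unset `policyTypes` to `Ingress`, so the created object selects every pod of the CR with no ingress rules and denies all inbound traffic to them. Because the types are inferred from `len(...) > 0`, a user also cannot express a deliberate deny-all egress policy (the Egress type with an empty rule list). I would either skip creation when both lists are empty or state the behaviour in the doc comment, e.g. `// An empty spec yields a policy with no rules; the API server defaults PolicyTypes to Ingress, which blocks all ingress to the selected pods.` `spec` is also dereferenced without a nil check, so callers must guard against a nil `NetworkPolicy` field before calling; those callers are not visible in this part of the diff.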
diff --git a/internal/controller/operator/factory/build/networkpolicy_test.go b/internal/controller/operator/factory/build/networkpolicy_test.go
new file mode 100644
index 000000000..ef19f58c9
--- /dev/null
+++ b/internal/controller/operator/factory/build/networkpolicy_test.go
@@ -0,0 +1,89 @@
+package build
+
+import (
+ "testing"
+
+ "github.com/stretchr/testify/assert"
+ networkingv1 "k8s.io/api/networking/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+ vmv1beta1 "github.com/VictoriaMetrics/operator/api/operator/v1beta1"
+)
+
+func TestNetworkPolicy(t *testing.T) {
+ cr := &vmv1beta1.VMSingle{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "test",
+ Namespace: "default",
+ },
+ }
+
+ type opts struct {
+ spec *vmv1beta1.EmbeddedNetworkPolicy
+ validate func(np *networkingv1.NetworkPolicy)
+ }
+
+ f := func(o opts) {
+ t.Helper()
+ np := NetworkPolicy(cr, o.spec)
+ assert.Equal(t, "vmsingle-test", np.Name)
+ assert.Equal(t, "default", np.Namespace)
+ assert.Equal(t, cr.SelectorLabels(), np.Spec.PodSelector.MatchLabels)
+ o.validate(np)
+ }
+
+ // no rules — no policy types
+ f(opts{
+ spec: &vmv1beta1.EmbeddedNetworkPolicy{},
+ validate: func(np *networkingv1.NetworkPolicy) {
+ assert.Empty(t, np.Spec.PolicyTypes)
+ assert.Empty(t, np.Spec.Ingress)
+ assert.Empty(t, np.Spec.Egress)
+ },
+ })
+
+ // ingress only
+ f(opts{
+ spec: &vmv1beta1.EmbeddedNetworkPolicy{
+ Ingress: []networkingv1.NetworkPolicyIngressRule{
+ {Ports: []networkingv1.NetworkPolicyPort{{}}},
+ },
+ },
+ validate: func(np *networkingv1.NetworkPolicy) {
+ assert.Equal(t, []networkingv1.PolicyType{networkingv1.PolicyTypeIngress}, np.Spec.PolicyTypes)
+ assert.Len(t, np.Spec.Ingress, 1)
+ assert.Empty(t, np.Spec.Egress)
+ },
+ })
+
+ // egress only
+ f(opts{
+ spec: &vmv1beta1.EmbeddedNetworkPolicy{
+ Egress: []networkingv1.NetworkPolicyEgressRule{
+ {Ports: []networkingv1.NetworkPolicyPort{{}}},
+ },
+ },
+ validate: func(np *networkingv1.NetworkPolicy) {
+ assert.Equal(t, []networkingv1.PolicyType{networkingv1.PolicyTypeEgress}, np.Spec.PolicyTypes)
+ assert.Empty(t, np.Spec.Ingress)
+ assert.Len(t, np.Spec.Egress, 1)
+ },
+ })
+
+ // ingress and egress
+ f(opts{
+ spec: &vmv1beta1.EmbeddedNetworkPolicy{
+ Ingress: []networkingv1.NetworkPolicyIngressRule{
+ {Ports: []networkingv1.NetworkPolicyPort{{}}},
+ },
+ Egress: []networkingv1.NetworkPolicyEgressRule{
+ {Ports: []networkingv1.NetworkPolicyPort{{}}},
+ },
+ },
+ validate: func(np *networkingv1.NetworkPolicy) {
+ assert.Equal(t, []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress}, np.Spec.PolicyTypes)
+ assert.Len(t, np.Spec.Ingress, 1)
+ assert.Len(t, np.Spec.Egress, 1)
+ },
+ })
+}
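Review bot: None of the cases assert `np.OwnerReferences`, `np.Labels` or `np.Annotations`, although the builder sets all three and the owner reference is presumably what ties the policy's lifetime to its CR. Adding `assert.Equal(t, []metav1.OwnerReference{cr.AsOwner()}, np.OwnerReferences)` to the shared `f` helper would cover it for every case. The first case's comment `no rules — no policy types` holds only for the built object, since the API server fills in `Ingress` when `policyTypes` is unset; a short remark there would keep readers from taking the empty spec for a no-op.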
diff --git a/internal/controller/operator/factory/finalize/cluster.go b/internal/controller/operator/factory/finalize/cluster.go
index 1594af6e9..24d0c8af7 100644
--- a/internal/controller/operator/factory/finalize/cluster.go
+++ b/internal/controller/operator/factory/finalize/cluster.go
@@ -162,21 +162,23 @@ func OnClusterLoadBalancerDelete(ctx context.Context, rclient client.Client, cr
// ChildCleaner cleans dependent resources for cluster CRs excluding ones
// which are listed in cleaner maps
type ChildCleaner struct {
- pdbs sets.Set[string]
- hpas sets.Set[string]
- vpas sets.Set[string]
- services sets.Set[string]
- scrapes sets.Set[string]
+ pdbs sets.Set[string]
+ hpas sets.Set[string]
+ vpas sets.Set[string]
+ services sets.Set[string]
+ scrapes sets.Set[string]
+ networkPolicies sets.Set[string]
}
// NewChildCleaner initializes ChildCleaner
func NewChildCleaner() *ChildCleaner {
return &ChildCleaner{
- pdbs: sets.New[string](),
- hpas: sets.New[string](),
- vpas: sets.New[string](),
- services: sets.New[string](),
- scrapes: sets.New[string](),
+ pdbs: sets.New[string](),
+ hpas: sets.New[string](),
+ vpas: sets.New[string](),
+ services: sets.New[string](),
+ scrapes: sets.New[string](),
+ networkPolicies: sets.New[string](),
}
}
@@ -195,6 +197,11 @@ func (cc *ChildCleaner) KeepVPA(v string) {
cc.vpas.Insert(v)
}
+// KeepNetworkPolicy adds given NetworkPolicy's name to a map of resource names to be excluded from deletion
+func (cc *ChildCleaner) KeepNetworkPolicy(v string) {
+ cc.networkPolicies.Insert(v)
+}
+
// KeepService adds given HorizontalPodAutoscaler's name to a map of resource names to be excluded from deletion
func (cc *ChildCleaner) KeepService(v string) {
cc.services.Insert(v)
@@ -217,6 +224,9 @@ func (cc *ChildCleaner) RemoveOrphaned(ctx context.Context, rclient client.Clien
if err := RemoveOrphanedVPAs(ctx, rclient, b, cc.vpas, true); err != nil {
return fmt.Errorf("cannot remove orphaned VPAs: %w", err)
}
+ if err := RemoveOrphanedNetworkPolicies(ctx, rclient, b, cc.networkPolicies, true); err != nil {
+ return fmt.Errorf("cannot remove orphaned NetworkPolicies: %w", err)
+ }
if err := RemoveOrphanedVMServiceScrapes(ctx, rclient, b, cc.scrapes, true); err != nil {
return fmt.Errorf("cannot remove orphaned vmservicescrapes: %w", err)
}
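Review bot: The new `RemoveOrphanedNetworkPolicies` call runs on every `RemoveOrphaned` pass, whether or not any component sets `networkPolicy`, so the operator's role presumably needs list and delete on `networkpolicies` in `networking.k8s.io`. Without that permission the call returns an error and the function bails out before the VMServiceScrape cleanup that follows it. The RBAC manifests are not visible in this part of the diff, so confirm they are updated in the same commit and that the upgrade notes cover installs with a hand-managed ClusterRole. `RemoveOrphaned` starts and ends outside this hunk.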
diff --git a/internal/controller/operator/factory/finalize/orphaned.go b/internal/controller/operator/factory/finalize/orphaned.go
index d32c14030..6085a1924 100644
--- a/internal/controller/operator/factory/finalize/orphaned.go
+++ b/internal/controller/operator/factory/finalize/orphaned.go
@@ -88,6 +88,16 @@ func RemoveOrphanedVPAs(ctx context.Context, rclient client.Client, cr crObject,
return removeOrphaned(ctx, rclient, cr, gvk, keepNames, shouldRemove)
}
+// RemoveOrphanedNetworkPolicies removes NetworkPolicies detached from given object
+func RemoveOrphanedNetworkPolicies(ctx context.Context, rclient client.Client, cr crObject, keepNames sets.Set[string], shouldRemove bool) error {
+ gvk := schema.GroupVersionKind{
+ Group: "networking.k8s.io",
+ Version: "v1",
+ Kind: "NetworkPolicy",
+ }
+ return removeOrphaned(ctx, rclient, cr, gvk, keepNames, shouldRemove)
+}
+
// RemoveOrphanedVMServiceScrapes removes VMServiceScrapes detached from given object
func RemoveOrphanedVMServiceScrapes(ctx context.Context, rclient client.Client, cr crObject, keepNames sets.Set[string], shouldRemove bool) error {
if build.IsControllerDisabled("VMServiceScrape") {
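Review bot: The doc comment on `RemoveOrphanedNetworkPolicies` does not say that this deletion can loosen network access, which is what sets it apart from the VPA and scrape cleaners beside it. In Kubernetes a pod that no NetworkPolicy selects goes back to accepting all traffic, so clearing `networkPolicy` on a CR removes isolation once `removeOrphaned` runs; that helper is outside this hunk, so its exact matching rules are assumed. I would extend the comment with `// Deleting a policy may return the selected pods to the default allow-all behaviour if no other policy selects them.` and have the caller log which policies were deleted. The per-CR `deleteOrphaned` hunks (vlagent.go, vlsingle.go, vmagent.go, vmalert.go, alertmanager.go, statefulset.go, vmauth.go) take the same action through `objsToRemove`.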
diff --git a/internal/controller/operator/factory/reconcile/networkpolicy.go b/internal/controller/operator/factory/reconcile/networkpolicy.go
new file mode 100644
index 000000000..0b850bc70
--- /dev/null
+++ b/internal/controller/operator/factory/reconcile/networkpolicy.go
@@ -0,0 +1,51 @@
+package reconcile
+
+import (
+ "context"
+ "fmt"
+ "strings"
+
+ networkingv1 "k8s.io/api/networking/v1"
+ k8serrors "k8s.io/apimachinery/pkg/api/errors"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/types"
+ "sigs.k8s.io/controller-runtime/pkg/client"
+
+ "github.com/VictoriaMetrics/operator/internal/controller/operator/factory/logger"
+)
+
+// NetworkPolicy creates or updates a NetworkPolicy
+func NetworkPolicy(ctx context.Context, rclient client.Client, newObj, prevObj *networkingv1.NetworkPolicy, owner *metav1.OwnerReference) error {
+ nsn := types.NamespacedName{Name: newObj.Name, Namespace: newObj.Namespace}
+ var prevMeta *metav1.ObjectMeta
+ if prevObj != nil {
+ prevMeta = &prevObj.ObjectMeta
+ }
+ removeFinalizer := true
+ return retryOnConflict(func() error {
+ var existingObj networkingv1.NetworkPolicy
+ if err := rclient.Get(ctx, nsn, &existingObj); err != nil {
+ if k8serrors.IsNotFound(err) {
+ logger.WithContext(ctx).Info(fmt.Sprintf("creating new NetworkPolicy=%s", nsn.String()))
+ return rclient.Create(ctx, newObj)
+ }
+ return fmt.Errorf("cannot get existing NetworkPolicy=%s: %w", nsn.String(), err)
+ }
+ if err := collectGarbage(ctx, rclient, &existingObj, removeFinalizer); err != nil {
+ return err
+ }
+ metaChanged, err := mergeMeta(&existingObj, newObj, prevMeta, owner, removeFinalizer)
+ if err != nil {
+ return err
+ }
+ logMessageMetadata := []string{fmt.Sprintf("name=%s, is_prev_nil=%t", nsn.String(), prevObj == nil)}
+ specDiff := diffDeepDerivative(newObj.Spec, existingObj.Spec, "spec")
+ needsUpdate := metaChanged || len(specDiff) > 0
+ if !needsUpdate {
+ return nil
+ }
+ existingObj.Spec = newObj.Spec
+ logger.WithContext(ctx).Info(fmt.Sprintf("updating NetworkPolicy %s", strings.Join(logMessageMetadata, ", ")), "spec_diff", specDiff)
+ return rclient.Update(ctx, &existingObj)
+ })
+}
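Review bot: The update decision at `specDiff := diffDeepDerivative(newObj.Spec, existingObj.Spec, "spec")` may miss changes that remove fields from the desired spec. `diffDeepDerivative` is defined outside this hunk, but if it follows `equality.Semantic.DeepDerivative`, nil or empty fields in `newObj.Spec` are ignored, so clearing all `Ingress` rules or dropping `From`/`Ports` from a rule would produce no diff and the live policy would keep differing from the declared one. `prevObj` is used only for metadata here; comparing its spec too, e.g. `needsUpdate := metaChanged || len(specDiff) > 0 || (prevObj != nil && !equality.Semantic.DeepEqual(prevObj.Spec, newObj.Spec))` (with `k8s.io/apimachinery/pkg/api/equality` imported), would catch removals without fighting API-server defaulting. Separately, `logMessageMetadata` is a one-element slice passed to `strings.Join`; a plain string would drop the `strings` import.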
diff --git a/internal/controller/operator/factory/reconcile/networkpolicy_test.go b/internal/controller/operator/factory/reconcile/networkpolicy_test.go
new file mode 100644
index 000000000..24bb2ecfa
--- /dev/null
+++ b/internal/controller/operator/factory/reconcile/networkpolicy_test.go
@@ -0,0 +1,92 @@
+package reconcile
+
+import (
+ "context"
+ "testing"
+ "testing/synctest"
+
+ "github.com/stretchr/testify/assert"
+ networkingv1 "k8s.io/api/networking/v1"
+ metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/types"
+
+ "github.com/VictoriaMetrics/operator/internal/controller/operator/factory/k8stools"
+)
+
+func TestNetworkPolicyReconcile(t *testing.T) {
+ type opts struct {
+ new, prev *networkingv1.NetworkPolicy
+ predefinedObjects []runtime.Object
+ actions []k8stools.ClientAction
+ }
+
+ getNP := func(fns ...func(np *networkingv1.NetworkPolicy)) *networkingv1.NetworkPolicy {
+ np := &networkingv1.NetworkPolicy{
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "test-np",
+ Namespace: "default",
+ },
+ Spec: networkingv1.NetworkPolicySpec{
+ PodSelector: metav1.LabelSelector{
+ MatchLabels: map[string]string{"app": "test"},
+ },
+ PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},
+ Ingress: []networkingv1.NetworkPolicyIngressRule{
+ {Ports: []networkingv1.NetworkPolicyPort{{}}},
+ },
+ },
+ }
+ for _, fn := range fns {
+ fn(np)
+ }
+ return np
+ }
+
+ f := func(o opts) {
+ t.Helper()
+ ctx := context.Background()
+ cl := k8stools.GetTestClientWithActions(o.predefinedObjects)
+ synctest.Test(t, func(t *testing.T) {
+ assert.NoError(t, NetworkPolicy(ctx, cl, o.new, o.prev, nil))
+ assert.Equal(t, o.actions, cl.Actions)
+ })
+ }
+
+ nn := types.NamespacedName{Name: "test-np", Namespace: "default"}
+
+ // create
+ f(opts{
+ new: getNP(),
+ actions: []k8stools.ClientAction{
+ {Verb: "Get", Kind: "NetworkPolicy", Resource: nn},
+ {Verb: "Create", Kind: "NetworkPolicy", Resource: nn},
+ },
+ })
+
+ // no updates
+ f(opts{
+ new: getNP(),
+ prev: getNP(),
+ predefinedObjects: []runtime.Object{getNP()},
+ actions: []k8stools.ClientAction{
+ {Verb: "Get", Kind: "NetworkPolicy", Resource: nn},
+ },
+ })
+
+ // update spec — add egress
+ f(opts{
+ new: getNP(func(np *networkingv1.NetworkPolicy) {
+ np.Spec.PolicyTypes = append(np.Spec.PolicyTypes, networkingv1.PolicyTypeEgress)
+ np.Spec.Egress = []networkingv1.NetworkPolicyEgressRule{
+ {Ports: []networkingv1.NetworkPolicyPort{{}}},
+ }
+ }),
+ prev: getNP(),
+ predefinedObjects: []runtime.Object{getNP()},
+ actions: []k8stools.ClientAction{
+ {Verb: "Get", Kind: "NetworkPolicy", Resource: nn},
+ {Verb: "Update", Kind: "NetworkPolicy", Resource: nn},
+ },
+ })
+}
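Review bot: The cases cover create, no-op and adding egress, but none removes anything from the spec, which is the path a derivative-style diff in `NetworkPolicy` is most likely to skip. A case where `new` clears `Spec.Ingress` while `prev` and the stored object still carry the rule should expect a `Get` followed by an `Update`. With `PolicyTypes` still listing Ingress that change means deny-all ingress, so a missed update leaves the cluster more open than declared. The case may fail against the current implementation, which is the signal worth having. `owner` is also always `nil` here, so owner-reference handling is not exercised.

```go
// … unchanged: create, no updates, update spec — add egress …

// update spec — drop all ingress rules (tightens to deny-all ingress)
f(opts{
	new: getNP(func(np *networkingv1.NetworkPolicy) {
		np.Spec.Ingress = nil
	}),
	prev:              getNP(),
	predefinedObjects: []runtime.Object{getNP()},
	actions: []k8stools.ClientAction{
		{Verb: "Get", Kind: "NetworkPolicy", Resource: nn},
		{Verb: "Update", Kind: "NetworkPolicy", Resource: nn},
	},
})
```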
diff --git a/internal/controller/operator/factory/vlagent/vlagent.go b/internal/controller/operator/factory/vlagent/vlagent.go
index b1e970fc6..7a33a1bb4 100644
--- a/internal/controller/operator/factory/vlagent/vlagent.go
+++ b/internal/controller/operator/factory/vlagent/vlagent.go
@@ -11,6 +11,7 @@ import (
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
policyv1 "k8s.io/api/policy/v1"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -132,6 +133,15 @@ func CreateOrUpdate(ctx context.Context, cr *vmv1.VLAgent, rclient client.Client
return fmt.Errorf("cannot update pod disruption budget for vlagent: %w", err)
}
}
+ if cr.Spec.NetworkPolicy != nil {
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.NetworkPolicy != nil {
+ prevNP = build.NetworkPolicy(prevCR, prevCR.Spec.NetworkPolicy)
+ }
+ if err := reconcile.NetworkPolicy(ctx, rclient, build.NetworkPolicy(cr, cr.Spec.NetworkPolicy), prevNP, &owner); err != nil {
+ return fmt.Errorf("cannot update network policy for vlagent: %w", err)
+ }
+ }
return createOrUpdateDeploy(ctx, rclient, cr, prevCR)
}
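Review bot: This block (build the previous policy if there is one, then call `reconcile.NetworkPolicy`) is repeated with the same structure in the `CreateOrUpdate` hunks of vlsingle.go, vmagent.go, vmalert.go, alertmanager.go, statefulset.go and vmauth.go, differing only in the error text. A small shared helper would keep the `prevCR` nil-handling in one place, so a later fix does not have to be applied seven times. If that helper takes `prevCR` as an interface, it must not rely on `prevCR != nil` alone, since a typed nil pointer compares non-nil. `owner` and the rest of `CreateOrUpdate` are defined outside the hunk.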
@@ -716,6 +726,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1.VLAgent
if cr.Spec.PodDisruptionBudget == nil {
objsToRemove = append(objsToRemove, &policyv1.PodDisruptionBudget{ObjectMeta: objMeta})
}
+ if cr.Spec.NetworkPolicy == nil {
+ objsToRemove = append(objsToRemove, &networkingv1.NetworkPolicy{ObjectMeta: objMeta})
+ }
if !cr.IsOwnsServiceAccount() {
objsToRemove = append(objsToRemove, &corev1.ServiceAccount{ObjectMeta: objMeta})
if !cr.Spec.K8sCollector.Enabled && config.IsClusterWideAccessAllowed() {
diff --git a/internal/controller/operator/factory/vlcluster/vlcluster.go b/internal/controller/operator/factory/vlcluster/vlcluster.go
index 63f95372d..9b0473e6a 100644
--- a/internal/controller/operator/factory/vlcluster/vlcluster.go
+++ b/internal/controller/operator/factory/vlcluster/vlcluster.go
@@ -101,6 +101,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1.VLClust
if newStorage.PodDisruptionBudget != nil {
cc.KeepPDB(commonName)
}
+ if newStorage.NetworkPolicy != nil {
+ cc.KeepNetworkPolicy(commonName)
+ }
if newStorage.HPA != nil {
cc.KeepHPA(commonName)
}
@@ -125,6 +128,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1.VLClust
if newSelect.PodDisruptionBudget != nil {
cc.KeepPDB(commonName)
}
+ if newSelect.NetworkPolicy != nil {
+ cc.KeepNetworkPolicy(commonName)
+ }
if newSelect.HPA != nil {
cc.KeepHPA(commonName)
}
@@ -154,6 +160,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1.VLClust
if newInsert.PodDisruptionBudget != nil {
cc.KeepPDB(commonName)
}
+ if newInsert.NetworkPolicy != nil {
+ cc.KeepNetworkPolicy(commonName)
+ }
if newInsert.HPA != nil {
cc.KeepHPA(commonName)
}
@@ -178,6 +187,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1.VLClust
if newLB.Spec.PodDisruptionBudget != nil {
cc.KeepPDB(commonName)
}
+ if newLB.Spec.NetworkPolicy != nil {
+ cc.KeepNetworkPolicy(commonName)
+ }
if !ptr.Deref(newLB.Spec.DisableSelfServiceScrape, false) {
cc.KeepScrape(commonName)
}
diff --git a/internal/controller/operator/factory/vlcluster/vlinsert.go b/internal/controller/operator/factory/vlcluster/vlinsert.go
index 24a7ff2f8..3fdf63cab 100644
--- a/internal/controller/operator/factory/vlcluster/vlinsert.go
+++ b/internal/controller/operator/factory/vlcluster/vlinsert.go
@@ -10,6 +10,7 @@ import (
autoscalingv1 "k8s.io/api/autoscaling/v1"
autoscalingv2 "k8s.io/api/autoscaling/v2"
corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
policyv1 "k8s.io/api/policy/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
@@ -33,6 +34,19 @@ func createOrUpdateVLInsert(ctx context.Context, rclient client.Client, cr, prev
if err := createOrUpdatePodDisruptionBudgetForVLInsert(ctx, rclient, cr, prevCR); err != nil {
return err
}
+ if cr.Spec.VLInsert.NetworkPolicy != nil {
+ b := build.NewChildBuilder(cr, vmv1beta1.ClusterComponentInsert)
+ np := build.NetworkPolicy(b, cr.Spec.VLInsert.NetworkPolicy)
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.VLInsert != nil && prevCR.Spec.VLInsert.NetworkPolicy != nil {
+ b = build.NewChildBuilder(prevCR, vmv1beta1.ClusterComponentInsert)
+ prevNP = build.NetworkPolicy(b, prevCR.Spec.VLInsert.NetworkPolicy)
+ }
+ owner := cr.AsOwner()
+ if err := reconcile.NetworkPolicy(ctx, rclient, np, prevNP, &owner); err != nil {
+ return err
+ }
+ }
if err := createOrUpdateVLInsertDeployment(ctx, rclient, cr, prevCR); err != nil {
return err
}
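Review bot: The new block returns the bare `err` from `reconcile.NetworkPolicy`, so a failure surfaces without saying which component's policy was being reconciled; vmauth_lb.go in this same change wraps it. Something like `return fmt.Errorf("cannot create or update NetworkPolicy for vlinsert: %w", err)` would match, assuming `fmt` is already imported in vlinsert.go (the import block is only partly visible). The same applies to the equivalent blocks in vlselect.go and vlstorage.go. Reassigning `b` to the `prevCR` builder also makes it easy to misuse later in the function; a separate `prevB` would read more clearly.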
diff --git a/internal/controller/operator/factory/vlcluster/vlselect.go b/internal/controller/operator/factory/vlcluster/vlselect.go
index b9b8de37c..c62439faa 100644
--- a/internal/controller/operator/factory/vlcluster/vlselect.go
+++ b/internal/controller/operator/factory/vlcluster/vlselect.go
@@ -10,6 +10,7 @@ import (
autoscalingv1 "k8s.io/api/autoscaling/v1"
autoscalingv2 "k8s.io/api/autoscaling/v2"
corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
policyv1 "k8s.io/api/policy/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
@@ -43,6 +44,19 @@ func createOrUpdateVLSelect(ctx context.Context, rclient client.Client, cr, prev
return err
}
}
+ if cr.Spec.VLSelect.NetworkPolicy != nil {
+ b := build.NewChildBuilder(cr, vmv1beta1.ClusterComponentSelect)
+ np := build.NetworkPolicy(b, cr.Spec.VLSelect.NetworkPolicy)
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.VLSelect != nil && prevCR.Spec.VLSelect.NetworkPolicy != nil {
+ b = build.NewChildBuilder(prevCR, vmv1beta1.ClusterComponentSelect)
+ prevNP = build.NetworkPolicy(b, prevCR.Spec.VLSelect.NetworkPolicy)
+ }
+ owner := cr.AsOwner()
+ if err := reconcile.NetworkPolicy(ctx, rclient, np, prevNP, &owner); err != nil {
+ return err
+ }
+ }
if err := createOrUpdateVLSelectHPA(ctx, rclient, cr, prevCR); err != nil {
return err
}
diff --git a/internal/controller/operator/factory/vlcluster/vlstorage.go b/internal/controller/operator/factory/vlcluster/vlstorage.go
index fd552f958..c5b29fe85 100644
--- a/internal/controller/operator/factory/vlcluster/vlstorage.go
+++ b/internal/controller/operator/factory/vlcluster/vlstorage.go
@@ -10,6 +10,7 @@ import (
autoscalingv1 "k8s.io/api/autoscaling/v1"
autoscalingv2 "k8s.io/api/autoscaling/v2"
corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
policyv1 "k8s.io/api/policy/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
@@ -43,6 +44,19 @@ func createOrUpdateVLStorage(ctx context.Context, rclient client.Client, cr, pre
return err
}
}
+ if cr.Spec.VLStorage.NetworkPolicy != nil {
+ b := build.NewChildBuilder(cr, vmv1beta1.ClusterComponentStorage)
+ np := build.NetworkPolicy(b, cr.Spec.VLStorage.NetworkPolicy)
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.VLStorage != nil && prevCR.Spec.VLStorage.NetworkPolicy != nil {
+ b = build.NewChildBuilder(prevCR, vmv1beta1.ClusterComponentStorage)
+ prevNP = build.NetworkPolicy(b, prevCR.Spec.VLStorage.NetworkPolicy)
+ }
+ owner := cr.AsOwner()
+ if err := reconcile.NetworkPolicy(ctx, rclient, np, prevNP, &owner); err != nil {
+ return err
+ }
+ }
if err := createOrUpdateVLStorageHPA(ctx, rclient, cr, prevCR); err != nil {
return err
}
diff --git a/internal/controller/operator/factory/vlcluster/vmauth_lb.go b/internal/controller/operator/factory/vlcluster/vmauth_lb.go
index a649cbc30..8a69489f7 100644
--- a/internal/controller/operator/factory/vlcluster/vmauth_lb.go
+++ b/internal/controller/operator/factory/vlcluster/vmauth_lb.go
@@ -9,6 +9,7 @@ import (
appsv1 "k8s.io/api/apps/v1"
autoscalingv2 "k8s.io/api/autoscaling/v2"
corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
policyv1 "k8s.io/api/policy/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
@@ -64,6 +65,19 @@ func createOrUpdateVMAuthLB(ctx context.Context, rclient client.Client, cr, prev
return fmt.Errorf("cannot create or update PodDisruptionBudget for vmauth lb: %w", err)
}
}
+ if cr.Spec.RequestsLoadBalancer.Spec.NetworkPolicy != nil {
+ b := build.NewChildBuilder(cr, vmv1beta1.ClusterComponentBalancer)
+ np := build.NetworkPolicy(b, cr.Spec.RequestsLoadBalancer.Spec.NetworkPolicy)
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.RequestsLoadBalancer.Spec.NetworkPolicy != nil {
+ b = build.NewChildBuilder(prevCR, vmv1beta1.ClusterComponentBalancer)
+ prevNP = build.NetworkPolicy(b, prevCR.Spec.RequestsLoadBalancer.Spec.NetworkPolicy)
+ }
+ owner := cr.AsOwner()
+ if err := reconcile.NetworkPolicy(ctx, rclient, np, prevNP, &owner); err != nil {
+ return fmt.Errorf("cannot create or update NetworkPolicy for vmauth lb: %w", err)
+ }
+ }
if err := createOrUpdateVMAuthLBHPA(ctx, rclient, cr, prevCR); err != nil {
return fmt.Errorf("cannot create or update HPA for vmauth lb: %w", err)
}
diff --git a/internal/controller/operator/factory/vlsingle/vlsingle.go b/internal/controller/operator/factory/vlsingle/vlsingle.go
index 16ef130f9..f997b6749 100644
--- a/internal/controller/operator/factory/vlsingle/vlsingle.go
+++ b/internal/controller/operator/factory/vlsingle/vlsingle.go
@@ -8,6 +8,7 @@ import (
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/util/intstr"
@@ -96,6 +97,15 @@ func CreateOrUpdate(ctx context.Context, rclient client.Client, cr *vmv1.VLSingl
if err := createOrUpdateService(ctx, rclient, cr, prevCR); err != nil {
return err
}
+ if cr.Spec.NetworkPolicy != nil {
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.NetworkPolicy != nil {
+ prevNP = build.NetworkPolicy(prevCR, prevCR.Spec.NetworkPolicy)
+ }
+ if err := reconcile.NetworkPolicy(ctx, rclient, build.NetworkPolicy(cr, cr.Spec.NetworkPolicy), prevNP, &owner); err != nil {
+ return fmt.Errorf("cannot update network policy for vlsingle: %w", err)
+ }
+ }
var prevDeploy *appsv1.Deployment
if prevCR != nil {
@@ -351,6 +361,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1.VLSingl
var objsToRemove []client.Object
objMeta := metav1.ObjectMeta{Name: cr.PrefixedName(), Namespace: cr.Namespace}
+ if cr.Spec.NetworkPolicy == nil {
+ objsToRemove = append(objsToRemove, &networkingv1.NetworkPolicy{ObjectMeta: objMeta})
+ }
if !cr.IsOwnsServiceAccount() {
objsToRemove = append(objsToRemove, &corev1.ServiceAccount{ObjectMeta: objMeta})
}
diff --git a/internal/controller/operator/factory/vmagent/vmagent.go b/internal/controller/operator/factory/vmagent/vmagent.go
index b9ce4c4e1..df68a76e1 100644
--- a/internal/controller/operator/factory/vmagent/vmagent.go
+++ b/internal/controller/operator/factory/vmagent/vmagent.go
@@ -14,6 +14,7 @@ import (
appsv1 "k8s.io/api/apps/v1"
autoscalingv2 "k8s.io/api/autoscaling/v2"
corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
policyv1 "k8s.io/api/policy/v1"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -151,6 +152,15 @@ func CreateOrUpdate(ctx context.Context, cr *vmv1beta1.VMAgent, rclient client.C
if err := createOrUpdateHPA(ctx, rclient, cr, prevCR); err != nil {
return err
}
+ if cr.Spec.NetworkPolicy != nil {
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.NetworkPolicy != nil {
+ prevNP = build.NetworkPolicy(prevCR, prevCR.Spec.NetworkPolicy)
+ }
+ if err := reconcile.NetworkPolicy(ctx, rclient, build.NetworkPolicy(cr, cr.Spec.NetworkPolicy), prevNP, &owner); err != nil {
+ return fmt.Errorf("cannot update network policy for vmagent: %w", err)
+ }
+ }
ac := getAssetsCache(ctx, rclient, cr)
extraCount, err := createOrUpdateScrapeConfig(ctx, rclient, cr, prevCR, nil, ac)
@@ -1242,6 +1252,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1beta1.VM
if cr.Spec.HPA == nil {
objsToRemove = append(objsToRemove, &autoscalingv2.HorizontalPodAutoscaler{ObjectMeta: objMeta})
}
+ if cr.Spec.NetworkPolicy == nil {
+ objsToRemove = append(objsToRemove, &networkingv1.NetworkPolicy{ObjectMeta: objMeta})
+ }
if !cr.IsOwnsServiceAccount() {
objsToRemove = append(objsToRemove, &corev1.ServiceAccount{ObjectMeta: objMeta})
rbacMeta := metav1.ObjectMeta{Name: cr.GetRBACName()}
diff --git a/internal/controller/operator/factory/vmagent/vmagent_reconcile_test.go b/internal/controller/operator/factory/vmagent/vmagent_reconcile_test.go
index ad2c147df..76d1c2825 100644
--- a/internal/controller/operator/factory/vmagent/vmagent_reconcile_test.go
+++ b/internal/controller/operator/factory/vmagent/vmagent_reconcile_test.go
@@ -170,6 +170,7 @@ func Test_CreateOrUpdate_Actions(t *testing.T) {
actions: []k8stools.ClientAction{
{Verb: "Get", Kind: "DaemonSet", Resource: vmagentName},
{Verb: "Get", Kind: "HorizontalPodAutoscaler", Resource: vmagentName},
+ {Verb: "Get", Kind: "NetworkPolicy", Resource: vmagentName},
{Verb: "Get", Kind: "ServiceAccount", Resource: vmagentName},
{Verb: "Get", Kind: "ClusterRole", Resource: clusterRoleName},
{Verb: "Get", Kind: "ClusterRoleBinding", Resource: clusterRoleName},
diff --git a/internal/controller/operator/factory/vmalert/vmalert.go b/internal/controller/operator/factory/vmalert/vmalert.go
index f51f1f8b6..26c0b659e 100644
--- a/internal/controller/operator/factory/vmalert/vmalert.go
+++ b/internal/controller/operator/factory/vmalert/vmalert.go
@@ -10,6 +10,7 @@ import (
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
policyv1 "k8s.io/api/policy/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
@@ -139,6 +140,15 @@ func CreateOrUpdate(ctx context.Context, cr *vmv1beta1.VMAlert, rclient client.C
return fmt.Errorf("cannot update pod disruption budget for vmalert: %w", err)
}
}
+ if cr.Spec.NetworkPolicy != nil {
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.NetworkPolicy != nil {
+ prevNP = build.NetworkPolicy(prevCR, prevCR.Spec.NetworkPolicy)
+ }
+ if err := reconcile.NetworkPolicy(ctx, rclient, build.NetworkPolicy(cr, cr.Spec.NetworkPolicy), prevNP, &owner); err != nil {
+ return fmt.Errorf("cannot update network policy for vmalert: %w", err)
+ }
+ }
var prevDeploy *appsv1.Deployment
if prevCR != nil {
@@ -792,6 +802,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1beta1.VM
if cr.Spec.PodDisruptionBudget == nil {
objsToRemove = append(objsToRemove, &policyv1.PodDisruptionBudget{ObjectMeta: objMeta})
}
+ if cr.Spec.NetworkPolicy == nil {
+ objsToRemove = append(objsToRemove, &networkingv1.NetworkPolicy{ObjectMeta: objMeta})
+ }
if !cr.IsOwnsServiceAccount() {
objsToRemove = append(objsToRemove, &corev1.ServiceAccount{ObjectMeta: objMeta})
}
diff --git a/internal/controller/operator/factory/vmalert/vmalert_reconcile_test.go b/internal/controller/operator/factory/vmalert/vmalert_reconcile_test.go
index 2cb2e9b7b..45391479c 100644
--- a/internal/controller/operator/factory/vmalert/vmalert_reconcile_test.go
+++ b/internal/controller/operator/factory/vmalert/vmalert_reconcile_test.go
@@ -156,6 +156,7 @@ func Test_CreateOrUpdate_Actions(t *testing.T) {
}, want{
actions: []k8stools.ClientAction{
{Verb: "Get", Kind: "PodDisruptionBudget", Resource: vmalertName},
+ {Verb: "Get", Kind: "NetworkPolicy", Resource: vmalertName},
{Verb: "Get", Kind: "ServiceAccount", Resource: vmalertName},
{Verb: "Get", Kind: "Service", Resource: vmalertName},
{Verb: "Get", Kind: "VMServiceScrape", Resource: vmalertName},
diff --git a/internal/controller/operator/factory/vmalertmanager/alertmanager.go b/internal/controller/operator/factory/vmalertmanager/alertmanager.go
index 93f4372d3..959a6c620 100644
--- a/internal/controller/operator/factory/vmalertmanager/alertmanager.go
+++ b/internal/controller/operator/factory/vmalertmanager/alertmanager.go
@@ -6,6 +6,7 @@ import (
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
policyv1 "k8s.io/api/policy/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/sets"
@@ -60,6 +61,15 @@ func CreateOrUpdateAlertManager(ctx context.Context, cr *vmv1beta1.VMAlertmanage
return err
}
}
+ if cr.Spec.NetworkPolicy != nil {
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.NetworkPolicy != nil {
+ prevNP = build.NetworkPolicy(prevCR, prevCR.Spec.NetworkPolicy)
+ }
+ if err := reconcile.NetworkPolicy(ctx, rclient, build.NetworkPolicy(cr, cr.Spec.NetworkPolicy), prevNP, &owner); err != nil {
+ return fmt.Errorf("cannot update network policy for vmalertmanager: %w", err)
+ }
+ }
var prevSts *appsv1.StatefulSet
if prevCR != nil {
var err error
@@ -102,6 +112,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1beta1.VM
if cr.Spec.PodDisruptionBudget == nil {
objsToRemove = append(objsToRemove, &policyv1.PodDisruptionBudget{ObjectMeta: objMeta})
}
+ if cr.Spec.NetworkPolicy == nil {
+ objsToRemove = append(objsToRemove, &networkingv1.NetworkPolicy{ObjectMeta: objMeta})
+ }
if !cr.IsOwnsServiceAccount() {
objsToRemove = append(objsToRemove, &corev1.ServiceAccount{ObjectMeta: objMeta})
}
diff --git a/internal/controller/operator/factory/vmalertmanager/vmalertmanager_reconcile_test.go b/internal/controller/operator/factory/vmalertmanager/vmalertmanager_reconcile_test.go
index 9075f068b..53b63ab89 100644
--- a/internal/controller/operator/factory/vmalertmanager/vmalertmanager_reconcile_test.go
+++ b/internal/controller/operator/factory/vmalertmanager/vmalertmanager_reconcile_test.go
@@ -187,6 +187,7 @@ func Test_CreateOrUpdate_Actions(t *testing.T) {
want{
actions: []k8stools.ClientAction{
{Verb: "Get", Kind: "PodDisruptionBudget", Resource: vmalertmanagerName},
+ {Verb: "Get", Kind: "NetworkPolicy", Resource: vmalertmanagerName},
{Verb: "Get", Kind: "ServiceAccount", Resource: vmalertmanagerName},
{Verb: "Get", Kind: "Role", Resource: vmalertmanagerName},
{Verb: "Get", Kind: "RoleBinding", Resource: vmalertmanagerName},
diff --git a/internal/controller/operator/factory/vmanomaly/statefulset.go b/internal/controller/operator/factory/vmanomaly/statefulset.go
index fe31571d6..4efd30927 100644
--- a/internal/controller/operator/factory/vmanomaly/statefulset.go
+++ b/internal/controller/operator/factory/vmanomaly/statefulset.go
@@ -8,6 +8,7 @@ import (
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
policyv1 "k8s.io/api/policy/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
utilerrors "k8s.io/apimachinery/pkg/util/errors"
@@ -96,6 +97,15 @@ func CreateOrUpdate(ctx context.Context, cr *vmv1.VMAnomaly, rclient client.Clie
if err != nil {
return fmt.Errorf("cannot build new statefulSet for vmanomaly: %w", err)
}
+ if cr.Spec.NetworkPolicy != nil {
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.NetworkPolicy != nil {
+ prevNP = build.NetworkPolicy(prevCR, prevCR.Spec.NetworkPolicy)
+ }
+ if err := reconcile.NetworkPolicy(ctx, rclient, build.NetworkPolicy(cr, cr.Spec.NetworkPolicy), prevNP, &owner); err != nil {
+ return fmt.Errorf("cannot update network policy for vmanomaly: %w", err)
+ }
+ }
return createOrUpdateApp(ctx, rclient, cr, prevCR, newAppTpl, prevAppTpl)
}
@@ -181,6 +191,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1.VMAnoma
objMeta := metav1.ObjectMeta{Name: cr.PrefixedName(), Namespace: cr.Namespace}
var objsToRemove []client.Object
+ if cr.Spec.NetworkPolicy == nil {
+ objsToRemove = append(objsToRemove, &networkingv1.NetworkPolicy{ObjectMeta: objMeta})
+ }
if !cr.IsOwnsServiceAccount() {
objsToRemove = append(objsToRemove, &corev1.ServiceAccount{ObjectMeta: objMeta})
}
diff --git a/internal/controller/operator/factory/vmanomaly/vmanomaly_reconcile_test.go b/internal/controller/operator/factory/vmanomaly/vmanomaly_reconcile_test.go
index 454957c07..4babb4ecc 100644
--- a/internal/controller/operator/factory/vmanomaly/vmanomaly_reconcile_test.go
+++ b/internal/controller/operator/factory/vmanomaly/vmanomaly_reconcile_test.go
@@ -248,6 +248,7 @@ schedulers:
},
want{
actions: []k8stools.ClientAction{
+ {Verb: "Get", Kind: "NetworkPolicy", Resource: vmanomalyName},
{Verb: "Get", Kind: "ServiceAccount", Resource: vmanomalyName},
{Verb: "Get", Kind: "Service", Resource: vmanomalyName},
{Verb: "Get", Kind: "VMPodScrape", Resource: vmanomalyName},
diff --git a/internal/controller/operator/factory/vmauth/vmauth.go b/internal/controller/operator/factory/vmauth/vmauth.go
index 42a5a84ef..47ecb2c97 100644
--- a/internal/controller/operator/factory/vmauth/vmauth.go
+++ b/internal/controller/operator/factory/vmauth/vmauth.go
@@ -100,6 +100,15 @@ func CreateOrUpdate(ctx context.Context, cr *vmv1beta1.VMAuth, rclient client.Cl
return fmt.Errorf("cannot update pod disruption budget for vmauth: %w", err)
}
}
+ if cr.Spec.NetworkPolicy != nil {
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.NetworkPolicy != nil {
+ prevNP = build.NetworkPolicy(prevCR, prevCR.Spec.NetworkPolicy)
+ }
+ if err := reconcile.NetworkPolicy(ctx, rclient, build.NetworkPolicy(cr, cr.Spec.NetworkPolicy), prevNP, &owner); err != nil {
+ return fmt.Errorf("cannot update network policy for vmauth: %w", err)
+ }
+ }
var prevDeploy *appsv1.Deployment
if prevCR != nil {
var err error
@@ -650,6 +659,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1beta1.VM
if cr.Spec.PodDisruptionBudget == nil {
objsToRemove = append(objsToRemove, &policyv1.PodDisruptionBudget{ObjectMeta: objMeta})
}
+ if cr.Spec.NetworkPolicy == nil {
+ objsToRemove = append(objsToRemove, &networkingv1.NetworkPolicy{ObjectMeta: objMeta})
+ }
if cfg.GatewayAPIEnabled && cr.Spec.HTTPRoute == nil {
objsToRemove = append(objsToRemove, &gwapiv1.HTTPRoute{ObjectMeta: objMeta})
}
diff --git a/internal/controller/operator/factory/vmauth/vmauth_reconcile_test.go b/internal/controller/operator/factory/vmauth/vmauth_reconcile_test.go
index ce87cc3da..8ef2fd707 100644
--- a/internal/controller/operator/factory/vmauth/vmauth_reconcile_test.go
+++ b/internal/controller/operator/factory/vmauth/vmauth_reconcile_test.go
@@ -156,6 +156,7 @@ func Test_CreateOrUpdate_Actions(t *testing.T) {
{Verb: "Get", Kind: "Deployment", Resource: vmauthName},
{Verb: "Get", Kind: "Deployment", Resource: vmauthName},
{Verb: "Get", Kind: "PodDisruptionBudget", Resource: vmauthName},
+ {Verb: "Get", Kind: "NetworkPolicy", Resource: vmauthName},
{Verb: "Get", Kind: "Ingress", Resource: vmauthName},
{Verb: "Get", Kind: "HorizontalPodAutoscaler", Resource: vmauthName},
},
diff --git a/internal/controller/operator/factory/vmcluster/vmcluster.go b/internal/controller/operator/factory/vmcluster/vmcluster.go
index 4712927dd..aec041c78 100644
--- a/internal/controller/operator/factory/vmcluster/vmcluster.go
+++ b/internal/controller/operator/factory/vmcluster/vmcluster.go
@@ -11,6 +11,7 @@ import (
autoscalingv1 "k8s.io/api/autoscaling/v1"
autoscalingv2 "k8s.io/api/autoscaling/v2"
corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
policyv1 "k8s.io/api/policy/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
@@ -88,6 +89,11 @@ func CreateOrUpdate(ctx context.Context, cr *vmv1beta1.VMCluster, rclient client
return err
}
}
+ if cr.Spec.VMStorage.NetworkPolicy != nil {
+ if err := createOrUpdateNetworkPolicyForVMStorage(ctx, rclient, cr, prevCR); err != nil {
+ return err
+ }
+ }
if err := createOrUpdateVMStorage(ctx, rclient, cr, prevCR); err != nil {
return err
}
@@ -109,6 +115,11 @@ func CreateOrUpdate(ctx context.Context, cr *vmv1beta1.VMCluster, rclient client
return err
}
}
+ if cr.Spec.VMSelect.NetworkPolicy != nil {
+ if err := createOrUpdateNetworkPolicyForVMSelect(ctx, rclient, cr, prevCR); err != nil {
+ return err
+ }
+ }
if err := createOrUpdateVMSelect(ctx, rclient, cr, prevCR); err != nil {
return err
}
@@ -131,6 +142,11 @@ func CreateOrUpdate(ctx context.Context, cr *vmv1beta1.VMCluster, rclient client
return err
}
}
+ if cr.Spec.VMInsert.NetworkPolicy != nil {
+ if err := createOrUpdateNetworkPolicyForVMInsert(ctx, rclient, cr, prevCR); err != nil {
+ return err
+ }
+ }
if err := createOrUpdateVMInsert(ctx, rclient, cr, prevCR); err != nil {
return err
}
@@ -763,6 +779,18 @@ func createOrUpdatePodDisruptionBudgetForVMSelect(ctx context.Context, rclient c
return reconcile.PDB(ctx, rclient, pdb, prevPDB, &owner)
}
+func createOrUpdateNetworkPolicyForVMSelect(ctx context.Context, rclient client.Client, cr, prevCR *vmv1beta1.VMCluster) error {
+ b := build.NewChildBuilder(cr, vmv1beta1.ClusterComponentSelect)
+ np := build.NetworkPolicy(b, cr.Spec.VMSelect.NetworkPolicy)
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.VMSelect != nil && prevCR.Spec.VMSelect.NetworkPolicy != nil {
+ b = build.NewChildBuilder(prevCR, vmv1beta1.ClusterComponentSelect)
+ prevNP = build.NetworkPolicy(b, prevCR.Spec.VMSelect.NetworkPolicy)
+ }
+ owner := cr.AsOwner()
+ return reconcile.NetworkPolicy(ctx, rclient, np, prevNP, &owner)
+}
+
func genVMInsertSpec(cr *vmv1beta1.VMCluster) (*appsv1.Deployment, error) {
podSpec, err := makePodSpecForVMInsert(cr)
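Review bot: `createOrUpdateNetworkPolicyForVMSelect` has no doc comment and dereferences `cr.Spec.VMSelect` without a nil check, while guarding `prevCR.Spec.VMSelect` two lines later. The only visible caller tests `cr.Spec.VMSelect.NetworkPolicy != nil` first, so this is a precondition rather than a bug, but it should be written down: `// createOrUpdateNetworkPolicyForVMSelect reconciles the NetworkPolicy of the vmselect component; callers must ensure cr.Spec.VMSelect.NetworkPolicy is set, prevCR may be nil.` The `...ForVMInsert` and `...ForVMStorage` helpers added in the next two hunks have the same shape and need the same comment. The three differ only in the component constant and the spec field they read.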
@@ -974,6 +1002,18 @@ func createOrUpdatePodDisruptionBudgetForVMInsert(ctx context.Context, rclient c
return reconcile.PDB(ctx, rclient, pdb, prevPDB, &owner)
}
+func createOrUpdateNetworkPolicyForVMInsert(ctx context.Context, rclient client.Client, cr, prevCR *vmv1beta1.VMCluster) error {
+ b := build.NewChildBuilder(cr, vmv1beta1.ClusterComponentInsert)
+ np := build.NetworkPolicy(b, cr.Spec.VMInsert.NetworkPolicy)
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.VMInsert != nil && prevCR.Spec.VMInsert.NetworkPolicy != nil {
+ b = build.NewChildBuilder(prevCR, vmv1beta1.ClusterComponentInsert)
+ prevNP = build.NetworkPolicy(b, prevCR.Spec.VMInsert.NetworkPolicy)
+ }
+ owner := cr.AsOwner()
+ return reconcile.NetworkPolicy(ctx, rclient, np, prevNP, &owner)
+}
+
func buildVMStorageSpec(ctx context.Context, cr *vmv1beta1.VMCluster) (*appsv1.StatefulSet, error) {
commonName := cr.PrefixedName(vmv1beta1.ClusterComponentStorage)
@@ -1244,6 +1284,18 @@ func createOrUpdatePodDisruptionBudgetForVMStorage(ctx context.Context, rclient
return reconcile.PDB(ctx, rclient, pdb, prevPDB, &owner)
}
+func createOrUpdateNetworkPolicyForVMStorage(ctx context.Context, rclient client.Client, cr, prevCR *vmv1beta1.VMCluster) error {
+ b := build.NewChildBuilder(cr, vmv1beta1.ClusterComponentStorage)
+ np := build.NetworkPolicy(b, cr.Spec.VMStorage.NetworkPolicy)
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.VMStorage != nil && prevCR.Spec.VMStorage.NetworkPolicy != nil {
+ b = build.NewChildBuilder(prevCR, vmv1beta1.ClusterComponentStorage)
+ prevNP = build.NetworkPolicy(b, prevCR.Spec.VMStorage.NetworkPolicy)
+ }
+ owner := cr.AsOwner()
+ return reconcile.NetworkPolicy(ctx, rclient, np, prevNP, &owner)
+}
+
func createOrUpdateVMInsertHPA(ctx context.Context, rclient client.Client, cr, prevCR *vmv1beta1.VMCluster) error {
if cr.Spec.VMInsert.HPA == nil {
return nil
@@ -1382,6 +1434,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1beta1.VM
if newStorage.PodDisruptionBudget != nil {
cc.KeepPDB(commonName)
}
+ if newStorage.NetworkPolicy != nil {
+ cc.KeepNetworkPolicy(commonName)
+ }
if newStorage.HPA != nil {
cc.KeepHPA(commonName)
}
@@ -1406,6 +1461,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1beta1.VM
if newSelect.PodDisruptionBudget != nil {
cc.KeepPDB(commonName)
}
+ if newSelect.NetworkPolicy != nil {
+ cc.KeepNetworkPolicy(commonName)
+ }
if newSelect.HPA != nil {
cc.KeepHPA(commonName)
}
@@ -1435,6 +1493,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1beta1.VM
if newInsert.PodDisruptionBudget != nil {
cc.KeepPDB(commonName)
}
+ if newInsert.NetworkPolicy != nil {
+ cc.KeepNetworkPolicy(commonName)
+ }
if newInsert.HPA != nil {
cc.KeepHPA(commonName)
}
@@ -1459,6 +1520,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1beta1.VM
if newLB.Spec.PodDisruptionBudget != nil {
cc.KeepPDB(commonName)
}
+ if newLB.Spec.NetworkPolicy != nil {
+ cc.KeepNetworkPolicy(commonName)
+ }
if !ptr.Deref(newLB.Spec.DisableSelfServiceScrape, false) {
cc.KeepScrape(commonName)
}
@@ -1722,6 +1786,11 @@ func createOrUpdateVMAuthLB(ctx context.Context, rclient client.Client, cr, prev
return fmt.Errorf("cannot create or update PodDisruptionBudget for vmauth lb: %w", err)
}
}
+ if cr.Spec.RequestsLoadBalancer.Spec.NetworkPolicy != nil {
+ if err := createOrUpdateNetworkPolicyForVMAuthLB(ctx, rclient, cr, prevCR); err != nil {
+ return fmt.Errorf("cannot create or update NetworkPolicy for vmauth lb: %w", err)
+ }
+ }
if err := createOrUpdateVMAuthLBHPA(ctx, rclient, cr, prevCR); err != nil {
return fmt.Errorf("cannot create or update HPA for vmauth lb: %w", err)
}
@@ -1768,3 +1837,15 @@ func createOrUpdatePodDisruptionBudgetForVMAuthLB(ctx context.Context, rclient c
owner := cr.AsOwner()
return reconcile.PDB(ctx, rclient, pdb, prevPDB, &owner)
}
+
+func createOrUpdateNetworkPolicyForVMAuthLB(ctx context.Context, rclient client.Client, cr, prevCR *vmv1beta1.VMCluster) error {
+ b := build.NewChildBuilder(cr, vmv1beta1.ClusterComponentBalancer)
+ np := build.NetworkPolicy(b, cr.Spec.RequestsLoadBalancer.Spec.NetworkPolicy)
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.RequestsLoadBalancer.Spec.NetworkPolicy != nil {
+ b = build.NewChildBuilder(prevCR, vmv1beta1.ClusterComponentBalancer)
+ prevNP = build.NetworkPolicy(b, prevCR.Spec.RequestsLoadBalancer.Spec.NetworkPolicy)
+ }
+ owner := cr.AsOwner()
+ return reconcile.NetworkPolicy(ctx, rclient, np, prevNP, &owner)
+}
diff --git a/internal/controller/operator/factory/vmsingle/vmsingle.go b/internal/controller/operator/factory/vmsingle/vmsingle.go
index 3ef4c6553..b8290b860 100644
--- a/internal/controller/operator/factory/vmsingle/vmsingle.go
+++ b/internal/controller/operator/factory/vmsingle/vmsingle.go
@@ -9,6 +9,7 @@ import (
"gopkg.in/yaml.v2"
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
rbacv1 "k8s.io/api/rbac/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
@@ -110,6 +111,15 @@ func CreateOrUpdate(ctx context.Context, cr *vmv1beta1.VMSingle, rclient client.
if err := createOrUpdateService(ctx, rclient, cr, prevCR); err != nil {
return err
}
+ if cr.Spec.NetworkPolicy != nil {
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.NetworkPolicy != nil {
+ prevNP = build.NetworkPolicy(prevCR, prevCR.Spec.NetworkPolicy)
+ }
+ if err := reconcile.NetworkPolicy(ctx, rclient, build.NetworkPolicy(cr, cr.Spec.NetworkPolicy), prevNP, &owner); err != nil {
+ return fmt.Errorf("cannot update network policy for vmsingle: %w", err)
+ }
+ }
ac := getAssetsCache(ctx, rclient, cr)
extraCount, err := createOrUpdateScrapeConfig(ctx, rclient, cr, prevCR, nil, ac)
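Review bot: The error text `cannot update network policy for vmsingle` names only the update path, while the vmauth lb hunks in this diff word the same failure as `cannot create or update NetworkPolicy for vmauth lb`; presumably `reconcile.NetworkPolicy` also creates the object on first use, as the other reconcile helpers appear to. Aligning the wording keeps log searches consistent: `return fmt.Errorf("cannot create or update NetworkPolicy for vmsingle: %w", err)`. The vtsingle `CreateOrUpdate` hunk later in this diff carries the same message. `owner` and the rest of `CreateOrUpdate` are outside this hunk.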
@@ -672,6 +682,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1beta1.VM
objMeta := metav1.ObjectMeta{Name: cr.PrefixedName(), Namespace: cr.Namespace}
var objsToRemove []client.Object
+ if cr.Spec.NetworkPolicy == nil {
+ objsToRemove = append(objsToRemove, &networkingv1.NetworkPolicy{ObjectMeta: objMeta})
+ }
if !cr.IsOwnsServiceAccount() {
objsToRemove = append(objsToRemove, &corev1.ServiceAccount{ObjectMeta: objMeta})
rbacMeta := metav1.ObjectMeta{Name: cr.GetRBACName()}
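Review bot: The `NetworkPolicy` appended to `objsToRemove` is identified only by `cr.PrefixedName()` and `cr.Namespace`, and it is appended on every reconcile of a CR that has no `networkPolicy` set. Whether the removal code that consumes `objsToRemove` (outside this hunk) skips objects not owned by this CR cannot be seen here; if it does not, a same-named policy created by a cluster administrator would be deleted and the pods it isolated would lose that restriction. It is worth confirming the ownership check and recording it next to the append, e.g. `// removed only when owned by this CR; a same-named policy managed elsewhere must be left in place`. The vtsingle `deleteOrphaned` hunk later in this diff adds the same lines.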
diff --git a/internal/controller/operator/factory/vmsingle/vmsingle_reconcile_test.go b/internal/controller/operator/factory/vmsingle/vmsingle_reconcile_test.go
index 5e593a102..10f967e08 100644
--- a/internal/controller/operator/factory/vmsingle/vmsingle_reconcile_test.go
+++ b/internal/controller/operator/factory/vmsingle/vmsingle_reconcile_test.go
@@ -139,6 +139,7 @@ func Test_CreateOrUpdate_Actions(t *testing.T) {
},
want{
actions: []k8stools.ClientAction{
+ {Verb: "Get", Kind: "NetworkPolicy", Resource: vmsingleName},
{Verb: "Get", Kind: "ServiceAccount", Resource: vmsingleName},
{Verb: "Get", Kind: "Service", Resource: vmsingleName},
{Verb: "Get", Kind: "VMServiceScrape", Resource: vmsingleName},
diff --git a/internal/controller/operator/factory/vtcluster/cluster.go b/internal/controller/operator/factory/vtcluster/cluster.go
index 76ff0121d..47645dc42 100644
--- a/internal/controller/operator/factory/vtcluster/cluster.go
+++ b/internal/controller/operator/factory/vtcluster/cluster.go
@@ -101,6 +101,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1.VTClust
if newStorage.PodDisruptionBudget != nil {
cc.KeepPDB(commonName)
}
+ if newStorage.NetworkPolicy != nil {
+ cc.KeepNetworkPolicy(commonName)
+ }
if newStorage.HPA != nil {
cc.KeepHPA(commonName)
}
@@ -125,6 +128,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1.VTClust
if newSelect.PodDisruptionBudget != nil {
cc.KeepPDB(commonName)
}
+ if newSelect.NetworkPolicy != nil {
+ cc.KeepNetworkPolicy(commonName)
+ }
if newSelect.HPA != nil {
cc.KeepHPA(commonName)
}
@@ -154,6 +160,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1.VTClust
if newInsert.PodDisruptionBudget != nil {
cc.KeepPDB(commonName)
}
+ if newInsert.NetworkPolicy != nil {
+ cc.KeepNetworkPolicy(commonName)
+ }
if newInsert.HPA != nil {
cc.KeepHPA(commonName)
}
@@ -178,6 +187,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1.VTClust
if newLB.Spec.PodDisruptionBudget != nil {
cc.KeepPDB(commonName)
}
+ if newLB.Spec.NetworkPolicy != nil {
+ cc.KeepNetworkPolicy(commonName)
+ }
if !ptr.Deref(newLB.Spec.DisableSelfServiceScrape, false) {
cc.KeepScrape(commonName)
}
diff --git a/internal/controller/operator/factory/vtcluster/insert.go b/internal/controller/operator/factory/vtcluster/insert.go
index 22fe0243d..454dbcb42 100644
--- a/internal/controller/operator/factory/vtcluster/insert.go
+++ b/internal/controller/operator/factory/vtcluster/insert.go
@@ -10,6 +10,7 @@ import (
autoscalingv1 "k8s.io/api/autoscaling/v1"
autoscalingv2 "k8s.io/api/autoscaling/v2"
corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
policyv1 "k8s.io/api/policy/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
@@ -33,6 +34,19 @@ func createOrUpdateVTInsert(ctx context.Context, rclient client.Client, cr, prev
if err := createOrUpdatePodDisruptionBudgetForVTInsert(ctx, rclient, cr, prevCR); err != nil {
return err
}
+ if cr.Spec.Insert.NetworkPolicy != nil {
+ b := build.NewChildBuilder(cr, vmv1beta1.ClusterComponentInsert)
+ np := build.NetworkPolicy(b, cr.Spec.Insert.NetworkPolicy)
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.Insert != nil && prevCR.Spec.Insert.NetworkPolicy != nil {
+ b = build.NewChildBuilder(prevCR, vmv1beta1.ClusterComponentInsert)
+ prevNP = build.NetworkPolicy(b, prevCR.Spec.Insert.NetworkPolicy)
+ }
+ owner := cr.AsOwner()
+ if err := reconcile.NetworkPolicy(ctx, rclient, np, prevNP, &owner); err != nil {
+ return err
+ }
+ }
if err := createOrUpdateVTInsertDeployment(ctx, rclient, cr, prevCR); err != nil {
return err
}
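Review bot: This NetworkPolicy block is inlined here and again, almost verbatim, in the `select.go`, `storage.go` and `vmauth_lb.go` hunks of this package, whereas the vmcluster factory in the same diff puts the equivalent logic in `createOrUpdateNetworkPolicyFor…` helpers. Moving it into a helper per component, say `createOrUpdateNetworkPolicyForVTInsert`, would reduce the call site to `if err := createOrUpdateNetworkPolicyForVTInsert(ctx, rclient, cr, prevCR); err != nil {` and keep the two factories parallel. The insert, select and storage variants also return the error bare, so a failure does not say which object was being reconciled; `return fmt.Errorf("cannot create or update NetworkPolicy for vtinsert: %w", err)` would match the vmauth lb variant. `createOrUpdateVTInsert` starts before and continues past this hunk.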
diff --git a/internal/controller/operator/factory/vtcluster/select.go b/internal/controller/operator/factory/vtcluster/select.go
index 81cc8f395..7969e1432 100644
--- a/internal/controller/operator/factory/vtcluster/select.go
+++ b/internal/controller/operator/factory/vtcluster/select.go
@@ -10,6 +10,7 @@ import (
autoscalingv1 "k8s.io/api/autoscaling/v1"
autoscalingv2 "k8s.io/api/autoscaling/v2"
corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
policyv1 "k8s.io/api/policy/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
@@ -43,6 +44,19 @@ func createOrUpdateVTSelect(ctx context.Context, rclient client.Client, cr, prev
return err
}
}
+ if cr.Spec.Select.NetworkPolicy != nil {
+ b := build.NewChildBuilder(cr, vmv1beta1.ClusterComponentSelect)
+ np := build.NetworkPolicy(b, cr.Spec.Select.NetworkPolicy)
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.Select != nil && prevCR.Spec.Select.NetworkPolicy != nil {
+ b = build.NewChildBuilder(prevCR, vmv1beta1.ClusterComponentSelect)
+ prevNP = build.NetworkPolicy(b, prevCR.Spec.Select.NetworkPolicy)
+ }
+ owner := cr.AsOwner()
+ if err := reconcile.NetworkPolicy(ctx, rclient, np, prevNP, &owner); err != nil {
+ return err
+ }
+ }
if err := createOrUpdateVTSelectHPA(ctx, rclient, cr, prevCR); err != nil {
return err
}
diff --git a/internal/controller/operator/factory/vtcluster/storage.go b/internal/controller/operator/factory/vtcluster/storage.go
index af5e1b246..d82c9b081 100644
--- a/internal/controller/operator/factory/vtcluster/storage.go
+++ b/internal/controller/operator/factory/vtcluster/storage.go
@@ -10,6 +10,7 @@ import (
autoscalingv1 "k8s.io/api/autoscaling/v1"
autoscalingv2 "k8s.io/api/autoscaling/v2"
corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
policyv1 "k8s.io/api/policy/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/util/intstr"
@@ -44,6 +45,19 @@ func createOrUpdateVTStorage(ctx context.Context, rclient client.Client, cr, pre
return err
}
}
+ if cr.Spec.Storage.NetworkPolicy != nil {
+ b := build.NewChildBuilder(cr, vmv1beta1.ClusterComponentStorage)
+ np := build.NetworkPolicy(b, cr.Spec.Storage.NetworkPolicy)
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.Storage != nil && prevCR.Spec.Storage.NetworkPolicy != nil {
+ b = build.NewChildBuilder(prevCR, vmv1beta1.ClusterComponentStorage)
+ prevNP = build.NetworkPolicy(b, prevCR.Spec.Storage.NetworkPolicy)
+ }
+ owner := cr.AsOwner()
+ if err := reconcile.NetworkPolicy(ctx, rclient, np, prevNP, &owner); err != nil {
+ return err
+ }
+ }
if err := createOrUpdateVTStorageHPA(ctx, rclient, cr, prevCR); err != nil {
return err
}
diff --git a/internal/controller/operator/factory/vtcluster/vmauth_lb.go b/internal/controller/operator/factory/vtcluster/vmauth_lb.go
index f3f41b10b..d6a58eb89 100644
--- a/internal/controller/operator/factory/vtcluster/vmauth_lb.go
+++ b/internal/controller/operator/factory/vtcluster/vmauth_lb.go
@@ -8,6 +8,7 @@ import (
appsv1 "k8s.io/api/apps/v1"
autoscalingv2 "k8s.io/api/autoscaling/v2"
corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
policyv1 "k8s.io/api/policy/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
@@ -62,6 +63,19 @@ func createOrUpdateVMAuthLB(ctx context.Context, rclient client.Client, cr, prev
return fmt.Errorf("cannot create or update PodDisruptionBudget for vmauth lb: %w", err)
}
}
+ if cr.Spec.RequestsLoadBalancer.Spec.NetworkPolicy != nil {
+ b := build.NewChildBuilder(cr, vmv1beta1.ClusterComponentBalancer)
+ np := build.NetworkPolicy(b, cr.Spec.RequestsLoadBalancer.Spec.NetworkPolicy)
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.RequestsLoadBalancer.Spec.NetworkPolicy != nil {
+ b = build.NewChildBuilder(prevCR, vmv1beta1.ClusterComponentBalancer)
+ prevNP = build.NetworkPolicy(b, prevCR.Spec.RequestsLoadBalancer.Spec.NetworkPolicy)
+ }
+ owner := cr.AsOwner()
+ if err := reconcile.NetworkPolicy(ctx, rclient, np, prevNP, &owner); err != nil {
+ return fmt.Errorf("cannot create or update NetworkPolicy for vmauth lb: %w", err)
+ }
+ }
if err := createOrUpdateVMAuthLBHPA(ctx, rclient, cr, prevCR); err != nil {
return fmt.Errorf("cannot create or update HPA for vmauth lb: %w", err)
}
diff --git a/internal/controller/operator/factory/vtsingle/vtsingle.go b/internal/controller/operator/factory/vtsingle/vtsingle.go
index 89488d8d0..fa2e58f5e 100644
--- a/internal/controller/operator/factory/vtsingle/vtsingle.go
+++ b/internal/controller/operator/factory/vtsingle/vtsingle.go
@@ -8,6 +8,7 @@ import (
appsv1 "k8s.io/api/apps/v1"
corev1 "k8s.io/api/core/v1"
+ networkingv1 "k8s.io/api/networking/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/labels"
"k8s.io/apimachinery/pkg/util/intstr"
@@ -96,6 +97,15 @@ func CreateOrUpdate(ctx context.Context, rclient client.Client, cr *vmv1.VTSingl
if err := createOrUpdateService(ctx, rclient, cr, prevCR); err != nil {
return err
}
+ if cr.Spec.NetworkPolicy != nil {
+ var prevNP *networkingv1.NetworkPolicy
+ if prevCR != nil && prevCR.Spec.NetworkPolicy != nil {
+ prevNP = build.NetworkPolicy(prevCR, prevCR.Spec.NetworkPolicy)
+ }
+ if err := reconcile.NetworkPolicy(ctx, rclient, build.NetworkPolicy(cr, cr.Spec.NetworkPolicy), prevNP, &owner); err != nil {
+ return fmt.Errorf("cannot update network policy for vtsingle: %w", err)
+ }
+ }
var prevDeploy *appsv1.Deployment
if prevCR != nil {
@@ -337,6 +347,9 @@ func deleteOrphaned(ctx context.Context, rclient client.Client, cr *vmv1.VTSingl
objMeta := metav1.ObjectMeta{Name: cr.PrefixedName(), Namespace: cr.Namespace}
var objsToRemove []client.Object
+ if cr.Spec.NetworkPolicy == nil {
+ objsToRemove = append(objsToRemove, &networkingv1.NetworkPolicy{ObjectMeta: objMeta})
+ }
if !cr.IsOwnsServiceAccount() {
objsToRemove = append(objsToRemove, &corev1.ServiceAccount{ObjectMeta: objMeta})
}
diff --git a/internal/controller/operator/factory/vtsingle/vtsingle_reconcile_test.go b/internal/controller/operator/factory/vtsingle/vtsingle_reconcile_test.go
index 874106000..2de8d561f 100644
--- a/internal/controller/operator/factory/vtsingle/vtsingle_reconcile_test.go
+++ b/internal/controller/operator/factory/vtsingle/vtsingle_reconcile_test.go
@@ -138,6 +138,7 @@ func Test_CreateOrUpdate_Actions(t *testing.T) {
},
want{
actions: []k8stools.ClientAction{
+ {Verb: "Get", Kind: "NetworkPolicy", Resource: vtsingleName},
{Verb: "Get", Kind: "ServiceAccount", Resource: vtsingleName},
{Verb: "Get", Kind: "Service", Resource: vtsingleName},
{Verb: "Get", Kind: "VMServiceScrape", Resource: vtsingleName},