1package v1
2
3import (
4 "cue.dev/x/k8s.io/apimachinery/pkg/apis/meta/v1"
5 v1_9 "cue.dev/x/k8s.io/api/core/v1"
6 "cue.dev/x/k8s.io/apimachinery/pkg/util/intstr"
7)
8
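// HTTPIngressPath associates a path with a backend. Incoming URLs
// matching the path are forwarded to the backend.
#HTTPIngressPath: {
	// backend defines the referenced service endpoint to which the
	// traffic will be forwarded.
	backend!: #IngressBackend

	// path is matched against the path of an incoming request.
	// Currently it can contain characters disallowed from the
	// conventional "path" part of a URL as defined by RFC 3986.
	// Paths must begin with a '/' and must be present when using
	// pathType "Exact" or "Prefix". This schema only checks that path
	// is a string; neither of those two rules is enforced here.
	path?: string

	// pathType determines how path is interpreted when matching:
	//
	// * Exact: matches the URL path exactly.
	// * Prefix: matches on a URL path prefix split by '/'. Matching is
	//   done element by element, where a path element is one of the
	//   labels obtained by splitting the path on the '/' separator. A
	//   request matches path p if p is an element-wise prefix of the
	//   request path. If the last element of the path is only a
	//   substring of the last element of the request path, it is not
	//   a match (e.g. /foo/bar matches /foo/bar/baz, but does not
	//   match /foo/barbaz).
	// * ImplementationSpecific: interpretation of the path matching
	//   is up to the IngressClass. Implementations can treat this as
	//   a separate path type or treat it identically to Prefix or
	//   Exact.
	//
	// Implementations are required to support all path types.
	//
	// The field is restricted to the three documented values so that
	// a misspelled or wrongly cased path type fails schema validation
	// instead of passing as an arbitrary string.
	pathType!: "Exact" | "Prefix" | "ImplementationSpecific"
}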
46
// HTTPIngressRuleValue is a list of HTTP selectors pointing to
// backends. In the example http://<host>/<path>?<searchpart> ->
// backend, where parts of the URL correspond to RFC 3986, this
// resource is used to match against everything after the last '/'
// and before the first '?' or '#'.
#HTTPIngressRuleValue: {
	// paths is the collection of paths that map requests to backends.
	paths!: [...#HTTPIngressPath]
}
56
// IPAddress represents a single IP of a single IP family. The
// object is designed for APIs that operate on IP addresses and is
// used by the Service core API to allocate IP addresses. Because
// an IP address can be written in several formats, uniqueness is
// guaranteed by naming the object after the address in canonical
// format: four decimal digits separated by dots, with leading
// zeros suppressed, for IPv4, and the representation defined by
// RFC 5952 for IPv6.
// Valid: 192.168.1.5 or 2001:db8::1 or
// 2001:db8:aaaa:bbbb:cccc:dddd:eeee:1
// Invalid: 10.01.2.3 or 2001:db8:0:0:0::1
#IPAddress: {
	// apiVersion identifies the versioned schema of this object
	// representation. Servers should convert recognized schemas to
	// the latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "networking.k8s.io/v1"

	// kind is a CamelCase string naming the REST resource this object
	// represents. Servers may infer it from the endpoint the client
	// submits requests to. It cannot be updated. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "IPAddress"

	// metadata is the standard object metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metadata?: v1.#ObjectMeta

	// spec is the desired state of the IPAddress. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
	spec?: #IPAddressSpec
}
91
// IPAddressList contains a list of IPAddress objects.
#IPAddressList: {
	// apiVersion identifies the versioned schema of this object
	// representation. Servers should convert recognized schemas to
	// the latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "networking.k8s.io/v1"

	// items is the list of IPAddresses.
	items!: [...#IPAddress]

	// kind is a CamelCase string naming the REST resource this object
	// represents. Servers may infer it from the endpoint the client
	// submits requests to. It cannot be updated. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "IPAddressList"

	// metadata is the standard object metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metadata?: v1.#ListMeta
}
115
// IPAddressSpec describes the attributes of an IP address.
#IPAddressSpec: {
	// parentRef references the resource that an IPAddress is attached
	// to. An IPAddress must reference a parent object, so the field
	// is required.
	parentRef!: #ParentReference
}
122
// IPBlock describes a particular CIDR (e.g. "192.168.1.0/24",
// "2001:db8::/64") that is allowed to the pods matched by a
// NetworkPolicySpec's podSelector. The except entry describes
// CIDRs that should not be included within this rule.
#IPBlock: {
	// cidr is a string representing the IPBlock. Valid examples are
	// "192.168.1.0/24" or "2001:db8::/64". The schema accepts any
	// string; CIDR syntax is not checked here.
	cidr!: string

	// except is a list of CIDRs that should not be included within
	// the IPBlock. Valid examples are "192.168.1.0/24" or
	// "2001:db8::/64". Except values will be rejected if they are
	// outside the cidr range; that containment rule is not expressed
	// in this schema.
	except?: [...string]
}
138
// Ingress is a collection of rules that allow inbound connections
// to reach the endpoints defined by a backend. An Ingress can be
// configured to give services externally reachable URLs, load
// balance traffic, terminate SSL, offer name-based virtual
// hosting, etc.
#Ingress: {
	// apiVersion identifies the versioned schema of this object
	// representation. Servers should convert recognized schemas to
	// the latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "networking.k8s.io/v1"

	// kind is a CamelCase string naming the REST resource this object
	// represents. Servers may infer it from the endpoint the client
	// submits requests to. It cannot be updated. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "Ingress"

	// metadata is the standard object metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metadata?: v1.#ObjectMeta

	// spec is the desired state of the Ingress. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
	spec?: #IngressSpec

	// status is the current state of the Ingress. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
	status?: #IngressStatus
}
171
// IngressBackend describes all endpoints for a given service and
// port.
#IngressBackend: {
	// resource is an ObjectRef to another Kubernetes resource in the
	// namespace of the Ingress object. If resource is specified,
	// service.name and service.port must not be specified; it is
	// mutually exclusive with "service". Both fields are optional in
	// this schema and the exclusivity is not enforced here.
	resource?: v1_9.#TypedLocalObjectReference

	// service references a Service as a backend. It is mutually
	// exclusive with "resource".
	service?: #IngressServiceBackend
}
185
// IngressClass represents the class of the Ingress, referenced by
// the Ingress spec. The
// `ingressclass.kubernetes.io/is-default-class` annotation can be
// used to indicate that an IngressClass should be considered the
// default. When a single IngressClass resource has this
// annotation set to true, new Ingress resources without a class
// specified will be assigned this default class.
#IngressClass: {
	// apiVersion identifies the versioned schema of this object
	// representation. Servers should convert recognized schemas to
	// the latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "networking.k8s.io/v1"

	// kind is a CamelCase string naming the REST resource this object
	// represents. Servers may infer it from the endpoint the client
	// submits requests to. It cannot be updated. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "IngressClass"

	// metadata is the standard object metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metadata?: v1.#ObjectMeta

	// spec is the desired state of the IngressClass. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
	spec?: #IngressClassSpec
}
216
// IngressClassList is a collection of IngressClasses.
#IngressClassList: {
	// apiVersion identifies the versioned schema of this object
	// representation. Servers should convert recognized schemas to
	// the latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "networking.k8s.io/v1"

	// items is the list of IngressClasses.
	items!: [...#IngressClass]

	// kind is a CamelCase string naming the REST resource this object
	// represents. Servers may infer it from the endpoint the client
	// submits requests to. It cannot be updated. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "IngressClassList"

	// metadata is the standard list metadata.
	metadata?: v1.#ListMeta
}
239
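// IngressClassParametersReference identifies an API object. This
// can be used to specify a cluster-scoped or namespace-scoped
// resource.
#IngressClassParametersReference: {
	// apiGroup is the group for the resource being referenced. If
	// apiGroup is not specified, the specified kind must be in the
	// core API group. For any other third-party types, apiGroup is
	// required.
	apiGroup?: string

	// kind is the type of resource being referenced.
	kind!: string

	// name is the name of the resource being referenced.
	name!: string

	// namespace is the namespace of the resource being referenced.
	// This field is required when scope is set to "Namespace" and
	// must be unset when scope is set to "Cluster". That dependency
	// on scope is not enforced by this schema.
	namespace?: string

	// scope represents whether this refers to a cluster-scoped or
	// namespace-scoped resource. This may be set to "Cluster"
	// (default) or "Namespace".
	//
	// The field is restricted to the two documented values so that a
	// misspelled scope fails schema validation instead of passing as
	// an arbitrary string. No CUE default is declared, so an omitted
	// scope stays omitted.
	scope?: "Cluster" | "Namespace"
}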
265
// IngressClassSpec provides information about the class of an
// Ingress.
#IngressClassSpec: {
	// controller is the name of the controller that should handle
	// this class. This allows for different "flavors" that are
	// controlled by the same controller; for example, you may have
	// different parameters for the same implementing controller. It
	// should be specified as a domain-prefixed path no more than 250
	// characters in length, e.g. "acme.io/ingress-controller". This
	// field is immutable. The length limit is not checked by this
	// schema.
	controller?: string

	// parameters is a link to a custom resource containing additional
	// configuration for the controller. It is optional if the
	// controller does not require extra parameters.
	parameters?: #IngressClassParametersReference
}
283
// IngressList is a collection of Ingress objects.
#IngressList: {
	// apiVersion identifies the versioned schema of this object
	// representation. Servers should convert recognized schemas to
	// the latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "networking.k8s.io/v1"

	// items is the list of Ingress objects.
	items!: [...#Ingress]

	// kind is a CamelCase string naming the REST resource this object
	// represents. Servers may infer it from the endpoint the client
	// submits requests to. It cannot be updated. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "IngressList"

	// metadata is the standard object metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metadata?: v1.#ListMeta
}
307
// IngressLoadBalancerIngress represents the status of a
// load-balancer ingress point.
#IngressLoadBalancerIngress: {
	// hostname is set for load-balancer ingress points that are
	// DNS based.
	hostname?: string

	// ip is set for load-balancer ingress points that are IP based.
	ip?: string

	// ports provides information about the ports exposed by this
	// load balancer.
	ports?: [...#IngressPortStatus]
}
322
// IngressLoadBalancerStatus represents the status of a
// load balancer.
#IngressLoadBalancerStatus: {
	// ingress is a list containing the ingress points for the
	// load balancer.
	ingress?: [...#IngressLoadBalancerIngress]
}
330
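// IngressPortStatus represents the error condition of a service
// port.
#IngressPortStatus: {
	// error records the problem with the service port. The format of
	// the error shall comply with the following rules:
	// - built-in error values shall be specified in this file and
	//   those shall use CamelCase names
	// - cloud provider specific error values must have names that
	//   comply with the format foo.example.com/CamelCase.
	// Neither naming rule is checked by this schema.
	error?: string

	// port is the port number of the ingress port.
	// int32 already implies int, so the explicit "& int" is dropped.
	port!: int32

	// protocol is the protocol of the ingress port. The supported
	// values are: "TCP", "UDP", "SCTP".
	//
	// The field is restricted to those three values so that an
	// unsupported or wrongly cased protocol fails schema validation
	// instead of passing as an arbitrary string.
	protocol!: "TCP" | "UDP" | "SCTP"
}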
351
// IngressRule represents the rules mapping the paths under a
// specified host to the related backend services. Incoming
// requests are first evaluated for a host match, then routed to
// the backend associated with the matching IngressRuleValue.
#IngressRule: {
	// host is the fully qualified domain name of a network host, as
	// defined by RFC 3986, with these deviations from the "host"
	// part of the URI:
	// 1. IPs are not allowed. Currently an IngressRuleValue can only
	//    apply to the IP in the spec of the parent Ingress.
	// 2. The `:` delimiter is not respected because ports are not
	//    allowed. Currently the port of an Ingress is implicitly :80
	//    for http and :443 for https.
	// Both of these may change in the future. Incoming requests are
	// matched against the host before the IngressRuleValue. If the
	// host is unspecified, the Ingress routes all traffic based on
	// the specified IngressRuleValue.
	//
	// host can be "precise", which is a domain name without the
	// terminating dot of a network host (e.g. "foo.bar.com"), or
	// "wildcard", which is a domain name prefixed with a single
	// wildcard label (e.g. "*.foo.com"). The wildcard character '*'
	// must appear by itself as the first DNS label and matches only
	// a single label. A wildcard label by itself is not allowed
	// (e.g. host == "*"). Requests are matched against host in the
	// following way:
	// 1. If host is precise, the request matches this rule if the
	//    HTTP Host header is equal to host.
	// 2. If host is a wildcard, the request matches this rule if the
	//    HTTP Host header is equal to the suffix (removing the first
	//    label) of the wildcard rule.
	// None of these host rules are checked by this schema; any string
	// is accepted.
	host?: string

	// http is the HTTPIngressRuleValue applied to requests that match
	// host.
	http?: #HTTPIngressRuleValue
}
386
// IngressServiceBackend references a Kubernetes Service as a
// backend.
#IngressServiceBackend: {
	// name is the referenced Service. The Service must exist in the
	// same namespace as the Ingress object.
	name!: string

	// port is the port of the referenced Service. A port name or port
	// number is required for an IngressServiceBackend, although the
	// field itself is optional in this schema.
	port?: #ServiceBackendPort
}
398
// IngressSpec describes the Ingress the user wishes to exist.
#IngressSpec: {
	// defaultBackend is the backend that should handle requests that
	// don't match any rule. If rules are not specified,
	// defaultBackend must be specified. If defaultBackend is not
	// set, the handling of requests that do not match any of the
	// rules is up to the Ingress controller.
	defaultBackend?: #IngressBackend

	// ingressClassName is the name of an IngressClass cluster
	// resource. Ingress controller implementations use this field to
	// know whether they should be serving this Ingress resource, by
	// a transitive connection (controller -> IngressClass -> Ingress
	// resource). Although the `kubernetes.io/ingress.class`
	// annotation (simple constant name) was never formally defined,
	// it was widely supported by Ingress controllers to create a
	// direct binding between Ingress controller and Ingress
	// resources. Newly created Ingress resources should prefer the
	// field. However, even though the annotation is officially
	// deprecated, ingress controllers should still honor it if
	// present, for backwards compatibility.
	ingressClassName?: string

	// rules is a list of host rules used to configure the Ingress. If
	// unspecified, or if no rule matches, all traffic is sent to the
	// default backend.
	rules?: [...#IngressRule]

	// tls represents the TLS configuration. Currently the Ingress
	// only supports a single TLS port, 443. If multiple members of
	// this list specify different hosts, they are multiplexed on the
	// same port according to the hostname specified through the SNI
	// TLS extension, provided the ingress controller fulfilling the
	// ingress supports SNI.
	tls?: [...#IngressTLS]
}
435
// IngressStatus describes the current state of the Ingress.
#IngressStatus: {
	// loadBalancer contains the current status of the load balancer.
	loadBalancer?: #IngressLoadBalancerStatus
}
441
// IngressTLS describes the transport layer security associated
// with an ingress.
#IngressTLS: {
	// hosts is a list of hosts included in the TLS certificate. The
	// values in this list must match the name/s used in the
	// tlsSecret. If left unspecified, it defaults to the wildcard
	// host setting of the load-balancer controller fulfilling this
	// Ingress.
	hosts?: [...string]

	// secretName is the name of the secret used to terminate TLS
	// traffic on port 443. The field is optional to allow TLS
	// routing based on SNI hostname alone. If the SNI host in a
	// listener conflicts with the "Host" header field used by an
	// IngressRule, the SNI host is used for termination and the
	// value of the "Host" header is used for routing.
	secretName?: string
}
460
// NetworkPolicy describes what network traffic is allowed for a
// set of Pods.
#NetworkPolicy: {
	// apiVersion identifies the versioned schema of this object
	// representation. Servers should convert recognized schemas to
	// the latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "networking.k8s.io/v1"

	// kind is a CamelCase string naming the REST resource this object
	// represents. Servers may infer it from the endpoint the client
	// submits requests to. It cannot be updated. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "NetworkPolicy"

	// metadata is the standard object metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metadata?: v1.#ObjectMeta

	// spec represents the specification of the desired behavior for
	// this NetworkPolicy.
	spec?: #NetworkPolicySpec
}
486
// NetworkPolicyEgressRule describes a particular set of traffic
// that is allowed out of pods matched by a NetworkPolicySpec's
// podSelector. The traffic must match both ports and to. This
// type is beta-level in 1.8.
#NetworkPolicyEgressRule: {
	// ports is a list of destination ports for outgoing traffic. The
	// items in this list are combined using a logical OR. If this
	// field is empty or missing, this rule matches all ports
	// (traffic is not restricted by port). If this field is present
	// and contains at least one item, this rule allows traffic only
	// if the traffic matches at least one port in the list.
	ports?: [...#NetworkPolicyPort]

	// to is a list of destinations for outgoing traffic of pods
	// selected for this rule. The items in this list are combined
	// using a logical OR operation. If this field is empty or
	// missing, this rule matches all destinations (traffic is not
	// restricted by destination). If this field is present and
	// contains at least one item, this rule allows traffic only if
	// the traffic matches at least one item in the to list.
	to?: [...#NetworkPolicyPeer]
}
509
// NetworkPolicyIngressRule describes a particular set of traffic
// that is allowed to the pods matched by a NetworkPolicySpec's
// podSelector. The traffic must match both ports and from.
#NetworkPolicyIngressRule: {
	// from is a list of sources which should be able to access the
	// pods selected for this rule. The items in this list are
	// combined using a logical OR operation. If this field is empty
	// or missing, this rule matches all sources (traffic is not
	// restricted by source). If this field is present and contains
	// at least one item, this rule allows traffic only if the
	// traffic matches at least one item in the from list.
	from?: [...#NetworkPolicyPeer]

	// ports is a list of ports which should be made accessible on the
	// pods selected for this rule. The items in this list are
	// combined using a logical OR. If this field is empty or
	// missing, this rule matches all ports (traffic is not
	// restricted by port). If this field is present and contains at
	// least one item, this rule allows traffic only if the traffic
	// matches at least one port in the list.
	ports?: [...#NetworkPolicyPort]
}
532
// NetworkPolicyList is a list of NetworkPolicy objects.
#NetworkPolicyList: {
	// apiVersion identifies the versioned schema of this object
	// representation. Servers should convert recognized schemas to
	// the latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "networking.k8s.io/v1"

	// items is a list of schema objects.
	items!: [...#NetworkPolicy]

	// kind is a CamelCase string naming the REST resource this object
	// represents. Servers may infer it from the endpoint the client
	// submits requests to. It cannot be updated. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "NetworkPolicyList"

	// metadata is the standard list metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metadata?: v1.#ListMeta
}
556
// NetworkPolicyPeer describes a peer to allow traffic to/from.
// Only certain combinations of fields are allowed; the allowed
// combinations are described per field and are not enforced by
// this schema.
#NetworkPolicyPeer: {
	// ipBlock defines policy on a particular IPBlock. If this field
	// is set then neither of the other fields can be.
	ipBlock?: #IPBlock

	// namespaceSelector selects namespaces using cluster-scoped
	// labels. This field follows standard label selector semantics;
	// if present but empty, it selects all namespaces.
	//
	// If podSelector is also set, the NetworkPolicyPeer as a whole
	// selects the pods matching podSelector in the namespaces
	// selected by namespaceSelector. Otherwise it selects all pods
	// in the namespaces selected by namespaceSelector.
	namespaceSelector?: v1.#LabelSelector

	// podSelector is a label selector which selects pods. This field
	// follows standard label selector semantics; if present but
	// empty, it selects all pods.
	//
	// If namespaceSelector is also set, the NetworkPolicyPeer as a
	// whole selects the pods matching podSelector in the namespaces
	// selected by namespaceSelector. Otherwise it selects the pods
	// matching podSelector in the policy's own namespace.
	podSelector?: v1.#LabelSelector
}
584
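// NetworkPolicyPort describes a port to allow traffic on.
#NetworkPolicyPort: {
	// endPort, if set, indicates that the inclusive range of ports
	// from port to endPort should be allowed by the policy. This
	// field cannot be defined if the port field is not defined or if
	// the port field is defined as a named (string) port. endPort
	// must be equal to or greater than port. Those relationships to
	// port are not enforced by this schema.
	// int32 already implies int, so the explicit "& int" is dropped.
	endPort?: int32

	// port represents the port on the given protocol. This can be
	// either a numerical or a named port on a pod. If this field is
	// not provided, this matches all port names and numbers. If
	// present, only traffic on the specified protocol AND port will
	// be matched.
	port?: intstr.#IntOrString

	// protocol represents the protocol (TCP, UDP, or SCTP) which
	// traffic must match. If not specified, this field defaults to
	// TCP.
	//
	// The field is restricted to the three documented values so that
	// a misspelled or wrongly cased protocol fails schema validation
	// instead of passing as an arbitrary string. No CUE default is
	// declared, so an omitted protocol stays omitted.
	protocol?: "TCP" | "UDP" | "SCTP"
}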
606
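// NetworkPolicySpec provides the specification of a NetworkPolicy.
#NetworkPolicySpec: {
	// egress is a list of egress rules to be applied to the selected
	// pods. Outgoing traffic is allowed if there are no
	// NetworkPolicies selecting the pod (and cluster policy
	// otherwise allows the traffic), OR if the traffic matches at
	// least one egress rule across all of the NetworkPolicy objects
	// whose podSelector matches the pod. If this field is empty then
	// this NetworkPolicy limits all outgoing traffic (and serves
	// solely to ensure that the pods it selects are isolated by
	// default). This field is beta-level in 1.8.
	egress?: [...#NetworkPolicyEgressRule]

	// ingress is a list of ingress rules to be applied to the
	// selected pods. Traffic is allowed to a pod if there are no
	// NetworkPolicies selecting the pod (and cluster policy
	// otherwise allows the traffic), OR if the traffic source is the
	// pod's local node, OR if the traffic matches at least one
	// ingress rule across all of the NetworkPolicy objects whose
	// podSelector matches the pod. If this field is empty then this
	// NetworkPolicy does not allow any traffic (and serves solely to
	// ensure that the pods it selects are isolated by default).
	ingress?: [...#NetworkPolicyIngressRule]

	// podSelector selects the pods to which this NetworkPolicy object
	// applies. The array of rules is applied to any pods selected by
	// this field. An empty selector matches all pods in the policy's
	// namespace. Multiple network policies can select the same set
	// of pods; in that case, the ingress rules for each are combined
	// additively. This field is optional. If it is not specified, it
	// defaults to an empty selector, i.e. every pod in the policy's
	// namespace.
	podSelector?: v1.#LabelSelector

	// policyTypes is a list of rule types that the NetworkPolicy
	// relates to. Valid options are ["Ingress"], ["Egress"], or
	// ["Ingress", "Egress"]. If this field is not specified, it
	// defaults based on the existence of ingress or egress rules:
	// policies that contain an egress section are assumed to affect
	// egress, and all policies (whether or not they contain an
	// ingress section) are assumed to affect ingress. To write an
	// egress-only policy, you must explicitly specify policyTypes
	// [ "Egress" ]. Likewise, to write a policy that specifies that
	// no egress is allowed, you must specify a policyTypes value
	// that includes "Egress" (since such a policy would not include
	// an egress section and would otherwise default to just
	// [ "Ingress" ]). This field is beta-level in 1.8.
	//
	// Elements are restricted to the two documented rule types so
	// that a misspelled entry such as "egress" fails schema
	// validation instead of passing as an arbitrary string.
	policyTypes?: [...("Ingress" | "Egress")]
}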
656
// ParentReference describes a reference to a parent object.
#ParentReference: {
	// group is the group of the object being referenced.
	group?: string

	// name is the name of the object being referenced.
	name!: string

	// namespace is the namespace of the object being referenced.
	namespace?: string

	// resource is the resource of the object being referenced.
	resource!: string
}
671
// ServiceBackendPort is the service port being referenced.
#ServiceBackendPort: {
	// name is the name of the port on the Service. It is mutually
	// exclusive with "number"; the exclusivity is not enforced by
	// this schema.
	name?: string

	// number is the numerical port number (e.g. 80) on the Service.
	// It is mutually exclusive with "name".
	number?: int32
}
682
// ServiceCIDR defines a range of IP addresses using CIDR format
// (e.g. 192.168.0.0/24 or 2001:db2::/64). This range is used to
// allocate ClusterIPs to Service objects.
#ServiceCIDR: {
	// apiVersion identifies the versioned schema of this object
	// representation. Servers should convert recognized schemas to
	// the latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "networking.k8s.io/v1"

	// kind is a CamelCase string naming the REST resource this object
	// represents. Servers may infer it from the endpoint the client
	// submits requests to. It cannot be updated. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "ServiceCIDR"

	// metadata is the standard object metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metadata?: v1.#ObjectMeta

	// spec is the desired state of the ServiceCIDR. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
	spec?: #ServiceCIDRSpec

	// status represents the current state of the ServiceCIDR. More
	// info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#spec-and-status
	status?: #ServiceCIDRStatus
}
714
// ServiceCIDRList contains a list of ServiceCIDR objects.
#ServiceCIDRList: {
	// apiVersion identifies the versioned schema of this object
	// representation. Servers should convert recognized schemas to
	// the latest internal value, and may reject unrecognized values.
	// More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
	apiVersion: "networking.k8s.io/v1"

	// items is the list of ServiceCIDRs.
	items!: [...#ServiceCIDR]

	// kind is a CamelCase string naming the REST resource this object
	// represents. Servers may infer it from the endpoint the client
	// submits requests to. It cannot be updated. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
	kind: "ServiceCIDRList"

	// metadata is the standard object metadata. More info:
	// https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata
	metadata?: v1.#ListMeta
}
738
// ServiceCIDRSpec defines the CIDRs the user wants to use for
// allocating ClusterIPs for Services.
#ServiceCIDRSpec: {
	// cidrs defines the IP blocks in CIDR notation (e.g.
	// "192.168.0.0/24" or "2001:db8::/64") from which to assign
	// service cluster IPs. A maximum of two CIDRs is allowed, one of
	// each IP family. This field is immutable. Neither the maximum
	// nor the CIDR syntax is checked by this schema.
	cidrs?: [...string]
}
748
// ServiceCIDRStatus describes the current state of the
// ServiceCIDR.
#ServiceCIDRStatus: {
	// conditions holds an array of metav1.Condition values that
	// describe the state of the ServiceCIDR (the current service
	// state).
	conditions?: [...v1.#Condition]
}