{
  "properties": {
    "apiVersion": {
      "description": "apiVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#resources",
      "type": "string"
    },
    "kind": {
      "description": "kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/api-conventions.md#types-kinds",
      "type": "string"
    },
    "metadata": {
      "type": "object"
    },
    "spec": {
      "properties": {
        "action": {
          "description": "The Action to perform when the client connection triggers the rule. Can currently be one of\n\"allow\", \"deny\" or \"goto_next\".",
          "type": "string"
        },
        "description": {
          "description": "A description of the rule.",
          "type": "string"
        },
        "direction": {
          "description": "The direction in which this rule applies. If unspecified, an INGRESS rule is created. Possible values: [\"INGRESS\", \"EGRESS\"].",
          "type": "string"
        },
        "enableLogging": {
          "description": "Denotes whether to enable logging for a particular rule.\nIf logging is enabled, logs will be exported to the\nconfigured export destination in Stackdriver.",
          "type": "boolean"
        },
        "match": {
          "description": "A match condition that incoming traffic is evaluated against. If it evaluates to true, the corresponding 'action' is enforced.",
          "properties": {
            "config": {
              "description": "The configuration options for matching the rule.",
              "properties": {
                "destIpRanges": {
                  "description": "Destination IP address range in CIDR format. Required for\nEGRESS rules.",
                  "items": {
                    "type": "string"
                  },
                  "type": "array"
                },
                "layer4Config": {
                  "description": "Pairs of IP protocols and ports that the rule should match.",
                  "items": {
                    "properties": {
                      "ipProtocol": {
                        "description": "The IP protocol to which this rule applies. The protocol\ntype is required when creating a firewall rule.\nThis value can either be one of the following well\nknown protocol strings (tcp, udp, icmp, esp, ah, ipip, sctp),\nor the IP protocol number.",
                        "type": "string"
                      },
                      "ports": {
                        "description": "An optional list of ports to which this rule applies. This field\nis applicable only to the UDP or TCP protocol. Each entry must be\neither an integer or a range. If not specified, this rule\napplies to connections through any port.\n\nExample inputs include: [\"22\"], [\"80\",\"443\"], and\n[\"12345-12349\"].",
                        "items": {
                          "type": "string"
                        },
                        "type": "array"
                      }
                    },
                    "required": [
                      "ipProtocol"
                    ],
                    "type": "object",
                    "additionalProperties": false
                  },
                  "type": "array"
                },
                "srcIpRanges": {
                  "description": "Source IP address range in CIDR format. Required for\nINGRESS rules.",
                  "items": {
                    "type": "string"
                  },
                  "type": "array"
                }
              },
              "required": [
                "layer4Config"
              ],
              "type": "object",
              "additionalProperties": false
            },
            "description": {
              "description": "A description of the rule.",
              "type": "string"
            },
            "versionedExpr": {
              "description": "Preconfigured versioned expression. For organization security policy rules,\nthe only supported type is \"FIREWALL\". Default value: \"FIREWALL\". Possible values: [\"FIREWALL\"].",
              "type": "string"
            }
          },
          "required": [
            "config"
          ],
          "type": "object",
          "additionalProperties": false
        },
        "policyId": {
          "description": "Immutable. The ID of the OrganizationSecurityPolicy this rule applies to.",
          "type": "string"
        },
        "preview": {
          "description": "If set to true, the specified action is not enforced.",
          "type": "boolean"
        },
        "resourceID": {
          "description": "Immutable. Optional. The priority of the resource. Used for creation and acquisition. When unset, the value of `metadata.name` is used as the default.",
          "type": "string"
        },
        "targetResources": {
          "description": "A list of network resource URLs to which this rule applies.\nThis field allows you to control which network's VMs get\nthis rule. If this field is left blank, all VMs\nwithin the organization will receive the rule.",
          "items": {
            "type": "string"
          },
          "type": "array"
        },
        "targetServiceAccounts": {
          "description": "A list of service accounts indicating the sets of\ninstances to which this rule is applied.",
          "items": {
            "type": "string"
          },
          "type": "array"
        }
      },
      "required": [
        "action",
        "match",
        "policyId"
      ],
      "type": "object",
      "additionalProperties": false
    },
    "status": {
      "properties": {
        "conditions": {
          "description": "Conditions represent the latest available observation of the resource's current state.",
          "items": {
            "properties": {
              "lastTransitionTime": {
                "description": "Last time the condition transitioned from one status to another.",
                "type": "string"
              },
              "message": {
                "description": "Human-readable message indicating details about last transition.",
                "type": "string"
              },
              "reason": {
                "description": "Unique, one-word, CamelCase reason for the condition's last transition.",
                "type": "string"
              },
              "status": {
                "description": "Status is the status of the condition. Can be True, False, Unknown.",
                "type": "string"
              },
              "type": {
                "description": "Type is the type of the condition.",
                "type": "string"
              }
            },
            "type": "object",
            "additionalProperties": false
          },
          "type": "array"
        },
        "observedGeneration": {
          "description": "ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, the current reported status reflects the most recent desired state of the resource.",
          "type": "integer"
        }
      },
      "type": "object",
      "additionalProperties": false
    }
  },
  "required": [
    "spec"
  ],
  "type": "object"
}
