{
  "description": "FQDNNetworkPolicy specifies which Fully-Qualified Domain Names a workload is allowed to egress to. FQDNNetworkPolicy has no effect on the allowed ingress traffic. \n FQDNNetworkPolicy works additively with Kubernetes Network Policies. Traffic matching either a Kubernetes NetworkPolicy or a FQDNNetworkPolicy will be allowed to egress the workload.",
  "properties": {
    "apiVersion": {
      "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources",
      "type": "string"
    },
    "kind": {
      "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds",
      "type": "string"
    },
    "metadata": {
      "type": "object"
    },
    "spec": {
      "description": "Spec is the desired configuration for FQDN Network Policy.",
      "properties": {
        "egress": {
          "description": "Egress specifies a list of rules applied to the selected pods. All egress rules are enforced using an implicit deny model (like Kubernetes Network Policies) -- only packets destined for the IPs that the matching FQDNs resolve to, on the matching ports, are allowed. \n Egress may not be missing or empty - it must contain at least 1 entry.",
          "items": {
            "description": "FQDNNetworkPolicyEgressRule identifies a set of endpoints traffic is allowed to. The exact L4 endpoints are constructed as a cross-product between the matches and ports lists.",
            "properties": {
              "matches": {
                "description": "Matches specifies the FQDN peers to which egress traffic is allowed. Matches may not be missing or empty - it must contain at least 1 entry.",
                "items": {
                  "description": "FQDNNetworkPolicyMatch specifies which FQDNs are allowed as peers of the selected pods. Exactly one of the sub-fields of FQDNNetworkPolicyMatch must be set. An empty struct is not allowed. A struct setting both Name and Pattern is not allowed.",
                  "maxProperties": 1,
                  "minProperties": 1,
                  "properties": {
                    "name": {
                      "description": "Name specifies the literal FQDN to match. If this is specified, no other match types may be specified in the same struct.",
                      "pattern": "^([a-zA-Z0-9]([-a-zA-Z0-9_]*[a-zA-Z0-9])*\\.?)*$",
                      "type": "string"
                    },
                    "pattern": {
                      "description": "Pattern allows matching FQDNs using wildcard specifiers. If this is specified, no other match types may be specified in the same struct. \"*\" matches 0 or more valid DNS characters (except for \".\"), and may occur anywhere in the pattern. As a special case, the \"*\" character by itself acts as a wildcard, matching all domain names. \n Examples: \n   - `*.google.com` matches subdomains of google.com at that level     - \"www.google.com\" and \"mail.google.com\" match, however \"google.com\",       \"sub.subdomain.google.com\", and \"kubernetes.io\" do not.   - `sub*.google.com` matches subdomains of google.com where the subdomain     component begins with \"sub\"     - \"sub.google.com\" and \"subdomain.google.com\" match, however       \"www.google.com\", \"mail.google.com\", and \"google.com\" do not.   - `*.*.google.com` matches subdomains of google.com at that level     - \"sub.subdomain.google.com\" matches, however \"google.com\" and       \"mail.google.com\" do not.   - `*a*.google.com` matches subdomains of google.com that contain an \"a\" at     that level     - \"mail.google.com\", \"maps.google.com\", and       \"subdomain.maps.google.com\" match, however \"google.com\" and       \"cloud.google.com\" do not.   - `*` by itself is a wild-card that matches all domains     - \"www.google.com\", \"kubernetes.io\", and \"sub.subdomain.google.com\"       all match",
                      "pattern": "^([a-zA-Z0-9*]([-a-zA-Z0-9_*]*[a-zA-Z0-9*])*\\.?)*$",
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "minItems": 1,
                "type": "array"
              },
              "ports": {
                "description": "Ports specifies the destination L4 port and protocol allowed to egress the pod. If ports is missing or empty, all ports and protocols are allowed.",
                "items": {
                  "description": "FQDNNetworkPolicyPort specifies which remote port and protocol is a valid peer of the selected pod.",
                  "properties": {
                    "port": {
                      "description": "Port is L4 Port. If Port is missing or empty, it matches all ports.",
                      "format": "int32",
                      "maximum": 65535,
                      "minimum": 1,
                      "type": "integer"
                    },
                    "protocol": {
                      "description": "Protocol is the L4 protocol. Valid options are \"TCP\", \"UDP\", or \"ALL\". If Protocol is missing or empty, it defaults to allowing all protocols.",
                      "enum": [
                        "TCP",
                        "UDP",
                        "ALL"
                      ],
                      "type": "string"
                    }
                  },
                  "type": "object",
                  "additionalProperties": false
                },
                "type": "array"
              }
            },
            "required": [
              "matches"
            ],
            "type": "object",
            "additionalProperties": false
          },
          "minItems": 1,
          "type": "array"
        },
        "podSelector": {
          "description": "PodSelector defines which workloads are selected by the Policy. An empty PodSelector selects all pods in the namespace.",
          "properties": {
            "matchExpressions": {
              "description": "matchExpressions is a list of label selector requirements. The requirements are ANDed.",
              "items": {
                "description": "A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.",
                "properties": {
                  "key": {
                    "description": "key is the label key that the selector applies to.",
                    "type": "string"
                  },
                  "operator": {
                    "description": "operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.",
                    "type": "string"
                  },
                  "values": {
                    "description": "values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.",
                    "items": {
                      "type": "string"
                    },
                    "type": "array"
                  }
                },
                "required": [
                  "key",
                  "operator"
                ],
                "type": "object",
                "additionalProperties": false
              },
              "type": "array"
            },
            "matchLabels": {
              "additionalProperties": {
                "type": "string"
              },
              "description": "matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \"key\", the operator is \"In\", and the values array contains only \"value\". The requirements are ANDed.",
              "type": "object"
            }
          },
          "type": "object",
          "additionalProperties": false
        }
      },
      "required": [
        "egress",
        "podSelector"
      ],
      "type": "object",
      "additionalProperties": false
    }
  },
  "required": [
    "spec"
  ],
  "type": "object"
}
