{ "description": "NetworkSecurityAuthorizationPolicy is the Schema for the NetworkSecurityAuthorizationPolicy API", "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "NetworkSecurityAuthorizationPolicySpec defines the desired state of NetworkSecurityAuthorizationPolicy", "properties": { "action": { "description": "Required. The action to take when a rule match is found. Possible values are \"ALLOW\" or \"DENY\".", "type": "string" }, "description": { "description": "Optional. Free-text description of the resource.", "type": "string" }, "location": { "description": "Immutable.", "type": "string", "x-kubernetes-validations": [ { "message": "Location field is immutable", "rule": "self == oldSelf" } ] }, "projectRef": { "description": "The Project that this resource belongs to.", "oneOf": [ { "not": { "required": [ "external" ] }, "required": [ "name" ] }, { "not": { "anyOf": [ { "required": [ "name" ] }, { "required": [ "namespace" ] } ] }, "required": [ "external" ] } ], "properties": { "external": { "description": "The `projectID` field of a project, when not managed by Config Connector.", "type": "string" }, "kind": { "description": "The kind of the Project resource; optional but must be `Project` if provided.", "type": "string" }, "name": { "description": "The `name` field of a `Project` resource.", "type": "string" }, "namespace": { "description": "The `namespace` field of a `Project` resource.", "type": "string" } }, "type": "object", "additionalProperties": false }, "resourceID": { "description": "The NetworkSecurityAuthorizationPolicy name. If not given, the metadata.name will be used.", "type": "string" }, "rules": { "description": "Optional. List of rules to match. Note that at least one of the rules must match in order for the action specified in the 'action' field to be taken. A rule is a match if there is a matching source and destination. If left blank, the action specified in the `action` field will be applied on every request.", "items": { "properties": { "destinations": { "description": "Optional. List of attributes for the traffic destination. All of the destinations must match. A destination is a match if a request matches all the specified hosts, ports, methods and headers. If not set, the action specified in the 'action' field will be applied without any rule checks for the destination.", "items": { "properties": { "hosts": { "description": "Required. List of host names to match. Matched against the \":authority\" header in http requests. At least one host should match. Each host can be an exact match, or a prefix match (example \"mydomain.*\") or a suffix match (example \"*.myorg.com\") or a presence (any) match \"*\".", "items": { "type": "string" }, "type": "array" }, "httpHeaderMatch": { "description": "Optional. Match against key:value pair in http header. Provides a flexible match based on HTTP headers, for potentially advanced use cases. At least one header should match. Avoid using header matches to make authorization decisions unless there is a strong guarantee that requests arrive through a trusted client or proxy.", "properties": { "headerName": { "description": "Required. The name of the HTTP header to match. For matching against the HTTP request's authority, use a headerMatch with the header name \":authority\". For matching a request's method, use the headerName \":method\".", "type": "string" }, "regexMatch": { "description": "Required. The value of the header must match the regular expression specified in regexMatch. For regular expression grammar, please see: en.cppreference.com/w/cpp/regex/ecmascript For matching against a port specified in the HTTP request, use a headerMatch with headerName set to Host and a regular expression that satisfies the RFC2616 Host header's port specifier.", "type": "string" } }, "required": [ "headerName", "regexMatch" ], "type": "object", "additionalProperties": false }, "methods": { "description": "Optional. A list of HTTP methods to match. At least one method should match. Should not be set for gRPC services.", "items": { "type": "string" }, "type": "array" }, "ports": { "description": "Required. List of destination ports to match. At least one port should match.", "items": { "format": "int32", "type": "integer" }, "type": "array" } }, "required": [ "hosts", "ports" ], "type": "object", "additionalProperties": false }, "type": "array" }, "sources": { "description": "Optional. List of attributes for the traffic source. All of the sources must match. A source is a match if both principals and ip_blocks match. If not set, the action specified in the 'action' field will be applied without any rule checks for the source.", "items": { "properties": { "ipBlocks": { "description": "Optional. List of CIDR ranges to match based on source IP address. At least one IP block should match. Single IP (e.g., \"1.2.3.4\") and CIDR (e.g., \"1.2.3.0/24\") are supported. Authorization based on source IP alone should be avoided. The IP addresses of any load balancers or proxies should be considered untrusted.", "items": { "type": "string" }, "type": "array" }, "principals": { "description": "Optional. List of peer identities to match for authorization. At least one principal should match. Each peer can be an exact match, or a prefix match (example, \"namespace/*\") or a suffix match (example, \"*/service-account\") or a presence match \"*\". Authorization based on the principal name without certificate validation (configured by ServerTlsPolicy resource) is considered insecure.", "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "type": "object", "additionalProperties": false }, "type": "array" } }, "required": [ "action", "location", "projectRef" ], "type": "object", "additionalProperties": false }, "status": { "description": "NetworkSecurityAuthorizationPolicyStatus defines the config connector machine state of NetworkSecurityAuthorizationPolicy", "properties": { "conditions": { "description": "Conditions represent the latest available observations of the object's current state.", "items": { "properties": { "lastTransitionTime": { "description": "Last time the condition transitioned from one status to another.", "type": "string" }, "message": { "description": "Human-readable message indicating details about last transition.", "type": "string" }, "reason": { "description": "Unique, one-word, CamelCase reason for the condition's last transition.", "type": "string" }, "status": { "description": "Status is the status of the condition. Can be True, False, Unknown.", "type": "string" }, "type": { "description": "Type is the type of the condition.", "type": "string" } }, "type": "object", "additionalProperties": false }, "type": "array" }, "createTime": { "description": "Output only. The timestamp when the resource was created.", "format": "date-time", "type": "string" }, "externalRef": { "description": "A unique specifier for the NetworkSecurityAuthorizationPolicy resource in GCP.", "type": "string" }, "observedGeneration": { "description": "ObservedGeneration is the generation of the resource that was most recently observed by the Config Connector controller. If this is equal to metadata.generation, then that means that the current reported status reflects the most recent desired state of the resource.", "format": "int64", "type": "integer" }, "updateTime": { "description": "Output only. The timestamp when the resource was updated.", "format": "date-time", "type": "string" } }, "type": "object", "additionalProperties": false } }, "required": [ "spec" ], "type": "object" }