diff --git a/content/docs/main/docs/antrea-network-policy.md b/content/docs/main/docs/antrea-network-policy.md index af036c7e..3c7de27a 100644 --- a/content/docs/main/docs/antrea-network-policy.md +++ b/content/docs/main/docs/antrea-network-policy.md @@ -1366,6 +1366,13 @@ Antrea will only program datapath rules for actual egress traffic towards these on DNS results. It will not interfere with DNS packets, unless there is a separate policy dropping/rejecting communication between the DNS components and the Pods selected. +Antrea respects the TTL of DNS records, expiring stale IPs that are absent in more recent +records according to their TTL. Therefore, Pods employing FQDN based policies ought to refrain +from caching a DNS record for a duration exceeding its TTL. Otherwise, FQDN based policies may +intermittently fail to function as intended. Typically, the Java virtual machine (JVM) caches +DNS records for a fixed period of time, controlled by `networkaddress.cache.ttl`. In this +case, it’s crucial to set the JVM’s TTL to 0 so that FQDN based policies can work properly. + Note that FQDN based policies do not work for [Service DNS names created by Kubernetes](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#services) (e.g. `kubernetes.default.svc` or `antrea.kube-system.svc`), except for headless diff --git a/content/docs/main/docs/api-reference.html b/content/docs/main/docs/api-reference.html index 0eff700d..ca179c53 100644 --- a/content/docs/main/docs/api-reference.html +++ b/content/docs/main/docs/api-reference.html @@ -2787,168 +2787,10 @@
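Review bot: the new paragraph tells JVM users to set `networkaddress.cache.ttl` to 0 but does not say where that setting lives; because it is a Java security property (the JDK's `java.security` file, or `java.security.Security.setProperty` at startup) rather than a `-D` command-line flag, a one-line pointer would save readers a wrong guess. The sentence "Typically, the Java virtual machine (JVM) caches DNS records for a fixed period of time" could also state the default behaviour being overridden, and "ought to refrain from caching a DNS record for a duration exceeding its TTL" reads more naturally as "should not cache a DNS record beyond its TTL". Minor: use plain ASCII apostrophes in `it’s` and `JVM’s` to match the rest of the markdown.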
-
-Field | -Description | -||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
-apiVersion
-string |
-
-
-crd.antrea.io/v1alpha1
-
- |
-||||||||||
-kind
-string
- |
-ClusterNetworkPolicy |
-||||||||||
-metadata
-
-
-Kubernetes meta/v1.ObjectMeta
-
-
- |
-
- Standard metadata of the object. -Refer to the Kubernetes API documentation for the fields of the -metadata field.
- |
-||||||||||
-spec
-
-
-ClusterNetworkPolicySpec
-
-
- |
-
- Specification of the desired behavior of ClusterNetworkPolicy. -- -
|
-||||||||||
-status
-
-
-NetworkPolicyStatus
-
-
- |
-
- Most recently observed status of the NetworkPolicy. - |
-
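Review bot: no replacement for the deleted `crd.antrea.io/v1alpha1` ClusterNetworkPolicy resource table (apiVersion, kind, metadata, spec, status) appears anywhere in this hunk, so the regenerated reference drops that resource entirely. Confirm the page still documents ClusterNetworkPolicy under its current API version, and that any anchors other docs link to (for example `ClusterNetworkPolicySpec` and `NetworkPolicyStatus`, both removed here) still resolve; otherwise the companion antrea-network-policy.md change describes FQDN rules for a type the reference no longer lists.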
@@ -3026,7 +2868,7 @@
@@ -3053,7 +2895,7 @@
kind
string
-NetworkPolicy
SupportBundleCollection
spec
-
-NetworkPolicySpec
+
+SupportBundleCollectionSpec
Specification of the desired behavior of NetworkPolicy.
+Specification of the desired behavior of SupportBundleCollection.
-tier
+nodes
-string
+
+BundleNodes
+
|
- Tier specifies the tier to which this NetworkPolicy belongs to. -The NetworkPolicy order will be determined based on the combination of the -Tier’s Priority and the NetworkPolicy’s own Priority. If not specified, -this policy will be created in the Application Tier right above the K8s -NetworkPolicy which resides at the bottom. |
-priority
+externalNodes
-float64
+
+BundleExternalNodes
+
|
- Priority specfies the order of the NetworkPolicy relative to other -NetworkPolicies. |
-appliedTo
+expirationMinutes
-
-[]AppliedTo
-
+int32
|
-(Optional)
- Select workloads on which the rules will be applied to. Cannot be set in -conjunction with AppliedTo in each rule. +ExpirationMinutes is the requested duration of validity of the SupportBundleCollection. +A SupportBundleCollection will be marked as Failed if it does not finish before expiration. +Default is 60. |
-ingress
+sinceTime
-
-[]Rule
+string
+
+ |
+
+ SinceTime specifies a relative time before the current time from which to collect logs +A valid value is like: 1d, 2h, 30m. + |
+
+fileServer
+
+
+BundleFileServer
|
-(Optional)
- Set of ingress rules evaluated based on the order in which they are set.
-Currently Ingress rule supports setting the |
-egress
+authentication
-
-[]Rule
+
+BundleServerAuthConfiguration
|
-(Optional)
- Set of egress rules evaluated based on the order in which they are set.
-Currently Egress rule supports setting the |
status
-
-NetworkPolicyStatus
+
+SupportBundleCollectionStatus
Most recently observed status of the NetworkPolicy.
+Most recently observed status of the SupportBundleCollection.
+(Appears on: +SupportBundleCollectionSpec) +
+
-apiVersion
-string |
-
-
-crd.antrea.io/v1alpha1
-
+namespace
+
+string
+
|
-||||||||||||
-kind
-string
|
-SupportBundleCollection |
||||||||||||
-metadata
+nodeNames
-
-Kubernetes meta/v1.ObjectMeta
-
+[]string
|
- Standard metadata of the object. -Refer to the Kubernetes API documentation for the fields of the -metadata field.
+(Optional)
+List the names of certain ExternalNodes which are expected to collect and upload +bundle files. |
||||||||||||
-spec
+nodeSelector
-
-SupportBundleCollectionSpec
-
-
- |
-
- Specification of the desired behavior of SupportBundleCollection. -- -
|
-||||||||||||
-status
-
-
-SupportBundleCollectionStatus
-
-
- |
-
- Most recently observed status of the SupportBundleCollection. - |
-
-
-Field | -Description | -||||
---|---|---|---|---|---|
-apiVersion
-string |
-
-
-crd.antrea.io/v1alpha1
-
- |
-||||
-kind
-string
- |
-Tier |
-||||
-metadata
-
-
-Kubernetes meta/v1.ObjectMeta
-
-
- |
-
- Standard metadata of the object. -Refer to the Kubernetes API documentation for the fields of the -metadata field.
- |
-||||
-spec
-
-
-TierSpec
-
-
- |
-
- Specification of the desired behavior of Tier. -- -
|
-
-
-Field | -Description | -||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
-apiVersion
-string |
-
-
-crd.antrea.io/v1alpha1
-
- |
-||||||||||||
-kind
-string
- |
-Traceflow |
-||||||||||||
-metadata
-
-
-Kubernetes meta/v1.ObjectMeta
-
-
- |
-
-Refer to the Kubernetes API documentation for the fields of the
-metadata field.
- |
-||||||||||||
-spec
-
-
-TraceflowSpec
-
-
- |
-
- - -
|
-||||||||||||
-status
-
-
-TraceflowStatus
-
-
- |
-- | -
-(Appears on: -ClusterNetworkPolicySpec, -NetworkPolicySpec, -Rule) -
--
AppliedTo describes the grouping selector of workloads in AppliedTo field.
- -Field | -Description | -
---|---|
-podSelector
-
-
-Kubernetes meta/v1.LabelSelector
-
-
- |
-
-(Optional)
- Select Pods from NetworkPolicy’s Namespace as workloads in -AppliedTo fields. If set with NamespaceSelector, Pods are -matched from Namespaces matched by the NamespaceSelector. -Cannot be set with any other selector except NamespaceSelector. - |
-
-namespaceSelector
-
-
-Kubernetes meta/v1.LabelSelector
-
-
- |
-
-(Optional)
- Select all Pods from Namespaces matched by this selector, as -workloads in AppliedTo fields. If set with PodSelector, -Pods are matched from Namespaces matched by the NamespaceSelector. -Cannot be set with any other selector except PodSelector or -ExternalEntitySelector. Cannot be set with Namespaces. - |
-
-externalEntitySelector
-
-
-Kubernetes meta/v1.LabelSelector
-
-
- |
-
-(Optional)
- Select ExternalEntities from NetworkPolicy’s Namespace as workloads -in AppliedTo fields. If set with NamespaceSelector, -ExternalEntities are matched from Namespaces matched by the -NamespaceSelector. -Cannot be set with any other selector except NamespaceSelector. - |
-
-group
-
-string
-
- |
-
-(Optional)
- Group is the name of the ClusterGroup which can be set as an -AppliedTo in place of a stand-alone selector. A Group cannot -be set with any other selector. - |
-
-serviceAccount
-
-
-NamespacedName
-
-
- |
-
-(Optional)
- Select all Pods with the ServiceAccount matched by this field, as -workloads in AppliedTo fields. -Cannot be set with any other selector. - |
-
-service
-
-
-NamespacedName
-
-
- |
-
-(Optional)
- Select a certain Service which matches the NamespacedName. -A Service can only be set in either policy level AppliedTo field in a policy -that only has ingress rules or rule level AppliedTo field in an ingress rule. -Only a NodePort Service can be referred by this field. -Cannot be set with any other selector. - |
-
-(Appears on: -SupportBundleCollectionSpec) -
--
-Field | -Description | -
---|---|
-namespace
-
-string
-
- |
-- | -
-nodeNames
-
-[]string
-
- |
-
-(Optional)
- List the names of certain ExternalNodes which are expected to collect and upload -bundle files. - |
-
-nodeSelector
-
-
-Kubernetes meta/v1.LabelSelector
-
-
- |
-
-(Optional)
- Select certain ExternalNodes which match the label selector. - |
-
-(Appears on: -SupportBundleCollectionSpec) -
--
BundleFileServer specifies the bundle file server information.
- -Field | -Description | -
---|---|
-url
-
-string
-
- |
-
- The URL of the bundle file server. It is set with format: scheme://host[:port][/path], -e.g, https://api.example.com:8443/v1/supportbundles/. If scheme is not set, https is used by default. - |
-
-(Appears on: -SupportBundleCollectionSpec) -
--
-Field | -Description | -
---|---|
-nodeNames
-
-[]string
-
- |
-
-(Optional)
- List the names of certain Nodes which are expected to collect and upload -bundle files. - |
-
-nodeSelector
-
-
-Kubernetes meta/v1.LabelSelector
-
-
- |
-
-(Optional)
- Select certain Nodes which match the label selector. - |
-
-(Appears on: -SupportBundleCollectionSpec) -
--
BundleServerAuthConfiguration defines the authentication parameters that Antrea uses to access -the BundleFileServer.
- -Field | -Description | -
---|---|
-authType
-
-
-BundleServerAuthType
-
-
- |
-- | -
-authSecret
-
-
-Kubernetes core/v1.SecretReference
-
-
- |
-
- AuthSecret is a Secret reference which stores the authentication value. - |
-
string
alias)-(Appears on: -BundleServerAuthConfiguration) -
--
BundleServerAuthType defines the authentication type to access the BundleFileServer.
- --(Appears on: -ClusterNetworkPolicy) -
--
ClusterNetworkPolicySpec defines the desired state for ClusterNetworkPolicy.
- -Field | -Description | -
---|---|
-tier
-
-string
-
- |
-
- Tier specifies the tier to which this ClusterNetworkPolicy belongs to. -The ClusterNetworkPolicy order will be determined based on the -combination of the Tier’s Priority and the ClusterNetworkPolicy’s own -Priority. If not specified, this policy will be created in the Application -Tier right above the K8s NetworkPolicy which resides at the bottom. - |
-
-priority
-
-float64
-
- |
-
- Priority specfies the order of the ClusterNetworkPolicy relative to -other AntreaClusterNetworkPolicies. - |
-
-appliedTo
-
-
-[]AppliedTo
-
-
- |
-
-(Optional)
- Select workloads on which the rules will be applied to. Cannot be set in -conjunction with AppliedTo in each rule. - |
-
-ingress
-
-
-[]Rule
-
-
- |
-
-(Optional)
- Set of ingress rules evaluated based on the order in which they are set.
-Currently Ingress rule supports setting the |
-
-egress
-
-
-[]Rule
-
-
- |
-
-(Optional)
- Set of egress rules evaluated based on the order in which they are set.
-Currently Egress rule supports setting the |
-
-(Appears on: -TraceflowSpec) -
--
Destination describes the destination spec of the traceflow.
- -Field | -Description | -
---|---|
-namespace
-
-string
-
- |
-
- Namespace is the destination namespace. - |
-
-pod
-
-string
-
- |
-
- Pod is the destination pod, exclusive with destination service. - |
-
-service
-
-string
-
- |
-
- Service is the destination service, exclusive with destination pod. - |
-
-ip
-
-string
-
- |
-
- IP is the destination IPv4 or IPv6 address. - |
-
-(Appears on: -ExternalNode) -
--
ExternalNodeSpec defines the desired state for ExternalNode.
- -Field | -Description | -
---|---|
-interfaces
-
-
-[]NetworkInterface
-
-
- |
-
- Only one network interface is supported now. -Other interfaces except interfaces[0] will be ignored if there are more than one interfaces. - |
-
-(Appears on: -L7Protocol) -
--
HTTPProtocol matches HTTP requests with specific host, method, and path. All fields could be used alone or together. -If all fields are not provided, it matches all HTTP requests.
- -Field | -Description | -
---|---|
-host
-
-string
-
- |
-
- Host represents the hostname present in the URI or the HTTP Host header to match. -It does not contain the port associated with the host. - |
-
-method
-
-string
-
- |
-
- Method represents the HTTP method to match. -It could be GET, POST, PUT, HEAD, DELETE, TRACE, OPTIONS, CONNECT and PATCH. - |
-
-path
-
-string
-
- |
-
- Path represents the URI path to match (Ex. “/index.html”, “/admin”). - |
-
-(Appears on: -TransportHeader) -
--
ICMPEchoRequestHeader describes spec of an ICMP echo request header.
- -Field | -Description | -
---|---|
-id
-
-int32
-
- |
-
- ID is the ICMPEchoRequestHeader ID. - |
-
-sequence
-
-int32
-
- |
-
- Sequence is the ICMPEchoRequestHeader sequence. - |
-
-(Appears on: -NetworkPolicyProtocol) -
--
ICMPProtocol matches ICMP traffic with specific ICMPType and/or ICMPCode. All -fields could be used alone or together. If all fields are not provided, this -matches all ICMP traffic.
- -Field | -Description | -
---|---|
-icmpType
-
-int32
-
- |
-- | -
-icmpCode
-
-int32
-
- |
-- | -
-(Appears on: -NetworkPolicyProtocol) -
--
IGMPProtocol matches IGMP traffic with IGMPType and GroupAddress. IGMPType must -be filled with: -IGMPQuery int32 = 0x11 -IGMPReportV1 int32 = 0x12 -IGMPReportV2 int32 = 0x16 -IGMPReportV3 int32 = 0x22 -If groupAddress is empty, all groupAddresses will be matched.
- -Field | -Description | -
---|---|
-igmpType
-
-int32
-
- |
-- | -
-groupAddress
-
-string
-
- |
-- | -
-(Appears on: -NetworkPolicyPeer, -GroupSpec) -
--
IPBlock describes a particular CIDR (Ex. “192.168.1.1⁄24”) that is allowed -or denied to/from the workloads matched by a Spec.AppliedTo.
- -Field | -Description | -
---|---|
-cidr
-
-string
-
- |
-
- CIDR is a string representing the IP Block -Valid examples are “192.168.1.1⁄24”. - |
-
-(Appears on: -Packet) -
--
IPHeader describes spec of an IPv4 header.
- -Field | -Description | -
---|---|
-srcIP
-
-string
-
- |
-
- SrcIP is the source IP. - |
-
-protocol
-
-int32
-
- |
-
- Protocol is the IP protocol. - |
-
-ttl
-
-int32
-
- |
-
- TTL is the IP TTL. - |
-
-flags
-
-int32
-
- |
-
- Flags is the flags for IP. - |
-
-(Appears on: -Packet) -
--
IPv6Header describes spec of an IPv6 header.
- -Field | -Description | -
---|---|
-srcIP
-
-string
-
- |
-
- SrcIP is the source IPv6. - |
-
-nextHeader
-
-int32
-
- |
-
- NextHeader is the IPv6 protocol. - |
-
-hopLimit
-
-int32
-
- |
-
- HopLimit is the IPv6 Hop Limit. - |
-
-(Appears on: -Rule) -
--
-Field | -Description | -
---|---|
-http
-
-
-HTTPProtocol
-
-
- |
-- | -
-tls
-
-
-TLSProtocol
-
-
- |
-- | -
string
alias)-(Appears on: -PeerNamespaces) -
--
NamespaceMatchType describes Namespace matching strategy.
- --(Appears on: -AppliedTo, -NetworkPolicyPeer, -GroupSpec) -
--
NamespacedName refers to a Namespace scoped resource. -All fields must be used together.
- -Field | -Description | -
---|---|
-name
-
-string
-
- |
-- | -
-namespace
-
-string
-
- |
-- | -
-(Appears on: -ExternalNodeSpec) -
--
-Field | -Description | -
---|---|
-name
-
-string
-
- |
-- | -
-ips
-
-[]string
-
- |
-- | -
-(Appears on: -NetworkPolicyStatus) -
--
NetworkPolicyCondition describes the state of a NetworkPolicy at a certain point.
- -Field | -Description | -
---|---|
-type
-
-
-NetworkPolicyConditionType
-
-
- |
-
- Type of StatefulSet condition. - |
-
-status
-
-
-Kubernetes meta/v1.ConditionStatus
-
-
- |
-
- Status of the condition, one of True, False, Unknown. - |
-
-lastTransitionTime
-
-
-Kubernetes meta/v1.Time
-
-
- |
-
-(Optional)
- Last time the condition transitioned from one status to another. - |
-
-reason
-
-string
-
- |
-
-(Optional)
- The reason for the condition’s last transition. - |
-
-message
-
-string
-
- |
-
-(Optional)
- A human-readable message indicating details about the transition. - |
-
string
alias)-(Appears on: -NetworkPolicyCondition) -
--
NetworkPolicyConditionType describes the condition types of NetworkPolicies.
- --(Appears on: -Rule) -
--
NetworkPolicyPeer describes the grouping selector of workloads.
- -Field | -Description | -
---|---|
-ipBlock
-
-
-IPBlock
-
-
- |
-
-(Optional)
- IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. -IPBlock cannot be set as part of the AppliedTo field. -Cannot be set with any other selector. - |
-
-podSelector
-
-
-Kubernetes meta/v1.LabelSelector
-
-
- |
-
-(Optional)
- Select Pods from NetworkPolicy’s Namespace as workloads in -To/From fields. If set with NamespaceSelector, Pods are -matched from Namespaces matched by the NamespaceSelector. -Cannot be set with any other selector except NamespaceSelector. - |
-
-namespaceSelector
-
-
-Kubernetes meta/v1.LabelSelector
-
-
- |
-
-(Optional)
- Select all Pods from Namespaces matched by this selector, as -workloads in To/From fields. If set with PodSelector, -Pods are matched from Namespaces matched by the NamespaceSelector. -Cannot be set with any other selector except PodSelector or -ExternalEntitySelector. Cannot be set with Namespaces. - |
-
-namespaces
-
-
-PeerNamespaces
-
-
- |
-
-(Optional)
- Select Pod/ExternalEntity from Namespaces matched by specific criteria. -Current supported criteria is match: Self, which selects from the same -Namespace of the appliedTo workloads. -Cannot be set with any other selector except PodSelector or -ExternalEntitySelector. This field can only be set when NetworkPolicyPeer -is created for ClusterNetworkPolicy ingress/egress rules. -Cannot be set with NamespaceSelector. - |
-
-externalEntitySelector
-
-
-Kubernetes meta/v1.LabelSelector
-
-
- |
-
-(Optional)
- Select ExternalEntities from NetworkPolicy’s Namespace as workloads -in To/From fields. If set with NamespaceSelector, -ExternalEntities are matched from Namespaces matched by the -NamespaceSelector. -Cannot be set with any other selector except NamespaceSelector. - |
-
-group
-
-string
-
- |
-
- Group is the name of the ClusterGroup which can be set within -an Ingress or Egress rule in place of a stand-alone selector. -A Group cannot be set with any other selector. - |
-
-fqdn
-
-string
-
- |
-
- Restrict egress access to the Fully Qualified Domain Names prescribed -by name or by wildcard match patterns. This field can only be set for -NetworkPolicyPeer of egress rules. -Supported formats are: -Exact FQDNs, i.e. “google.com”, “db-svc.default.svc.cluster.local” -Wildcard expressions, i.e. “*wayfair.com”. - |
-
-serviceAccount
-
-
-NamespacedName
-
-
- |
-
-(Optional)
- Select all Pods with the ServiceAccount matched by this field, as -workloads in To/From fields. -Cannot be set with any other selector. - |
-
-nodeSelector
-
-
-Kubernetes meta/v1.LabelSelector
-
-
- |
-
-(Optional)
- Select certain Nodes which match the label selector. -A NodeSelector cannot be set in AppliedTo field or set with any other selector. - |
-
-scope
-
-
-PeerScope
-
-
- |
-
-(Optional)
- Define scope of the Pod/NamespaceSelector(s) of this peer. -Can only be used in ingress NetworkPolicyPeers. -Defaults to “Cluster”. - |
-
string
alias)-(Appears on: -NetworkPolicyStatus) -
--
NetworkPolicyPhase defines the phase in which a NetworkPolicy is.
- --(Appears on: -Rule) -
--
NetworkPolicyPort describes the port and protocol to match in a rule.
- -Field | -Description | -
---|---|
-protocol
-
-
-Kubernetes core/v1.Protocol
-
-
- |
-
-(Optional)
- The protocol (TCP, UDP, or SCTP) which traffic must match. -If not specified, this field defaults to TCP. - |
-
-port
-
-
-k8s.io/apimachinery/pkg/util/intstr.IntOrString
-
-
- |
-
-(Optional)
- The port on the given protocol. This can be either a numerical -or named port on a Pod. If this field is not provided, this -matches all port names and numbers. - |
-
-endPort
-
-int32
-
- |
-
-(Optional)
- EndPort defines the end of the port range, inclusive.
-It can only be specified when a numerical |
-
-sourcePort
-
-int32
-
- |
-
-(Optional)
- The source port on the given protocol. This can only be a numerical port. -If this field is not provided, rule matches all source ports. - |
-
-sourceEndPort
-
-int32
-
- |
-
-(Optional)
- SourceEndPort defines the end of the source port range, inclusive.
-It can only be specified when |
-
-(Appears on: -Rule) -
--
NetworkPolicyProtocol defines additional protocols that are not supported by
-ports
. All fields should be used as a standalone field.
Field | -Description | -
---|---|
-icmp
-
-
-ICMPProtocol
-
-
- |
-- | -
-igmp
-
-
-IGMPProtocol
-
-
- |
-- | -
-(Appears on: -NetworkPolicy) -
--
NetworkPolicySpec defines the desired state for NetworkPolicy.
- -Field | -Description | -
---|---|
-tier
-
-string
-
- |
-
- Tier specifies the tier to which this NetworkPolicy belongs to. -The NetworkPolicy order will be determined based on the combination of the -Tier’s Priority and the NetworkPolicy’s own Priority. If not specified, -this policy will be created in the Application Tier right above the K8s -NetworkPolicy which resides at the bottom. - |
-
-priority
-
-float64
-
- |
-
- Priority specfies the order of the NetworkPolicy relative to other -NetworkPolicies. - |
-
-appliedTo
-
-
-[]AppliedTo
-
-
- |
-
-(Optional)
- Select workloads on which the rules will be applied to. Cannot be set in -conjunction with AppliedTo in each rule. - |
-
-ingress
-
-
-[]Rule
-
-
- |
-
-(Optional)
- Set of ingress rules evaluated based on the order in which they are set.
-Currently Ingress rule supports setting the |
-
-egress
-
-
-[]Rule
-
-
- |
-
-(Optional)
- Set of egress rules evaluated based on the order in which they are set.
-Currently Egress rule supports setting the |
-
-(Appears on: -ClusterNetworkPolicy, -NetworkPolicy) -
--
NetworkPolicyStatus represents information about the status of a NetworkPolicy.
- -Field | -Description | -
---|---|
-phase
-
-
-NetworkPolicyPhase
-
-
- |
-
- The phase of a NetworkPolicy is a simple, high-level summary of the NetworkPolicy’s status. - |
-
-observedGeneration
-
-int64
-
- |
-
- The generation observed by Antrea. - |
-
-currentNodesRealized
-
-int32
-
- |
-
- The number of nodes that have realized the NetworkPolicy. - |
-
-desiredNodesRealized
-
-int32
-
- |
-
- The total number of nodes that should realize the NetworkPolicy. - |
-
-conditions
-
-
-[]NetworkPolicyCondition
-
-
- |
-
- Represents the latest available observations of a NetworkPolicy current state. - |
-
-(Appears on: -TraceflowStatus) -
--
-Field | -Description | -
---|---|
-node
-
-string
-
- |
-
- Node is the node of the observation. - |
-
-role
-
-string
-
- |
-
- Role of the node like sender, receiver, etc. - |
-
-timestamp
-
-int64
-
- |
-
- Timestamp is the timestamp of the observations on the node. - |
-
-observations
-
-
-[]Observation
-
-
- |
-
- Observations includes all observations from sender nodes, receiver ones, etc. - |
-
-(Appears on: -NodeResult) -
--
Observation describes those from sender nodes or receiver nodes.
- -Field | -Description | -
---|---|
-component
-
-
-TraceflowComponent
-
-
- |
-
- Component is the observation component. - |
-
-componentInfo
-
-string
-
- |
-
- ComponentInfo is the extension of Component field. - |
-
-action
-
-
-TraceflowAction
-
-
- |
-
- Action is the action to the observation. - |
-
-pod
-
-string
-
- |
-
- Pod is the combination of Pod name and Pod Namespace. - |
-
-dstMAC
-
-string
-
- |
-
- DstMAC is the destination MAC. - |
-
-networkPolicy
-
-string
-
- |
-
- NetworkPolicy is the combination of Namespace and NetworkPolicyName. - |
-
-egress
-
-string
-
- |
-
- Egress is the name of the Egress. - |
-
-ttl
-
-int32
-
- |
-
- TTL is the observation TTL. - |
-
-translatedSrcIP
-
-string
-
- |
-
- TranslatedSrcIP is the translated source IP. - |
-
-translatedDstIP
-
-string
-
- |
-
- TranslatedDstIP is the translated destination IP. - |
-
-tunnelDstIP
-
-string
-
- |
-
- TunnelDstIP is the tunnel destination IP. - |
-
-egressIP
-
-string
-
- |
-- | -
-(Appears on: -TraceflowSpec, -TraceflowStatus) -
--
Packet includes header info.
- -Field | -Description | -
---|---|
-srcIP
-
-string
-
- |
-- | -
-dstIP
-
-string
-
- |
-- | -
-length
-
-uint16
-
- |
-
- Length is the IP packet length (includes the IPv4 or IPv6 header length). - |
-
-ipHeader
-
-
-IPHeader
-
-
- |
-
- TODO: change type IPHeader to *IPHeader and correct all internal references - |
-
-ipv6Header
-
-
-IPv6Header
-
-
- |
-- | -
-transportHeader
-
-
-TransportHeader
-
-
- |
-- | -
-(Appears on: -NetworkPolicyPeer) -
--
-Field | -Description | -
---|---|
-match
-
-
-NamespaceMatchType
-
-
- |
-- | -
string
alias)-(Appears on: -NetworkPolicyPeer, -PeerService) -
--
--(Appears on: -Rule) -
--
PeerService refers to a Service, which can be a in-cluster Service or -imported multi-cluster service.
- -Field | -Description | -
---|---|
-name
-
-string
-
- |
-- | -
-namespace
-
-string
-
- |
-- | -
-scope
-
-
-PeerScope
-
-
- |
-- | -
-(Appears on: -ClusterNetworkPolicySpec, -NetworkPolicySpec) -
--
Rule describes the traffic allowed to/from the workloads selected by -Spec.AppliedTo. Based on the action specified in the rule, traffic is either -allowed or denied which exactly match the specified ports and protocol.
- -Field | -Description | -
---|---|
-action
-
-
-RuleAction
-
-
- |
-
- Action specifies the action to be applied on the rule. - |
-
-ports
-
-
-[]NetworkPolicyPort
-
-
- |
-
-(Optional)
- Set of ports and protocols matched by the rule. If this field and Protocols -are unset or empty, this rule matches all ports. - |
-
-protocols
-
-
-[]NetworkPolicyProtocol
-
-
- |
-
-(Optional)
- Set of protocols matched by the rule. If this field and Ports are unset or -empty, this rule matches all protocols supported. - |
-
-l7Protocols
-
-
-[]L7Protocol
-
-
- |
-
- Set of layer 7 protocols matched by the rule. If this field is set, action can only be Allow. -When this field is used in a rule, any traffic matching the other layer 3⁄4 criteria of the rule (typically the -5-tuple) will be forwarded to an application-aware engine for protocol detection and rule enforcement, and the -traffic will be allowed if the layer 7 criteria is also matched, otherwise it will be dropped. Therefore, any -rules after a layer 7 rule will not be enforced for the traffic. - |
-
-from
-
-
-[]NetworkPolicyPeer
-
-
- |
-
-(Optional)
- Rule is matched if traffic originates from workloads selected by -this field. If this field is empty, this rule matches all sources. - |
-
-to
-
-
-[]NetworkPolicyPeer
-
-
- |
-
-(Optional)
- Rule is matched if traffic is intended for workloads selected by -this field. This field can’t be used with ToServices. If this field -and ToServices are both empty or missing this rule matches all destinations. - |
-
-toServices
-
-
-[]PeerService
-
-
- |
-
-(Optional)
- Rule is matched if traffic is intended for a Service listed in this field. -Currently, only ClusterIP types Services are supported in this field. -When scope is set to ClusterSet, it matches traffic intended for a multi-cluster -Service listed in this field. Service name and Namespace provided should match -the original exported Service. -This field can only be used when AntreaProxy is enabled. This field can’t be used -with To or Ports. If this field and To are both empty or missing, this rule matches -all destinations. - |
-
-name
-
-string
-
- |
-
-(Optional)
- Name describes the intention of this rule. -Name should be unique within the policy. - |
-
-enableLogging
-
-bool
-
- |
-
-(Optional)
- EnableLogging is used to indicate if agent should generate logs -when rules are matched. Should be default to false. - |
-
-logLabel
-
-string
-
- |
-
-(Optional)
- LogLabel is a user-defined arbitrary string which will be printed in the NetworkPolicy logs. - |
-
-appliedTo
-
-
-[]AppliedTo
+
+Kubernetes meta/v1.LabelSelector
|
(Optional)
- Select workloads on which this rule will be applied to. Cannot be set in -conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo. +Select certain ExternalNodes which match the label selector. |
string
alias)-(Appears on: -Rule) -
--
RuleAction describes the action to be applied on traffic matching a rule.
- -(Appears on: -TraceflowSpec) +SupportBundleCollectionSpec)
-
Source describes the source spec of the traceflow.
+BundleFileServer specifies the bundle file server information.
-namespace
-
-string
-
- |
-
- Namespace is the source namespace. - |
-
-pod
-
-string
-
- |
-
- Pod is the source pod. - |
-
-ip
+url
string
|
- IP is the source IPv4 or IPv6 address. IP as the source is supported -only for live-traffic Traceflow. +The URL of the bundle file server. It is set with format: scheme://host[:port][/path], +e.g, https://api.example.com:8443/v1/supportbundles/. If scheme is not set, https is used by default. |
(Appears on: -SupportBundleCollectionStatus) +SupportBundleCollectionSpec)
-
SupportBundleCollectionCondition describes the state of a SupportBundleCollection at a certain point.
-type
+nodeNames
-
-SupportBundleCollectionConditionType
-
+[]string
|
- Type of StatefulSet condition. +(Optional) +List the names of certain Nodes which are expected to collect and upload +bundle files. |
-status
+nodeSelector
-
-Kubernetes meta/v1.ConditionStatus
+
+Kubernetes meta/v1.LabelSelector
|
- Status of the condition, one of True, False, Unknown. +(Optional) +Select certain Nodes which match the label selector. |
+(Appears on: +SupportBundleCollectionSpec) +
++
BundleServerAuthConfiguration defines the authentication parameters that Antrea uses to access +the BundleFileServer.
+ +
-lastTransitionTime
-
-
-Kubernetes meta/v1.Time
-
-
- |
-
-(Optional)
- Last time the condition transitioned from one status to another. - |
+Field | +Description |
---|---|---|---|
-reason
+authType
-string
+
+BundleServerAuthType
+
|
-(Optional)
- The reason for the condition’s last transition. |
||
-message
+authSecret
-string
+
+Kubernetes core/v1.SecretReference
+
|
-(Optional)
- A human-readable message indicating details about the transition. +AuthSecret is a Secret reference which stores the authentication value. |
string
alias)(Appears on: -SupportBundleCollectionCondition) +BundleServerAuthConfiguration)
+
BundleServerAuthType defines the authentication type to access the BundleFileServer.
-(Appears on: -SupportBundleCollection) +ExternalNode)
+
ExternalNodeSpec defines the desired state for ExternalNode.
-nodes
-
-
-BundleNodes
-
-
- |
-- | -
-externalNodes
+interfaces
-
-BundleExternalNodes
+
+[]NetworkInterface
|
+ Only one network interface is supported now. +Other interfaces except interfaces[0] will be ignored if there are more than one interfaces. |
+(Appears on: +L7Protocol) +
++
HTTPProtocol matches HTTP requests with specific host, method, and path. All fields could be used alone or together. +If all fields are not provided, it matches all HTTP requests.
+ +
-expirationMinutes
-
-int32
-
- |
-
- ExpirationMinutes is the requested duration of validity of the SupportBundleCollection. -A SupportBundleCollection will be marked as Failed if it does not finish before expiration. -Default is 60. - |
+Field | +Description |
---|---|---|---|
-sinceTime
+host
string
|
- SinceTime specifies a relative time before the current time from which to collect logs -A valid value is like: 1d, 2h, 30m. +Host represents the hostname present in the URI or the HTTP Host header to match. +It does not contain the port associated with the host. |
||
-fileServer
+method
-
-BundleFileServer
-
+string
|
+ Method represents the HTTP method to match. +It could be GET, POST, PUT, HEAD, DELETE, TRACE, OPTIONS, CONNECT and PATCH. |
||
-authentication
+path
-
-BundleServerAuthConfiguration
-
+string
|
+ Path represents the URI path to match (Ex. “/index.html”, “/admin”). |
(Appears on: -SupportBundleCollection) +GroupSpec)
+
IPBlock describes a particular CIDR (Ex. “192.168.1.1⁄24”) that is allowed +or denied to/from the workloads matched by a Spec.AppliedTo.
-collectedNodes
-
-int32
-
- |
-
- The number of Nodes and ExternalNodes that have completed the SupportBundleCollection. - |
-
-desiredNodes
-
-int32
-
- |
-
- The total number of Nodes and ExternalNodes that should process the SupportBundleCollection. - |
-
-conditions
-
-
-[]SupportBundleCollectionCondition
-
+cidr
+
+string
|
- Represents the latest available observations of a SupportBundleCollection current state. +CIDR is a string representing the IP Block +Valid examples are “192.168.1.1⁄24”. |
-(Appears on: -TransportHeader) -
--
TCPHeader describes spec of a TCP header.
-srcPort
-
-int32
-
- |
-
- SrcPort is the source port. - |
-
-dstPort
+http
-int32
+
+HTTPProtocol
+
|
- DstPort is the destination port. |
-flags
+tls
-int32
+
+TLSProtocol
+
|
- Flags are flags in the header. |
(Appears on: -L7Protocol) +GroupSpec)
-
TLSProtocol matches TLS handshake packets with specific SNI. If the field is not provided, this -matches all TLS handshake packets.
+NamespacedName refers to a Namespace scoped resource. +All fields must be used together.
-sni
+name
+
+string
+
+ |
++ | +
+namespace
string
|
- SNI (Server Name Indication) indicates the server domain name in the TLS/SSL hello message. |
(Appears on: -Tier) +ExternalNodeSpec)
-
TierSpec defines the desired state for Tier.
-priority
+name
-int32
+string
|
- Priority specfies the order of the Tier relative to other Tiers. |
-description
+ips
-string
+[]string
|
- Description is an optional field to add more information regarding -the purpose of this Tier. |
string
alias)-(Appears on: -Observation) -
--
-string
alias)-(Appears on: -Observation) -
--
-string
alias)-(Appears on: -TraceflowStatus) -
--
-(Appears on: -Traceflow) +SupportBundleCollectionStatus)
-
TraceflowSpec describes the spec of the traceflow.
+SupportBundleCollectionCondition describes the state of a SupportBundleCollection at a certain point.
-source
+type
-
-Source
+
+SupportBundleCollectionConditionType
|
+ Type of StatefulSet condition. |
-destination
+status
-
-Destination
+
+Kubernetes meta/v1.ConditionStatus
|
+ Status of the condition, one of True, False, Unknown. |
-packet
+lastTransitionTime
-
-Packet
+
+Kubernetes meta/v1.Time
|
+(Optional)
+ Last time the condition transitioned from one status to another. |
-liveTraffic
-
-bool
-
- |
-
- LiveTraffic indicates the Traceflow is to trace the live traffic -rather than an injected packet, when set to true. The first packet of -the first connection that matches the packet spec will be traced. - |
-
-droppedOnly
+reason
-bool
+string
|
- DroppedOnly indicates only the dropped packet should be captured in a -live-traffic Traceflow. +(Optional) +The reason for the condition’s last transition. |
-timeout
+message
-uint16
+string
|
- Timeout specifies the timeout of the Traceflow in seconds. Defaults -to 20 seconds if not set. +(Optional) +A human-readable message indicating details about the transition. |
string
alias)+(Appears on: +SupportBundleCollectionCondition) +
++
+(Appears on: -Traceflow) +SupportBundleCollection)
-
TraceflowStatus describes current status of the traceflow.
-phase
+nodes
-
-TraceflowPhase
+
+BundleNodes
|
- Phase is the Traceflow phase. |
-reason
+externalNodes
-string
+
+BundleExternalNodes
+
|
- Reason is a message indicating the reason of the traceflow’s current phase. |
-startTime
+expirationMinutes
-
-Kubernetes meta/v1.Time
-
+int32
|
- StartTime is the time at which the Traceflow as started by the Antrea Controller. -Before K8s v1.20, null values (field not set) are not pruned, and a CR where a -metav1.Time field is not set would fail OpenAPI validation (type string). The -recommendation seems to be to use a pointer instead, and the field will be omitted when -serializing. -See https://github.com/kubernetes/kubernetes/issues/86811 +ExpirationMinutes is the requested duration of validity of the SupportBundleCollection. +A SupportBundleCollection will be marked as Failed if it does not finish before expiration. +Default is 60. |
-dataplaneTag
+sinceTime
-byte
+string
|
- DataplaneTag is a tag to identify a traceflow session across Nodes. +SinceTime specifies a relative time before the current time from which to collect logs +A valid value is like: 1d, 2h, 30m. |
-results
+fileServer
-
-[]NodeResult
+
+BundleFileServer
|
- Results is the collection of all observations on different nodes. |
-capturedPacket
+authentication
-
-Packet
+
+BundleServerAuthConfiguration
|
- CapturedPacket is the captured packet in live-traffic Traceflow. |
(Appears on: -Packet) +SupportBundleCollection)
-
TransportHeader describes spec of a TransportHeader.
-icmp
+collectedNodes
-
-ICMPEchoRequestHeader
-
+int32
|
+ The number of Nodes and ExternalNodes that have completed the SupportBundleCollection. |
-udp
+desiredNodes
-
-UDPHeader
-
+int32
|
+ The total number of Nodes and ExternalNodes that should process the SupportBundleCollection. |
-tcp
+conditions
-
-TCPHeader
+
+[]SupportBundleCollectionCondition
|
+ Represents the latest available observations of a SupportBundleCollection current state. |
(Appears on: -TransportHeader) +L7Protocol)
-
UDPHeader describes spec of a UDP header.
+TLSProtocol matches TLS handshake packets with specific SNI. If the field is not provided, this +matches all TLS handshake packets.
-srcPort
-
-int32
-
- |
-
- SrcPort is the source port. - |
-
-dstPort
+sni
-int32
+string
|
- DstPort is the destination port. +SNI (Server Name Indication) indicates the server domain name in the TLS/SSL hello message. |
string
alias)+
+string
alias)+
+string
alias)+
Generated with gen-crd-api-reference-docs
-on git commit ab234c5
.
+on git commit fc2b6ae
.
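Review bot: the regenerated description for the SupportBundleCollectionCondition `type` field reads "Type of StatefulSet condition." (the `+ Type of StatefulSet condition.` line), a copy-paste leftover from the Kubernetes StatefulSet API that will mislead readers of this CRD reference; since the HTML is generated by gen-crd-api-reference-docs, the fix belongs in the Go doc comment on the source type (something like "Type of SupportBundleCollection condition.") followed by regeneration, not a hand edit here. The same regeneration pass could pick up two smaller gaps visible in this output: both the `name` and `namespace` fields of NamespacedName land with empty description cells even though the type-level text says "All fields must be used together.", and the `sinceTime` description lacks its sentence-ending period before "A valid value is like: 1d, 2h, 30m." The footer moving from `ab234c5` to `fc2b6ae` is consistent with a regeneration from a newer commit rather than manual editing, so these doc-comment fixes upstream would flow through on the next run.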